Advanced Evasion Techniques
New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies

Mark Boltz, Mika Jalava, Jack Walsh (ICSA Labs)
Stonesoft Corporation

Stonesoft Corporation, International Headquarters: Itälahdenkatu 22 A, FI-00210 Helsinki, Finland. tel. +358 9 4767 11 | fax. +358 9 4767 1349. www.stonesoft.com
Stonesoft Inc., Americas Headquarters: 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA. tel. +1 866 869 4075 | fax. +1 770 668 1131

Table of Contents
Abstract 3
The Authors 3
Network Security 4
Role of Intrusion Detection and Prevention 5
Evasions 6
Networking Standards 6
Evasion Research 6
Normalization 7
Advanced Evasion Techniques 8
Conclusion 9
ICSA Labs Research Contribution 9
References 11

Research Paper Advanced Evasion Techniques page 2

Abstract

The complexity of today’s network environments presents challenges to managing information security systems. Intrusion detection and prevention systems (IPS) provide protection, particularly to systems that must be left vulnerable because they cannot be updated without adverse risks. For almost as long as there has been IPS technology, there have been attempts to evade detection by such systems. However, the evasion techniques used by criminals and other bad actors have most likely been limited to a handful of techniques that are well-known. Stonesoft found evasion techniques that extend earlier research to include a new set of techniques—and combinations of the prior techniques. Together, these advanced evasion techniques (AETs) prey upon protocol weaknesses and the permissive nature of network-based communication, exponentially increasing the number of evasions that can bypass even the most up-to-date IPS technologies.

The Authors

Mark Boltz is a senior solutions architect with Stonesoft Corporation. He has over 20 years of experience in information technology, with over 18 years specializing in network security.
He holds CISSP and CISA certifications, and is pursuing a master’s degree in information technology.

Mika Jalava is the chief technical officer (CTO) of Stonesoft Corporation.

Jack Walsh is Anti-SPAM and Network IPS Program Manager for ICSA Labs, an independent division of Verizon Business.

Network Security

Security in computer networks depends on a surprisingly large number of factors. This is true even if we limit our scope to defending against active, network-based attacks. The variety of controls that network, server, and security administrators must understand and correctly use to defend their organizations against an evolving threat landscape can be intimidating. Networking devices, server operating systems and applications must be up to date and correctly configured. Access controls must be properly applied. The network must be segmented to provide protection and minimize the damage that may result from possible compromise. Firewall rules must allow only the services required by the organization. Logs from all the systems should be centrally collected, stored and analyzed for anomalous or unexpected behavior. Payment card and personal information must be protected according to the internal security policy as well as external compliance requirements.

While all organizations may attempt to follow the steps above as well as other best practices, their network topology may preclude them from doing all that is in their best interest. Dynamic and poorly designed network services may not allow strict segmentation and firewall policies. Organizations, such as many industrial networks, may be limited in terms of what updates can be made to operating systems due to support for legacy software and protocols. The sheer volume of patches and new versions for operating systems and applications, as well as their mutual compatibility, may limit the organization’s ability to adequately test them and keep pace.
Role of Intrusion Detection and Prevention

To complement the fundamentally static, although ever-evolving, protection provided by network firewalls, intrusion detection (IDS) and prevention systems (IPS) have been deployed. IDS and IPS technology help to mitigate concerns organizations have about the aforementioned issues. Unlike a firewall with its set of security policy rules that allow or disallow packets depending on their source, destination, protocol and other properties, IDS and IPS devices promise to inspect and allow all traffic to pass as long as no threat is detected. If a malicious connection is attempted, these devices will either alert the administrator (in the case of an IDS) or drop the connection (in the case of an IPS). The techniques used by these inspection-based security devices vary, but usually include protocol analysis and predetermined attack signatures that detect patterns in the network traffic caused by malicious exploits of vulnerabilities in one of the communicating systems.

Figure 1: Basic Intrusion Prevention. The IPS inspects and disallows illegitimate packets.

The number of known exploits and vulnerabilities is large and continues to grow rapidly. Thankfully, the inspection capabilities of IDS and IPS products are also evolving quickly. Generally, when a new enterprise-relevant exploit is discovered, detection methods are implemented in the inspection devices within a few days, even hours. Because they may be similar to others, some exploits may be detected and prevented with prior analytic capabilities.

Figure 2: Basic Intrusion Detection. The IPS inspects and reports illegitimate and suspicious packets.

Evasions

What if the target system is vulnerable to an enterprise-relevant exploit, but the attacker cannot get his or her attack delivered because of a network-based detection system? Enter the evasion technique.
The development of evasion techniques, or just evasions for short, has not gone unnoticed by those willing to misuse network resources. Evasions alter the attacker’s question from, “How do I hack the destination system?” to “How do I hack the system unnoticed?”

Networking Standards

TCP/IP, the protocol suite used on the Internet and the vast majority of all computer networks, is based on the requirements from RFC 791, which was written in 1981. Among other things, the RFC says, “In general, an implementation must be conservative in its sending behavior, and liberal in its receiving behavior. That is, it must be careful to send well-formed datagrams, but must accept any datagram that it can interpret (e.g., not object to technical errors where the meaning is still clear)” (Postel, 1981, p. 23). That means there will be multiple ways to form messages that will be interpreted identically by the receiving host. While this permissive stance was intended to make interoperability between systems as reliable as possible, it at the same time paved the way for a number of attacks and ways to hide those and other attacks from detection.

As different operating systems and applications behave in different ways when receiving packets, the destination host’s application may see something quite different from what was in the network traffic. Also, the network itself between the detection system and the host may alter the traffic. By carefully exploiting these differences, in many cases it is possible to construct packets in a way that looks normal and safe, but when interpreted by the end host, forms an exploit against it. In general, these techniques are called evasions.

Evasion Research

Evasion research took off in the late 1990s. In their 1998 paper, Newsham and Ptacek presented a number of techniques that could be used to effectively evade detection systems.
Since then, the area has had little new research and appeal to either security vendors or adversaries in the “black hat community”. One of the basic evasion techniques outlined by Newsham and Ptacek is centered on the challenges of IP fragmentation. IP fragmentation is also specified in RFC 791, and is required to ensure interoperability between systems and varying network topologies (Postel, 1981). In IP fragmentation evasions, the attacker takes advantage of fragmentation handling by scrambling fragments out-of-order, or by overwhelming the IPS with too many fragments, for example. They caution, “an IDS that does not properly handle out-of-order fragments is vulnerable; an attacker can intentionally scramble her fragment streams to elude the IDS” (Newsham & Ptacek, 1998). Furthermore, IDS systems are challenged by the fact “that received fragments must be stored until the stream of fragments can be reassembled into an entire IP datagram” (Newsham & Ptacek, 1998). The conclusion is that IDS and IPS architectures have to compensate for all the possible ways that the target system can potentially re-assemble the fragments, and the IPS has to cover all possibilities. If the IPS can’t buffer enough fragments before applying signatures, or determine the possible re-sequencing, it no longer has the appropriate context, thus “rewriting the stream on the IDS” (Newsham & Ptacek, 1998). We refer to the change in context between the IPS and the target system as “state de-synchronization”.

“If we knew what we were doing, it wouldn’t be called research.” – Albert Einstein

Other evasions already covered in their work in 1998 include various techniques involving IP options, TCP options, and TCP sequencing. These are covered in detail in their paper and are noted here to provide further background into the age of these evasion techniques.
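The fragment-reassembly problem described above, as an added example that is not part of the original paper: a small Python reassembler that tolerates out-of-order fragments, shows how two plausible host reassembly policies (called "first" and "last" here; the policy names, the sample fragments and the stand-in signature are all constructed for this example) produce different data from the same fragment stream, and shows why a target-aware inspector should flag such a stream instead of matching signatures against one guess.

```python
"""Added example (not from the Stonesoft paper): a minimal IPv4-style fragment
reassembler showing why an IPS must buffer out-of-order fragments and must
model the target host's reassembly policy. Fragments are constructed in memory;
nothing is sent on a network."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this fragment within the datagram
    payload: bytes
    more_fragments: bool  # IP "MF" flag: False only on the final fragment


def reassemble(fragments: List[Fragment], policy: str = "first") -> Optional[bytes]:
    """Reassemble a datagram from fragments given in arrival order (any order).

    Hosts disagree on which bytes win when fragments overlap; `policy` mirrors
    that: "first" keeps the earliest-arriving bytes, "last" keeps the latest.
    Returns None while the datagram is incomplete (no final fragment, or a
    hole), which is exactly when an IPS must keep buffering before inspecting.
    """
    finals = [f for f in fragments if not f.more_fragments]
    if len(finals) != 1:
        return None
    total = finals[0].offset + len(finals[0].payload)
    buf, seen = bytearray(total), bytearray(total)
    for frag in fragments:
        if frag.offset + len(frag.payload) > total:
            return None  # data beyond the final fragment: malformed stream
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    return bytes(buf) if all(seen) else None


def is_ambiguous(fragments: List[Fragment]) -> bool:
    """True when overlapping fragments carry conflicting bytes, i.e. different
    hosts would reassemble different data. An IPS that inspects only one
    interpretation is then de-synchronized from the target (the paper's
    "state de-synchronization"); a normalizer should not guess here."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


def inspect(fragments: List[Fragment], signature: bytes, target_policy: str) -> str:
    """Verdict of a target-aware inspector: "ambiguous-drop", "incomplete",
    "alert" or "clean". The signature is matched against the stream as the
    target host (with `target_policy`) will see it, not packet by packet."""
    if is_ambiguous(fragments):
        return "ambiguous-drop"
    data = reassemble(fragments, target_policy)
    if data is None:
        return "incomplete"
    return "alert" if signature in data else "clean"


if __name__ == "__main__":
    SIG = b"BAD!"  # constructed stand-in for an attack signature
    # Out-of-order arrival: the final fragment arrives first. Per-packet
    # matching never sees SIG in one packet; reassembly does.
    out_of_order = [Fragment(4, b"BAD!", False), Fragment(0, b"safe", True)]
    print(inspect(out_of_order, SIG, "first"))        # alert
    # Conflicting overlap at offset 0: a first-wins view reads "safedata",
    # a last-wins host reads "BAD!data". Guessing wrong would miss the attack.
    overlap = [Fragment(0, b"safe", True), Fragment(0, b"BAD!", True),
               Fragment(4, b"data", False)]
    print(reassemble(overlap, "first"), reassemble(overlap, "last"))
    print(inspect(overlap, SIG, "last"))              # ambiguous-drop
```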
Many of the evasion techniques presented in that paper from 1998 are still effective against today’s IPS systems. This surprising fact should give you some idea about the level of interest and attention that evasions have so far received among security vendors. Laboratories involved in certification testing of security devices, such as ICSA Labs, have included a number of evasions in their IPS test suites. However, because the number of new vulnerabilities and exploits is so overwhelming, the payoff for the attacker has been sufficiently high. This results in continued use of the latest exploits rather than attacks in conjunction with evasions to bypass network security protections.

Normalization

While security devices providing inspection services need to match attack signatures to the information being seen by the target host, they cannot simply observe the network traffic packet by packet. Similarly, it is not enough for security devices to place packets in the correct order and reassemble any fragments. Security devices must consider other possibilities like packets not received by the end host or protocols that can be decoded in multiple ways. The mechanism for handling this is called normalization, and was suggested in research from Handley and Paxson in 1999 and expanded in 2001. It is a task very much complicated by the policy set forth in RFC 791. Although the standard requires the sending host to be conservative, it is unreasonable to expect anything of the kind from malicious users. Also, while the target hosts are required by RFC 791 to be liberal in their receiving behavior, the further standards actually defining what this means are often ambiguous and simply allow too much variation. Handley and Paxson add that “network traffic unfortunately often includes a nonnegligible proportion of highly unusual, but benign, traffic that will often result in false positives concerning possible evasion attempts” (2001).
And if different operating systems decode a given message in different ways, it is difficult for a security device to make correct decisions as a result of the normalization process.

Advanced Evasion Techniques

At Stonesoft, our vulnerability research team has been deeply involved in improving our products, including the IPS. Disappointing test results with some existing evasions forced us to shift the team’s emphasis towards evasion research. Comprised of experienced security professionals, the vulnerability research team was not satisfied merely by making the required fixes. They delved much deeper into the realm of evasions, and were quite surprised by the potential security risks that they found hidden there.

The team’s findings indicate that there are many more ways to desynchronize an IPS from network traffic with evasion techniques than had heretofore been publicly known. What that means is that the IPS has a different understanding of the protocol state from what the target host has. Because some of the methods discovered are rather simple, Stonesoft was initially quite worried that these evasions may well have already been discovered and actually used by criminals, unbeknownst to the existing crop of commercial IPS devices and the organizations where they are deployed. Other evasions are significantly more complicated, but nevertheless just as practical and effective.

“There are no rules here. We’re trying to accomplish something.” – Thomas Edison

What may have slowed down evasion research is the fact that many of the attack and evasion tools have been limited by standard operating systems and their TCP/IP stacks. The limitations are to be expected, as these systems are supposed to follow the conservative sending behavior requirement.
Freeing themselves from these limitations with special low-level tools, including TCP/IP stacks having greatly increased flexibility, the Stonesoft researchers soon discovered dozens of potential evasions. Testing these against a number of existing IPS and similar systems, Stonesoft also found that the techniques effectively evaded detection.

The new evasions mostly build on well-known principles of de-synchronizing detection systems relying on the network view of the traffic, from the target host’s perspective. Although the objective is the same, the methods vary. Evasion possibilities have been found on IP and transport (TCP, UDP) layers as well as on application layer protocols, including but not limited to SMB and RPC protocols. Although we cannot disclose the details of the advanced evasion techniques during the vulnerability coordination process led by CERT-FI, the validity of the findings has been verified through independent tests performed by ICSA Labs (see contribution note after the conclusion). The technical community will be provided further details on the techniques as soon as it is safe and responsible to do so.

The effectiveness of the detection process, including normalization, is limited by the fact that the evasion methods can be combined. Unhindered by the operating system’s limitations on sending malformed packets to the network, any modifications and combinations thereof can be easily tested in Stonesoft’s laboratory environment against vulnerable host systems in conjunction with either a commercial IPS or other security devices (e.g., a network firewall). It is clear that these new evasions, along with the new ways to utilize them, add new requirements to the normalization process. It is no longer possible to rely on low-level normalization only at the IP and transport layers, as an increasing number of evasions show up at the application layer targeting multiple protocols.
Conclusion

The Stonesoft research team discovered the new evasion techniques in a lab environment rather than while investigating nefarious activities on the Internet. However, this does not mean that criminals or other bad actors had not already discovered and possibly been using these evasions against real world targets. After all, a large percentage of information security incidents actually go unnoticed. And according to the Verizon Business 2010 Data Breach Investigations Report, approximately 20% of incidents involving malware detected have an “unknown” component for the infection vector (Baker et al., 2010). Whether or not, and to what extent, this may have been a result of advanced evasion techniques is of course impossible to say. It is quite probable though, especially in the more advanced, targeted attacks, that unknown evasion tools may be in use.

Stonesoft has found that it is possible to evade many, if not all, commercially available IPSs, and certainly all that have been tested. Given their architecture, not all of them will be easily fixed. Most of the network security threats, and almost all serious ones, are caused by criminals motivated by money. As the rewards may be very high, the motivation to invest in the attacks and evasions certainly exists. These facts then beg some obvious questions: Why haven’t more security vendors continued from where the last set of published research left off? Is the problem too difficult to tackle with the current security device architectures?

Looking at the past, the main selling points and comparison metrics for security devices have been throughput performance and price. Yet the actual reason for inspection-based security devices is protection. It is curious then that the accuracy of inspection and efficiency of responses to detected attacks and evasions has been neglected by security vendors.
While throughput is an important factor, it is still secondary to the security functionality – or ought to be. Perhaps some security vendors believe that selling fast systems with seriously limited security functionality is too lucrative to risk by researching and resolving threats such as the evasions found by Stonesoft, as they cannot be easily detected with performance-optimized systems.

ICSA Labs Research Contribution

For over 20 years ICSA Labs has tested hundreds of computer and network security products. During that time ICSA Labs has helped ensure that enterprise end users get the best possible protection as a result of rigorous, independent, third party testing of anti-virus, anti-spam, network intrusion prevention, firewall, FIPS-140, USGv6, SSL, IPsec, and many other kinds of products. It’s not surprising then that Stonesoft contacted ICSA Labs to verify its research into the newly-found advanced evasion techniques (AETs).

Through the use of video conferencing equipment, Stonesoft demonstrated its findings to ICSA Labs. Stonesoft had packaged the evasions into an internal tool called Predator, and ICSA Labs watched as attacks using the newly discovered advanced evasions successfully passed through IPS devices that were capable of detecting the original attack. Long proponents of responsible disclosure, Stonesoft and ICSA Labs then formulated a plan that would permit ICSA Labs to test the AETs while allowing the Predator tool and its evasion-related code to remain safely confined to Stonesoft’s research lab in Finland.

Following the video conferencing demonstration of the Predator tool and some of the evasion techniques, Stonesoft delivered traffic packet captures that their research team had created using the tool – the same packet captures that CERT-FI made available to affected network security vendors.
Vulnerability experts at ICSA Labs analyzed and confirmed that many of the evasions in those captures belonged to a new class of evasions not previously seen in public. ICSA Labs then confirmed, by properly replaying the traffic captures, that the attacks disguised by the AETs were not detected by several well-known intrusion prevention systems.

But to truly verify the AETs could evade detection and compromise systems, ICSA Labs needed a way for themselves to combine the AETs with actual attacks and launch them against vulnerable systems. To do so, ICSA Labs and Stonesoft set up a virtual private network (VPN) tunnel between Stonesoft’s Helsinki, Finland headquarters and ICSA Labs’ Mechanicsburg, Pennsylvania testing laboratory. ICSA Labs used the VPN connection to access the Predator tool’s graphical user interface. Picking and choosing from the Predator tool’s many options, ICSA Labs was able to launch attacks coupled with the new AETs through several IPS devices against a vulnerable system. Of the dozen-or-so new evasions tested, ICSA Labs was able to confirm that many of the stealthy attacks passed through one or more of the tested commercial IPS devices undetected and successfully compromised the vulnerable systems.

References

Baker, W., Goudie, M., Hutton, A., Hylender, C., Niemantsverdriet, J., Novak, C., Ostertag, D., Porter, C., Rosen, M., Sartin, B., Tippett, P. (2010). Verizon 2010 Data Breach Investigations Report. Verizon Business. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Caswell, B., Moore, H. D. (2006). Thermoptic Camouflage: Total IDS Evasion. Proceedings of the BlackHat Conference. Retrieved from www.blackhat.com/presentations/bh-usa-06/BH-US06-Caswell.pdf

Chien, E., Falliere, N., Murchu, L. O. (2010). W32.Stuxnet Dossier. Symantec Security Response. Retrieved from http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf

Gorton, S. A., Champion, T. G. (2003). Combining Evasion Techniques to Avoid Network Intrusion Detection Systems. Skaion Corporation. Retrieved from http://www.skaion.com/research/tgcrsd-raid.pdf

Handley, M., Kreibich, C., Paxson, V. (2001). Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-end Protocol Semantics. In Proceedings of the 10th USENIX Security Symposium, Vol. 10, pp. 115-131. Berkeley, CA: USENIX Association. Retrieved from http://www.usenix.org/events/sec01/full_papers/handley/handley.pdf

Jang, J.-S., Jeon, Y.-H., Oh, J.-T., Park, S.-K. (2007). Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment. International Journal of Computer Science and Network Security, Vol. 7, No. 6. Retrieved from http://paper.ijcsns.org/07_book/200706/20070617.pdf

Newsham, T. N., Ptacek, T. H. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, Inc. Retrieved from http://insecure.org/stf/secnet_ids/secnet_ids.html

Pazos-Revilla, M. FPGA based fuzzy intrusion detection system for network security. M.S. dissertation, Tennessee Technological University, United States -- Tennessee. Retrieved from Dissertations & Theses: Full Text. (Publication No. AAT 1480256).

Postel, J. (1981). RFC 791: Internet Protocol. DARPA Internet Program Protocol Specification. Internet Engineering Task Force. Retrieved from http://datatracker.ietf.org/doc/rfc791/

About Stonesoft

Stonesoft Corporation (NASDAQ OMX: SFT1V) is an innovative provider of integrated network security solutions to secure the information flow of distributed organizations. Stonesoft customers include enterprises with growing business needs requiring advanced network security and always-on business connectivity.

StoneGate™ secure connectivity solution unifies firewall, VPN, IPS and SSL VPN, blending network security, end-to-end availability and award-winning load balancing into a unified and centrally managed system. The key benefits of StoneGate secure connectivity solution include low TCO, excellent price-performance ratio and high ROI. The virtual StoneGate solution protects the network and ensures business continuity in both virtual and physical network environments. StoneGate Management Center provides unified management for StoneGate Firewall with VPN, IPS, and SSL VPN. StoneGate Firewall and IPS work together to provide intelligent defence all over the enterprise network while StoneGate SSL VPN provides enhanced security for mobile and remote use.

Founded in 1990, Stonesoft Corporation is a global company with corporate headquarters in Helsinki, Finland and Americas headquarters in Atlanta, Georgia. For more information, visit www.stonesoft.com.

Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.