Cyber Security from a Different Perspective
Outline
- MilSOFT introduction
- Autobiography
- MilGUARD
- NATO-ACCS
MilSOFT: 100% private Turkish company
Founded in 1998, MilSOFT is a systems integration and software development company operating in the defence sector.
Facilities: ODTÜ Teknokent (Ankara), Teknopark Istanbul (İstanbul)
~200 staff
Engineer ratio: engineers 79%, other 21%
Education level: BS 59%, MS 36%, PhD 3%, other 2%
Technical expertise and capabilities
Command, Control, Communications, Computers and Intelligence (C4I) technologies
- C2 and C4I system infrastructures
- Combat Management System (Mil-CMS)
- Coordinated maritime operations
- Maritime information exchange system
- Strategic-level C4ISR solutions
Tactical data link systems
- Tactical data links (Link 1, Link 11, Link 16, Link 22)
- JRE processor
- Proprietary tactical data link / network solutions (Mil-NET / Link-M)
Intelligence, surveillance, reconnaissance and image exploitation systems
- Strategic and operational level ISR systems
- UAV-specific ISR solutions (YKİ-GÖRSİS, TGKS, UGT)
- Sensor-specific exploitation solutions (SAR/GMTI, EO/IR, hyperspectral)
Technical expertise and capabilities
Electronic warfare
- Setting up an EW operations support centre
- Threat analysis and development of jamming techniques
- Electronic warfare training
Embedded software
- Mission / maintenance data computer software
- Flight test instrumentation
- DO-178B compliant software development and verification, FAA certification
Technical expertise and capabilities
Information technologies
- Network-centric capabilities
- Homeland security
- Crisis / emergency management
- Logistics life-cycle support
- Enterprise information management
Cyber security
- Software protection
- Protection against reverse engineering
Training and simulation
- Training and simulation software
- EW and data link training and simulation solutions
Autobiography
- BS 2013, METU CENG, minor in Psychology
- MS 2015, METU CENG, thesis topic: Static Binary Rewriting
- Working at MilSOFT since graduation
- Senior Software Engineer / Cyber Security Team Leader
Introduction
MilGUARD is a software protection tool that integrates obfuscation, tamper-proofing and anti-debug techniques into executables and shared libraries.
Scope
- Language: C, C++
- Architecture: Intel x86 (32-bit), Intel x86_64 (64-bit)
- Operating system: Windows, Linux
- Compiler: Visual Studio 2012+, GCC 4.8.2+, Clang 3.8.0+
- Type of binary: PE executable / .DLL, ELF executable / .so
Motivation
- Man-at-the-end attacks
- Source-code-level protection means complex development
- Decoupling software development from protection
Former approaches
- Dependency on a special compiler/linker
- Perfect-disassembly assumption
- Dependency on an interactive disassembler such as IDA Pro
Challenges
- Binary rewriting
- Disassembly accuracy
- Dynamic branches
- Exception handling
- Performance
- Protection strength
- Red zone in the stack frame
Problem-solving approach
- Research (not simple Google searches)
- Asking the authors questions (you have to solve that "future work" problem yourself)
- Prototype implementations
- Reading source code
- Reverse engineering
- Creating your own solution
Procedure call example
  804854e: e8 3d 06 00 00   call 8048b90 <main>
  8048553: 50               pushl %eax
  ...
  8048590: ...
  8048591: c3               ret

Stack and register state (reconstructed from the slide's figure; the stack words at 0x110, 0x10c and 0x108 are shown in each snapshot, 0x108 holding the value 123):
  before call:  %esp = 0x108, %eip = 0x804854e
  after call:   %esp = 0x104, return address 0x8048553 stored at 0x104, %eip = 0x8048590
  after ret:    %esp = 0x108, %eip = 0x8048553
Implementation (1/5)
- Find the function in the file using debug information
- Create a new executable section
Implementation (2/5)
- Disassemble
- Move the function to the new section
Implementation (3/5)
- Create the initial relocation map
- Insert code pieces
Implementation (4/5)
- Update the relocation map
- Fix static jumps
Implementation (5/5)
- Redirect incoming function calls
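Added example (C, not MilGUARD's code): a byte-level model of the procedure call example and of implementation steps 2/5 to 5/5 for one function. It decodes and re-encodes the rel32 of x86 call/jmp instructions (the slide's `e8 3d 06 00 00` at 0x804854e resolves to 0x8048553 + 0x63d = 0x8048b90), copies the function into a new section while inserting a code piece, keeps the old-to-new relocation map, fixes the internal static jump and redirects the incoming call. Everything except the caller's address and bytes is constructed: the .text window, the 16-byte function, the new section at 0x8049000 and the two-NOP placeholder code piece; the instruction sizes that a disassembler would supply are handed in as an array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout; only the caller's address and bytes come from the slide. */
#define TEXT_BASE 0x8048540u  /* start of the modelled .text window             */
#define TEXT_SIZE 0x680u      /* the window holds the caller and the old body   */
#define CALL_SITE 0x804854eu  /* 'e8 3d 06 00 00  call 8048b90' on the slide    */
#define OLD_FUNC  0x8048b90u  /* the function that gets moved                   */
#define NEW_SEC   0x8049000u  /* address of the new executable section          */

static uint8_t  text[TEXT_SIZE];                 /* original .text bytes          */
static uint8_t  newsec[64];                      /* the moved, patched copy       */
static size_t   newsec_len, reloc_count;
static uint32_t reloc_old[32], reloc_new[32];    /* relocation map, old -> new    */

static uint32_t read_le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void write_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* e8 (call) and e9 (jmp) carry a rel32 measured from the next instruction,
 * insn_addr + 5: the slide's call at 0x804854e with rel32 0x63d reaches
 * 0x8048553 + 0x63d = 0x8048b90, and the pushed return address is 0x8048553. */
uint32_t rel32_target(uint32_t insn_addr, const uint8_t *insn)
{ return insn_addr + 5 + read_le32(insn + 1); }
static void set_rel32(uint8_t *insn, uint32_t insn_addr, uint32_t target)
{ write_le32(insn + 1, target - (insn_addr + 5)); }

/* Old instruction address -> new one; 0 when it is not an instruction start. */
uint32_t map_lookup(uint32_t old_addr)
{
    for (size_t i = 0; i < reloc_count; i++)
        if (reloc_old[i] == old_addr) return reloc_new[i];
    return 0;
}

/* Steps 2/5 and 3/5: copy the function instruction by instruction into the new
 * section, insert a code piece before instruction `insert_before`, and record
 * old -> new for every instruction start (sizes come from the disassembler). */
static void move_function(const size_t *insn_size, size_t n, size_t insert_before,
                          const uint8_t *piece, size_t piece_len)
{
    uint32_t old_addr = OLD_FUNC;
    newsec_len = reloc_count = 0;
    for (size_t i = 0; i < n; i++) {
        if (i == insert_before) {
            memcpy(newsec + newsec_len, piece, piece_len);
            newsec_len += piece_len;
        }
        reloc_old[reloc_count] = old_addr;
        reloc_new[reloc_count] = NEW_SEC + (uint32_t)newsec_len;
        reloc_count++;
        memcpy(newsec + newsec_len, text + (old_addr - TEXT_BASE), insn_size[i]);
        newsec_len += insn_size[i];
        old_addr   += (uint32_t)insn_size[i];
    }
}

/* Step 4/5: every rel32 call/jmp in the copy has moved, and so has any target
 * that lay inside the function, so each one is re-encoded through the map. */
static void fix_static_jumps(void)
{
    for (size_t i = 0; i < reloc_count; i++) {
        uint8_t *insn = newsec + (reloc_new[i] - NEW_SEC);
        if (insn[0] != 0xe8 && insn[0] != 0xe9) continue;
        uint32_t target = rel32_target(reloc_old[i], text + (reloc_old[i] - TEXT_BASE));
        uint32_t mapped = map_lookup(target);
        set_rel32(insn, reloc_new[i], mapped ? mapped : target);
    }
}

/* Step 5/5: a call site that enters the old function is pointed at the copy.
 * Returns 1 when redirected, 0 when the site calls something else. */
int redirect_call(uint32_t call_site)
{
    uint8_t *insn = text + (call_site - TEXT_BASE);
    if (insn[0] != 0xe8 || rel32_target(call_site, insn) != OLD_FUNC) return 0;
    set_rel32(insn, call_site, map_lookup(OLD_FUNC));
    return 1;
}

/* Runs the procedure on a constructed image: the slide's caller plus a 16-byte
 * function with one internal jmp and one external call.  Returns the number of
 * redirected call sites. */
int run_example(void)
{
    static const uint8_t caller[] = { 0xe8, 0x3d, 0x06, 0x00, 0x00, 0x50 }; /* call; pushl %eax */
    static const uint8_t func[] = {
        0x55, 0x89, 0xe5,             /* 8048b90: push %ebp; mov %esp,%ebp    */
        0xe9, 0x01, 0x00, 0x00, 0x00, /* 8048b93: jmp 8048b99   (inside)      */
        0x90,                         /* 8048b98: nop           (jumped over) */
        0xe8, 0x62, 0xf8, 0xff, 0xff, /* 8048b99: call 8048400  (outside)     */
        0x5d, 0xc3 };                 /* 8048b9e: pop %ebp; ret               */
    static const size_t  sizes[] = { 1, 2, 5, 1, 5, 1, 1 };
    static const uint8_t piece[] = { 0x90, 0x90 };  /* stands in for a protection code piece */
    memset(text, 0xcc, sizeof text);
    memcpy(text + (CALL_SITE - TEXT_BASE), caller, sizeof caller);
    memcpy(text + (OLD_FUNC - TEXT_BASE), func, sizeof func);
    move_function(sizes, 7, 3, piece, sizeof piece);  /* the piece goes before the nop */
    fix_static_jumps();
    return redirect_call(CALL_SITE);
}
```

The inserted piece lands between the jmp and its target, so the jmp's rel32 changes from 1 to 3 while the external call keeps its absolute target; that difference is why the relocation map has to be consulted before re-encoding. Short jumps (`eb rel8`) are deliberately absent: once a code piece is inserted between a short jump and its target the distance may no longer fit in a byte, which is one of the cases a real rewriter has to widen or trampoline.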
Source: Bryant, R. E., & O'Hallaron, D. R. (2003). Computer Systems: A Programmer's Perspective (Vol. 2). Upper Saddle River: Prentice Hall.
Dynamic jump instructions (1/2)
- The target of a dynamic jump is determined at runtime
- The target can change according to the input or the state of the program (e.g. a switch statement)
- Find a superset of all possible dynamic jump targets
- Any data or immediate value that corresponds to the beginning of an instruction in the function
Dynamic jump instructions (2/2)
- Insert "0xF4 new_address" bytes at the possible jump targets
- 0xF4 is the halt instruction on x86; it does not take part in execution
- Insert a code piece that translates the dynamic jump target at runtime
- Check at runtime whether the target is inside the function; don't touch it otherwise
Redirection map
Assume the possible jump targets found are 0x804850d, 0x8048513 and 0x8048519
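Added example (C, not MilGUARD's code) of the dynamic-jump handling on the two slides above and of the redirection map: building the superset of possible targets from 32-bit values found in data and immediates, writing the "0xF4 new_address" stubs into the now-dead old body, and the runtime translation that leaves targets outside the function alone. The three targets are the slide's; the function's address range (0x8048500 to 0x8048540), its instruction starts, the harvested values, the new addresses and the 0xCC filler are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout; only the three target addresses come from the slide. */
#define OLD_START 0x8048500u            /* original location of the moved function */
#define OLD_END   0x8048540u            /* one past its last byte                   */
#define STUB_LEN  5                     /* "F4 <new_address>" is 1 + 4 bytes        */
static uint8_t old_body[OLD_END - OLD_START]; /* the old bytes, no longer executed */

static uint32_t read_le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void write_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static int inside_function(uint32_t a) { return a >= OLD_START && a < OLD_END; }

/* Step 1: the superset.  Every 32-bit value seen in data or as an immediate
 * (`values`) that equals an instruction start of the function is kept as a
 * possible dynamic jump target, without duplicates.  Returns how many. */
size_t collect_targets(const uint32_t *values, size_t nvals,
                       const uint32_t *insn_starts, size_t nstarts,
                       uint32_t *out, size_t out_max)
{
    size_t n = 0;
    for (size_t i = 0; i < nvals; i++) {
        int is_start = 0, seen = 0;
        if (!inside_function(values[i])) continue;
        for (size_t j = 0; j < nstarts && !is_start; j++) is_start = (values[i] == insn_starts[j]);
        for (size_t k = 0; k < n && !seen; k++) seen = (out[k] == values[i]);
        if (is_start && !seen && n < out_max) out[n++] = values[i];
    }
    return n;
}

/* Step 2: write "F4 <new address>" at every possible target in the old body.
 * The body is never executed again (the code moved), so these bytes act as a
 * lookup table and 0xF4 (hlt) marks a valid entry.  The rest is filled with
 * 0xCC (int3), an assumption here so that a missed target traps instead of
 * running stale bytes.  Returns 0 if two targets are too close for 5-byte stubs. */
int install_stubs(const uint32_t *targets, const uint32_t *new_addrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (i != j && targets[j] > targets[i] && targets[j] - targets[i] < STUB_LEN) return 0;
    memset(old_body, 0xcc, sizeof old_body);
    for (size_t i = 0; i < n; i++) {
        uint8_t *p = old_body + (targets[i] - OLD_START);
        p[0] = 0xf4;
        write_le32(p + 1, new_addrs[i]);
    }
    return 1;
}

/* Step 3: what the inserted runtime code piece does just before `jmp *%reg`.
 * Targets outside the function are left untouched; inside it, the stub gives
 * the new address.  An inside address without a stub is a superset miss and
 * is returned unchanged, since no translation can be guessed for it. */
uint32_t translate_target(uint32_t target)
{
    if (!inside_function(target)) return target;
    const uint8_t *p = old_body + (target - OLD_START);
    return p[0] == 0xf4 ? read_le32(p + 1) : target;
}

/* Constructed run: instruction starts of the old function, values harvested
 * from data and immediates, and the new addresses of the three targets. */
int run_example(void)
{
    static const uint32_t starts[] = { 0x8048500, 0x8048503, 0x8048508, 0x804850d,
                                       0x8048513, 0x8048519, 0x804851f, 0x8048525 };
    static const uint32_t values[] = { 0x804850d, 0x8048400, 0x8048513, 0x804850d,
                                       0x8048510, 0x8048519, 0x00000004 };
    static const uint32_t new_addrs[] = { 0x804a010, 0x804a020, 0x804a02a };
    uint32_t targets[8];
    size_t n = collect_targets(values, 7, starts, 8, targets, 8);
    if (n != 3 || !install_stubs(targets, new_addrs, n)) return -1;
    return (int)n;
}

/* Two candidate targets 3 bytes apart cannot both hold a 5-byte stub in place. */
int overlap_example(void)
{
    static const uint32_t close[] = { 0x8048500, 0x8048503 }, dst[] = { 0x804a000, 0x804a003 };
    return install_stubs(close, dst, 2);
}
```

Because each stub is five bytes, two candidate targets less than five bytes apart cannot both hold one in place; `install_stubs` refuses that input rather than silently overlapping, and `overlap_example` shows the case. The slide's three targets are six bytes apart, so they fit. The harvested value 0x8048510 is inside the function but not an instruction start, so it is dropped from the superset and stays untranslated at runtime.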
Contributions
- Works directly on the compiler output
- Mitigation for the disassembly accuracy problem
- Standalone: no interactive disassembler dependency
- 2 novel protection algorithms
- 3 patent applications
Case study
- A simple obfuscation method: replace jumps with function calls
- gzip, gen_codes function
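Added example (C, not MilGUARD's code and not the gzip case study itself) of one way to carry out the transformation named above, replacing a jump with a function call: the `e9 rel32` jmp becomes an `e8 rel32` call to a stub that discards the pushed return address and jumps on to the original target. A minimal interpreter for just these instructions checks offline that control still arrives at the same place with the same esp. The code bytes, addresses and stub location are constructed; how MilGUARD itself performs this rewrite is not described on the slide.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BASE 0x8048000u   /* constructed load address of the modelled code */
static uint8_t code[0x100];
static const uint8_t lea_esp_4[] = { 0x8d, 0x64, 0x24, 0x04 };  /* lea 0x4(%esp),%esp */

static uint32_t read_le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void write_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Rewrite the 'e9 rel32' jmp at jmp_addr into an 'e8 rel32' call to a stub
 * placed at stub_addr (free space, e.g. in the new section).  The stub drops
 * the return address the call pushed, then jumps to the original target:
 *     8d 64 24 04   lea 0x4(%esp),%esp   ; like add $4,%esp, but leaves EFLAGS alone
 *     e9 rel32      jmp original_target
 * Returns the original target, or 0 when jmp_addr does not hold an e9 jmp. */
uint32_t jmp_to_call(uint32_t jmp_addr, uint32_t stub_addr)
{
    uint8_t *j = code + (jmp_addr - BASE), *s = code + (stub_addr - BASE);
    if (j[0] != 0xe9) return 0;
    uint32_t target = jmp_addr + 5 + read_le32(j + 1);
    memcpy(s, lea_esp_4, 4);
    s[4] = 0xe9;
    write_le32(s + 5, target - (stub_addr + 9));   /* rel32 from the end of the 9-byte stub */
    j[0] = 0xe8;
    write_le32(j + 1, stub_addr - (jmp_addr + 5));
    return target;
}

/* A minimal interpreter for just the instructions involved, so the rewrite can
 * be checked offline.  It follows control flow from `eip` until it meets a
 * byte it does not model and reports where it stopped and the final esp.
 * The stack is a small constructed array indexed by esp / 4. */
struct cpu { uint32_t eip, esp, stack[16]; };

static int step(struct cpu *c)
{
    const uint8_t *p = code + (c->eip - BASE);
    if (p[0] == 0xe9) { c->eip += 5 + read_le32(p + 1); return 1; }
    if (p[0] == 0xe8) {                        /* push the return address, then jump */
        c->esp -= 4;
        c->stack[c->esp / 4] = c->eip + 5;
        c->eip += 5 + read_le32(p + 1);
        return 1;
    }
    if (memcmp(p, lea_esp_4, 4) == 0) { c->esp += 4; c->eip += 4; return 1; }
    return 0;                                  /* anything else (here: ret) stops the run */
}

static struct cpu run(uint32_t start, uint32_t initial_esp)
{
    struct cpu c = { start, initial_esp, { 0 } };
    for (int n = 0; n < 32 && step(&c); n++) ;
    return c;
}
uint32_t final_eip(uint32_t start, uint32_t esp) { return run(start, esp).eip; }
uint32_t final_esp(uint32_t start, uint32_t esp) { return run(start, esp).esp; }

/* Constructed code: a jmp at 0x8048010 to a ret at 0x8048030; the stub goes to
 * free space at 0x8048080.  Returns the original target reported by the rewrite. */
uint32_t run_example(void)
{
    memset(code, 0xcc, sizeof code);
    code[0x10] = 0xe9; write_le32(code + 0x11, 0x8048030u - 0x8048015u); /* jmp 8048030 */
    code[0x30] = 0xc3;                                                    /* ret          */
    return jmp_to_call(0x8048010u, 0x8048080u);
}
```

The stub uses `lea 0x4(%esp),%esp` rather than `add $4,%esp` because `add` writes EFLAGS and the original target may be a conditional jump that still needs them. This is also where the "red zone in the stack frame" challenge from the earlier slide shows up: on 32-bit x86 there is no red zone, but a 64-bit SysV leaf function may keep live data in the 128 bytes below rsp, and the return address pushed by the inserted call would overwrite it, so the 64-bit variant needs a different stub or a stack adjustment first.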
NATO-ACCS
NATO-ACCS
Turkish Air Force and NATO communication
- Data loss prevention
- Content filtering
- Must be transparent in the network connection
- Performance, performance, performance (go beyond algorithmic complexity)
Used skills so far (1/2)
Turkish Air Force and NATO communication
- Network stack know-how: TCP, UDP, application layer protocols
- Kernel module development: no complex data structures, memory restrictions, performance
- Inter-process communication: sockets, memory map, shared memory etc.
- Risk and attack analysis
Used skills so far (2/2)
Turkish Air Force and NATO communication
- Kernel / user space synchronization: watch out for deadlocks, locking is dangerous
- OS principles: multi-threading, synchronization, OS architecture
- Performance optimization: cache-friendly code, profiling
- C and Java development: no STL, implement your own fast and lightweight data structures and algorithms
Thank you
Info & applications: hr@milsoft.com.tr