Cyber Security from a Different Perspective
Outline
MilSOFT Introduction
Autobiography
MilGUARD
NATO-ACCS
100% PRIVATELY OWNED TURKISH COMPANY
Founded in 1998, MilSOFT is a system integration and software development company operating in the defense sector.
FACILITIES
ODTÜ Teknokent (ANKARA)
Teknopark Istanbul (İSTANBUL)
EDUCATION LEVEL
BS 59%, MS 36%, PhD 3%, Other 2%
ENGINEER RATIO
Engineers 79%, Other 21%
~200 PERSONNEL
TECHNICAL EXPERTISE AND CAPABILITIES
COMMAND, CONTROL, COMMUNICATIONS, COMPUTERS (C4I) TECHNOLOGIES
C2 and C4I System Infrastructures
Combat Management System (Mil-CMS)
Coordinated Naval Operations
Maritime Information Exchange System
Strategic-Level C4ISR Solutions
TACTICAL DATA LINK SYSTEMS
Tactical Data Links (Link 1, Link 11, Link 16, Link 22)
JRE Processor
Indigenous Tactical Data Link / Network Solutions (Mil-NET / Link-M)
INTELLIGENCE, SURVEILLANCE, RECONNAISSANCE AND IMAGE EXPLOITATION SYSTEMS
Strategic and Operational-Level Intelligence, Surveillance and Reconnaissance (ISR) Systems
UAV-Specific ISR Solutions (YKİ-GÖRSİS, TGKS, UGT)
Sensor-Specific Exploitation Solutions (SAR/GMTI & EO/IR & Hyperspectral)
ELECTRONIC WARFARE
EW Operations Support Center Setup
Threat Analysis and Jamming Technique Development
Electronic Warfare Training
EMBEDDED SOFTWARE
Mission / Maintenance Data Computer Software
Flight Test Instrumentation
DO-178B-Compliant Software Development and Verification, FAA Certification
INFORMATION TECHNOLOGIES
Network-Centric Capabilities
Homeland Security
Crisis / Emergency Management
Logistics Life-Cycle Support
Enterprise Information Management
CYBER SECURITY
Software Protection
Protection Against Reverse Engineering
TRAINING AND SIMULATION
Training and Simulation Software
EW and Data Link Training and Simulation Solutions
Autobiography
BS 2013, METU CENG
Minor in Psychology
MS 2015, METU CENG
Thesis topic: Static Binary Rewriting
Working at MilSOFT since graduation
Senior Software Engineer / Cyber Security Team Leader
Introduction
is a software protection tool that integrates:
OBFUSCATION, TAMPER-PROOFING, ANTI-DEBUG
techniques into:
EXECUTABLES and SHARED LIBRARIES
Scope
Language: C, C++
Architecture: INTEL x86 (32-bit), INTEL x86_64 (64-bit)
Operating System: WINDOWS, LINUX
Compiler: VISUAL STUDIO 2012+, GCC 4.8.2+, CLANG 3.8.0+
Type of Binary: PE EXECUTABLE, .DLL, ELF EXECUTABLE, .SO
Motivation
Man-at-the-end attacks
Source code level protection = complex development
Decoupling software development & protection
Former Approaches
Special compiler/linker dependency
Perfect disassembly assumption
Interactive disassembler dependency such as IDA-Pro
Challenges
Binary rewriting
Disassembly accuracy
Dynamic Branches
Exception handling
Performance
Protection strength
Red-zone in stack frame
Problem solving approach
Research (not simple Google searches)
Asking the authors questions (you have to solve that future work problem)
Prototype implementations
Reading source code
Reverse engineering
Create your own solution
Procedure Call Example
804854e: e8 3d 06 00 00   call 8048b90 <main>
8048553: 50               pushl %eax
8048590: ...              ...
8048591: c3               ret
Before call: %eip 0x804854e, %esp 0x108 (stack holds 123 at 0x108)
After call: %eip 0x8048590, %esp 0x104 (return address 0x8048553 pushed at 0x104)
After ret: %eip 0x8048553, %esp 0x108
Implementation (1/5)
Find the function in file using debug information
Create a new executable section
Implementation (2/5)
Disassemble
Move the function to the new section
Implementation (3/5)
Create initial relocation map
Insert code pieces
Implementation (4/5)
Update relocation map
Fix static jumps
Implementation (5/5)
Redirect incoming function calls
Source: Bryant, R. E., & O'Hallaron, D. R. (2003). Computer systems: a programmer's perspective (Vol. 2). Upper Saddle River: Prentice Hall.
Dynamic Jump Instructions (1/2)
Target of dynamic jumps is determined at runtime
Target can change according to the input or state of the program (ex: switch)
Find a superset of all possible dynamic jump targets
Any data or immediate value that corresponds to the beginning of an instruction in the function
Dynamic Jump Instructions (2/2)
Insert "0xF4 new_address" bytes at possible jump targets
"0xF4" is the halt (HLT) instruction in x86. It is used only as a marker and does not take part in execution
Insert a code piece that translates the dynamic jump target at runtime
Check at run time whether the target is inside the function; don't touch it otherwise
Redirection Map
Assume the possible jump targets found are: 0x804850d, 0x8048513 and 0x8048519
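The marker scheme from the two Dynamic Jump Instructions slides and the Redirection Map slide, as an added C example that is not from the original slides or from the tool itself. The function range, the new-section addresses, the jump-table bytes and the policy of returning 0 for an unmarked in-function target are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define FUNC_START 0x8048500u        /* constructed range of the original function */
#define FUNC_SIZE  0x20u
static uint8_t old_func[FUNC_SIZE];  /* bytes left at the function's old location */
/* Constructed relocation map: instruction starts and their addresses in the new section. */
static const uint32_t old_addr[] = { 0x8048500, 0x804850d, 0x8048510, 0x8048513, 0x8048519 };
static const uint32_t new_addr[] = { 0x8049000, 0x8049012, 0x8049018, 0x8049020, 0x804902b };
/* Constructed jump table: the slide's three targets plus one unrelated word. */
static const uint8_t tbl[] = { 0x0d,0x85,0x04,0x08, 0x13,0x85,0x04,0x08,
                               0xef,0xbe,0xad,0xde, 0x19,0x85,0x04,0x08 };
static uint32_t rd32(const uint8_t *p)   /* little-endian 32-bit load */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Superset search: any 32-bit value in data that equals an instruction start is
 * a possible target; overwrite that old location with "0xF4 new_address". */
static size_t mark_candidates(const uint8_t *data, size_t len)
{
    size_t marked = 0;
    for (size_t off = 0; off + 4 <= len; off++)
        for (size_t i = 0; i < sizeof old_addr / sizeof old_addr[0]; i++) {
            uint32_t o = old_addr[i] - FUNC_START;
            if (rd32(data + off) != old_addr[i] || o + 5 > FUNC_SIZE) continue;
            old_func[o] = 0xF4;                      /* HLT opcode as marker */
            for (int b = 0; b < 4; b++) old_func[o + 1 + b] = (uint8_t)(new_addr[i] >> (8 * b));
            marked++;
        }
    return marked;
}

/* Check placed before a dynamic jump: translate targets inside the function only. */
static uint32_t translate_target(uint32_t t)
{
    uint32_t o = t - FUNC_START;
    if (t < FUNC_START || o >= FUNC_SIZE) return t;            /* outside: don't touch */
    if (o + 5 > FUNC_SIZE || old_func[o] != 0xF4) return 0;    /* unmarked: assumed policy */
    return rd32(old_func + o + 1);
}

int main(void)
{
    size_t n = mark_candidates(tbl, sizeof tbl);
    printf("%zu markers, 0x8048513 -> 0x%x, 0x8048b90 -> 0x%x\n", n,
           (unsigned)translate_target(0x8048513), (unsigned)translate_target(0x8048b90));
    return 0;
}
```

The three targets sit 6 bytes apart, so each 5-byte marker fits without overlapping the next one; an instruction start that was never found as a candidate (0x8048510 here) has no marker and is reported as unmapped.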
Contributions
Directly works on the compiler output
Mitigation for disassembly accuracy problem
Standalone - no interactive disassembler dependency
2 novel protection algorithms
3 patent applications
Case Study
A simple obfuscation method
Replace jumps with function calls
gzip - gen_codes function
NATO-ACCS
Turkish Air Force and NATO Communication
Data Loss Prevention
Content Filtering
Must be transparent in network connection
Performance, performance, performance (go beyond algorithmic complexity)
Used skills so far (1/2)
Network stack know-how
TCP, UDP, Application Layer Protocols
Kernel module development
No complex data structures, memory restrictions, performance
Inter-process communication
Sockets, memory-map, shared memory etc.
Risk and Attack Analysis
Used skills so far (2/2)
Kernel – user space synchronization
Watch out for deadlocks, locking is dangerous
OS principles
Multi-threading, synchronization, OS architecture
Performance optimization
Cache friendly code, profiling
C and Java Development
No STL, implement your own fast & lightweight data structures, algorithms
Thank you…
info & applications: [email protected]