Module research_paper

§📄 Research Paper

The full system design, together with the evaluation results, is described in our research paper: Smoke and Mirrors: Systematic OT Malware Elicitation. Here we provide the details needed to reproduce those results.

§Experiments

The paper contains experiments conducted on the following real-world malware samples and synthetic analogues:

  1. FrostyGoop. Used to assess the ability of protocol-aware network-response exploration to elicit exploitation-stage OT behaviour. Two variants were analysed, with distinct configurations:
    • FG-1: Single Modbus TCP Write Single Register operation
    • FG-2: Four alternating read/write operations on registers against a single host, driven by a JSON task file
  2. Triton. Used to assess the ability of the framework to elicit exploitation-stage OT behaviours for incompletely documented protocols.
  3. FrostyCry. A synthetic sample used to assess the framework's ability to elicit response-gated branches.
  4. Fuzzing Benchmarks. A collection of synthetic samples for benchmarking different mechanisms for memory block comparison, used in fuzzing runs:
    • memcmp - 2 bytes,
    • inline - 2 bytes.

| Name | Hash | Env variables | CLI command | Mode |
|---|---|---|---|---|
| FG-1 | 2fd9…559a | set GODEBUG=asyncpreemptoff=1 | fg1 cli | Network Mode |
| FG-2 | 5d2e…53fb | set GODEBUG=asyncpreemptoff=1 | fg2 cli | Network Mode |
| trilog | e854…d230 | N/A, but requires a 32-bit build | trilog cli | Network Mode |
| FrostyCry | N/A | N/A | frostycry cli | Buffer Mode |
| memcmp 2 bytes | N/A | N/A | memcmp cli | Buffer Mode |
| inline 2 bytes | N/A | N/A | inline cli | Buffer Mode |

§Network Mode

When running SaM in network mode, the following command was used to start FakeNet:

fakenet.exe -v -c navigator-server.ini

§CLI commands

The following commands were used to execute SaM on the instrumented malware binaries.

§fg1-cli

cargo run --
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build32\bin\Release\mutator.dll
--dynamorio-bin-dir <path>\<to>\<dynamorio cronbuild-11.91.20504>\bin64
--server-managed 
--coverage-module console_2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a.exe
--target-module console_2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a.exe
--target-path <path>\<to>\console_2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a.exe 
--nargs 2 
--target-opts="-ip 192.168.1.10 -mode write -address 0 -value 99"

§fg2-cli

cargo run --
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build32\bin\Release\mutator.dll
--dynamorio-bin-dir <path>\<to>\<dynamorio cronbuild-11.91.20504>\bin64
--server-managed 
--coverage-module console_5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb.exe
--target-module console_5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb.exe
--target-path <path>\<to>\console_5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb.exe
--nargs 2
--target-opts="-input-task input-task.json"

The JSON config file passed to sample FG-2, named input-task.json, contains the following content:

{
  "Iplist": ["192.168.1.10"],
  "Tasks": [
    {
      "Code": 3,
      "Address": 53370,
      "Count": 2
    },
    {
      "Code": 6,
      "Address": 53370,
      "Count": 2,
      "Value": 99
    },
    {
      "Code": 3,
      "Address": 53882,
      "Count": 2
    },
    {
      "Code": 16,
      "Address": 53882,
      "Count": 2,
      "Value": 99
    }
  ]
}
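
The task file above is what drives the FG-2 run. As an added example (Python; not code from the SaM project or from the paper), the following parses that file, encodes each task as the Modbus/TCP request a client would send according to the public Modbus specification, and decodes such frames to flag write operations, which is the check a defender watching the FakeNet side (or a real PLC's traffic) would want. The unit identifier (1), the transaction-id numbering, and the repetition of Value across Count registers for function code 16 are assumptions of this example; the sample's own encoder is not reproduced here.

```python
import json
import struct

# Constructed copy of the page's input-task.json for FG-2 (same content as
# the page), embedded so the example runs offline.
INPUT_TASK_JSON = """{
  "Iplist": ["192.168.1.10"],
  "Tasks": [
    {"Code": 3, "Address": 53370, "Count": 2},
    {"Code": 6, "Address": 53370, "Count": 2, "Value": 99},
    {"Code": 3, "Address": 53882, "Count": 2},
    {"Code": 16, "Address": 53882, "Count": 2, "Value": 99}
  ]
}"""

FUNCTION_NAMES = {
    3: "Read Holding Registers",
    6: "Write Single Register",
    16: "Write Multiple Registers",
}
# Function codes that modify device state (coils/registers); these are the
# ones worth alerting on when a workstation starts talking to a PLC.
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_pdu(task):
    """Encode one task as a Modbus PDU (function code + data), big-endian per spec.
    Assumption: for code 16 the task's Value is written to each of Count registers."""
    code, addr = task["Code"], task["Address"]
    if code == 3:                       # read holding registers: addr, quantity
        return struct.pack(">BHH", 3, addr, task["Count"])
    if code == 6:                       # write single register: addr, value
        return struct.pack(">BHH", 6, addr, task["Value"])
    if code == 16:                      # write multiple: addr, quantity, byte count, values
        count = task["Count"]
        regs = b"".join(struct.pack(">H", task["Value"]) for _ in range(count))
        return struct.pack(">BHHB", 16, addr, count, len(regs)) + regs
    raise ValueError(f"unsupported function code {code}")


def build_adu(transaction_id, unit_id, pdu):
    """Prepend the MBAP header: transaction id, protocol id 0, length (unit + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def frames_from_task_file(text, unit_id=1):
    """Return [(host, raw_adu)] for every task in the JSON, in task order.
    unit_id=1 is an assumption; the task file carries no unit identifier."""
    cfg = json.loads(text)
    frames = []
    for host in cfg["Iplist"]:
        for tid, task in enumerate(cfg["Tasks"], start=1):
            frames.append((host, build_adu(tid, unit_id, build_pdu(task))))
    return frames


def decode_adu(raw):
    """Parse MBAP + PDU from a captured request; ValueError on a malformed header."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:
        raise ValueError("bad MBAP header (protocol id or length mismatch)")
    fc = raw[7]
    addr = struct.unpack(">H", raw[8:10])[0] if len(raw) >= 10 else None
    return {"tid": tid, "unit": unit, "function": fc,
            "address": addr, "write": fc in WRITE_FUNCTIONS}


def is_well_formed(raw):
    """True if the frame has a consistent MBAP header."""
    try:
        decode_adu(raw)
        return True
    except ValueError:
        return False


def flag_writes(frames):
    """Detection helper: (host, function name, start address) for every write request."""
    hits = []
    for host, raw in frames:
        d = decode_adu(raw)
        if d["write"]:
            name = FUNCTION_NAMES.get(d["function"], f"FC{d['function']}")
            hits.append((host, name, d["address"]))
    return hits


if __name__ == "__main__":
    for host, raw in frames_from_task_file(INPUT_TASK_JSON):
        print(host, raw.hex(), decode_adu(raw))
    print(flag_writes(frames_from_task_file(INPUT_TASK_JSON)))
```

Run over the FG-2 task file this yields four requests and two write hits, at addresses 53370 (function code 6) and 53882 (function code 16), which matches the read/write alternation the experiment list describes. The length check in decode_adu is deliberate: a response-spoofing setup such as FakeNet only needs to answer what the sample sends, but a monitor should reject frames whose MBAP length disagrees with the bytes on the wire rather than guess at the function code.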
§trilog-cli

Note: requires 32-bit builds for trilog.exe.

cargo run --
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build32\bin\Release\mutator.dll
--dynamorio-bin-dir <path>\<to>\<dynamorio cronbuild-11.91.20504>\bin32
--server-managed 
--coverage-module trilog.exe
--target-module trilog.exe
--target-path <path>\<to>\trilog.exe 
--seed-data <path>\<to>\example.bin 
--nargs 2 
--target-opts 192.2.2.2

§frostycry-cli

cargo run -- 
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build64\bin\Release\mutator.dll
--dynamorio-bin-dir <path>\<to>\<dynamorio cronbuild-11.91.20504>\bin64
--coverage-module frostycry.exe 
--target-module frostycry.exe 
--target-path <path>\<to>\frostycry.exe 
--nargs 2 
--target-opts="-ip 192.168.22.22 -count 4 -value 99 -v"
--fuzz-iterations 3000 
--parallel 5 

§memcmp-cli

cargo run -- 
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build64\bin\Release\mutator.dll
--coverage-module prove_fuzzing_capability_memcmp_3.exe 
--target-module prove_fuzzing_capability_memcmp_3.exe
--target-path <path>\<to>\prove_fuzzing_capability_memcmp_3.exe 
--nargs 2 
--target-opts 192.2.2.2 
--fuzz-iterations 3000 
--parallel 5

§inline-cli

cargo run -- 
--mutator-lib <full>\<path>\<to>\winafl-netspoof\build64\bin\Release\mutator.dll 
--coverage-module prove_fuzzing_capability_cmp_inline_2.exe 
--target-module prove_fuzzing_capability_cmp_inline_2.exe
--target-path <path>\<to>\prove_fuzzing_capability_cmp_inline_2.exe 
--nargs 2
--target-opts 192.2.2.2 
--fuzz-iterations 3000 
--parallel 5