Formalizing Sensitivity in Program Models for Intrusion Detection Henry Hanping Feng Yong Huang University of Massachusetts

Slides:



Advertisements
Similar presentations
Pushdown Automata Section 2.2 CSC 4170 Theory of Computation.
Advertisements

Pushdown Automata Chapter 12. Recognizing Context-Free Languages Two notions of recognition: (1) Say yes or no, just like with FSMs (2) Say yes or no,
Pushdown Automata Chapter 12. Recognizing Context-Free Languages We need a device similar to an FSM except that it needs more power. The insight: Precisely.
Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.
Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.
Costas Busch - RPI1 Pushdown Automata PDAs. Costas Busch - RPI2 Pushdown Automaton -- PDA Input String Stack States.
Courtesy Costas Busch - RPI1 Pushdown Automata PDAs.
1 The scanning process Goal: automate the process Idea: –Start with an RE –Build a DFA How? –We can build a non-deterministic finite automaton (Thompson's.
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
1 Normal Forms for Context-free Grammars. 2 Chomsky Normal Form All productions have form: variable and terminal.
Fall 2004COMP 3351 Pushdown Automata PDAs. Fall 2004COMP 3352 Pushdown Automaton -- PDA Input String Stack States.
Fall 2006Costas Busch - RPI1 Pushdown Automata PDAs.
1 Normal Forms for Context-free Grammars. 2 Chomsky Normal Form All productions have form: variable and terminal.
Pushdown Automaton (PDA)
Prof. Busch - LSU1 Pushdown Automata PDAs. Prof. Busch - LSU2 Pushdown Automaton -- PDA Input String Stack States.
Fall 2005Costas Busch - RPI1 Pushdown Automata PDAs.
1 Pushdown Automata PDAs. 2 Pushdown Automaton -- PDA Input String Stack States.
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
A Survey of Host Based Intrusion Detection Systems (HIDS) Emre Can Sezer Dept. of Comp. Science North Carolina State University.
Pushdown Automata (PDAs)
Cs3102: Theory of Computation Class 6: Pushdown Automata Spring 2010 University of Virginia David Evans TexPoint fonts used in EMF. Read the TexPoint manual.
Cs3102: Theory of Computation Class 14: Turing Machines Spring 2010 University of Virginia David Evans.
PushDown Automata. What is a stack? A stack is a Last In First Out data structure where I only have access to the last element inserted in the stack.
CSC3315 (Spring 2009)1 CSC 3315 Lexical and Syntax Analysis Hamid Harroud School of Science and Engineering, Akhawayn University
SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.
CSCI 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Pushdown.
1 Pushdown Automata Definition Moves of the PDA Languages of the PDA Deterministic PDA’s.
Grammar Set of variables Set of terminal symbols Start variable Set of Production rules.
Nondeterministic Finite State Machines Chapter 5.
1 Chapter Pushdown Automata. 2 Section 12.2 Pushdown Automata A pushdown automaton (PDA) is a finite automaton with a stack that has stack operations.
CS 154 Formal Languages and Computability March 10 Class Meeting Department of Computer Science San Jose State University Spring 2016 Instructor: Ron Mak.
Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata Date:101/3/21 Publisher:SIGCOMM 08 Author:Randy Smith Cristian.
Pushdown Automata - like NFA-  but also has a stack - transition takes the current state, the current input symbol, and the top-of-the-stack symbol (which.
Recap: Nondeterministic Finite Automaton (NFA) A deterministic finite automaton (NFA) is a 5-tuple (Q, , ,s,F) where: Q is a finite set of elements called.
6. Pushdown Automata CIS Automata and Formal Languages – Pei Wang.
Algorithm Analysis 1.
More variants of Turing Machines
Protection of System Resources
CSE 105 theory of computation
CIS Automata and Formal Languages – Pei Wang
Pushdown Automata PDAs
The time complexity for e-closure(T).
Pushdown Automata PDAs
Pushdown Automata PDAs
Pushdown Automata PDAs
Chapter 7 PUSHDOWN AUTOMATA.
Pushdown Automata.
COSC 3340: Introduction to Theory of Computation
Pushdown Automata (PDA). Part 3
Stack Memory 2 (also called Call Stack)
Somesh Jha University of Wisconsin
Information Security CS 526
Nondeterministic Finite Automata
Pushdown Automaton (PDA)
Information Security CS 526
CSE 105 theory of computation
When a function is called...
… NPDAs continued.
Chapter 1 Regular Language
Pushdown automata The Chinese University of Hong Kong Fall 2011
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Information Security CS 526
Recap lecture 40 Recap of example of PDA corresponding to CFG, CFG corresponding to PDA. Theorem, HERE state, Definition of Conversion form, different.
More About Nondeterminism
CSE 105 theory of computation
Non Deterministic Automata
Normal Forms for Context-free Grammars
COP 4620 / 5625 Programming Language Translation / Compiler Writing Fall 2003 Lecture 7, 10/09/2003 Prof. Roy Levow.
CSE 105 theory of computation
Presentation transcript:

Formalizing Sensitivity in Program Models for Intrusion Detection Henry Hanping Feng Yong Huang University of Massachusetts Jonathon T. Giffin Somesh Jha Barton P. Miller University of Wisconsin Wenke Lee Georgia Institute of Technology

11 May 2004 Henry Feng & Jonathon Giffin 2 Important Ideas Formalizing program models facilitates understanding & comparison. Exposing additional program state improves monitoring speed & model accuracy. –VPStatic model: reads program’s call stack –Dyck model: instruments binary code

11 May 2004 Henry Feng & Jonathon Giffin 3 Model-Based Intrusion Detection Build model of correct program behavior Model: automaton specifying all valid system call sequences Runtime monitor ensures execution does not violate model Operating System User Process

11 May 2004 Henry Feng & Jonathon Giffin 4 Model-Based Intrusion Detection Model must be fast to operate Model must accurately represent program –Context-sensitive models restrict impossible paths Operating System User Process

11 May 2004 Henry Feng & Jonathon Giffin 5 Code Example char *filename; pid_t[2] pid; int prepare (int index) { char buf[20]; pid[index] = getpid(); strcpy(buf, filename); return open(buf, O_RDWR); } getpid open

11 May 2004 Henry Feng & Jonathon Giffin 6 Code Example void action (void) { uid_t uid = getuid(); int handle; if (uid != 0) { handle = prepare(1); read(handle, …); } else { handle = prepare(0); write(handle, …); } close(handle); } getuid writeread close prepare

11 May 2004 Henry Feng & Jonathon Giffin 7 NFA Model getuid writeread close prepare getpid open Function action Function prepare

11 May 2004 Henry Feng & Jonathon Giffin 8 NFA Model getuid writeread close getpid open Function action Function prepare

11 May 2004 Henry Feng & Jonathon Giffin 9 Impossible Path Exploit void action (void) { uid_t uid = getuid(); int handle; if (uid != 0) { handle = prepare(1); read(handle, …); } else { handle = prepare(0); write(handle, …); } close(handle); } getuid writeread close prepare

11 May 2004 Henry Feng & Jonathon Giffin 10 pop Y push Y pop X PDA Model getuid writeread close getpid open push X Function action Function prepare

11 May 2004 Henry Feng & Jonathon Giffin 11 PDA Problems Impossible paths still exist –Non-determinism indicates missing execution information PDA run-time state explosion –ε-edge identifiers maintained on a stack –Stack non-determinism is expensive –post* algorithm: cubic in automaton size X push Y getuid getpid push X

11 May 2004 Henry Feng & Jonathon Giffin 12 Determinize PDA Expand the input alphabet by exposing the stack operations and the target state of the transition –f a,p,z indicates consume input a, push z on the stack, and transition to state p. –g a,p,z for pop operations. –e a,p for operations with no stack activity. Result in a Deterministic PDA (or DPDA). Exposing only stack operations we get PDA with deterministic stack operations (or sDPDA).

11 May 2004 Henry Feng & Jonathon Giffin 13 NFA State non-determinism is cheap. State non-determinism unlink

11 May 2004 Henry Feng & Jonathon Giffin 14 Non-Deterministic PDA Stack non-determinism is expensive. State non-determinism unlink push Ypush X Stack non-determinism

11 May 2004 Henry Feng & Jonathon Giffin 15 Deterministic PDA (DPDA) State non-determinism unlink push Ypush X Stack non-determinism

11 May 2004 Henry Feng & Jonathon Giffin 16 Stack-Deterministic PDA (sDPDA) State non-determinism unlink push Ypush X Stack non-determinism

11 May 2004 Henry Feng & Jonathon Giffin 17 Input Symbol Processing Complexity n is state count m is transition count k is PDA input alphabet size r is PDA stack alphabet size Model Time Complexity Space Complexity Input Alphabet Size PDAO(nm 2 ) k DPDAO(1)  (knr) sDPDAO(n)  (kr)

11 May 2004 Henry Feng & Jonathon Giffin 18 VPStatic A variant of VtPath model. –DPDA. –Generated by static analysis of binary. Use Addr(state) to expose states.

11 May 2004 Henry Feng & Jonathon Giffin 19 Determinizing via Observation Extract return addresses from call stack into virtual stack list for each system call. Generate a bunch of input symbols for each system call.

11 May 2004 Henry Feng & Jonathon Giffin 20 Addr(C0) Addr(C1) e(open,Addr(Sopen)) Determinizing via Observation char *filename; pid_t[2] pid; int prepare (int index) { char buf[20]; pid[index] = getpid(); strcpy(buf, filename); return open(buf, O_RDWR); } … Addr(C1) … e(none,Exit(prepare)) g(none,Addr(C1),Addr(C1)) e(none,Addr(C0)) f(none,Entry(prepare),Addr(C0)) e(open,Addr(Sopen)) getpid open

11 May 2004 Henry Feng & Jonathon Giffin 21 pop Y ]Y]Y [Y[Y ]X]X [X[X push Y pop X Dyck Model getuid writeread close getpid open push X

11 May 2004 Henry Feng & Jonathon Giffin 22 Dyck Model getuid [ X getpid open ] X read close getuid [ Y getpid open ] Y write close Matching brackets are alphabet symbols –Expose stack operations to runtime monitor –Language of bracket symbols is a Dyck language –Rewrite binary to generate bracket symbols

11 May 2004 Henry Feng & Jonathon Giffin 23 Determinizing via Binary Rewriting Insert code to generate bracket symbols around function call sites Notify monitor of stack activity Determinizes stack operations void action (void) { uid_t uid = getuid(); int handle; if (uid != 0) { precall(X); handle = prepare(1); postcall(X); read(handle, …); } else { precall(Y); handle = prepare(0); postcall(Y); write(handle, …); } close(handle); }

11 May 2004 Henry Feng & Jonathon Giffin 24 push Ypush X [Y[Y [X[X Dyck Model Dyck model stack-determinizes PDA Stack deterministism push Ypush X Stack non-determinism Only one valid stack configuration

11 May 2004 Henry Feng & Jonathon Giffin 25 Test Programs Program Number of Instructions htzipd 110,096 gzip 57,271 cat 52,601

11 May 2004 Henry Feng & Jonathon Giffin 26

11 May 2004 Henry Feng & Jonathon Giffin 27

11 May 2004 Henry Feng & Jonathon Giffin 28 Questions? Henry Hanping Feng, Yong Huang University of Massachusetts—Amherst Jonathon T. Giffin, Somesh Jha, Barton P. Miller University of Wisconsin—Madison Wenke Lee Georgia Institute of Technology