Dr. XiaoFeng Wang, Spring 2006
Packet Vaccine: Black-box Exploit Detection and Signature Generation
XiaoFeng Wang, Zhuowei Li, Jun Xu, Mike Reiter, Chongkyung Kil and Jong Youl Choi

Automated Exploit Defense

Expectations for Automated Defense?
- A perfect fix to vulnerable software?
- A reasonably secure, quickly generated fix seems more realistic

Automatic Exploit Defense: the State of the Art
- Source code instrumentation
- Static analysis of source code
- Monitoring an application's execution up to the point where it breaks
- Static analysis of binary code

Vaccine
- Vaccine: weakened viruses or bacteria that stimulate antibody production
- How about a black-box "packet vaccine"?

Ideas
1. Scramble the anomalous payload
2. Catch the resulting exception and analyze it
3. Inject vaccine variants

Properties
- Fast exploit detection
- Black-box signature generation
- Works on obfuscated code
- Little or no modification to the protected system

Design
1. Vaccine generation
2. Exploit detection
3. Vulnerability analysis
4. Signature generation

Vaccine Generation
- How to generate a weakened exploit?
- Our approach:
  1. Identify an address-like byte token in a packet
  2. Randomize it

Address-like Tokens
- Use the address ranges of the protected process
  - stack: 0xc
  - heap: 0x
  - entries of some libc functions
- Where to get them?
  - Linux: /proc/pid/maps
  - Windows: debugging tools / memory monitoring tools

Example
- The byte sequence `7801cbd3` falls in the address range of msvcrt.dll

Exploit Detection and Vulnerability Diagnosis
- Detection: an exception (e.g. a segmentation fault) occurs while the vaccine is processed
- Diagnosis:
  - Pick up the contents of CR2 (the faulting linear address) and EIP
  - Match them against the scrambled byte sequences
  - Locate the corrupted pointer
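The three steps on the Vaccine Generation, Address-like Tokens and Exploit Detection slides, as an added example that is not the authors' Packet Vaccine code: parse a /proc/pid/maps listing, scan a packet for words that land inside a mapped region, overwrite them with random words that map nowhere, and match the fault registers the verifier reports back to the scrambled word. The maps excerpt, the exploit packet, the 32-bit little-endian pointer layout and the fault record are all constructed for the example; in the real system the EIP and faulting address come from ptrace (PTRACE_GETREGS and siginfo si_addr) rather than from a dictionary.

```python
import random

# Constructed /proc/<pid>/maps excerpt for a 32-bit Linux process; the
# addresses and file names are illustrative, not taken from the slides.
MAPS_TEXT = """\
08048000-08050000 r-xp 00000000 03:01 12345      /usr/sbin/httpd
08050000-08052000 rw-p 00008000 03:01 12345      /usr/sbin/httpd
08052000-08070000 rw-p 00000000 00:00 0          [heap]
40000000-40015000 r-xp 00000000 03:01 23456      /lib/ld-2.2.5.so
42000000-42126000 r-xp 00000000 03:01 34567      /lib/i686/libc-2.2.5.so
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

WIDTH = 4  # pointer size; x86-32 and little-endian byte order are assumed

def parse_maps(text):
    """Parse /proc/<pid>/maps lines into (lo, hi, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        lo, hi = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5] if len(fields) > 5 else ""
        regions.append((lo, hi, fields[1], name))
    return regions

def is_mapped(value, regions):
    return any(lo <= value < hi for lo, hi, _perms, _name in regions)

def find_address_tokens(payload, regions):
    """Offsets whose WIDTH-byte little-endian word falls inside a mapped region."""
    hits = []
    off = 0
    while off + WIDTH <= len(payload):
        value = int.from_bytes(payload[off:off + WIDTH], "little")
        if is_mapped(value, regions):
            name = next(n for lo, hi, _p, n in regions if lo <= value < hi)
            hits.append((off, value, name))
            off += WIDTH          # do not report overlapping windows of one token
        else:
            off += 1
    return hits

def scramble(payload, hits, regions, rng):
    """Vaccine generation: overwrite every address-like token with a random word
    that maps nowhere, so a corrupted pointer must fault instead of reaching code."""
    vaccine = bytearray(payload)
    changes = {}
    for off, value, _name in hits:
        new = rng.getrandbits(8 * WIDTH)
        while is_mapped(new, regions):
            new = rng.getrandbits(8 * WIDTH)
        vaccine[off:off + WIDTH] = new.to_bytes(WIDTH, "little")
        changes[off] = (value, new)
    return bytes(vaccine), changes

def diagnose(changes, eip, cr2):
    """Match the fault registers reported by the verifier against the scrambled
    words.  EIP equal to a scrambled word means a corrupted control pointer
    (return address, function pointer); CR2, the faulting linear address, equal
    to one means a corrupted data pointer.  Returns (packet offset, kind) or None."""
    for off, (_old, new) in changes.items():
        if eip == new:
            return off, "control pointer (EIP)"
        if cr2 == new:
            return off, "data pointer (CR2)"
    return None

# Constructed exploit packet: a GET whose over-long URI overwrites a saved
# return address with a stack address (RET) followed by a NOP sled.
RET = 0xBFFFD3C0
EXPLOIT = b"GET /" + b"A" * 100 + RET.to_bytes(WIDTH, "little") + b"\x90" * 8 + b" HTTP/1.0\r\n"

def run_demo(seed=7):
    regions = parse_maps(MAPS_TEXT)
    hits = find_address_tokens(EXPLOIT, regions)
    vaccine, changes = scramble(EXPLOIT, hits, regions, random.Random(seed))
    # Constructed fault record: the process jumped through the scrambled word,
    # so the verifier sees it in EIP (and, for an instruction fetch, in CR2 too).
    _old, new = changes[hits[0][0]]
    return hits, vaccine, changes, diagnose(changes, eip=new, cr2=new)

if __name__ == "__main__":
    hits, vaccine, changes, verdict = run_demo()
    for off, value, name in hits:
        print(f"token at offset {off}: {value:#010x} in {name}")
    print("diagnosis:", verdict)
```

The scan treats every 4-byte window as a candidate, which is why the slide's example value (`7801cbd3` inside msvcrt.dll) would be found regardless of where it sits in the packet; on the wire that value appears byte-reversed under the little-endian assumption made here. The scrambled word is drawn until it is outside every region, so a crash is guaranteed if the application really does use the token as a pointer, which is what makes the absence of a crash a usable signal in the signature-generation steps.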

Signature Generation (1)
- Application-independent signatures: byte sequences
- Byte-based Vaccine Injection (BVI):
  - Modify one byte (in addition to the scrambled jump address)
  - Send the packet to the application
  - No crash → the byte is important and belongs in the signature

Signature Generation (2)
- Application-level signatures:
  - field length (buffer overrun)
  - special symbols (e.g. "%n" for a format string)
- App-based Vaccine Injection (AVI):
  - shrink the field to the minimal length that still crashes
  - remove special tokens until the crash disappears

Performance
- BVI is parallelizable (for a multi-process application)
- AVI can be sped up with binary search
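The BVI and AVI procedures from the two Signature Generation slides, including the binary search mentioned under Performance, as an added example rather than the authors' implementation. The crash oracle is a constructed toy HTTP front end with a 680-byte URI buffer (the real buffer size quoted for ATP http later in the talk); in the real system that oracle is the ptrace verifier answering "did the application fault on this packet". The vaccine packet, the filler byte and the candidate token list are assumptions made for the example.

```python
# Constructed stand-in for the verifier: a toy HTTP front end whose request-URI
# buffer holds 680 bytes.  A real deployment answers the same question by running
# the application under ptrace and watching for the fault.
BUF = 680

def toy_server_faults(packet):
    """True if the simulated server would take a memory fault on this packet."""
    line = packet.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return False                  # other methods take a path with no overrun
    return len(parts[1]) > BUF        # strcpy-style overrun of the URI buffer

def bvi_signature(vaccine, faults, filler=0x41):
    """Byte-based Vaccine Injection.  Each probe changes one byte of the vaccine
    (the jump address stays scrambled); if the fault disappears, the exploit
    depends on that byte and it becomes part of the byte-sequence signature."""
    important = {}
    for off in range(len(vaccine)):
        orig = vaccine[off]
        probe = bytearray(vaccine)
        probe[off] = filler if orig != filler else filler + 1
        if not faults(bytes(probe)):
            important[off] = orig
    return important

def avi_min_field_length(build, faults, hi):
    """App-based Vaccine Injection for a length field: smallest field length
    that still faults, found by binary search (assumes a monotone threshold)."""
    if not faults(build(hi)):
        return None
    lo = 0
    if faults(build(lo)):
        return lo
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if faults(build(mid)):
            hi = mid
        else:
            lo = mid
    return hi

def avi_special_tokens(vaccine, faults, candidates):
    """App-based Vaccine Injection for special tokens: a token stays in the
    signature only if deleting it from the vaccine stops the fault."""
    return [t for t in candidates
            if t in vaccine and not faults(vaccine.replace(t, b""))]

# Constructed vaccine: the exploit's jump address has already been scrambled to
# an unmapped word, so the packet faults when the server returns through it.
SCRAMBLED = b"\xde\xad\xbe\xef"
VACCINE = b"GET /" + b"A" * 700 + SCRAMBLED + b" HTTP/1.0\r\n"

def build_get(uri_len):
    """Vaccine variant with a URI of exactly uri_len bytes, for the AVI search."""
    return b"GET " + b"A" * uri_len + b" HTTP/1.0\r\n"

def run_demo():
    byte_sig = bvi_signature(VACCINE, toy_server_faults)
    min_len = avi_min_field_length(build_get, toy_server_faults, len(VACCINE))
    tokens = avi_special_tokens(VACCINE, toy_server_faults,
                                [b"GET ", b"HEAD ", b"/", b"//", b"%n"])
    return byte_sig, min_len, tokens

if __name__ == "__main__":
    byte_sig, min_len, tokens = run_demo()
    print("BVI bytes:", bytes(byte_sig[o] for o in sorted(byte_sig)))
    print("AVI minimal URI length:", min_len)
    print("AVI tokens:", tokens)
```

BVI needs one probe per packet byte and the probes are independent of each other, which is the parallelism the Performance slide refers to; the binary search in AVI needs about log2(720) probes instead of one per candidate length. Against this exact toy oracle the minimal length comes out at 681, one past the buffer; a real server's behaviour is what produces the looser 703 reported for ATP http. The token step reproduces the slide's point that "/" is not retained, because removing it leaves the overrun intact.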

Implementation
- Intercept application-level data flow to detect suspicious tokens
- Scramble them to generate vaccines
- Signature generation (Red Hat Linux 7.3):
  - Verifier: implemented with ptrace
  - Prober: local or remote
  - Prober and verifier share a persistent connection
  - The verifier notifies the prober of exceptions

Experiment: Vaccine Effectiveness

Experiment: Signature Generation

Signature Quality: BIND
- Comparison between our signature and MEP (Oakland '06)

Signature Quality: ATP http
- MEP:
  - gets "GET" and "HEAD"
  - but also the specific tokens "/" and "//", and a longer field length (812)
- AVI:
  - only "GET"
  - but a more precise field length (703)
- The real buffer size is 680

False Positives

Application: Protecting Internet Servers

Server Workload = = 8.34

Local Client Delay

Remote Client Delay

Other Applications
- Vulnerability scanner
- A lightweight replacement for grey-box approaches
- Proactive discovery and fixing of vulnerabilities

Limitations
- False negatives in exploit detection
- Encrypted payloads and checksummed fields: the address-like tokens cannot be seen or cannot be scrambled without invalidating the packet
- Signature representation is limited

Future Work
- Generation of more accurate signatures
- Proactive detection of software vulnerabilities