On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

Slides:

Advertisements

Similar presentations

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Advertisements

Technology of Test Case Generation Levi Lúcio University of Geneva Marko Samer Vienna University of Technology.

By Hiranmayi Pai Neeraj Jain

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities Jedidiah R. Crandall†, S. Felix Wu†, and Frederic.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Automated malware classification based on network behavior

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

1 DACODA [Crandall et al.; CCS 2005] DA vis mal COD e A nalyzer Discover invariants in the exploit vector ( ε )  Symbolic execution on the system trace.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.

Vladimír Smotlacha CESNET Full Packet Monitoring Sensors: Hardware and Software Challenges.

Saturday, May 17, 2008 Generating signatures for zero-day network attacks Pascal Gamper Daniela Brauckhoff Bernhard Tellenbach.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

The Inter-network is a big network of networks.. The five-layer networking model for the internet.

Breno de MedeirosFlorida State University Fall 2005 Network Intrusion Detection Systems Beyond packet filtering.

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

COEN 180 Erasure Correcting, Error Detecting, and Error Correcting Codes.

Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California,

Execution of an instruction

Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic Authors: Oleg Kolensnikov and Wenke Lee Published: Technical report, 2005, College.

Database as a networked server DB at the centre of the network Network Access Map for DB environment Tracking of tools and apps Remove unnecessary network.

Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits H. Wang, C. Guo, D. Simon, and A. Zugenmaier Microsoft Research.

METAMORPHIC VIRUS NGUYEN LE VAN.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

Chapter 27 IPv6 Protocol.

Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam.

DoS/DDoS attack and defense

Covert Channels in IPv6 Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin Syracuse University PET 2005, Cavtat, Croatia May 31 st, 2005.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

What’s Ahead for Embedded Software? (Wed) Gilsoo Kim

Role Of Network IDS in Network Perimeter Defense.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Polygraph: Automatically Generating Signatures for Polymorphic Worms Authors: James Newsome (CMU), Brad Karp (Intel Research), Dawn Song (CMU) Presenter:

IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.

LECTURE 6 MALICIOUS SOFTWARE

POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms

EN Lecture Notes Spring 2016

Part 1: Basic Analysis Chapter 1: Basic Static Techniques

High Coverage Detection of Input-Related Security Faults

Chap 10 Malicious Software.

Chap 10 Malicious Software.

Topic 1: Be able to combine functions and determine the resulting function. Topic 2: Be able to find the product of functions and determine the resulting.

Presentation transcript:

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits

1. Introduction A vulnerability gives the attacker an important primitive. –the attacker can build different exploits using this primitive Need to generate vulnerability-specific signatures from exploits. –Add more precision to the signature and use heuristics, such as look at the length of fields. –Relax the requirement that no portion of a valid protocol be dropped.

1.2 The DA vis Mal COD e A nalyzer Many exploits can involve more than one network connection, multiple processes, multithreading. Two different models in order to be more perspicuous in discussing polymorphism and metamorphism –The Epsilon-Gamma-Pi model Control flow hijacking attacks –PD-Requires-Provides model exploits

2. The Epsilon-Gamma-Pi Model

ε maps the exploit vector from the attacker’s network packets onto the trace of the machine being attacked before control flow hijacking occurs. –A vulnerability can be thought of as a set of projections for ε that will lead to control flow hijacking γ maps the bogus control data used for hijacking control flow. π maps the payload executed after control flow has been hijacked.

2. The Epsilon-Gamma-Pi Model Worm signature generation with any particular technique can bee seen as a characterization of one or more of the three mappings possibly combined with information about the attack trace on the infected host. Polymorphism change bytes in the row spaces of the three projections without changing the mappings. π and γ permit too much polymorphism Metamorphism uses different mappings each time.

3. How DACODA works Using symbolic execution, DACODA is able to discover strong, explicit equality predicates about ε. –strong, explicit equality predicate is an equality predicate that is exposed because of an explicit check for equality. These predicates can be used for signature generation.

3. How DACODA works Currently is being emulated in a full-system Pentium environment based on the Bochs emulator. Needs an oracle to raise an alert when bogus control flow transfer has occurred. Tracks the data through all kernel- and user-space processes and discovers equality predicates every time the labeled data or a symbolic expression is explicitly used in a conditional control flow transfer.

4. Exploits analyzed by DACODA Processing of Network Data in the Kernel Multiple Processes Involved Multithreading and Multiple Ports Side Channels Encodings and Encryption Undesirable Predicates Lack of Good Signature for Some Exploits

5. Poly/Metamorphism Polymorphism of ε –Change some bytes mapped by ε without changing the mapping. Metamorphism of ε –Take an equivalent path –Add paths that are unnecessary –Changing the order –What about multithreading ?

5.3 The PD-Requires-Provides Model Metamorphic techniques that use arbitrary memory corruption primitives in multithreaded applications to build complex exploits require a model that views the system “from-the-architecture-up”. Requirements and What They Provide Should Focus on Primitives, not Vulnerabilities

7. Conclusions Single contiguous byte string signatures are not effective for content filtering. Token-based byte string signatures composed from smaller strings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used. Whole-system analysis is critical in understanding exploits.

3. How DACODA Works: An Example