General approach to exploit detection and signature generation  White-box: needs the source code  Gray-box: more accurate, but needs to monitor a program's execution flow  Black-box: detects and analyzes an exploit using only the outputs of a vulnerable program

Packet vaccine approach  A black-box approach. Faster, but makes little use of data format information.

ShieldGen approach  A gray-box approach. A general gray-box approach is inherently specific to the attack input used in the data flow analysis.  ShieldGen generalizes attack-specific, symbolic-predicate-based signatures to cover significantly more attack variants by data-format-informed probing of the oracle.

Packet Vaccine: Black-box Exploit Detection and Signature Generation. Xiaofeng Wang, Zhuowei Li, Jun Xu, Michael K. Reiter, Chongkyung Kil, Jong Youl Choi. Presented by Zhaosheng Zhu

Outline Introduction to Packet Vaccine Related work Design of the packet vaccine mechanism Implementation and Evaluation Application (Good Points) Limitations (Bad Points) Conclusion

Introduction to Packet Vaccine  The principle of a vaccine  Packet vaccine:  Identify anomalous tokens in packet payloads  Randomize the contents of the tokens to get a vaccine  Generate a signature upon an exception

Design of the packet vaccine mechanism

Design: 1. Vaccine Generation  Build a target address set: T = [b_s - au_s, b_s] ∪ [b_h, b_h + au_h] ∪ S  Aggregate the application payloads of the packets in one session into a data flow and carry out the proper decoding  For every byte sequence that falls in T, do replacement  Construct vaccine packets using the new data flows

Example

Design: 2. Exploit Detection and Vulnerability Diagnosis  Correlate each byte sequence that equals the forensic string with the exception  Validation test: randomize all byte sequences, generate a new vaccine, check, and repeat

Design: 3. Signature Generation  Construct packet vaccines or probes by randomizing address-like strings  Detect the exploit by observing a memory exception upon packet vaccine injection  Generate signatures by finding in the attack input the bytes that cannot take random values
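Added example (not code from the paper or these slides): the three design steps above as a small Python simulation. The address ranges in T, the toy 'USER' server stub standing in for the monitored program, and the sample attack payload are constructed assumptions; a real deployment takes T from the process's memory map and observes the exception through the ptrace-based monitor.

```python
import random
import struct
# Constructed address ranges (assumptions, not values from the paper): the target set is
# T = [b_s - au_s, b_s] U [b_h, b_h + au_h] U S, with S a small set of static addresses.
STACK, HEAP, STATIC = (0xBFFF0000, 0xBFFFFFFF), (0x08050000, 0x0806FFFF), {0x08048F00}
RNG = random.Random(1)   # seeded so the demo is reproducible
ATTACK = b'USER ' + b'A' * 8 + struct.pack('<I', 0xBFFFF3A0) + b'\r\n'  # constructed sample

def in_target_set(addr):
    return STACK[0] <= addr <= STACK[1] or HEAP[0] <= addr <= HEAP[1] or addr in STATIC

def find_address_tokens(payload):
    """Offsets of every 4-byte little-endian word in the data flow whose value lies in T."""
    return [i for i in range(len(payload) - 3)
            if in_target_set(struct.unpack_from('<I', payload, i)[0])]

def make_vaccine(payload, rng=RNG):
    """Randomize every address-like token; return the vaccine and the offsets touched."""
    vaccine, hits = bytearray(payload), find_address_tokens(payload)
    for i in hits:
        for j in range(i, i + 4):
            vaccine[j] = rng.randrange(256)
    return bytes(vaccine), hits

def mock_oracle(data):
    """Constructed stand-in for the vulnerable server: copies the bytes after b'USER ' into an
    8-byte stack buffer, so argument bytes 8..11 become the faulting address (or None)."""
    if not data.startswith(b'USER ') or len(data) - 5 < 12:
        return None
    return struct.unpack_from('<I', data, 5 + 8)[0]

def detect_exploit(payload, oracle, rng=RNG):
    """Inject one vaccine; an exploit is confirmed when the fault equals a planted token."""
    vaccine, hits = make_vaccine(payload, rng)
    fault = oracle(vaccine)
    for i in hits:
        if fault is not None and struct.unpack_from('<I', vaccine, i)[0] == fault:
            return i            # offset of the forensic string inside the data flow
    return None

def generate_signature(payload, oracle, addr_off, rng=RNG):
    """Bytes outside the address token that cannot take random values form the signature."""
    base, _ = make_vaccine(payload, rng)       # probe from a vaccine, never the raw attack
    fixed = {}
    for i in (k for k in range(len(base)) if not addr_off <= k < addr_off + 4):
        probe = bytearray(base)
        probe[i] = (probe[i] + rng.randrange(1, 256)) % 256   # guaranteed to differ
        if oracle(probe) is None:              # exception vanished: this byte matters
            fixed[i] = payload[i]
    return {'fixed_bytes': fixed, 'address_field': addr_off}
```

A crash whose fault address matches none of the planted tokens is not attributed to the packet, which is the correlation step that keeps random crashes from producing signatures.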

Byte-based vaccine injection  Can be parallelized in most cases

Implementation  The target address set is extracted from proc files  The process monitor is developed using ptrace; kernel mode is necessary to read CR2  Signature generation: prober and verifier; sequential vaccine injection (performance penalty)

Evaluation  Linux exploits  Windows-based exploits: Code Red II, heap-based overflow

Evaluation: comparison with MEP signatures  An MEP signature contains richer information  The quality of MEP signatures is limited by the availability of multiple exploit instances and application information  MEP is slower

Application An architecture to protect Internet servers using packet vaccine

Application (good points)  Fast: up to an order of magnitude faster than gray-box approaches  Does not use source code  Effective: immune to interference  Low overhead: no need to install anything on the host; lightweight collector

Limitations  Its main probing scheme randomizes each byte rather than leveraging data format information  Works more reliably for text-based protocols than for binary ones, because of the lack of protocol knowledge for binary data formats  The benefit of leveraging protocol specifications is only briefly mentioned; it is unclear what type of protocol specification language is considered and how the specifications would be leveraged  Can only detect control-flow hijacking attacks; cannot detect exploits of the WMF vulnerability

Conclusion  Packet vaccine is a fast, black-box technique for exploit detection, but it is not good enough in some cases. If the input data format is given, we have a better approach: ShieldGen.

ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing Weidong Cui Marcus Peinado Helen J. Wang Michael E. Locasto Presented by Zhaosheng Zhu

Outline What is ShieldGen Related work and Comparison System Design Evaluation and Performance Some future work Conclusion

What is ShieldGen  A system for automatically generating a data patch or a vulnerability signature for an unknown vulnerability  Leverages knowledge of the data format  Uses a data patch instead of a traditional software patch

ShieldGen system overview

Related work  Polygraph: significant false negatives and false positives  Nemean: generalization is dependent on the attack instance  COVERS: signatures do not contain any protocol context  Packet vaccine: randomizes each byte rather than leveraging data format information; not efficient enough; can only detect control-flow hijacking attacks

The Oracle: a Zero-Day Attack Detector  Uses Vigilante's zero-day detector, based on dynamic data flow analysis  Implements three vulnerability conditions: arbitrary execution control (AEC), arbitrary code execution (ACE), arbitrary function arguments (AFA)

Data Format Spec and Data Analyzer  Two assumptions about the input data: data formats are known; no encryption or obfuscation is used  Two types of analyzers: file data (application-level protocol, host-based) and network data (high-speed parsing with a preprocessed protocol parser, e.g., binpac and GAPA)  We use GAPA as our data analyzer

System design  Design goals: no false positives; minimize the number of false negatives; minimize the number of probes

Data patch generation

Some methods to reduce probes  Recognize iterative elements  Obey protocol semantics to reduce illegitimate probes  High probability that the vulnerability predicate depends only on the last message

Probe generation algorithm: three steps  Buffer overrun heuristic for character strings  Iteration removal  Eliminating irrelevant field conditions

Buffer overrun heuristic  If the offending byte lies in the middle of a byte or Unicode string, ShieldGen diagnoses a buffer overrun and adds the following condition as a refinement: sizeof(buffer) > offendingByteOffset - bufferStartOffset

Iteration removal  Many popular input formats include arbitrary sequences of largely independent elements (records); any input that contains a malicious record is an attack  Generate probes by removing some of the iterative elements; an iterative element can be removed if the probe still exploits successfully

Eliminating irrelevant field conditions  Construct probes over the remaining data fields to eliminate don't-care fields and to find additional values of the data fields for which the attack succeeds  Evaluate one field at a time
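Added example (not the ShieldGen code): the three probing steps above run against a constructed toy request format and a stub oracle standing in for Vigilante's detector. SPEC, ATTACK, serialize and mock_oracle are all assumptions; the returned probe count illustrates the "minimize the number of probes" design goal.

```python
# Constructed toy request format (an assumption, not a format from the paper):
# cmd (5 bytes) | flags (1 byte) | n_records (1 byte) | records (4 bytes each) | name (rest)
SPEC = {'cmd': [b'LOGIN', b'QUERY'], 'flags': [0, 1, 2]}   # legal values of each scalar field
ATTACK = {'cmd': b'LOGIN', 'flags': 1, 'records': [b'r1r1', b'r2r2', b'r3r3'], 'name': b'A' * 40}

def serialize(msg):
    """Encode a parsed message; also return the start offset of every field."""
    raw, offs = bytearray(), {}
    for field in ('cmd', 'flags', 'records', 'name'):
        offs[field] = len(raw)
        if field == 'flags':
            raw.append(msg['flags'])
        elif field == 'records':
            raw.append(len(msg['records']))
            raw += b''.join(msg['records'])
        else:
            raw += msg[field]
    return bytes(raw), offs

def mock_oracle(raw):
    """Constructed stand-in for the Vigilante-style detector: reports AEC when a LOGIN name
    longer than 20 bytes hits the saved return address; returns that byte's offset or None."""
    if raw[:5] != b'LOGIN':
        return None
    name_start = 7 + 4 * raw[6]
    return name_start + 20 if len(raw) - name_start > 20 else None

def generate_filter(attack, oracle):
    """ShieldGen-style probing: buffer-overrun heuristic, iteration removal, then
    elimination of irrelevant field conditions. Returns (conditions, number of probes)."""
    probes = [0]
    def attack_succeeds(msg):
        probes[0] += 1
        return oracle(serialize(msg)[0]) is not None
    msg = dict(attack, records=list(attack['records']))
    raw, offs = serialize(msg)
    off = oracle(raw); probes[0] += 1
    # 1. Offending byte inside the string field 'name' -> buffer overrun: len(name) > off - start
    conds = {'name': ('len_gt', off - offs['name'])} if offs['name'] <= off < len(raw) else {}
    # 2. Iteration removal: a record is dropped for good when the probe still triggers the oracle
    for rec in range(len(msg['records']) - 1, -1, -1):   # walk backwards so indices stay valid
        trial = dict(msg, records=msg['records'][:rec] + msg['records'][rec + 1:])
        if attack_succeeds(trial):
            msg = trial
    conds['records'] = 'dont-care' if not msg['records'] else ('required', msg['records'])
    # 3. Evaluate one scalar field at a time against every legal alternative value
    for field, values in SPEC.items():
        hits = [v for v in values if attack_succeeds(dict(msg, **{field: v}))]
        conds[field] = 'dont-care' if len(hits) == len(values) else ('in', hits)
    return conds, probes[0]
```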

Evaluation  Run ShieldGen on three well-known vulnerabilities: the SQL vulnerability, the RPC vulnerability, and the WMF (Windows Metafile) vulnerability

Filter quality of ShieldGen For a larger sample of real-world vulnerabilities

Failure cases and analysis Complex conditions Unchecked array indices Other special cases

Future work  Quality of the data format specification: in our scheme the quality of the data format specification matters  Complex filter conditions

Future work  Probing time: a reference VM is preferred  Attacks not delivered by the last message

Conclusion  Leverage data format information to construct new attack instances  Generate high-quality vulnerability signatures: fewer don't-care fields, fewer false negatives

Thanks!