
High-Speed Matching of Vulnerability Signatures
Nabil Schear *, David R. Albrecht †, Nikita Borisov †
University of Illinois at Urbana-Champaign
* Department of Computer Science
† Department of Electrical and Computer Engineering
{nschear2, dalbrech,
16 September 2008

2 Exploit vs. Vulnerability Signatures
Exploit Signatures – match a specific example of an exploit
  + fast to match
  - imprecise, false positives
Vulnerability Signatures – match the condition under which the program is vulnerable
  + exploit generic, very precise
  - expensive

3–8 Example – CUPS/IPP
(Figure: an HTTP message with status line "HTTP/ OK" and headers "Content-Type: ipp", "Transfer-Encoding: chunked", followed by a chunk of size A05 (hex) carrying the IPP message: IPP header, then attributes, then extra data. Each IPP attribute is laid out as tag | name_len | name | value_len | value.)

Buffer overflow: uint16 name_len is used to copy name into an 8 KB buffer without checks.

Exploit Signature (shell code stored in the name field; the slide shows the bytes EB 10 5B 4B 33 C9 66 B… and BF DE 2F AE B0 5E 8E BF FF FF F…):

    alert tcp any any -> any 631 (content: "|EB 10 5B 4B 33 C9 66 B …|")

Evasion: now split the shell code across two HTTP chunks (the first of size E5 hex). The shell code bytes are no longer contiguous on the wire, so the content match fails.

Vulnerability Signature:

    if(name_len > 8192) Exception!

9 Motivation: Matching Performance
Throughput (Mbit/s) of vulnerability matchers:

    Protocol     binpac   hand-coded
    CUPS/HTTP     5,414       20,340
    DNS              71        2,647
    IPP             809        7,601
    WMF             610       14,013

Hand-coded 3x to 37x faster!
Many vulnerabilities do not require full protocol parsing.

10 Introducing VESPA
A vulnerability signature and protocol parsing architecture
Focus on performance
– Hardware-acceleration-friendly design
– Future work: offload to FPGA, network processor
– Target use in NIC or switch: 1 Gbps+, low latency

11 Outline
Parsing Architecture Design
– Text Protocols
– Binary Protocols
Vulnerability Specification Language
Performance Evaluation
Related Work
Conclusions

12 VESPA Design
Couple protocol and vulnerability specifications
– maximum parser optimization
Design Principles
– Fast matching primitives
– Explicit state management
– Avoid parsing irrelevant message parts
Basic idea: construct matching specs from primitives and marry them to state control functions

13–14 Protocol State
Core State
– Example: HTTP Content-Length header
– Defines the structure and semantics of the message
– Always parsed
Application State
– Example: HTTP Accept-Charset header
– Only relevant to the application
– Skipped by default

15 Text Protocols
Often use explicit field labeling
– e.g., RCPT TO:
Multi-string matching primitive to flatten irrelevant protocol structure
– e.g., search for "HTTP/1.", "Content-Length:", "Transfer-Encoding:", "POST", and "\r\n\r\n" simultaneously
Use control logic to drive the matching primitive

16 Binary Protocols
Field meaning based on position in message
Binary traversal primitive
– Parses only core fields
– No full in-memory representation
– Parses vulnerability-relevant fields when desired
– Implemented with the binpac language

17 VESPA Language
Stores each var as a member of a generated C++ class
Extraction function within %{…}%

    bool is_post = str_matcher "POST" handler handle_post()     <- string matcher primitive spec
        %{ is_post = true; }%                                   <- embedded C++ code

    handle_post() %{ if(is_post) deploy(content_length); }%     <- handler spec

deploy(var) function to control match state
Check vulnerability predicates here (in the handlers)
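The text-protocol design of slide 15 and the handler/deploy() mechanism of slide 17, written out as an added Python example (this is not VESPA's generated code). One multi-string pass over the HTTP head finds only the labels the signature cares about; handlers keep explicit match state and arm extraction of a field with deploy(); headers that are never deployed (Host, Accept-Charset, ...) are never examined, and scanning stops at the end of the head. Python's regex alternation stands in for the multi-string automaton, and the sample requests, host name and alert strings are constructed for the example.

```python
# Added example: a VESPA-style text-protocol matcher for HTTP (not VESPA code).
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Labels from slide 15, searched for simultaneously.  A regex alternation gives a
# single left-to-right scan; a hardware-friendly build would use a multi-string
# automaton (Aho-Corasick) for the same job.
LABELS = [b"HTTP/1.", b"Content-Length:", b"Transfer-Encoding:", b"POST", b"\r\n\r\n"]
MATCHER = re.compile(b"|".join(re.escape(label) for label in LABELS))


@dataclass
class MatchState:
    """Explicit match state, the analogue of the generated C++ class on slide 17."""
    is_post: bool = False
    chunked: bool = False
    content_length: Optional[int] = None
    deployed: Set[str] = field(default_factory=set)   # fields armed for extraction
    alerts: List[str] = field(default_factory=list)

    def deploy(self, var: str) -> None:
        """Counterpart of VESPA's deploy(var): arm extraction of one field."""
        self.deployed.add(var)


def _header_value(msg: bytes, start: int) -> bytes:
    """Rest of the header line after a matched label, whitespace stripped."""
    eol = msg.find(b"\r\n", start)
    return msg[start:len(msg) if eol < 0 else eol].strip()


def match_http(msg: bytes) -> MatchState:
    """Scan one HTTP message head, extracting only deployed core state."""
    st = MatchState()
    for m in MATCHER.finditer(msg):
        label = m.group(0)
        if label == b"POST":                          # handle_post() from slide 17
            st.is_post = True
            st.deploy("content_length")
        elif label == b"Transfer-Encoding:":
            st.chunked = b"chunked" in _header_value(msg, m.end()).lower()
        elif label == b"Content-Length:" and "content_length" in st.deployed:
            raw = _header_value(msg, m.end())
            try:
                st.content_length = int(raw.decode("ascii"))
            except ValueError:                        # also covers UnicodeDecodeError
                st.alerts.append("Content-Length is not an integer")
                continue
            # Vulnerability predicate from slide 23: a negative Content-Length is
            # the condition that triggers the integer overflow in the server.
            if st.content_length < 0:
                st.alerts.append("negative Content-Length")
        elif label == b"\r\n\r\n":
            break                                     # end of head; the body is never scanned
        # "HTTP/1." and any label that was not deployed: matched, not extracted.
    return st


# Constructed sample requests (not captured traffic).
POST_NEGATIVE = (b"POST /printers/lp HTTP/1.1\r\nHost: cups.example\r\n"
                 b"Accept-Charset: utf-8\r\nContent-Length: -1\r\n"
                 b"Content-Type: application/ipp\r\n\r\n\x02\x00\x00\x02")
GET_NEGATIVE = b"GET / HTTP/1.1\r\nHost: cups.example\r\nContent-Length: -1\r\n\r\n"
POST_CHUNKED = (b"POST /printers/lp HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for sample in (POST_NEGATIVE, GET_NEGATIVE, POST_CHUNKED):
        print(match_http(sample))
```

The GET request carries the same negative Content-Length but raises no alert: the spec on slide 17 only deploys content_length after "POST" has been seen, so the header is matched by the automaton but never extracted. That is the "avoid parsing irrelevant message parts" principle from slide 12 at work, and it is also why the signature has to be written against the vulnerable condition rather than against a header in isolation.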

18–19 Binary Protocols
VESPA controls vulnerability state and predicate evaluation; binpac controls the protocol binary traversal.

VESPA:

    uint16 name_len = bin_matcher IPP.binpac:IPP_Attr_Data.name_len
        handler handle_name() default;

    handle_name() %{
        if(name_len > 8192)
            // throw exception
    }%

binpac IPP specification:

    type IPP_Attr_Data = record {
        name_len:  uint16;
        name:      bytestring &length = name_len &transient;
        value_len: uint16;
        value:     bytestring &length = value_len &transient;
    };
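The CUPS/IPP case from slides 3–8 and the binary traversal of slides 18–19, as one added Python example (not VESPA's or binpac's code). The exploit signature is a raw content match on the wire bytes, as a Snort content: rule would do; the vulnerability signature dechunks the body, walks the IPP attributes by length without copying names or values (the &transient idea) and evaluates the single predicate name_len > 8192. The IPP framing (8-byte header, group delimiter tags below 0x10, end tag 0x03) follows the IPP encoding RFCs rather than the slides; the request, host name and placeholder shell code are constructed, with only the first seven bytes of slide 6's content string reused.

```python
# Added example: exploit signature vs. vulnerability signature for CUPS/IPP.
import struct

BUFFER_SIZE = 8192                                  # fixed name buffer in the vulnerable server
SHELLCODE_PREFIX = bytes.fromhex("EB105B4B33C966")  # visible start of slide 6's content string
HTTP_HEAD = (b"POST /printers/lp HTTP/1.1\r\nContent-Type: application/ipp\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n")


def exploit_signature(wire: bytes) -> bool:
    """Slide 6: alert if the shell code bytes appear contiguously in the payload."""
    return SHELLCODE_PREFIX in wire


def dechunk(body: bytes) -> bytes:
    """Decode HTTP chunked framing (chunk extensions ignored, trailers unsupported)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                              # skip the chunk's trailing CRLF


def traverse_ipp(msg: bytes):
    """Binary traversal of an IPP message (RFC 8010 layout, an assumption of this
    example): skip the 8-byte header, then yield (tag, name_len) per attribute.
    Names and values are skipped by length, never materialised."""
    pos = 8
    while pos < len(msg):
        tag = msg[pos]
        pos += 1
        if tag == 0x03:                              # end-of-attributes-tag
            return
        if tag < 0x10:                               # attribute-group delimiter, no payload
            continue
        if pos + 2 > len(msg):
            return                                   # truncated message
        name_len = struct.unpack_from(">H", msg, pos)[0]
        yield tag, name_len                          # the predicate needs only the length
        pos += 2 + name_len
        if pos + 2 > len(msg):
            return
        value_len = struct.unpack_from(">H", msg, pos)[0]
        pos += 2 + value_len


def vulnerability_signature(ipp: bytes) -> bool:
    """Slide 8: alert if any attribute's name_len exceeds the 8 KB buffer."""
    return any(name_len > BUFFER_SIZE for _, name_len in traverse_ipp(ipp))


# ---- constructed traffic for the three scenarios on slides 6-8 ----------------

def ipp_request(name: bytes, value: bytes = b"ipp://cups.example/printers/lp") -> bytes:
    """IPP 2.0 Print-Job request with one uri attribute whose name is `name`."""
    header = b"\x02\x00\x00\x02\x00\x00\x00\x01"     # version 2.0, op 0x0002, request-id 1
    attr = (b"\x45" + struct.pack(">H", len(name)) + name
            + struct.pack(">H", len(value)) + value)
    return header + b"\x01" + attr + b"\x03"          # operation-attributes group, end tag


def chunked(body: bytes, split_at: int) -> bytes:
    """Send body as two HTTP chunks, cut at split_at (slide 7's evasion)."""
    assert 0 < split_at < len(body)
    parts = [body[:split_at], body[split_at:]]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


def wire_message(name: bytes, split_at: int) -> bytes:
    return HTTP_HEAD + chunked(ipp_request(name), split_at)


def analyse(wire: bytes) -> dict:
    """Run both signatures over one message as it would appear on port 631."""
    body = wire.split(b"\r\n\r\n", 1)[1]
    return {"exploit_sig": exploit_signature(wire),
            "vuln_sig": vulnerability_signature(dechunk(body))}


EXPLOIT_NAME = SHELLCODE_PREFIX + b"\x90" * (9000 - len(SHELLCODE_PREFIX))   # 9000 > 8192

if __name__ == "__main__":
    print("benign         ", analyse(wire_message(b"printer-uri", 5)))
    print("exploit, intact", analyse(wire_message(EXPLOIT_NAME, 4000)))
    print("exploit, split ", analyse(wire_message(EXPLOIT_NAME, 15)))
```

Cutting the body 15 bytes in lands the chunk boundary inside the shell code, so the content string never appears contiguously and the exploit signature is silent, while the vulnerability signature still fires because the condition it tests, the length field, is unaffected by how the transport framed the bytes. The traversal touches exactly the fields the predicate needs and skips everything else by length, which is what lets it run without the per-attribute allocations a full parse would make.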

20–21 Modifying binpac for Binary Traversal
Optimized binpac dynamic memory usage
– Pre-allocate one of each object that could be parsed in one object
– Remove STL vector storage for all array elements
Use the &pointer attribute to specify objects that must be dynamically created
– e.g., DNS name pointers…

22 Evaluation
Focus on vulnerabilities difficult to match with exploit signatures
Tested raw vulnerability signature matcher/parser performance
– Network reassembly and reporting stages studied elsewhere
Test System
– 2.6 GHz AMD Athlon64
– 4 GB RAM
– Ubuntu Linux x86-64

23 Tested Vulnerabilities
HTTP/IPP
– Negative Content-Length causes integer overflow
– uint16 name_len used as the copy length into an 8 KB buffer
DNS
– Pointer cycle can cause denial of service
WMF
– Vulnerable feature: allows an arbitrary abort procedure to execute malicious code
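The DNS case above, as an added Python example (not VESPA's or binpac's code). DNS name compression (RFC 1035 section 4.1.4) lets a name end in a pointer to an earlier offset; if the pointers form a cycle, a parser that simply follows them never terminates, which is the denial of service the slide names. The traversal below walks the question and resource-record names using only offsets and lengths, follows pointers with a visited set, and reports a cycle as the vulnerability predicate. The messages, transaction id and addresses are constructed for the example.

```python
# Added example: DNS name traversal with pointer-cycle detection as a vulnerability signature.
import struct
from typing import Iterator, Tuple

MAX_NAME_OCTETS = 255


class PointerCycle(ValueError):
    """A compression pointer chain revisited an offset."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decompress the name at offset.  Returns (name, offset just past the name
    in the original stream) or raises ValueError / PointerCycle."""
    labels, seen = [], {offset}
    pos, end, total = offset, None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack_from(">H", msg, pos)[0] & 0x3FFF
            if end is None:
                end = pos + 2                             # name ends at its first pointer
            if target in seen:
                raise PointerCycle(f"pointer at {pos} revisits offset {target}")
            seen.add(target)
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:                                   # root label ends the name
            return ".".join(labels) or ".", (pos if end is None else end)
        total += length + 1
        if total > MAX_NAME_OCTETS:
            raise ValueError("name longer than 255 octets")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length


def walk_names(msg: bytes) -> Iterator[str]:
    """Traverse question and resource-record owner names (plus the name inside
    NS, CNAME and PTR rdata) without building an in-memory message tree."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack_from(">HHHH", msg, 4)
    pos = 12
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        yield name
        pos += 4                                          # qtype, qclass
    for _ in range(an + ns + ar):
        name, pos = read_name(msg, pos)
        yield name
        rtype, rdlen = struct.unpack_from(">H6xH", msg, pos)   # class and ttl skipped
        pos += 10
        if rtype in (2, 5, 12):                           # NS, CNAME, PTR
            yield read_name(msg, pos)[0]
        pos += rdlen


def dns_pointer_cycle(msg: bytes) -> bool:
    """Vulnerability signature: True when any name's pointer chain loops."""
    try:
        for _ in walk_names(msg):
            pass
    except PointerCycle:
        return True
    except ValueError:
        return False                                      # malformed, but not the DoS condition
    return False


# Constructed messages (not captured traffic).
def _header(qd: int, an: int = 0) -> bytes:
    return struct.pack(">HHHHHH", 0x1234, 0x0100, qd, an, 0, 0)

QNAME = b"\x07example\x03com\x00"
QUESTION = QNAME + struct.pack(">HH", 1, 1)                             # A, IN
QUERY = _header(1) + QUESTION
RESPONSE = (_header(1, 1) + QUESTION
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1]))
CYCLE_SELF = _header(1) + b"\xc0\x0c" + struct.pack(">HH", 1, 1)        # qname points at itself
CYCLE_LOOP = _header(1) + b"\x03abc\xc0\x0c" + struct.pack(">HH", 1, 1)  # "abc" then back to 12

if __name__ == "__main__":
    for label, m in (("query", QUERY), ("response", RESPONSE),
                     ("self-pointer", CYCLE_SELF), ("loop", CYCLE_LOOP)):
        print(f"{label:13s} cycle={dns_pointer_cycle(m)}")
```

The visited set is the predicate the slide describes; RFC 1035 additionally requires a pointer to refer to an earlier offset, and a parser that enforces target < pos cannot loop at all. Keeping the stricter rule out of read_name here makes the cycle detection observable on the two constructed messages, and the 255-octet bound stops a long non-looping chain from doing unbounded work either way.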

24–25 Memory Micro-benchmarks
Bytes allocated per message (the IPP and WMF figures are truncated in the transcript):

    Protocol    binpac   traversal
    DNS         15,812       2,296
    IPP          1,
    WMF          3,

Calls to new/malloc per message:

    Protocol    binpac   traversal
    DNS            539          14
    IPP             33           6
    WMF             94           6

6x to 40x reduction in the number of calls to new
– IPP and WMF traversal call new 6 times for any file
– DNS proportional to the number of DNS pointers

26 String Primitive Micro-benchmarks
Multi-string matching dominates text performance
VESPA approximates the performance of pattern-based IDS for simple signatures

27 Parser Performance VESPA outperforms binpac by 3 to 5 times

28 Parser Performance
VESPA DNS considerably faster than binpac
– Recall: the hand-coded matcher (2.6 Gbit/s) is still 9x faster than VESPA
– Room for improvement in binary traversal

29 Related Work
Pattern Matching
– Wu-Manber, Aho-Corasick, flex, pcre, XFA, Protomatching
Vulnerability Signatures
– Shield, GAPA, binpac, NetShield, Prospector
IDS/IPS
– Snort, Bro, SafeCard

30 Conclusions
Key insight: vulnerability signatures often do not require full protocol parsing
– Specialize the protocol parser to signature matching
Developed the VESPA language and architecture
– 3-5 times faster than binpac
– Performance tied to the speed of the primitives
  – Able to hardware-accelerate multi-string matching
  – Improved performance of binary traversal
Vulnerability signatures can be matched at 1 Gbps+
– Suitable for server NICs, switches, inline IPS

31 Thank you! Questions?