Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits By Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier.


1 Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits
By Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier
Presented at ACM SIGCOMM 2004
Presented by Jared Bott

2 What is Shield?
- A program that "patches" vulnerabilities in applications by blocking the network traffic that would exploit them
- Operates only on network traffic, so it does not cause the side effects that patches can
- Works on vulnerabilities, not on specific exploits

3 Outline
- Why?
- How?
  - Details
  - Scalability
  - Implementation
- Analysis of Paper

4 Why do we need Shield?
- Patches have many issues
  - Disruption: patches often require stopping a program/service or rebooting the machine
  - Unreliability: patches often have side effects because the focus is on speed (getting the patch out), so little testing is done; other updates are often bundled with security updates

5 Why do we need Shield?
  - Irreversibility: most patches cannot be easily uninstalled if something does not work correctly
  - Unawareness: administrators may be unaware of a new patch or fail to act on it
- Shield aims to alleviate these problems

6 Outline
- Why?
- How?
  - Details
  - Scalability
  - Implementation
- Analysis of Paper

7 How does Shield work?
- The producer of an application describes the states of the program and the protocol(s) it uses
- A Shield policy contains the vulnerability signature and the actions to take when an exploit is recognized
- For each session between the program and a remote host, Shield keeps an instance of the program's state machine, so it can block any traffic that would trigger the exploit

8 Vulnerability Modeling
- When a new vulnerability is discovered, a Shield designer writes a Shield policy for it
- Shield Vulnerability Signature: specifies all sequences of application messages and payload characteristics that lead to a remote exploit of the vulnerability
- Each application can be viewed as a finite state machine, the Application State Machine (ASM)

9 Vulnerability Modeling
- Protocol State Machine (PSM)
  - A state machine that describes the state of the program in relation to the arrival of protocol messages
  - Each state in the PSM "overlays" a set of states of the ASM
  - Smaller and simpler than the ASM
- Pre-Vulnerability State: the state in the PSM at which receiving an exploiting network event could cause damage


11 Shield Architecture
- Objectives for the Shield design
  1. Minimize and limit the amount of state maintained by Shield; Shield must resist resource-consumption attacks at least as well as the program it shields
  2. Enough flexibility to support any application-level protocol
  3. Design fidelity: Shield should not be an easier target than the program it protects

12 Shield Architecture
- Shield separates policy from mechanism
- Sessions must be identified; application-level protocols must provide a message type and a session ID
- Out-of-order messages and application-level protocol message fragments must be handled

13 Shield Architecture
- Policies must specify
  - How to identify an application
  - How to extract the message type for event identification
  - How to determine the session associated with a message
  - The states, events and transitions that define the PSM

14 Shield Architecture
- Data structures
  - Specs
  - Session states
- The Policy Loader transforms policies into Specs

15 Modules
- Policy Loader: parses policy syntax and integrates new or modified policies into an existing Spec, or creates a new Spec
- Application Dispatcher: determines which Spec to consult when raw bytes arrive, and forwards the bytes and the Spec to the Session Dispatcher

16 Modules
- Session Dispatcher: locates the session ID, message type and message boundary marker, and sends the event to the corresponding State Machine Instance
- State Machine Instance (SMI)
  - Given a newly arrived event and the current state, the SMI consults the Spec for the event handler to invoke
  - Calls the Shield Interpreter to interpret the event handler
  - One SMI per session

17 Modules
- Shield Interpreter: interprets the event handler
  - The event handler specifies how to parse the application-level protocol payload and examine it for exploits
  - Carries out packet dropping, session tear-down, registering a newly negotiated dynamic port with Shield, and setting the next state of the current SMI


19 Design Issues
- Out-of-order arrivals
- Scattered arrivals
- Application-level fragmentation

20 Policy Language
- Describes states, events, transitions and generic application-level protocol (ALP) information; loaded into the Spec data structure by the Policy Loader
- Describes handler specifications and payload-parsing instructions
  - Handlers examine the packet payload and pinpoint any exploit in the current payload
  - Handlers record the session context needed for a later determination that an exploit has occurred

21 Policy Language
- Payload specification example

  PAYLOAD_STRUCT {
      SKIP BYTES(6) dummy1,
      BYTES(1) numTransferContexts,
      SKIP BYTES(1) dummy2,
      BYTES(16) UUID_RemoteActivation,
      SKIP BYTES(4) version,
      SKIP BYTES(numTransferContexts * 20) transferContexts,
  } P_Context;
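The point of a declarative PAYLOAD_STRUCT is that the Shield Interpreter, not the vulnerable application, does the parsing, so every field (including a length that depends on an earlier, attacker-controlled counter such as numTransferContexts * 20) is bounds-checked before it is read. The following Python is an added illustration of that idea written for this page; it is not Shield's interpreter or policy language, and the sample packet is constructed here rather than captured from real RPC traffic.

```python
import uuid


class PayloadTooShort(ValueError):
    """The packet does not carry the bytes the PAYLOAD_STRUCT demands."""


# Constructed declarative layout mirroring the slide's P_Context. Each entry is
# (field name, length, decoder). length is an int, or a callable that receives
# the fields decoded so far (this is how SKIP BYTES(numTransferContexts * 20)
# becomes a length that depends on an earlier field). decoder None means SKIP.
P_CONTEXT = [
    ("dummy1",                6,  None),             # SKIP BYTES(6)
    ("numTransferContexts",   1,  lambda b: b[0]),   # BYTES(1), read as a counter
    ("dummy2",                1,  None),             # SKIP BYTES(1)
    ("UUID_RemoteActivation", 16, bytes),            # BYTES(16), kept raw
    ("version",               4,  None),             # SKIP BYTES(4)
    ("transferContexts", lambda f: f["numTransferContexts"] * 20, None),  # SKIP BYTES(n * 20)
]


def parse_payload(spec, data):
    """Walk `spec` over `data`; return the decoded fields plus `_end`, the offset
    where the struct finishes. Every field is bounds-checked before it is
    touched, including lengths derived from attacker-controlled counters."""
    fields = {}
    offset = 0
    for name, length, decoder in spec:
        if callable(length):
            length = length(fields)
        end = offset + length
        if end > len(data):
            raise PayloadTooShort(
                f"{name}: need {length} bytes at offset {offset}, "
                f"only {len(data) - offset} left")
        if decoder is not None:
            fields[name] = decoder(data[offset:end])
        offset = end
    fields["_end"] = offset
    return fields


def is_well_formed(spec, data):
    """True when `data` is long enough for every field in `spec`."""
    try:
        parse_payload(spec, data)
        return True
    except PayloadTooShort:
        return False


def build_sample_context(num_ctx, activation_uuid=uuid.UUID(int=0x1234)):
    """Constructed sample packet laid out like P_Context (not real RPC traffic)."""
    return (b"\x00" * 6                     # dummy1
            + bytes([num_ctx])               # numTransferContexts
            + b"\x00"                        # dummy2
            + activation_uuid.bytes          # UUID_RemoteActivation
            + b"\x00\x00\x00\x05"            # version (skipped)
            + b"\xaa" * (num_ctx * 20))      # transferContexts (skipped)


if __name__ == "__main__":
    pkt = build_sample_context(2)
    print(parse_payload(P_CONTEXT, pkt))
    print("truncated packet well-formed?", is_well_formed(P_CONTEXT, pkt[:-1]))
```

A truncated packet raises PayloadTooShort instead of reading past the buffer, which is the behaviour the objective "Shield should not be an easier target than the program it protects" requires of the interpreter; a handler that follows the struct can then DROP the packet rather than guess at the missing fields.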

22 Policy Language
- Handler specification
  - Four data types: BOOL, COUNTER, BYTES, WORD
  - Built-in functions: DROP, TEARDOWN_SESSION, REGISTER_PORT, ...
  - ">>payload" tells Shield to parse the bytes that make up the "payload" of the packet and to refer to them by that name

23 Shield for the vulnerability behind CodeRed

  SHIELD(Vulnerability_Behind_CodeRed, TCP, (80))
  INITIAL_STATE S_WaitForGetRequest;
  FINAL_STATE S_Final;
  # MSG_TYPE_LOCATION = (0, 1) WORD;
  MSG_BOUNDARY = "\r\n\r\n";
  EVENT E_GET_Request = ("GET", INCOMING);
  STATE_MACHINE = {
      (S_WaitForGetRequest, E_GET_Request, H_Get_Request),
  };
  PAYLOAD_STRUCT {
      WORDS(1) method,
      WORDS(1) URI,
      BYTES(REST) dummy2,
  } P_Get_Request;
  HANDLER H_Get_Request (P_Get_Request) {
      COUNTER legalLimit = 239;
      COUNTER c = 0;
      # \?(.*)$ is the regular expression to retrieve the
      # query string in the URI
      # MATCH_STR_LEN returns legalLimit + 1 when legalLimit is exceeded
      c = MATCH_STR_LEN (>>P_Get_Request.URI, "\?(.*)$", legalLimit);
      IF (c > legalLimit)
          # Exploit!
          TEARDOWN_SESSION;
          RETURN (S_Final);
      FI
      RETURN (S_Final);
  };
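To make the mechanism of slides 15 to 19 and the CodeRed policy above concrete, here is an added Python model of a Session Dispatcher, a per-session State Machine Instance and the H_Get_Request handler. It is written for this page and is not Shield's code or its policy interpreter. Assumptions: the session ID is a constructed (client IP, client port) tuple; bytes arrive in order, as they would above TCP in a WinSock LSP, so only scattered arrivals (a message split across segments) are handled, not out-of-order ones; "PASS" is a name introduced here for "no action taken"; and MSG_TYPE_LOCATION = (0, 1) WORD is read as "the first word of the message".

```python
import re
from dataclasses import dataclass

# Constants from the slide's policy.
MSG_BOUNDARY = b"\r\n\r\n"             # MSG_BOUNDARY
LEGAL_LIMIT = 239                      # COUNTER legalLimit = 239
QUERY_RE = re.compile(rb"\?(.*)$")     # query-string regex from H_Get_Request
INITIAL_STATE, FINAL_STATE = "S_WaitForGetRequest", "S_Final"
PASS, TEARDOWN = "PASS", "TEARDOWN_SESSION"   # PASS is this example's name for "no action"


def h_get_request(msg):
    """H_Get_Request over P_Get_Request: WORDS(1) method, WORDS(1) URI,
    BYTES(REST) dummy. Returns (action, next_state)."""
    words = msg.split(None, 2)
    uri = words[1] if len(words) > 1 else b""
    m = QUERY_RE.search(uri)
    query_len = len(m.group(1)) if m else 0
    if query_len > LEGAL_LIMIT:
        return TEARDOWN, FINAL_STATE       # Exploit!
    return PASS, FINAL_STATE


# STATE_MACHINE: (current state, event) -> handler. The event is the message's
# first word, i.e. MSG_TYPE_LOCATION = (0, 1) WORD.
STATE_MACHINE = {
    (INITIAL_STATE, b"GET"): h_get_request,
}


@dataclass
class StateMachineInstance:
    """One SMI per session: the current PSM state plus a reassembly buffer for
    messages that arrive scattered across several segments."""
    state: str = INITIAL_STATE
    buf: bytes = b""

    def feed(self, data):
        """Consume bytes; return an (action, state) pair for each complete
        message. Bytes before a MSG_BOUNDARY are held until the boundary arrives."""
        results = []
        self.buf += data
        while True:
            idx = self.buf.find(MSG_BOUNDARY)
            if idx < 0:
                return results                 # scattered arrival: wait for more
            msg, self.buf = self.buf[:idx], self.buf[idx + len(MSG_BOUNDARY):]
            words = msg.split(None, 1)
            event = words[0] if words else b""
            handler = STATE_MACHINE.get((self.state, event))
            if handler is None:                # no policy for this event in this state
                results.append((PASS, self.state))
                continue
            action, self.state = handler(msg)
            results.append((action, self.state))


class Shield:
    """Session Dispatcher: map a session id onto its SMI and retire the SMI
    once the PSM reaches its final state, bounding per-session state."""
    def __init__(self):
        self.sessions = {}

    def inspect(self, session_id, data):
        smi = self.sessions.setdefault(session_id, StateMachineInstance())
        results = smi.feed(data)
        if smi.state == FINAL_STATE:
            del self.sessions[session_id]
        return results


if __name__ == "__main__":
    shield = Shield()
    exploit = b"GET /default.ida?" + b"N" * 240 + b" HTTP/1.0\r\n\r\n"  # constructed
    print(shield.inspect(("10.0.0.2", 40002), exploit[:12]))   # [] (buffered)
    print(shield.inspect(("10.0.0.2", 40002), exploit[12:]))   # [('TEARDOWN_SESSION', 'S_Final')]
```

Two things the model makes visible. First, the check is on the vulnerability (query string longer than 239 bytes), so any byte pattern in the query, not just the CodeRed worm's, is caught, and a request with exactly 239 bytes passes. Second, the slide's policy goes to S_Final after the first GET, so on a keep-alive connection a later request in the same session is no longer inspected; a deployed policy would return to S_WaitForGetRequest instead.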

24 Outline
- Why?
- How?
  - Details
  - Scalability
  - Implementation
- Analysis of Paper

25 Scalability
- A shield can be removed once the vulnerability it covers is patched
- N shields for N different applications are equivalent to a single shield in terms of their effect on the performance of any one application

26 Scalability
- When multiple vulnerabilities in one application lie on disjoint paths of its state machine, the per-packet Shield processing overhead for all of them is almost the same as for a single vulnerability

27 Scalability
- For vulnerabilities that share paths, the overhead may be cumulative
  - Not many vulnerabilities are of this kind

28 Outline
- Why?
- How?
  - Details
  - Scalability
  - Implementation
- Analysis of Paper

29 Implementation
- Implemented as a WinSock2 Layered Service Provider (LSP)
- Compiled into a DLL
- 10,702 lines of C++

30 Vulnerabilities
- Modeled the vulnerabilities behind Slammer, MSBlast and CodeRed, plus twelve other vulnerabilities
  - All were input-validation failures (e.g. buffer overflow, integer overflow)
- Can Shield deal with common vulnerabilities?

31 Vulnerabilities of MSRC over the year 2003

  # of Vuln.  Nature                     Wormable  Shieldable
  6           Local                      No        (not stated on slide)
  24          User-involved              No        Usually hard
  12          Server buffer overruns     Yes       Easy
  3           Cross-site scripting       No        Hard
  3           Server denial-of-service   No        Varies

32 Vulnerabilities
- Shield is not good for:
  - Bugs deeply embedded in an application's logic
  - Exploits delivered through files
  - Messages that are encrypted by the application

33 Application Throughput
- Dell PWS650 server with a 3.06 GHz CPU and 1 GB RAM
- Clients connect over 100 Mbps and 1 Gbps Ethernet
- Clients send 1 MB messages over TCP
- Performance would improve if Shield were not implemented as a WinSock LSP

34 CPU Comparison for 100 Mbps Switch

35 Throughput Comparison for 1 Gbps Switch

36 Outline
- Why?
- How?
  - Details
  - Scalability
  - Implementation
- Analysis of Paper

37 Strengths
- Shield provides protection that is reliable, minimally disruptive, reversible and can be safely updated automatically
- Provides a safe, compact policy/protocol description language

38 Weaknesses
- The implementation has performance issues
- False positives can occur if the PSM is misunderstood, i.e. the policy models the protocol incorrectly
- Specs give attackers an easy way to understand the vulnerabilities

39 Further Research
- Automated tools for Shield policy generation
- Implementing Shield somewhere other than the end host
- Distribution of shields
- Can this be applied to vulnerabilities that do not involve protocol messages?