MIT/Determina Application Communities, page 1 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative learning for security and repair.

Slides:



Advertisements
Similar presentations
Presented by Nikita Shah 5th IT ( )
Advertisements

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Remote Procedure Call (RPC)
By Hiranmayi Pai Neeraj Jain
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
ForeScout Technologies Ayelet Steinitz, Product Manager April, 2003.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Maintaining and Updating Windows Server 2008
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Norman SecureSurf Protect your users when surfing the Internet.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.
Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Self-defending software: Automatically patching security vulnerabilities Michael Ernst University of Washington.
KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:
Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.
A Virtual Machine Introspection Based Architecture for Intrusion Detection CS598 STK Presented by Zahid Anwar.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.
Determina DARPA PI meeting Page 2Confidential © Determina, Inc. Agenda LiveShield –Product and Technology –Current Status Applications to Application.
Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe,
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Wireless and Mobile Security
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Welcome.
A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.
Self-defending software: Collaborative learning for security and repair Michael Ernst MIT Computer Science & AI Lab.
Role Of Network IDS in Network Perimeter Defense.
Application Communities Phase 2 (AC2) Project Overview Nov. 20, 2008 Greg Sullivan BAE Systems Advanced Information Technologies (AIT)
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.
Michael Ernst, page 1 Application Communities: Next steps MIT & Determina October 2006.
Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Conclusion.
Microsoft NDA Material Adwait Joshi Sr. Technical Product Manager Microsoft Corporation.
Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
Database and Cloud Security
Application Communities
Protecting Memory What is there to protect in memory?
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Detecting Targeted Attacks Using Shadow Honeypots
TRIP WIRE INTRUSION DETECTION SYSYTEM Presented by.
CSC-682 Advanced Computer Security
Outline System architecture Experiments
Outline System architecture Current work Experiments Next Steps
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

MIT/Determina Application Communities, page 1 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative learning for security and repair in application communities MIT & Determina PM: Lee Badger DARPATech, August 2007 (Other AC performer: SRI) Self-defending COTS Software Approved for Public Release, Distribution Unlimited - Case 9649

MIT/Determina Application Communities, page 2 Approved for Public Release, Distribution Unlimited - Case 9649 Application Communities Many communities have largely identical installations (e.g., Windows, Office)‏ Problem: A single vulnerability can be exploited throughout the community Goal: Protection against exploitation of known or unknown software vulnerabilities in communities of COTS components Automatically (no need for pre-generated signature) Protect first Survive and maintain functionality

MIT/Determina Application Communities, page 3 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative learning approach Initially: all community members are susceptible to an unknown attack Perform machine learning to infer normal behavior When an attack occurs: 1.Detect attacks on any member of the community 2.Analyze additional attacks to localize 3.Generate potential fixes 4.Evaluate fixes 5.Distribute successful fixes Finally: all community members are automatically protected from the attack

MIT/Determina Application Communities, page 4 Approved for Public Release, Distribution Unlimited - Case 9649 The Community: A Problem and an Opportunity A community contains many vulnerable members A community also has significant advantages Increased Accuracy – A community exercises more behaviors during learning Amortized Risk – A problem in one member can lead to a solution for the rest Shared Burden – Use expensive monitoring techniques by distributing the burden across the members

MIT/Determina Application Communities, page 5 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative Learning Framework Provide best possible out-of-box proactive protection against vulnerabilities Protect (and take advantage of) a community Automatically repair vulnerabilities for improved continuity Use dynamically learned constraints Key Features: Proactive protection (Memory Firewall) for unknown vulnerabilities Attack detector based constraint checking focuses repair on exploited vulnerabilities Code injection and Denial of Service (crashes) vulnerabilities are protected and repaired Other detectors can be added to the framework Supports arbitrary x86 binaries Adaptive: Repairs that perform poorly are removed

MIT/Determina Application Communities, page 6 Approved for Public Release, Distribution Unlimited - Case 9649 … Collaborative Learning System Architecture Constraints Patch/Repair Code Generation Patches … Client Workstations (Learning)‏Client Workstations (Protected)‏ Patches Patch/Repair results Merge Constraints (Daikon)‏ MPEE Data Acquisition Client Library Application Learning (Daikon)‏ Sample Data MPEE Application Memory Firewall Live Shield Evaluation (observe execution)‏ MPEE Application Memory Firewall Live Shield Evaluation (observe execution)‏ MPEE Data Acquisition Client Library Application Learning (Daikon)‏ Sample Data Central Management System

MIT/Determina Application Communities, page 7 Approved for Public Release, Distribution Unlimited - Case 9649 Protection Stages Learning – Constraints are learned throughout the community Monitoring – Applications are monitored for attacks (Memory Firewall and crashes). Logging – Constraints near attack locations are analyzed. Repairs are generated for constraint violations that are correlated with attacks. Repair Evaluation – Effective repairs are distributed, ineffective repairs are discarded.

MIT/Determina Application Communities, page 8 Approved for Public Release, Distribution Unlimited - Case 9649 Merge Constraints Monitor Learn x < 18x < 20x < 14 x < 20

MIT/Determina Application Communities, page 9 Approved for Public Release, Distribution Unlimited - Case 9649 Attack Location Enable logging of constraints related to attack Monitor Learn Monitor Security Server

MIT/Determina Application Communities, page 10 Approved for Public Release, Distribution Unlimited - Case 9649 Security Server Constraint/Attack Information Constraint Information Monitor Learn Monitor Logging

MIT/Determina Application Communities, page 11 Approved for Public Release, Distribution Unlimited - Case 9649 Constraint/Repair Information Distribute possible repairs Monitor Learn Monitor Logging Monitor Eval Repairs Security Server

MIT/Determina Application Communities, page 12 Approved for Public Release, Distribution Unlimited - Case 9649 Monitor Learn Monitor Logging Patch Activation Information Monitor Eval Repairs Monitor Secure Security Server Distribute most successful repair(s)‏

MIT/Determina Application Communities, page 13 Approved for Public Release, Distribution Unlimited - Case 9649 Learning Applications are instrumented throughout the community Only a small percentage of an application is instrumented on each machine Constraints are found locally and then merged centrally Constraints are learned at the basic block level Variables from multiple basic blocks in a function can be used Loop invariants and flow dependent invariants can be found Built on Determina’s client library Low overhead No visible change to client programs

MIT/Determina Application Communities, page 14 Approved for Public Release, Distribution Unlimited - Case 9649 Monitoring – detect attacks/bugs Current detectors Code injection (Determina’s Memory Firewall)‏ Crashes (denial of service)‏ Address violations Divide by zero Assertion checks Low overhead, no false positives Constraint violations are not an attack! Attack locations are sent to central server Framework supports additional detectors Unusual code execution Heap consistency checker User complaints

MIT/Determina Application Communities, page 15 Approved for Public Release, Distribution Unlimited - Case 9649 Memory Firewall as Detector NETWORK KERNEL Make payment Change prefs Read statement Write RecordUpdate Registry Open port HIJACK Program Counter HIJACK Program Counter COMPROMISE ENTER call br jmp ENTER Monitoring is simple – Port monitoring or system call monitoring Don’t know good guy from bad guy – Only “known criminals” can be identified Even known bad guys are hard to detect – Encrypted channels Used by IDS, Application Firewalls HIJACK “Catch in the act of criminal behavior” All programs follow strict conventions – ABI (Application Binary Interface) ‏ – The Calling Convention (MS/Intel) ‏ Currently no enforcement All attacks violate some of these conventions COMPROMISE Monitoring can be done – System call monitoring Hard to distinguish between actions of a normal program vs. a compromised program – Leads to false positives Used by “System Call Interception” HIPS systems SYSTEM & APPLICATION MEMORY 3) ABI Violation 1) NO ABI Violation 2) NO ABI Violation Attack Code

MIT/Determina Application Communities, page 16 Approved for Public Release, Distribution Unlimited - Case 9649 Memory Firewall Security Policies Goal: Closest approximation to programmer intent Infer Control Flow Graph nodes and edges ISA requirements – x86 minimal OS requirements – page RW- ABI requirements – imports, exports, SEH Calling conventions (inter-module)‏ Compiler idiosyncrasies – C, gcc C, C++, VB, Delphi Restricted Code Origins – Prevent code injection Restricted Control Transfers -Prevent code reuse attacks For x86 User mode: RET IND CALL IND JUMP

MIT/Determina Application Communities, page 17 Approved for Public Release, Distribution Unlimited - Case 9649 Logging - Correlate constraints and attacks Logging is enabled for constraints related to the attack across the community Overhead is low only related constraints are enabled for logging distribute logging over the community Send results to a central server for analysis A critical constraint is one that is violated if and only if there is an attack Repairs are created for each critical constraint There may be more than one possible repair for each constraint

MIT/Determina Application Communities, page 18 Approved for Public Release, Distribution Unlimited - Case 9649 Attack / repair example Attack exploits the C++ implementation of a Javascript system routine The type of the Javascript argument is not checked. System routine casts to a C++ object, calls a virtual method The object has a virtual table entry that points to injected code Violated constraint is found at the method call JSRI Address is in a set of legal method addresses Possible repairs Ignore the call Call one of the known valid methods Return early No repair

MIT/Determina Application Communities, page 19 Approved for Public Release, Distribution Unlimited - Case 9649 Evaluate repairs Server creates patches for each possible repair for each correlated constraint Server distributes each patch to a subset of the community When a patch is activated (the constraint is violated), the community member evaluates it and sends the results to the central server Is the attack avoided? Does the program exhibit other problems? Central server analyzes results The most successful patch is distributed and other patches are abandoned

MIT/Determina Application Communities, page 20 Approved for Public Release, Distribution Unlimited - Case 9649 Conclusion Critical vulnerabilities are recognized Code injection Denial of service Framework can be extended to other detectors Vulnerability is closed (repaired)‏ This attack will fail in the future Overhead is low Detector overhead is low Only constraints associated with attacks are logged Effective on legacy x86 binaries

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.