Presentation is loading. Please wait.

Presentation is loading. Please wait.

Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.

Published byKarin Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach."— Presentation transcript:

1 Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach

2 Constraint Framework, page 2 Constraint Framework Objective: Automatically repair vulnerabilities in COTS software using dynamically learned constraints Key Features: Attack detector based constraint checking greatly limits false positives Code injection and Denial of Service (crashes) vulnerabilities are protected Other detectors can be added to the framework Supports arbitrary x86 binaries Repairs are monitored and those that perform poorly are removed.

3 Constraint Framework, page 3 Outline Constraint framework overview (Michael Ernst) Instrumentation (Sung Kim) Firefox exploit details Instrumentation details Learning and repair (Yoav Zibin) Finding invariants with Daikon Creating and installing repair patches with LiveShield

4 Constraint Framework, page 4 Merge Constraints Monitor Learn x < 18x < 20x < 14 x < 20

5 Constraint Framework, page 5 Attack Location Enable logging of constraints related to attack Monitor Learn Monitor Security Server

6 Constraint Framework, page 6 Security Server Constraint/Attack Information Constraint Information Monitor Learn Monitor Logging

7 Constraint Framework, page 7 Constraint/Repair Information Distribute possible repairs Monitor Learn Monitor Logging Monitor Eval Repairs Security Server

8 Constraint Framework, page 8 Monitor Learn Monitor Logging Patch Activation Information Monitor Eval Repairs Monitor Secure Security Server Distribute most successful repair(s)

9 Constraint Framework, page 9 Learning Applications are instrumented throughout the community Only a small percentage of an application is instrumented on each machine Constraints are found locally and then merged centrally Constraints are learned at the basic block level Variables from multiple basic blocks in a function can be used Loop invariants and flow dependent invariants can be found Built on Determina’s client library Low overhead No visible change to client programs

10 Constraint Framework, page 10 Monitoring – detect attacks/bugs Current detectors Code injection (Determina’s Memory Firewall) Crashes (denial of service) Address violations Divide by zero Assertion checks Low overhead, no false positives Constraint violations are not an attack! Attack locations are sent to central server Framework supports additional detectors Unusual code execution Heap consistency checker User complaints

11 Constraint Framework, page 11 Logging - Correlate constraints and attacks Logging is enabled for constraints related to the attack across the community Overhead is low only related constraints are enabled for logging distribute logging over the community Send results to a central server for analysis A critical constraints is one that is violated if and only if there is an attack Repairs are created for each critical constraint There may be more than one possible repair for each constraint

12 Constraint Framework, page 12 Attack / repair example Attack exploits the C++ implementation of a Javascript system routine The type of the Javascript argument is not checked. System routine casts to a C++ object, calls a virtual method The object has a virtual table entry that points to injected code Violated constraint is found at the method call JSRI Address is in a set of legal method addresses Possible repairs Ignore the call Call one of the known valid methods Return early No repair

13 Constraint Framework, page 13 Evaluate repairs Server creates patches for each possible repair for each correlated constraint Server distributes each patch to a subset of the community When a patch is activated (the constraint is violated), the community member evaluates it and sends the results to the central server Is the attack avoided? Does the program exhibit other problems? Central server analyzes results The most successful patch is distributed and other patches are abandoned

14 Constraint Framework, page 14 Conclusion Critical vulnerabilities are addressed Code injection Denial of service Framework can be extended to other detectors Vulnerability is closed This attack will fail in the future Overhead is low Detector overhead is low Only constraints associated with attacks are logged Effective on legacy x86 binaries

15 Constraint Framework, page 15 Repair risks are low Constraints are formed during extensive learning throughout the community Only constraint violations that correlate with attacks are checked and repaired No guarantee of perfect behavior Alternative is a crash (or worse) Observed good behavior in practice Continue to monitor behavior across the community

16 Constraint Framework, page 16 Status Working Instrumentation of stripped Windows binaries with no debug information. Community learning Detection of code injection and crashes Repair generation (partially automated) and distribution Future Logging Repair evaluation Integration

17 Constraint Framework, page 17 Outline Constraint framework overview (Michael Ernst) Instrumentation (Sung Kim) Firefox exploit details Instrumentation details Learning and repair (Yoav Zibin) Finding invariants with Daikon Creating and installing repair patches with LiveShield

18 Constraint Framework, page 18 Application Communities Large installations with similar programs Windows Office One vulnerability can affect thousands of machines Goal: use the community to automatically detect attacks and repair vulnerabilities Approach: infer invariants and make related repairs Use the community to determine which constraints to enforce Use the community to evaluate repairs

19 Constraint Framework, page 19 Constraint Framework Monitor Learn Monitor Log Monitor Eval Repairs Monitor Secure AttackAttacks Merge Monitor Server

20 Constraint Framework, page 20 Talks Instrumentation for learning (Sung Kim) Firefox Exploit details Finding constraints (Yoav Zibin) Learning challenges Constraints associated with exploits Patch generation Demo Summary of exploits and our results

21 Constraint Framework, page 21 Constraint Framework Learn constraints throughout the community Detect an Attack (code injections, crashes, etc) Correlate constraint violations to attacks Create and evaluate fixes Deploy the best fix

Download ppt "Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach."

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.

Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Patch Management Module 13. Module 2-421 You Are Here VMware vSphere 4.1: Install, Configure, Manage – Revision A Operations vSphere Environment Introduction.

Patch Management Module 13. Module You Are Here VMware vSphere 4.1: Install, Configure, Manage – Revision A Operations vSphere Environment Introduction.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.

Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.
© 2010 VMware Inc. All rights reserved Patch Management Module 13.

© 2010 VMware Inc. All rights reserved Patch Management Module 13.
Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.
Self-defending software: Automatically patching security vulnerabilities Michael Ernst University of Washington.

Self-defending software: Automatically patching security vulnerabilities Michael Ernst University of Washington.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.

Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.
ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.

ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Similar presentations

Ads by Google