Download presentation
Presentation is loading. Please wait.
Published byKarin Daniels Modified over 8 years ago
1
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach
2
Constraint Framework, page 2 Constraint Framework Objective: Automatically repair vulnerabilities in COTS software using dynamically learned constraints Key Features: Attack detector based constraint checking greatly limits false positives Code injection and Denial of Service (crashes) vulnerabilities are protected Other detectors can be added to the framework Supports arbitrary x86 binaries Repairs are monitored and those that perform poorly are removed.
3
Constraint Framework, page 3 Outline Constraint framework overview (Michael Ernst) Instrumentation (Sung Kim) Firefox exploit details Instrumentation details Learning and repair (Yoav Zibin) Finding invariants with Daikon Creating and installing repair patches with LiveShield
4
Constraint Framework, page 4 Merge Constraints Monitor Learn x < 18x < 20x < 14 x < 20
5
Constraint Framework, page 5 Attack Location Enable logging of constraints related to attack Monitor Learn Monitor Security Server
6
Constraint Framework, page 6 Security Server Constraint/Attack Information Constraint Information Monitor Learn Monitor Logging
7
Constraint Framework, page 7 Constraint/Repair Information Distribute possible repairs Monitor Learn Monitor Logging Monitor Eval Repairs Security Server
8
Constraint Framework, page 8 Monitor Learn Monitor Logging Patch Activation Information Monitor Eval Repairs Monitor Secure Security Server Distribute most successful repair(s)
9
Constraint Framework, page 9 Learning Applications are instrumented throughout the community Only a small percentage of an application is instrumented on each machine Constraints are found locally and then merged centrally Constraints are learned at the basic block level Variables from multiple basic blocks in a function can be used Loop invariants and flow dependent invariants can be found Built on Determina’s client library Low overhead No visible change to client programs
10
Constraint Framework, page 10 Monitoring – detect attacks/bugs Current detectors Code injection (Determina’s Memory Firewall) Crashes (denial of service) Address violations Divide by zero Assertion checks Low overhead, no false positives Constraint violations are not an attack! Attack locations are sent to central server Framework supports additional detectors Unusual code execution Heap consistency checker User complaints
11
Constraint Framework, page 11 Logging - Correlate constraints and attacks Logging is enabled for constraints related to the attack across the community Overhead is low only related constraints are enabled for logging distribute logging over the community Send results to a central server for analysis A critical constraints is one that is violated if and only if there is an attack Repairs are created for each critical constraint There may be more than one possible repair for each constraint
12
Constraint Framework, page 12 Attack / repair example Attack exploits the C++ implementation of a Javascript system routine The type of the Javascript argument is not checked. System routine casts to a C++ object, calls a virtual method The object has a virtual table entry that points to injected code Violated constraint is found at the method call JSRI Address is in a set of legal method addresses Possible repairs Ignore the call Call one of the known valid methods Return early No repair
13
Constraint Framework, page 13 Evaluate repairs Server creates patches for each possible repair for each correlated constraint Server distributes each patch to a subset of the community When a patch is activated (the constraint is violated), the community member evaluates it and sends the results to the central server Is the attack avoided? Does the program exhibit other problems? Central server analyzes results The most successful patch is distributed and other patches are abandoned
14
Constraint Framework, page 14 Conclusion Critical vulnerabilities are addressed Code injection Denial of service Framework can be extended to other detectors Vulnerability is closed This attack will fail in the future Overhead is low Detector overhead is low Only constraints associated with attacks are logged Effective on legacy x86 binaries
15
Constraint Framework, page 15 Repair risks are low Constraints are formed during extensive learning throughout the community Only constraint violations that correlate with attacks are checked and repaired No guarantee of perfect behavior Alternative is a crash (or worse) Observed good behavior in practice Continue to monitor behavior across the community
16
Constraint Framework, page 16 Status Working Instrumentation of stripped Windows binaries with no debug information. Community learning Detection of code injection and crashes Repair generation (partially automated) and distribution Future Logging Repair evaluation Integration
17
Constraint Framework, page 17 Outline Constraint framework overview (Michael Ernst) Instrumentation (Sung Kim) Firefox exploit details Instrumentation details Learning and repair (Yoav Zibin) Finding invariants with Daikon Creating and installing repair patches with LiveShield
18
Constraint Framework, page 18 Application Communities Large installations with similar programs Windows Office One vulnerability can affect thousands of machines Goal: use the community to automatically detect attacks and repair vulnerabilities Approach: infer invariants and make related repairs Use the community to determine which constraints to enforce Use the community to evaluate repairs
19
Constraint Framework, page 19 Constraint Framework Monitor Learn Monitor Log Monitor Eval Repairs Monitor Secure AttackAttacks Merge Monitor Server
20
Constraint Framework, page 20 Talks Instrumentation for learning (Sung Kim) Firefox Exploit details Finding constraints (Yoav Zibin) Learning challenges Constraints associated with exploits Patch generation Demo Summary of exploits and our results
21
Constraint Framework, page 21 Constraint Framework Learn constraints throughout the community Detect an Attack (code injections, crashes, etc) Correlate constraint violations to attacks Create and evaluate fixes Deploy the best fix
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.