Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.

Published byBrendan Ferrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung."— Presentation transcript:

1 Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung Kil and Jong Youl Choi

2 Dr. XiaoFeng Wang Spring 2006 Automated Exploit Defense

3 Dr. XiaoFeng Wang Spring 2006 Expectations for Automated Defense?  A perfect fix to vulnerable software?  A reasonably secure and fast -generated fix seems more realistic

4 Dr. XiaoFeng Wang Spring 2006 Automatic Exploit Defense: the State of Art Source code instrument Static analysis of source code Monitor an application ’ s execution to the break point Static analysis of binary code

5 Dr. XiaoFeng Wang Spring 2006 Vaccine Vaccine: a weakened viruses or bacteria for stimulating antibody production How about a black-box “ packet vaccine ” ?

6 Dr. XiaoFeng Wang Spring 2006 IDEAS 1. scramble anomalous payload 2. exception and analysis 3. Injection of vaccine variances

7 Dr. XiaoFeng Wang Spring 2006 Properties  Fast Exploit Detection  Black-box Signature Generation  Work on obfuscated code  Little or no modification to the protected system

8 Dr. XiaoFeng Wang Spring 2006 Design 1. Vaccine Generation 2. Exploit Detection 3. Vulnerability Analysis 4. Signature Generation

9 Dr. XiaoFeng Wang Spring 2006 Vaccine Generation  How to generate a weakened exploit?  Our approach 1.Identify an address-like byte token on a packet 2.Randomize it

10 Dr. XiaoFeng Wang Spring 2006 Address-like Tokens  Use address range  stack: 0xc0000000  heap: 0x08048000  entries of some libc functions  Where to get them?  Linux: /proc/pid/maps  Windows: debugging tools/memory monitoring tools

11 Dr. XiaoFeng Wang Spring 2006 Example  Byte sequence `7801cbd3' falls in the address range of “ msvcrt.dll ”

12 Dr. XiaoFeng Wang Spring 2006 Exploit Detection and Vuln. Diagnosis  Detection:  Exception happens  Diagnosis  Pickup the contents from CR2 and EIP  Match them to the scrambled byte sequences  Locate the corrupted pointer

13 Dr. XiaoFeng Wang Spring 2006 Signature Generation (1)  App-independent Signatures  Byte sequences  Byte-based Vaccine Injection (BVI)  Modify one byte and the jump address  Send to the application  not crash  important byte

14 Dr. XiaoFeng Wang Spring 2006 Signature Generation (2)  Application-level Signatures  field length (buffer overrun)  special symbols (e.g, “ %n ” for formate string)  App-based Vaccine Injection (AVI)  the minimal field length  crash  remove special tokens  no crash

15 Dr. XiaoFeng Wang Spring 2006 Performance  BVI is parallelizable  for multi-process application  AVI can be enhanced by binary search

16 Dr. XiaoFeng Wang Spring 2006 Implementation  Intercept application-level dataflow to detect suspicious tokens  Scramble them to generate vaccines  Signature generation (RedHat Linux 7.3)  Verifier: implemented using ptrace  Prober: local/remote  Prober and verifier: a persistent connection  Verifier notifies Prober of exceptions

17 Dr. XiaoFeng Wang Spring 2006 Experiment: Vaccine Effectiveness

18 Dr. XiaoFeng Wang Spring 2006 Experiment: Signature Generation

19 Dr. XiaoFeng Wang Spring 2006 Signature Quality: BIND  Comparison between our signature and MEP (oakland 06)

20 Dr. XiaoFeng Wang Spring 2006 Signature Quality: ATP http  MEP  get “ GET ” and “ HEAD ”  But specific tokens ‘ / ’ and ‘ // ’ and longer field length (812)  AVI:  Only “ GET ”  But more precise field length (703)  The real buffer size is 680

21 Dr. XiaoFeng Wang Spring 2006 False positives

22 Dr. XiaoFeng Wang Spring 2006 Application: Protecting Internet Servers

23 Dr. XiaoFeng Wang Spring 2006 Server Workload 1043.09-1016.07= 27.02 812.97-804.63= 8.34

24 Dr. XiaoFeng Wang Spring 2006 Local Client Delay

25 Dr. XiaoFeng Wang Spring 2006 Remote Client Delay

26 Dr. XiaoFeng Wang Spring 2006 Other Applications  Vulnerability Scanner  A lightweight replacement for Grey-box approaches  Proactive discovery and fix of vulnerabilities

27 Dr. XiaoFeng Wang Spring 2006 Limitations  False negatives in exploit detection  Encrypted payload and checksums  Signature limitations in representation

28 Dr. XiaoFeng Wang Spring 2006 Future Work  Generation of more accurate signatures  Proactive detection of software vulnerabilities

Download ppt "Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung."

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.

General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Dr. XiaoFeng Wang AGIS: Towards Automatic Generation of Infection Signatures Zhuowei Li 1,3, XiaoFeng Wang 1, Zhenkai Liang 4 and Mike Reiter 2 1 Indiana.

Dr. XiaoFeng Wang AGIS: Towards Automatic Generation of Infection Signatures Zhuowei Li 1,3, XiaoFeng Wang 1, Zhenkai Liang 4 and Mike Reiter 2 1 Indiana.

Similar presentations

Ads by Google