Topics in Information Security, Prof. Avishai Wool

Slide 1: Intrusion Detection via Static Analysis
Ohad Ben-Cohen, ohadbc at eng.tau.ac.il

Slide 2: Based on
the paper of the same name: David Wagner and Drew Dean, "Intrusion Detection via Static Analysis", IEEE Symposium on Security and Privacy, 2001.

Slide 3: What's Wrong?

    #include <stdio.h>
    #include <stdlib.h>

    /* As on the slide: gets() places no bound on what it writes into buf */
    void sayhi(char *param) {
        char buf[96];
        printf("what's u'r name?");
        gets(buf);
        printf("hi %s!\n", buf);
    }

Slide 4: Buffer Overflow

Slide 5: The overflowed buffer redirects control into injected code.

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);            bad.

    /* evil code */
    execve("/bin/sh");

Slide 6: Intrusion Detection?
- Model of Behaviour: Rule Based, or learned from Observations
- Monitor and Alarm!
- AI / Statistical
- Statistical: False Positives
- HIDS by System Calls (k=1)

Slide 7: Example 1: OK!

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

(the injected execve never appears in the program's own system-call behaviour, so a syscall-based monitor catches it)

Slide 8: Example 2: False Positive

    fd = open("/etc/passwd");
    if (time() < YEAR2009)
        read(fd, buf, 50);
    else
        write(fd, "new-user");
    close(fd);

(a model learned from runs observed before 2009 never sees the write branch, so the legitimate write is flagged)

Slide 9: Example 3: False Negative

    char buf[50];
    if (!fork())
        execve("stam_job");
    gets(buf);
    printf("got %s\n", buf);
    exit(0);

(the program legitimately calls execve, so an execve injected through the gets() overflow looks normal)

Slide 10: Solution (four of them, not exactly)

    i = read(fd, buf, 50);
    if (i == 50) {
        write(fd, buf, 50);
    }
    close(fd);

Syscall graph: read -> write -> close, plus read -> close when the write is skipped.

1. Build a syscall graph (NDFA)
2. Monitor syscalls
3. Kill if diverges

Slide 11: Result
- Need source code
- Static, not statistical
- 0 false positives! (may have false negatives)
- Large branching factor...
- Tough computations

Slide 12: Functions

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Syscall graph: read, write, close in main; gettimeofday, settimeofday inside func.

Slide 13: Impossible Paths!
Same program. With one node per function, a return from func() may continue at either call site, so the graph admits paths the program can never take (for example read, gettimeofday, settimeofday, close, skipping the write).

Slide 14: context free grammar / stack
Same program. Modelling the call stack (a context-free grammar, i.e. a pushdown model instead of an NDFA) pairs each return with its own call site and removes the impossible paths.
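The solution of slide 10 (build a syscall graph, monitor, kill on divergence) and the impossible-paths problem of slides 13 and 14, as an added example that is not code from the slides or from the Wagner & Dean paper: a Python monitor checks constructed syscall traces against the callgraph NDFA and, with precise=True, against the abstract-stack (pushdown) model that remembers return sites. Node names m0..m5, f1, f2 and the three traces are assumptions.

```python
# Added example (not code from the slides or the Wagner & Dean paper): the
# Functions slide's program as (src, kind, arg, dst) edges; CALL/RET edges
# issue no system call and are followed silently. Node names are assumed.
SYSCALL, CALL, RET = "syscall", "call", "ret"
PROGRAM = [
    ("m0", SYSCALL, "read", "m1"),
    ("m1", CALL, "func", "m2"),              # func(); resume at m2
    ("m2", SYSCALL, "write", "m3"),
    ("m3", CALL, "func", "m4"),              # func(); resume at m4
    ("m4", SYSCALL, "close", "m5"),
    ("func", SYSCALL, "gettimeofday", "f1"),
    ("f1", SYSCALL, "settimeofday", "f2"),
    ("f2", RET, "func", None),               # return from func()
]

def closure(configs, precise):
    """Follow silent CALL/RET edges. precise=False: callgraph NDFA (a RET may resume
    at any call site). precise=True: abstract-stack PDA (CALL pushes, RET pops)."""
    seen, todo = set(configs), list(configs)
    while todo:
        node, stack = todo.pop()
        for src, kind, arg, dst in PROGRAM:
            if src != node or kind == SYSCALL:
                continue
            if kind == CALL:
                nxt = [(arg, stack + (dst,) if precise else ())]
            elif precise:
                nxt = [(stack[-1], stack[:-1])] if stack else []
            else:
                nxt = [(d, ()) for _, k, a, d in PROGRAM if k == CALL and a == arg]
            todo += [cfg for cfg in nxt if cfg not in seen]
            seen.update(nxt)
    return seen

def monitor(trace, precise):
    """True if the model permits every syscall; False where the IDS would kill."""
    configs = closure({("m0", ())}, precise)
    for syscall in trace:
        configs = closure({(dst, stack) for node, stack in configs
                           for src, kind, arg, dst in PROGRAM
                           if src == node and kind == SYSCALL and arg == syscall},
                          precise)
        if not configs:
            return False
    return True

FUNC = ["gettimeofday", "settimeofday"]            # constructed traces below
LEGIT = ["read", *FUNC, "write", *FUNC, "close"]   # the program's real run
ATTACK = ["read", "execve"]                        # injected execve: divergence
IMPOSSIBLE = ["read", *FUNC, "close"]              # returns to the wrong call site
```

Both models kill on the injected execve; only the stack-tracking model rejects the impossible trace that skips write(), which is the gap between the callgraph and precise models the Conclusions slide refers to.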
Slide 15: Real World Problems
- (*func)();  function pointers
- Signals
- setjmp();
- libraries, dynamic linking
- Threads, execve()s

Slide 16: Function Pointers

    i = read(fd, buf, 50);
    (*func)();
    close(fd);

Syscall graph: read, close; the indirect call may reach A(), B() or C().

Slide 17: Signals

    signal(i, handlerA);
    signal(j, handlerB);
    signal(k, handlerC);
    i = read(fd, buf, 50);
    close(fd);

Syscall graph: read, close; handlerA(), handlerB(), handlerC() may run at any point once installed.

Slide 18: Signals (cont.)

    i = read(fd, buf, 50);
    close(fd);

Syscall graph: read, close; handlerA(), handlerB(), handlerC().

Slide 19: setjmp/longjmp

    setjmp(x);
    i = read(fd, buf, 50);
    setjmp(y);
    close(fd);
    longjmp(?);

Syscall graph: read, close; x-state, y-state (a longjmp may resume at either saved state).

Slide 20: Experiments
- Graphs via gcc + manual fixes
- Used Java framework (JIT)
- Heavy computational task
- Stop if latencies > 1 hour
- Ignored common syscalls
- Analyze parameters, too

Slide 21: Experiments (the results figure is not reproduced in this text)

Slide 22: Conclusions
- One model per app
- Small branchings
- Precise: no impossible paths
- Mimicry attacks
- Precise models too expensive
- Java framework too slow
- Failed to run precise models

Slide 23: The End

Slide 24: Homework

    begin:
    fd = open("file");
    while (1) {
        i = read(fd, buf, 50);
        if (i) goto begin;
    }
    exit(0);

1. What is the correct callgraph? a) b) c) d) (four candidate graphs over the nodes open, read, exit; their edges are not reproduced in this text)

Slide 25: HW, cont. (tip: all answers are short!)
2. What is IDA Pro?
3. What are the sketches that make the background of this presentation? Any idea how they were created?
4. Do you think Snort (see Elad's hw) has 0 false positives like the paper claims to achieve?
5. Bonus: which movie were the two swords in the background taken from?