Presentation is loading. Please wait.

Presentation is loading. Please wait.

General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's."— Presentation transcript:

1 General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's execution flow Black-box  Detect and analyze an exploit using the outputs of a vulnerable program.

2 Packet vaccine approach A black-box approach. Faster, but does not use much on data format information.

3 ShieldGen approach Gray-box approach General Gray-box approach is inherently specific to the attack input used in the data flow analysis. Generalize attack-specific symbolic predicate- based signatures to cover significantly more attack variants with data format-informed probing to the oracle in ShieldGen.

4 Packet Vaccine: Black-box Exploit Detection and Signature Generation Xiaofeng Wang, Zhuowei Li, Jun Xu, Michael K. Reiter, Chongyung Kil, Jong Youl Choi Presented by Zhaosheng Zhu

5 Outline Introduction to Packet Vaccine Related work Design of the packet vaccine mechanism Implementation and Evaluation Application (Good Points) Limitations (Bad Points) Conclusion

6 Introduction to Packet Vaccine The principle of vaccine Packet vaccine:  Identify anomalous tokens in packet payloads  Randomize the contents of tokens to get a vaccine  Generate a signature during exception

7 Design of the packet vaccine mechanism

8 Design: 1. Vaccine Generation Build a target address set: T = [b s – au s, b s ] U [b h, b h + au h ] U S Aggregate the application payloads of the packets in one session into a dataflow, carry out a proper decoding For every byte session, do replacement Construct vaccine packet using the new data flows

9 Example

10 Design: 2. Exploit Detection and Vulnerability Diagnosis Correlate each byte sequence that equals to the forensic string with the exception Validation test Randomize all byte sequences Generate new vaccine Check Repeat

11 Design: 3. Signature Generation Constructs packet vaccines or probes by randomizing address-like strings It detects exploit by observing memory exception upon packet vaccine injection Generates signatures by finding in the attack input the bytes that cannot take random values

12 Byte-based vaccine injection Can be paralleled at most cases

13 Implementation Target address set is extracted from proc files Process monitor is developed using ptrace Kernel mode is necessary for CR2 Signature generation: Prober Verifier Sequential vaccine injection (performance penalty)

14 Evaluation Linux exploits Windows-based exploits: Code Red II Heap-based overflow

15 Evaluation Comparison with MEP signatures MEP signature contains richer information Quality of MEP diminishes with the availability for multiple exploit instances and application information MEP is slower

16 Application An architecture to protect Internet servers using packet vaccine

17 Application (good points) Fast Up to an order of magnitude faster than gray-box approaches Not use source code Effective Immune to interference Low overhead No need to install anything on host Lightweight Collector

18 Limitations Its main probing scheme randomizes each byte rather than leveraging data format information Works more reliably for text-based protocols than the binary ones because of the lack of protocol knowledge for binary data formats. Briefly mentioned the benefit of leveraging protocol specifications. Unclear what type of protocol specification language considered and how protocol specifications leveraged. Can only detect control flow hijacking attacks cannot detect exploits of the WMF vulnerability

19 Conclusion Packet vaccine is a fast, blackbox technique for exploit detection But not good enough in some case. If given input data format we have better approach: ShieldGen.

20 ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing Weidong Cui Marcus Peinado Helen J. Wang Michael E. Locasto Presented by Zhaosheng Zhu

21 Outline What is ShieldGen Related work and Comparison System Design Evaluation and Performance Some future work Conclusion

22 What is ShieldGen A system for automatically generating a data patch or a vulnerability signature for an unknown vulnerability. Leverage knowledge of the data format Use data-patch instead of traditional software patch.

23 SheildGen system overview

24 Related work Poly-graph Significant false negatives and false positives Nemean Generalization is dependent on the attack instance. Covers Signatures does not contain any protocol context. Packet vaccine Randomized each byte rather than leveraging data format information. Not efficient enough. Can only detect control-flow hijacking attack

25 The Oracle: a Zero-Day Attack Detector Used the Vigilante ’ s zero-day detector Based on dynamic data flow analysis Implement three vulnerability condition Arbitrary execution control (AEC) Arbitrary code execution (ACE) Arbitrary function arguments (AFA)

26 Data Format Spec and Data Analyzer Two assumptions to the input data Data formats are known No encryption or obfuscation are used. Two types of analyzers File data: application level protocol, host-based Network data High-speed parsing w/ preprocessed protocol parser E.g., binpac and GAPA We use GAPA as our Data analyzer

27 System design Design goals No false positive Minimizing the number of false negatives Minimizing the number of probes.

28 Data patch generation

29 Some methods to reduce probes Recognizing iterative elements Obeying protocol semantics and reduce illegitimate probes. High possibility that the vulnerability predicate is only dependent on the last message

30 Probe generation algorithm Three Steps Buffer Overrun heuristic for character strings Iteration removal Eliminating irrelevant field conditions

31 Buffer overrun heuristics If the offending byte lies in the middle of a byte or unicode string then ShieldGen diagnoses a buffer overrun and adds the following condition as a refinement: sizeof(buffer) > offendingByte offset – bufferStart offset

32 Iteration removal Many popular input formats include arbitrary sequences of largely independent elements (Records). Any input which contains a malicious record is an attack. Generating probes with removing some of the iterative elements. Iterative elements can be removed if probes still exploit successfully.

33 Eliminating irrelevant field conditions Constructing probes over the remaining data fields to eliminate don ’ t-care fields and to find additional values of the data fields for which the attack succeeds. Evaluating one field at one time

34 Evaluation Run ShieldGen for three well known vulnerabilities SQL vulnerability RPC vulnerability WMF (Window Metafile) vulnerability

35 Filter quality of ShieldGen For a larger sample of real-world vulnerabilities

36 Failure cases and analysis Complex conditions Unchecked array indices Other special cases

37 Future work Quality of the data format specification In our scheme the quality of data format specification matters. Complex filter conditions

38 Future work Probing time Reference VM is preferred Attacks not delivered by the last message

39 Conclusion Leverage data information to construct new attack instance Generate high quality vulnerability signatures Fewer don ’ t care fields Fewer false negatives

40 Thanks!

Download ppt "General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's."

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.

Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University

The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.

1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.

Similar presentations

Ads by Google