Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.

Published byBertina Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu."— Presentation transcript:

1 Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu

2 1.Do some statistics on Cisco Advisories. – Classification methodology (on-going) 2.Classify the Advisories in various ways. – Read and classify Cisco advisories (on-going) 3.Select one Advisory from each category. 4.Find the root cause by reading program diff files, engineering notes, or interview development engineers. 5.For each Advisory/vulnerability category, develop ways to parse programs to look for such vulnerability. 6.Write the parser with the above detection capability. Approach 2Fan-Cheng Wu

3 Initial start Weekly report 2007/08/17 3Fan-Cheng Wu

4 Weekly Report 4Fan-Cheng Wu

5 Cisco Advisories 5Fan-Cheng Wu

6 Example for Vulnerability Classification Characteristic tree for protocol vulnerabilities A network time protocol (NTP) exploit 6Fan-Cheng Wu

7 Analyzing Cisco Advisories Weekly report 2007/08/23 7Fan-Cheng Wu

8 Outline Overview Cisco advisories Classifying Cisco advisories Tools to detect problems in code Secure coding 8Fan-Cheng Wu

9 Overview Cisco Advisories What information does Cisco advisory provide? – For example: [Multiple Vulnerabilities in the IOS FTP server] Table of Content 9Fan-Cheng Wu

10 Overview Cisco Advisories (cont.) Details  Cause Impact  Symptom Cause Symptom Protocol 10Fan-Cheng Wu

11 Overview Cisco Advisories (cont.) Vulnerability Scoring Details 11Fan-Cheng Wu

12 Example for Vulnerability Classification Characteristic tree for protocol vulnerabilities A network time protocol (NTP) exploit 12Fan-Cheng Wu

13 Classifying Cisco Advisory For example: [Multiple Vulnerabilities in the IOS FTP server] – Information in advisory Protocol, Cause, Symptom, Access, Impact … – Impossible to classify advisory by Improper authorization checking in IOS FTP server IOS reload when transferring files via FTP Design flaw? Implementation flaw? 13Fan-Cheng Wu

14 Detecting Vulnerability Design flaw – Function extraction [1] Implementation flaw – Secure coding [2] [1] Pleszkoch, M. & Linger, R. “Improving Network System Security with Function Extraction Technology for Automated Calculation of Program Behavior.” IEEE Computer Society Press, 2004. [2] “Secure coding,” http://www.securecoding.cert.org/ 14Fan-Cheng Wu

15 Detecting Design Flaw 15Fan-Cheng Wu

16 Implementation flaw Language – C Preprocessor Memory management Array … – C++ 16Fan-Cheng Wu

17 Classification Methodology for Vulnerability Weekly report 2007/09/14 17Fan-Cheng Wu

18 Outline Previous work – Landwehr’s taxonomies [1] – Bishop’s taxonomies [2] – Piessen’s taxonomy [4] – Du’s categorization [3] – Engle’s tree classification[5] Applying Engle’s scheme to Cisco advisory 18Fan-Cheng Wu Consider single dimension Consider multiple dimensions

19 By Genesis By Time of introduction By Location Landwehr’s taxonomies 19Fan-Cheng Wu Ambiguous ill-defined

20 Describing the vulnerabilities in a form which useful for the intrusion detection mechanisms Each vulnerability is classified by – The nature of the flaw – The time of introduction – The exploitation domain of the vulnerability – The effect domain – … Bishop’s taxonomies 20Fan-Cheng Wu

21 Classifying with software life-cycle Piessen’s taxonomy 21Fan-Cheng Wu

22 Describing security flaw in several area Categorization of sample security flaws Du’s categorization 22Fan-Cheng Wu

23 Vulnerabilities may fall into multiple classes. Classification steps: 1.Define characteristic set for vulnerability 2.Create characteristic tree by bottom-up approach 3.Classify vulnerability For example: Engle’s tree classification 23Fan-Cheng Wu Complete characteristic tree Characteristic tree for {Q, Heart} Step 1 Step 2

24 A table for summarizing previous works (not ready) Previous Works 24Fan-Cheng Wu

25 Complete Characteristic Tree for exploit 25Fan-Cheng Wu Exploit VulnerabilitySymptoms Landwehr's taxonomy Genesis Landwehr's taxonomy Time of introduction DoS Privilege escalation Information Disclosure DesignMaintenanceTrojan horseTrapdoor

26 Classifying CSCek55259 26Fan-Cheng Wu Exploit CSCek55259 VulnerabilitySymptoms GenesisTime of introduction Privilege escalation Specification/Design Identification/Auth entication … InadvertentDuring Development Improper authorization checking in IOS FTP

27 1.Landwehr CE, Bull AR, McDermott JP, et al. "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, 1994,26(3):211-254. 2.Matt Bishop, "A Taxonomy of UNIX System and Network Vulnerabilities," Technical Report CSE-95-10, Department of Computer Science, University of California at Davis, May 1995. 3.Du W,Mathur A P, "Categorization of software errors that led to security breaches," Proceedings of the 21st National Information Systems Security Conference (NISSC' 98), 1998. 4.F. Piessens, "A taxonomy of causes of software vulnerabilities in Internet software," Proceedings of the. 13th International Symposium on Software Reliability Engineering, Annapolis, Maryland, USA, November 2002. 5. Sophie Engle, Sean Whalen, Damien Howard, "Tree Approach to Vulnerability Classification", Technical Report CSE-2006-10, Dept. of Computer Science, University of California at Davis, May 2006. Reference 27Fan-Cheng Wu

28 28Fan-Cheng Wu Exploit CSCek55259 VulnerabilitySymptoms GenesisTime of introduction DoS Privilege escalation Specification/Design Identification/Auth entication … InadvertentDuring Development

29 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits [1] Weekly report 2007/09/28 29Fan-Cheng Wu [1] Newsome J,Song D. Dynamic Taint Analysis for Automatic Detection,Analysis, and Signature Generation of Exploits on Commodity Software. Proceedings of the 12th Annual Network and Distributed System Security Symposium(NDSS 2005), 2005

30 Goal – Fine-grained attack detector for commodity software – Automatic tools for signature generation Design and Implementation Evaluation – Precision – Performance Attack Detector Automatic Signature Generation Outline 30Fan-Cheng Wu

31 Fine-grained attack detector for commodity software – Fine-grained attack detector – No need to recompile source code and libraries Automatic tools for signature generation Goal 31Fan-Cheng Wu

32 In order to monitor program in run-time, we run PUT(program under test) on a virtual machine. Valgrind [2] – An open-source virtual machine on Linux – Providing skin(tool) mechanism to instrument program in various ways TaintCheck, a skin of Valgrind that – marks untruthful input as tainted (TaintSeed) – traces tainted data (TaintTracker) – checks whether policies is violated by instructions (TaintAssert) Monitoring program in run-time 32Fan-Cheng Wu [2] Valgrind, http://valgrind.org/

33 System Architecture 33Fan-Cheng Wu Hardware OS Program Under Test Valgrind Exploit Analyzer Analyzing TaintAssert’s log to useful information about how the exploit happened Basic Infrastructure [Skin ] MemCheck

34 False Positive Possible cause of false positive – The program contains a vulnerability that should be fixed – The program performs sanity checks on the tainted data before it is used Evaluation – Tested 13 programs – False positive is produced in 2 programs when reading data from configuration file as an offset to a jump address Fan-Cheng Wu34

35 Possible cause of false negative – Tainted attribute of flags is not considered, for example: Suppose x is tainted if ( x == 1 ) y=1; else if ( x == 2 ) y=2; … is semantically the same as x = y – Tainted data is used as an index into a table. – TaintCheck is configured to trust input that should not be trusted. False Negative 35Fan-Cheng Wu

36 CPU-bound: bzip2 Short-lived: cfingerd Performance 36Fan-Cheng Wu

37 Common case: Apache Performance (cont.) 37Fan-Cheng Wu

38 Performance overhead Using TaintCheck with – sampling – anomaly detection Attack Detector 38Fan-Cheng Wu

39 Identifying the value used to overwrite a function pointer or return address Automatic Signature Generation 39Fan-Cheng Wu

Download ppt "Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu."

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.

Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Software Faults and Fault Injection Models --Raviteja Varanasi.

Software Faults and Fault Injection Models --Raviteja Varanasi.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31.

Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October /9/31.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google