Published by Moses Gregory. Modified over 9 years ago.
1
Packet Vaccine: Black-box Exploit Detection and Signature Generation
Su Yong Kim
2
Contents
Stack Overflow Example
Packet Vaccine
Evaluation
Limitation
Conclusion
3
Vulnerable Program

#include <string.h>

void foo (char *bar)
{
    char c[12];
    strcpy(c, bar); // no bounds checking...
}

int main (int argc, char **argv)
{
    if (argc < 2)   /* guard: strcpy on a missing argv[1] would dereference NULL */
        return 1;
    foo(argv[1]);
    return 1;
}
4
Stack Layout Just After calling foo()
5
Stack Layout Example Calling foo(“hello”)
6
Stack Overflow Example I
Direct Jump: calling foo(“AA……”) overwrites the saved return address with the address to jump to directly.
7
Stack Overflow Example II
Indirect Jump: calling foo(“AA……”). The saved return address is overwritten with the bytes \x49 \xcf \x8e \x7e (little-endian 0x7e8ecf49), an address in a code section that holds FF D4 (jmp esp), so control passes to wherever esp points.
8
Stack Overflow Example III
Return into Library: calling foo(“AA……”). The saved return address is overwritten with the bytes \xAD \x23 \x86 \x7C (little-endian 0x7C8623AD), the address of the WinExec API in Kernel32.dll.
9
Main Idea
Detect any packet that contains an address-like string.
Test whether an anomalous packet is malicious:
1. Scramble the address-like string in the packet.
2. Send the scrambled packet to the target server.
3. If an exception occurs on the target server, drop the original packet and generate a signature.
4. If no exception occurs, send the original packet to the target server.
10
Detecting Anomalous Packets
Key idea: check every 4-byte sequence (32-bit system) in a packet's application payload and detect a jump address that could redirect the control flow of a vulnerable program.
Jump addresses: the stack & heap address range, and the address range of global libraries such as msvcrt.dll or libc.so (system(), execve()).
Empirical study on Linux: 0xbfff0000 to 0xbfffffff for the stack, 0x to 0x08ffffff for the heap.
11
Determining Stack & Heap Address Range
Monitor the stack and heap usage of the protected program, then calculate the ranges:
Stack: from (stack base address − α × typical stack maximum usage) to the stack base address, α > 1
Heap: from the heap base address to (heap base address + α × typical heap maximum usage), α > 1
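As an added illustration of slides 10 and 11 (example code written for this page, not the Packet Vaccine authors' implementation): the range calculation from monitored stack and heap usage, and a scanner that slides a 4-byte window over the application payload looking for values inside those ranges. The sample payloads are constructed; the heap lower bound 0x08000000, the base addresses and usage figures in the test, and the choice of α = 2 are assumptions.

```python
import struct

# Empirical Linux ranges quoted on slide 10. The slide's heap lower bound did not survive
# extraction, so 0x08000000 here is an assumption.
STACK_RANGE = (0xBFFF0000, 0xBFFFFFFF)
HEAP_RANGE = (0x08000000, 0x08FFFFFF)


def address_ranges(stack_base, stack_max_usage, heap_base, heap_max_usage, alpha=2.0):
    """Slide 11: the stack grows down from its base and the heap grows up from its base;
    alpha > 1 pads the typical maximum usage observed while monitoring the program."""
    if alpha <= 1:
        raise ValueError("alpha must exceed 1 so the range covers more than typical usage")
    stack = (stack_base - int(alpha * stack_max_usage), stack_base)
    heap = (heap_base, heap_base + int(alpha * heap_max_usage))
    return stack, heap


def address_like_sequences(payload, ranges, word_size=4):
    """Every 4-byte window (at every byte offset, not just aligned ones) whose little-endian
    value falls inside one of the ranges, returned as (offset, value) pairs."""
    hits = []
    for off in range(len(payload) - word_size + 1):
        value = int.from_bytes(payload[off:off + word_size], "little")
        if any(lo <= value <= hi for lo, hi in ranges):
            hits.append((off, value))
    return hits


def is_anomalous(payload, ranges=(STACK_RANGE, HEAP_RANGE)):
    """Slide 9: a packet with any address-like string is anomalous and goes to vaccine testing."""
    return bool(address_like_sequences(payload, ranges))


# Constructed sample payloads: a normal request, and one that carries a stack address
# 16 bytes into an oversized field (the shape sketched on slide 13).
BENIGN = b"GET /index.html HTTP/1.0\r\n"
EXPLOIT = b"GET /default.ida?" + b"A" * 16 + struct.pack("<I", 0xBFFFF3C0) + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    print(is_anomalous(BENIGN), address_like_sequences(EXPLOIT, (STACK_RANGE, HEAP_RANGE)))
```

The window is read little-endian, so its high byte is the last byte of the window; printable ASCII never exceeds 0x7f, which is why the plain-text request produces no hit and why binary protocols (the author's own limitation on slide 25) are where false positives come from. Windows are checked at every byte offset because nothing forces an injected address to sit 4-byte aligned in the payload.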
12
Making Packet Vaccine
Packet Vaccine: a weakened exploit packet with its important elements scrambled.
Issues:
Preserving the exploit semantics: the control flow should not be changed.
Preventing & detecting malicious behavior by the exploit: scramble some fields of the exploit.
13
Preserving the exploit semantics
(Control-flow sketch of the vulnerable program) Does the user's input contain “GET”? Does the user's input contain “/default.ida”? Call strcpy.
14
Preventing & Detecting Malicious Behavior
After scrambling (shown as \x41), the exploit fails and an exception happens.
15
Detecting Exploit
If an exception occurs on the protected program:
Correlate the exception with one of the byte sequences being scrambled: the value of the EIP or CR2 register == the byte sequence.
Validate the correlation: randomize all bytes of the byte sequence and check whether the exception happens again.
16
Generating Signature (1/2)
Application-independent signature generation:
Generate packet vaccines by randomizing each byte except the scrambled jump address.
Test them in the vulnerable application.
If no exception occurs, record the randomized byte as a signature token.
Repeat for all bytes except the scrambled jump address.
Signature: signature tokens + target address set.
Good performance: small size of the exploit, parallel testing, and a block-searching technique.
17
Generating Signature (2/2)
Using protocol information:
Identify the application field that includes the jump address.
Estimate that field's length using the number of bytes prior to the address.
Iteratively alter the field size to generate new vaccines: if a new vaccine makes the exception disappear, increase the size; otherwise, shrink the size.
Signature form: (application, command, field.name, max.field.size)
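The detection and signature-generation steps of slides 12 through 17, as added Python example code written for this page (it is not the Packet Vaccine implementation). The protected program is a constructed mock of the slide-13 server: it checks for the “GET /default.ida?” prefix and copies the rest into a 16-byte frame, so the 4 bytes at field offset 16 become the return address; a return address inside the slide-10 jump ranges models a successful hijack, anything else raises a fault carrying the EIP, which is what the host collector would report. The sample packets, the prefix, the heap lower bound, the second scramble value 0x42, the block size of 8, and the signature labels “example-app” and “uri” are all assumptions.

```python
import random
import struct

# Jump-address ranges the detector scans for (slide 10); the heap lower bound is assumed.
JUMP_RANGES = [(0xBFFF0000, 0xBFFFFFFF), (0x08000000, 0x08FFFFFF)]
PREFIX = b"GET /default.ida?"   # request shape sketched on slide 13 (constructed protocol)
SCRAMBLE = b"\x41" * 4          # slide 14: the scrambled jump address becomes \x41 bytes
# Constructed sample traffic: the exploit puts a stack address 16 bytes into the field.
EXPLOIT = PREFIX + b"A" * 16 + struct.pack("<I", 0xBFFFF3C0) + b" HTTP/1.0\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n"

class Fault(Exception):
    """Crash of the protected program; args[0] is the EIP the host collector reports."""

def mock_server(packet):
    """Constructed stand-in for the vulnerable program of slide 13: the bytes after PREFIX
    are strcpy'd into a 16-byte frame, so field[16:20] overwrites the saved return address."""
    if not packet.startswith(PREFIX):
        return "ignored"                  # exploit semantics broken: nothing happens
    field = packet[len(PREFIX):]
    if len(field) < 20:
        return "ok"                       # fits in the frame
    ret = struct.unpack_from("<I", field, 16)[0]
    if any(lo <= ret <= hi for lo, hi in JUMP_RANGES):
        return "hijacked"                 # real exploit: control flow redirected, no exception
    raise Fault(ret)                      # scrambled return address: the program crashes

def address_offsets(packet, ranges=JUMP_RANGES):
    """Offsets of every 4-byte window whose little-endian value falls in a jump-address range."""
    return [o for o in range(len(packet) - 3)
            if any(lo <= struct.unpack_from("<I", packet, o)[0] <= hi for lo, hi in ranges)]

def make_vaccine(packet, offsets, filler=SCRAMBLE):
    """Weakened copy of the packet: each address-like sequence replaced by the filler."""
    buf = bytearray(packet)
    for o in offsets:
        buf[o:o + 4] = filler
    return bytes(buf)

def exception_of(packet):
    """Faulting EIP, or None if the protected program survived the packet."""
    try:
        mock_server(packet)
        return None
    except Fault as f:
        return f.args[0]

def detect_exploit(packet):
    """Slides 12-15: scramble, test, correlate the faulting EIP with one scrambled sequence,
    then re-scramble that sequence alone with different bytes to validate the correlation."""
    offsets = address_offsets(packet)
    vaccine = make_vaccine(packet, offsets)
    eip = exception_of(vaccine)
    if eip is None:
        return None                       # no exception: the original packet may be forwarded
    for o in offsets:
        if struct.unpack_from("<I", vaccine, o)[0] != eip:
            continue                      # EIP does not equal this scrambled sequence
        if exception_of(make_vaccine(packet, [o], b"\x42" * 4)) == 0x42424242:
            return o                      # the exception follows the bytes: exploit confirmed
    return None

def token_signature(vaccine, addr_offset, block=8, seed=0):
    """Slide 16: a byte is a signature token if randomizing it makes the exception disappear.
    Block searching: randomize a whole block first; if the exception survives, skip its bytes."""
    rng, fixed = random.Random(seed), set(range(addr_offset, addr_offset + 4))
    def randomized(positions):            # every listed byte replaced by a different random byte
        buf = bytearray(vaccine)
        for p in positions:
            buf[p] = rng.choice([b for b in range(256) if b != vaccine[p]])
        return bytes(buf)
    tokens = []
    for start in range(0, len(vaccine), block):
        positions = [p for p in range(start, min(start + block, len(vaccine))) if p not in fixed]
        if positions and exception_of(randomized(positions)) is None:
            tokens += [p for p in positions if exception_of(randomized([p])) is None]
    groups = []                           # merge adjacent token bytes into (offset, bytes) pairs
    for p in tokens:
        if groups and p == groups[-1][0] + len(groups[-1][1]):
            groups[-1] = (groups[-1][0], groups[-1][1] + vaccine[p:p + 1])
        else:
            groups.append((p, vaccine[p:p + 1]))
    return groups

def field_size_signature(vaccine, prefix, addr_offset, application="example-app", field_name="uri"):
    """Slide 17: start from the number of bytes before the address, grow the field when the
    exception disappears and shrink it otherwise; max.field.size is one below the smallest crashing size."""
    def crashes(n):                       # n filler bytes: the scrambled address sits at the end
        return exception_of(prefix + b"\x41" * n) is not None
    lo, hi = 0, len(vaccine) - len(prefix)  # the vaccine's own field size is known to crash
    estimate = addr_offset - len(prefix)
    lo, hi = (lo, estimate) if crashes(estimate) else (estimate, hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if crashes(mid) else (mid, hi)
    return (application, vaccine.split(b" ", 1)[0].decode(), field_name, hi - 1)
```

Run against EXPLOIT, detect_exploit confirms the scrambled sequence at offset 33; token_signature yields the single token “GET /default.ida?” at offset 0, because the filler bytes can be randomized without losing the exception and so never become tokens; field_size_signature reports a max.field.size of 19, since a 20-byte field is the smallest that reaches the return address. The block search skips the whole filler region after one test, which is the saving the slide's block-searching remark refers to; in a real deployment every exception_of call is a round trip to the test server, so the number of such calls is the cost that parallel testing amortizes.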
18
Signature Quality Evaluation
Comparison target: Brumley's approach, which generates a signature on the basis of static analysis of the vulnerable program's binary code.
Comparison measure: the source code of the vulnerable application.
19
Quality of the Token-Sequence Signature
Vulnerable program: BIND 8.2.2
Signature result (figure)
20
Quality of the Application-level Signature
Vulnerable program: ATP-httpd
Brumley's signature: command GET or HEAD; max.field.size 812 bytes; performance more than a second.
Packet Vaccine: command GET; max.field.size 703 bytes; performance: seconds.
21
In Summary
Brumley's approach is more accurate than Packet Vaccine.
Packet Vaccine is nearly as accurate as Brumley's approach when Packet Vaccine can use multiple exploits.
Brumley's approach cannot be used on obfuscated binaries, while Packet Vaccine can.
Packet Vaccine is significantly faster.
22
Performance Evaluation
Experiment environment: protected program Apache on Linux; performance tester ApacheBench dev; architecture (figure).
23
Server overheads (chart)
Configurations compared: Apache; Apache + proxy; Apache + proxy + packet vaccine.
D0, D1: on different hosts. S0, S1: on the same host.
24
Client-side Delay
Local round trip delay: 300 μs
Remote round trip delay: 75 ms
25
Limitation by Author
False negatives in exploit detection if the packet vaccine destroys the exploit semantics, especially for binary protocols.
Difficult to apply to packets with encrypted payloads or checksums: an application-level proxy is needed.
Less expressive signature: describing the exploit condition is impossible.
26
Limitation by Presenter
An alphanumeric return address can be used to fool Packet Vaccine.
Exceptions are more common than exploitable vulnerabilities.
Packet Vaccine is highly application-dependent: the heap & stack sizes must be recalculated whenever the application is updated, syntax tokens must be gathered, and the decoding mechanism is not simple.
It is difficult to protect a single-threaded application with Packet Vaccine: a test server is needed, and parallel vaccine testing is impossible.
27
Conclusion
Black-box exploit detection.
Effective signature generation.
Low false positives by using host information.
Low overhead and easy deployment: only a lightweight collector needs to be installed on the host to gather forensic data from an exception.
28
Q&A Thanks for Listening!