Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Vaccine: Black-box Exploit Detection and Signature Generation

Published byMoses Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "Packet Vaccine: Black-box Exploit Detection and Signature Generation"— Presentation transcript:

1 Packet Vaccine: Black-box Exploit Detection and Signature Generation
Su Yong Kim

2 Contents Stack Overflow Example Packet Vaccine Evaluation Limitation
Conclusion

3 Vulnerable Program void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) foo(argv[1]); return 1;

4 Stack Layout Just After calling foo()

5 Stack Layout Example Calling foo(“hello”)

6 Stack Overflow Example I
Calling foo(“AA……”) Direct Jump

7 Stack Overflow Example II
Indirect Jump Calling foo(“AA……”) esp Code Section Ox 7e8ecf49 FF D4 (jmp esp) \x49 \xcf \x8e \x7e

8 Stack Overflow Example III
Return into Library Calling foo(“AA……”) Ox 7C8623AD Kernel32.dll Ox 7C8623AD WinExec API \xAD \x23 \x86 \x7C

9 Main Idea Detect the packet with any address-like string
Test if an anomalous packet is malicious or not Scrambling the address-like string of the packet Send the packet into the target server If any exception will occur on the target server, drop the original packet and generate a signature If no exception, send the original packet into the target server

10 Detecting Anomalous Packets
Key Idea Check every 4-byte existing-sequence(32 bit system) in a packet’s application payload Detect a jump address to redirect the control flow of a vulnerable program Jump Address Stack & Heap address range Address range of the global libraries such as msvcrt.dll or libc.so system(), execve() Empirical study on Linux 0xbfff0000 to 0xbfffffff for the stack 0x to 0x08ffffff for the heap

11 Determining Stack & Heap Address range
Monitor stack and heap usage of the protected program Calculate stack heap address range From Stack base address – α * (typical stack maximum usage), α > 1 To Stack base address Heap base address Heap base address + α * (typical heap maximum usage), α > 1

12 Making Packet Vaccine Packet Vaccine Issues
Weakened exploit packet with important elements scrambled Issues Preserving the exploit semantics Control flow should not be changed Preventing & Detecting malicious behavior by the exploit Scrambling some fields of the exploit

13 Preserving the exploit semantics
Does User’s Input contains “GET”? Does User’s Input contains “/default.ida”? Call strcpy

14 Preventing & Detecting Malicious Behavior
After scrambling Exploit fails Exception happens \x41

15 Detecting Exploit If an exception occurs on protected program
Correlate the exception with one of the byte sequences being scrambled Value of EIP or CR2 regster == byte sequence Validate the correlation Randomize all bytes of byte sequence Check whether the exception happens again

16 Generating Signature(1/2)
Application-independent Signature Generation Generates packet vaccines randomizing each byte except scrambled jump address Test them in the vulnerable application If no exception, record the randomized byte as a signature token Repeat all bytes except scrambled jump address Signature : Signature Tokens + Target Address Set Good Performance : Small size of exploit, Parallel testing and Block-searching technique

17 Generating Signature(2/2)
Using Protocol Information Identify the application field that includes the jump address Estimate that field’s length using the number of the bytes prior to the address Iteratively alters the field size to generate new vaccines If a new vaccine makes the exception disappear, increate the size Otherwize, shrink the size Signature form (application, command, field.name, max.field.size)

18 Signature Quality Evaluation
Comparison Target Brumley’s approach to generate a signature on the basis of static analysis of a vulnerable program’s binary code Comparison Measure Source code of vulnerable application

19 Quality of the Token-Sequence Signature
Vulnerable Program BIND 8.2.2 Signature Result

20 Quality of the Application-level Signature
Vulnerable Program ATP-httpd Brumley’s Signature Command : GET or HEAD Max.field.size : 812 bytes Performance : more than a second Packet Vaccine Command : GET Max.field.size : 703 bytes Performance : seconds

21 In Summary Brumley’s approach is more accurate than Packet Vaccine
Packet Vaccine is nearly as accurate as Brumley’s approach when Packet Vaccine can use multiple exploits Brumley’s approach cannot be used in obfuscated binaries, while Packet Vaccine can Packet Vaccine is significantly faster

22 Performance Evaluation
Experiments Environment Protected Program Apache on Linux Performance Tester ApacheBench dev Architecture

23 Apache, proxy, packet vaccine
Server overheads D0, D1 : On different hosts S0, S1 : On the Same host Apache Apache, proxy Apache, proxy, packet vaccine Apache, proxy Apache, proxy, packet vaccine

24 Client-side Delay Local Round Trip Delay : 300μs
Remote Round Trip Delay : 75ms

25 Limitation by Author False negative in exploit detection
If packet vaccine destroy the exploit semantics Especially for binary protocol Difficulty to apply on packets with encrypted payload or checksums Application-level proxy is needed Less expressive signature Description for exploit condition is impossible

26 Limitation by Presenter
Alphanumeric return address can be used to fool Packet Vaccine Exceptions are more common than exploitable vulnerabilities Packet Vaccine is so application-dependent Heap & Stack size should be calculated Whenever the application is updated Syntax tokens should be gathered Decoding mechanism is not simple It is difficult to protect single-threaded application by using Packet Vaccine Test Server is needed Parallel vaccine testing is impossible

27 Conclusion Black-box exploit detection Effective signature generation
Low false positive by using host information Low overhead and easy deployment It is needed to install only a lightweight collector to gather forensic data from an exception on the host

28 Q&A Thanks for Listening!

Download ppt "Packet Vaccine: Black-box Exploit Detection and Signature Generation"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.

Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
20065817 Su Yong Kim. Contents Domain Isolation Real-World Attacks Script Accenting Mechanism Attack Scenarios Revisited Performance Conclusion 2.

Su Yong Kim. Contents Domain Isolation Real-World Attacks Script Accenting Mechanism Attack Scenarios Revisited Performance Conclusion 2.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow.

Stack buffer overflow.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.

3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.
Signature Based Concurrency Control Thomas Schwarz, S.J. JoAnne Holliday Santa Clara University Santa Clara, CA 95053

Signature Based Concurrency Control Thomas Schwarz, S.J. JoAnne Holliday Santa Clara University Santa Clara, CA 95053
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.

General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.

Similar presentations

Ads by Google