Presentation is loading. Please wait.

Presentation is loading. Please wait.

Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe,

Published byAlexandra Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe,"— Presentation transcript:

1 Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel Larsen, Carlos Pacheco, Jeff Perkins, Martin Rinard, Frank Sherwood, Stelios Sidiroglou, Greg Sullivan, Weng-Fai Wong, Yoav Zibin

2 Problem: Your code has bugs and vulnerabilities Attack detectors exist –Code injection, memory errors (buffer overrun) Reaction: –Crash the application Loss of data Overhead of restart Attack recurs Denial of service –Automatically patch the application

3 ClearView: Security for legacy software Requirements: 1.Protect against unknown vulnerabilities 2.Preserve functionality 3.Commercial & legacy software

4 1. Unknown vulnerabilities Proactively prevent attacks via unknown vulnerabilities –“Zero-day exploits” –No pre-generated signatures –No hard-coded fixes –No time for human reaction –Works for bugs as well as attacks

5 2. Preserve functionality Maintain continuity: application continues to operate despite attacks For applications that require high availability –Important for mission-critical applications –Web servers, air traffic control, communications Technique: create a patch (repair the application) –Patching is a valuable option for your toolbox

6 3. Commercial/legacy software No modification to source or executables No cooperation required from developers –Cannot assume built-in survivability features –No source information (no debug symbols) x86 Windows binaries

7 Learn from success and failure Normal executions show what the application is supposed to do Each attack (or failure) provides information about the underlying vulnerability Repairs improve over time –Eventually, the attack is rendered harmless –Similar to an immune system Detect all attacks (of given types) –Prevent negative consequences –First few attacks may crash the application

8 Attack detector Repair Learning all executions patch Pluggable detector, does not depend on learning attacks (or bugs) normal executions predictive constraints Learn normal behavior (constraints) from successful runs Check constraints during attacks Patch to re-establish constraints Evaluate and distribute patches True on every good run False during every attack Detect, learn, repair Restores normal behavior [Lin & Ernst 2003] Our focus

9 A deployment of ClearView (Server may be replicated, distributed, etc.) Encrypted, authenticated communication Server Community machines Threat model does not (yet!) include malicious nodes

10 Learning normal behavior … copy_len ≤ buff_size … Clients send inference results Server Community machines Server generalizes (merges results) Clients do local inference Observe normal behavior Generalize observed behavior copy_len < buff_size copy_len ≤ buff_size copy_len = buff_size

11 Attack detection & suppression Detector collects information and terminates application Server Community machines Detectors used in our research: –Code injection (Memory Firewall) –Memory corruption (Heap Guard) Many other possibilities exist

12 Learning attack behavior Server Violated: copy_len ≤ buff_size Instrumentation continuously evaluates learned behavior What was the effect of the attack? Community machines Clients send difference in behavior: violated constraints Server correlates constraints to attack

13 Repair Candidate patches: 1.Set copy_len = buff_size 2.Set copy_len = 0 3.Set buff_size = copy_len 4.Return from procedure Server Propose a set of patches for each behavior that predicts the attack Community machines Predictive: copy_len ≤ buff_size Server generates a set of patches

14 Repair Server Patch 1 Patch 3 Patch 2 Distribute patches to the community Community machines Ranking: Patch 1: 0 Patch 2: 0 Patch 3: 0 …

15 Repair Ranking: Patch 3: +5 Patch 2: 0 Patch 1: -5 … Server Patch 1 failed Patch 3 succeeded Evaluate patches Success = no detector is triggered When attacked, clients send outcome to server Community machines Detector is still running on clients Server ranks patches

16 Repair Server Patch 3 Server redistributes the most effective patches Redistribute the best patches Community machines Ranking: Patch 3: +5 Patch 2: 0 Patch 1: -5 …

17 Outline Overview Learning normal behavior Learning attack behavior Repair: propose and evaluate patches Evaluation: adversarial Red Team exercise Conclusion

18 Learning normal behavior Clients send inference results Community machines Server generalizes (merges results) Clients do local inference Generalize observed behavior … copy_len ≤ buff_size … Server copy_len < buff_size copy_len ≤ buff_size copy_len = buff_size

19 Dynamic invariant detection Daikon generalizes observed program executions Many optimizations for accuracy and speed –Data structures, code analysis, statistical tests, … We further enhanced the technique copy_len < buff_size copy_len ≤ buff_size copy_len = buff_size copy_len ≥ buff_size copy_len > buff_size copy_len ≠ buff_size copy_len: 22 buff_size: 42 copy_len < buff_size copy_len ≤ buff_size copy_len = buff_size copy_len ≥ buff_size copy_len > buff_size copy_len ≠ buff_size Candidate constraints:Remaining candidates: Observation:

20 Quality of inference results Not sound –Overfitting if observed executions are not representative Not complete –Templates are not exhaustive Useful! Unsoundness is not a hindrance –Does not affect attack detection –For repair, mitigated by the correlation step –Continued learning improves results

21 Outline Overview Learning normal behavior Learning attack behavior Repair: propose and evaluate patches Evaluation: adversarial Red Team exercise Conclusion

22 Detecting attacks (or bugs) Goal: detect problems close to their source Code injection (Determina Memory Firewall) –Triggers if control jumps to code that was not in the original executable Memory corruption (Heap Guard) –Triggers if sentinel values are overwritten These have low overhead and no false positives Other detectors are possible

23 Learning from failures Each attack provides information about the underlying vulnerability –That it exists –Where it can be exploited –How the exploit operates –What repairs are successful

24 Attack detection & suppression Server Community machines Detector collects information and terminates application

25 Learning attack behavior Server Community machines scanf read_input process_record main Detector collects information and terminates application Client sends attack info to server Where did the attack happen? Detector maintains a shadow call stack

26 Learning attack behavior Clients install instrumentation Server scanf read_input process_record main Server generates instrumentation for targeted code locations Server sends instru- mentation to all clients Checking for main, process_record, … Extra checking in attacked code Check the learned constraints Community machines

27 Learning attack behavior Server Violated: copy_len ≤ buff_size Instrumentation continuously evaluates inferred behavior What was the effect of the attack? Community machines Clients send difference in behavior: violated constraints Server correlates constraints to attack Predictive: copy_len ≤ buff_size

28 Correlating attacks & constraints Check constraints only at attack sites –Low overhead A constraint is predictive of an attack if: –The constraint is violated iff the attack occurs Create repairs for each predictive constraint –Re-establish normal behavior

29 Outline Overview Learning normal behavior Learning attack behavior Repair: propose and evaluate patches Evaluation: adversarial Red Team exercise Conclusion

30 Repair Server Patch 1 Patch 3 Patch 2 Distribute patches to the community Success = no detector is triggered Community machines Ranking: Patch 1: 0 Patch 2: 0 Patch 3: 0 … Patch evaluation uses additional detectors (e.g., crash, difference in attack)

31 Attack example Target: JavaScript system routine (written in C++) –Casts its argument to a C++ object, calls a virtual method –Does not check type of the argument Attack supplies an “object” whose virtual table points to attacker-supplied code Predictive constraint at the method call: –JSRI address target is one of a known set Possible repairs: –Call one of the known valid methods –Skip over the call –Return early

32 Repair example if (! (copy_len ≤ buff_size)) copy_len = buff_size; The repair checks the predictive constraint –If constraint is not violated, no need to repair –If constraint is violated, an attack is (probably) underway The patch does not depend on the detector –Should fix the problem before the detector is triggered Repair is not identical to what a human would write –Unacceptable to wait for human response

33 Example constraints & repairs v 1  v 2 if (!(v 1  v 2 )) v 1 = v 2 ; v  c if (!(v  c)) v = c; v  { c 1, c 2, c 3 } if (!(v==c 1 || v==c 2 || v==c 3 )) v = c i ; Return from enclosing procedure if (!(…)) return; Modify a use: convert “ call *v ” to if (…) call *v; Constraint on v (not negated)

34 Evaluating a patch In-field evaluation –No attack detector is triggered –No other behavior deviations E.g., crash, application invariants Pre-validation, before distributing the patch: Replay the attack +No need to wait for a second attack +Exactly reproduce the problem –Expensive to record log; log terminates abruptly –Need to prevent irrevocable effects –Delays distribution of good patches Run the program’s test suite –May be too sensitive –Not available for commercial software

35 Outline Overview Learning normal behavior Learning attack behavior Repair: propose and evaluate patches Evaluation: adversarial Red Team exercise Conclusion

36 Red Team Red Team attempts to break our system –Hired by DARPA; 10 engineers Red Team created 10 Firefox exploits –Each exploit is a webpage –Firefox executes arbitrary code –Malicious JavaScript, GC errors, stack smashing, heap buffer overflow, uninitialized memory

37 Rules of engagement Firefox 1.0 –ClearView may not be tuned to known vulnerabilities –Focus on most security-critical components No access to a community for learning Red Team has access to all ClearView materials –Source code, documents, learned invariants, …

38 ClearView was successful Detected all attacks, prevented all exploits For 7/10 vulnerabilities, generated a patch that maintained functionality –No observable deviation from desired behavior –After an average of 4.9 minutes and 5.4 attacks Handled polymorphic attack variants Handled simultaneous & intermixed attacks No false positives Low overhead for detection & repair

39 3 un-repaired vulnerabilities Consequence: Application crashes when attacked. No exploit occurs. 1.ClearView was mis-configured: didn’t try repairs in all procedures on the stack 2.Learning suite was too small: a needed constraint was not statistically significant 3.A needed constraint was not built into Daikon

40 Outline Overview Learning normal behavior Learning attack behavior Repair: propose and evaluate patches Evaluation: adversarial Red Team exercise Conclusion

41 Limitations ClearView might fail to repair an error: –Only fixes errors for which a detector exists –Daikon might not learn a needed constraint –Predictive constraint may be too far from error –Built-in repairs may not be sufficient ClearView might degrade the application: –Patch may impair functionality –Attacker may subvert patch –Malicious nodes may induce bad patches Bottom line: Red Team tried unsuccessfully

42 Related work Attack detection: ours are mostly standard –Distributed: Vigilante [Costa], live monitoring [Kıcıman], statistical bug isolation [Liblit] Learning –FSMs of system calls for anomaly detection –Invariants: [Lin], [Demsky], Gibraltar [Baliga] –System configuration: FFTV [Lorenzoli], Dimmunix [Jula] Repair & failure tolerance –Checkpoint and replay: Rx [Qin], microreboot [Candea] –Failure-oblivious [Rinard], ASSURE [Sidiroglou]

43 Credits Saman Amarasinghe Jonathan Bachrach Michael Carbin Michael Ernst Sung Kim Samuel Larsen Carlos Pacheco Jeff Perkins Martin Rinard Frank Sherwood Stelios Sidiroglou Greg Sullivan Weng-Fai Wong Yoav Zibin Subcontractor: Determina, Inc. Funding: DARPA (PM: Lee Badger) Red Team: SPARTA, Inc.

44 Contributions ClearView: framework for patch generation –Pluggable detection, learning, repair 1.Protects against unknown vulnerabilities –Learns from success –Learns from failure: what, where, how –Learning focuses effort where it is needed 2.Preserves functionality: repairs the vulnerability 3.Commercial software: Windows binaries Evaluation via a Red Team exercise

Download ppt "Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe,"

Similar presentations

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.

1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.

By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.

Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Zichao Qi, Fan Long, Sara Achour, and Martin Rinard MIT CSAIL

Zichao Qi, Fan Long, Sara Achour, and Martin Rinard MIT CSAIL
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.

Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Address Space Layout Permutation

Address Space Layout Permutation
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
Www.aqualab.cs.northwestern.edu Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Similar presentations

Ads by Google