General approach to exploit detection and signature generation - PowerPoint PPT Presentation

About This Presentation
Title:

General approach to exploit detection and signature generation

Description:

General approach to exploit detection and signature generation White-box Need the source code Gray-box More accurate. But need to monitor a program's execution flow – PowerPoint PPT presentation

Number of Views:89
Avg rating:3.0/5.0
Slides: 41
Provided by: csNorthwe
Category:

less

Transcript and Presenter's Notes

Title: General approach to exploit detection and signature generation


1
General approach to exploit detection and
signature generation
  • White-box
  • Need the source code
  • Gray-box
  • More accurate. But need to monitor a program's
    execution flow
  • Black-box
  • Detect and analyze an exploit using the outputs
    of a vulnerable program.

2
Packet vaccine approach
  • A black-box approach.
  • Faster, but does not use much on data format
    information.

3
ShieldGen approach
  • Gray-box approach
  • General Gray-box approach is inherently specific
    to the attack input used in the data flow
    analysis.
  • Generalize attack-specific symbolic
    predicate-based signatures to cover significantly
    more attack variants with data format-informed
    probing to the oracle in ShieldGen.

4
Packet Vaccine Black-box Exploit Detection and
Signature Generation
  • Xiaofeng Wang, Zhuowei Li, Jun Xu, Michael K.
    Reiter, Chongyung Kil, Jong Youl Choi
  • Presented by Zhaosheng Zhu

5
Outline
  • Introduction to Packet Vaccine
  • Related work
  • Design of the packet vaccine mechanism
  • Implementation and Evaluation
  • Application (Good Points)
  • Limitations (Bad Points)
  • Conclusion

6
Introduction to Packet Vaccine
  • The principle of vaccine
  • Packet vaccine
  • Identify anomalous tokens in packet payloads
  • Randomize the contents of tokens to get a vaccine
  • Generate a signature during exception

7
Design of the packet vaccine mechanism
8
Design 1. Vaccine Generation
  • Build a target address set
  • T bs aus, bs U bh, bh auh U S
  • Aggregate the application payloads of the packets
    in one session into a dataflow, carry out a
    proper decoding
  • For every byte session, do replacement
  • Construct vaccine packet using the new data flows

9
Example
10
Design 2. Exploit Detection and Vulnerability
Diagnosis
  • Correlate each byte sequence that equals to the
    forensic string with the exception
  • Validation test
  • Randomize all byte sequences
  • Generate new vaccine
  • Check
  • Repeat

11
Design 3. Signature Generation
  • Constructs packet vaccines or probes by
    randomizing address-like strings
  • It detects exploit by observing memory exception
    upon packet vaccine injection
  • Generates signatures by finding in the attack
    input the bytes that cannot take random values

12
Byte-based vaccine injection
  • Can be paralleled at most cases

13
Implementation
  • Target address set is extracted from proc files
  • Process monitor is developed using ptrace
  • Kernel mode is necessary for CR2
  • Signature generation
  • Prober
  • Verifier
  • Sequential vaccine injection (performance penalty)

14
Evaluation
  • Linux exploits
  • Windows-based exploits Code Red II
  • Heap-based overflow

15
Evaluation
  • Comparison with MEP signatures
  • MEP signature contains richer information
  • Quality of MEP diminishes with the availability
    for multiple exploit instances and application
    information
  • MEP is slower

16
Application
An architecture to protect Internet servers using
packet vaccine
17
Application (good points)
  • Fast
  • Up to an order of magnitude faster than gray-box
    approaches
  • Not use source code
  • Effective
  • Immune to interference
  • Low overhead
  • No need to install anything on host
  • Lightweight Collector

18
Limitations
  • Its main probing scheme randomizes each byte
    rather than leveraging data format information
  • Works more reliably for text-based protocols than
    the binary ones because of the lack of protocol
    knowledge for binary data formats.
  • Briefly mentioned the benefit of leveraging
    protocol specifications.
  • Unclear what type of protocol specification
    language considered and how protocol
    specifications leveraged.
  • Can only detect control flow hijacking attacks
  • cannot detect exploits of the WMF vulnerability

19
Conclusion
  • Packet vaccine is a fast, blackbox technique for
    exploit detection
  • But not good enough in some case. If given input
    data format we have better approach ShieldGen.

20
ShieldGen Automatic Data Patch Generation for
Unknown Vulnerabilitieswith Informed Probing
  • Weidong Cui Marcus Peinado Helen J.
    Wang Michael E. Locasto
  • Presented by Zhaosheng Zhu

21
Outline
  • What is ShieldGen
  • Related work and Comparison
  • System Design
  • Evaluation and Performance
  • Some future work
  • Conclusion

22
What is ShieldGen
  • A system for automatically generating a data
    patch or a vulnerability signature for an unknown
    vulnerability.
  • Leverage knowledge of the data format
  • Use data-patch instead of traditional software
    patch.

23
SheildGen system overview
24
Related work
  • Poly-graph
  • Significant false negatives and false positives
  • Nemean
  • Generalization is dependent on the attack
    instance.
  • Covers
  • Signatures does not contain any protocol context.
  • Packet vaccine
  • Randomized each byte rather than leveraging data
    format information. Not efficient enough.
  • Can only detect control-flow hijacking attack

25
The Oracle a Zero-Day Attack Detector
  • Used the Vigilantes zero-day detector
  • Based on dynamic data flow analysis
  • Implement three vulnerability condition
  • Arbitrary execution control (AEC)
  • Arbitrary code execution (ACE)
  • Arbitrary function arguments (AFA)

26
Data Format Spec and Data Analyzer
  • Two assumptions to the input data
  • Data formats are known
  • No encryption or obfuscation are used.
  • Two types of analyzers
  • File data application level protocol, host-based
  • Network data
  • High-speed parsing w/ preprocessed protocol
    parser
  • E.g., binpac and GAPA
  • We use GAPA as our Data analyzer

27
System design
  • Design goals
  • No false positive
  • Minimizing the number of false negatives
  • Minimizing the number of probes.

28
Data patch generation
29
Some methods to reduce probes
  • Recognizing iterative elements
  • Obeying protocol semantics and reduce
    illegitimate probes.
  • High possibility that the vulnerability predicate
    is only dependent on the last message

30
Probe generation algorithm
  • Three Steps
  • Buffer Overrun heuristic for character strings
  • Iteration removal
  • Eliminating irrelevant field conditions

31
Buffer overrun heuristics
  • If the offending byte lies in the middle of a
    byte or unicode string then ShieldGen diagnoses a
    buffer overrun and adds the following condition
    as a refinement
  • sizeof(buffer) gt offendingByte offset
  • bufferStart offset

32
Iteration removal
  • Many popular input formats include arbitrary
    sequences of largely independent elements
    (Records). Any input which contains a malicious
    record is an attack.
  • Generating probes with removing some of the
    iterative elements.
  • Iterative elements can be removed if probes still
    exploit successfully.

33
Eliminating irrelevant field conditions
  • Constructing probes over the remaining data
    fields to eliminate dont-care fields and to find
    additional values of the data fields for which
    the attack succeeds.
  • Evaluating one field at one time

34
Evaluation
  • Run ShieldGen for three well known
    vulnerabilities
  • SQL vulnerability
  • RPC vulnerability
  • WMF (Window Metafile) vulnerability

35
Filter quality of ShieldGen
  • For a larger sample of real-world vulnerabilities

36
Failure cases and analysis
  • Complex conditions
  • Unchecked array indices
  • Other special cases

37
Future work
  • Quality of the data format specification
  • In our scheme the quality of data format
    specification matters.
  • Complex filter conditions

38
Future work
  • Probing time
  • Reference VM is preferred
  • Attacks not delivered by the last message

39
Conclusion
  • Leverage data information to construct new attack
    instance
  • Generate high quality vulnerability signatures
  • Fewer dont care fields
  • Fewer false negatives

40
Thanks!
Write a Comment
User Comments (0)
About PowerShow.com