General approach to exploit detection and signature generation

1
General approach to exploit detection and
signature generation

• White-box
• Need the source code
• Gray-box
• More accurate. But need to monitor a program's
  execution flow
• Black-box
• Detect and analyze an exploit using the outputs
  of a vulnerable program.

2
Packet vaccine approach

• A black-box approach.
• Faster, but does not use much on data format
  information.

3
ShieldGen approach

• Gray-box approach
• General Gray-box approach is inherently specific
  to the attack input used in the data flow
  analysis.
• Generalize attack-specific symbolic
  predicate-based signatures to cover significantly
  more attack variants with data format-informed
  probing to the oracle in ShieldGen.

4
Packet Vaccine Black-box Exploit Detection and
Signature Generation

• Xiaofeng Wang, Zhuowei Li, Jun Xu, Michael K.
  Reiter, Chongyung Kil, Jong Youl Choi
• Presented by Zhaosheng Zhu

5
Outline

• Introduction to Packet Vaccine
• Related work
• Design of the packet vaccine mechanism
• Implementation and Evaluation
• Application (Good Points)
• Limitations (Bad Points)
• Conclusion

6
Introduction to Packet Vaccine

• The principle of vaccine
• Packet vaccine
• Identify anomalous tokens in packet payloads
• Randomize the contents of tokens to get a vaccine
• Generate a signature during exception

7
Design of the packet vaccine mechanism
8
Design 1. Vaccine Generation

• Build a target address set
• T bs aus, bs U bh, bh auh U S
• Aggregate the application payloads of the packets
  in one session into a dataflow, carry out a
  proper decoding
• For every byte session, do replacement
• Construct vaccine packet using the new data flows

9
Example
10
Design 2. Exploit Detection and Vulnerability
Diagnosis

• Correlate each byte sequence that equals to the
  forensic string with the exception
• Validation test
• Randomize all byte sequences
• Generate new vaccine
• Check
• Repeat

11
Design 3. Signature Generation

• Constructs packet vaccines or probes by
  randomizing address-like strings
• It detects exploit by observing memory exception
  upon packet vaccine injection
• Generates signatures by finding in the attack
  input the bytes that cannot take random values

12
Byte-based vaccine injection

• Can be paralleled at most cases

13
Implementation

• Target address set is extracted from proc files
• Process monitor is developed using ptrace
• Kernel mode is necessary for CR2
• Signature generation
• Prober
• Verifier
• Sequential vaccine injection (performance penalty)

14
Evaluation

• Linux exploits
• Windows-based exploits Code Red II
• Heap-based overflow

15
Evaluation

• Comparison with MEP signatures
• MEP signature contains richer information
• Quality of MEP diminishes with the availability
  for multiple exploit instances and application
  information
• MEP is slower

16
Application
An architecture to protect Internet servers using
packet vaccine
17
Application (good points)

• Fast
• Up to an order of magnitude faster than gray-box
  approaches
• Not use source code
• Effective
• Immune to interference
• Low overhead
• No need to install anything on host
• Lightweight Collector

18
Limitations

• Its main probing scheme randomizes each byte
  rather than leveraging data format information
• Works more reliably for text-based protocols than
  the binary ones because of the lack of protocol
  knowledge for binary data formats.
• Briefly mentioned the benefit of leveraging
  protocol specifications.
• Unclear what type of protocol specification
  language considered and how protocol
  specifications leveraged.
• Can only detect control flow hijacking attacks
• cannot detect exploits of the WMF vulnerability

19
Conclusion

• Packet vaccine is a fast, blackbox technique for
  exploit detection
• But not good enough in some case. If given input
  data format we have better approach ShieldGen.

20
ShieldGen Automatic Data Patch Generation for
Unknown Vulnerabilitieswith Informed Probing

• Weidong Cui Marcus Peinado Helen J.
  Wang Michael E. Locasto
• Presented by Zhaosheng Zhu

21
Outline

• What is ShieldGen
• Related work and Comparison
• System Design
• Evaluation and Performance
• Some future work
• Conclusion

22
What is ShieldGen

• A system for automatically generating a data
  patch or a vulnerability signature for an unknown
  vulnerability.
• Leverage knowledge of the data format
• Use data-patch instead of traditional software
  patch.

23
SheildGen system overview
24
Related work

• Poly-graph
• Significant false negatives and false positives
• Nemean
• Generalization is dependent on the attack
  instance.
• Covers
• Signatures does not contain any protocol context.
  
• Packet vaccine
• Randomized each byte rather than leveraging data
  format information. Not efficient enough.
• Can only detect control-flow hijacking attack

25
The Oracle a Zero-Day Attack Detector

• Used the Vigilantes zero-day detector
• Based on dynamic data flow analysis
• Implement three vulnerability condition
• Arbitrary execution control (AEC)
• Arbitrary code execution (ACE)
• Arbitrary function arguments (AFA)

26
Data Format Spec and Data Analyzer

• Two assumptions to the input data
• Data formats are known
• No encryption or obfuscation are used.
• Two types of analyzers
• File data application level protocol, host-based
• Network data
• High-speed parsing w/ preprocessed protocol
  parser
• E.g., binpac and GAPA
• We use GAPA as our Data analyzer

27
System design

• Design goals
• No false positive
• Minimizing the number of false negatives
• Minimizing the number of probes.

28
Data patch generation
29
Some methods to reduce probes

• Recognizing iterative elements
• Obeying protocol semantics and reduce
  illegitimate probes.
• High possibility that the vulnerability predicate
  is only dependent on the last message

30
Probe generation algorithm

• Three Steps
• Buffer Overrun heuristic for character strings
• Iteration removal
• Eliminating irrelevant field conditions

31
Buffer overrun heuristics

• If the offending byte lies in the middle of a
  byte or unicode string then ShieldGen diagnoses a
  buffer overrun and adds the following condition
  as a refinement
• sizeof(buffer) gt offendingByte offset
• bufferStart offset

32
Iteration removal

• Many popular input formats include arbitrary
  sequences of largely independent elements
  (Records). Any input which contains a malicious
  record is an attack.
• Generating probes with removing some of the
  iterative elements.
• Iterative elements can be removed if probes still
  exploit successfully.

33
Eliminating irrelevant field conditions

• Constructing probes over the remaining data
  fields to eliminate dont-care fields and to find
  additional values of the data fields for which
  the attack succeeds.
• Evaluating one field at one time

34
Evaluation

• Run ShieldGen for three well known
  vulnerabilities
• SQL vulnerability
• RPC vulnerability
• WMF (Window Metafile) vulnerability

35
Filter quality of ShieldGen

• For a larger sample of real-world vulnerabilities

36
Failure cases and analysis

• Complex conditions
• Unchecked array indices
• Other special cases

37
Future work

• Quality of the data format specification
• In our scheme the quality of data format
  specification matters.
• Complex filter conditions

38
Future work

• Probing time
• Reference VM is preferred
• Attacks not delivered by the last message

39
Conclusion

• Leverage data information to construct new attack
  instance
• Generate high quality vulnerability signatures
• Fewer dont care fields
• Fewer false negatives

40
Thanks!