1 / 40

General approach to exploit detection and signature generation

General approach to exploit detection and signature generation. White-box Need the source code Gray-box More accurate. But need to monitor a program's execution flow Black-box Detect and analyze an exploit using the outputs of a vulnerable program. Packet vaccine approach.

msinclair
Download Presentation

General approach to exploit detection and signature generation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. General approach to exploit detection and signature generation • White-box • Need the source code • Gray-box • More accurate. But need to monitor a program's execution flow • Black-box • Detect and analyze an exploit using the outputs of a vulnerable program.

  2. Packet vaccine approach • A black-box approach. • Faster, but does not use much on data format information.

  3. ShieldGen approach • Gray-box approach • General Gray-box approach is inherently specific to the attack input used in the data flow analysis. • Generalize attack-specific symbolic predicate-based signatures to cover significantly more attack variants with data format-informed probing to the oracle in ShieldGen.

  4. Packet Vaccine: Black-box Exploit Detection and Signature Generation Xiaofeng Wang, Zhuowei Li, Jun Xu, Michael K. Reiter, Chongyung Kil, Jong Youl Choi Presented by Zhaosheng Zhu

  5. Outline • Introduction to Packet Vaccine • Related work • Design of the packet vaccine mechanism • Implementation and Evaluation • Application (Good Points) • Limitations (Bad Points) • Conclusion

  6. Introduction to Packet Vaccine • The principle of vaccine • Packet vaccine: • Identify anomalous tokens in packet payloads • Randomize the contents of tokens to get a vaccine • Generate a signature during exception

  7. Design of the packet vaccine mechanism

  8. Design: 1. Vaccine Generation • Build a target address set: • T = [bs– aus, bs] U [bh, bh + auh] U S • Aggregate the application payloads of the packets in one session into a dataflow, carry out a proper decoding • For every byte session, do replacement • Construct vaccine packet using the new data flows

  9. Example

  10. Design: 2. Exploit Detection and Vulnerability Diagnosis • Correlate each byte sequence that equals to the forensic string with the exception • Validation test • Randomize all byte sequences • Generate new vaccine • Check • Repeat

  11. Design: 3. Signature Generation • Constructs packet vaccines or probes by randomizing address-like strings • It detects exploit by observing memory exception upon packet vaccine injection • Generates signatures by finding in the attack input the bytes that cannot take random values

  12. Byte-based vaccine injection • Can be paralleled at most cases

  13. Implementation • Target address set is extracted from proc files • Process monitor is developed using ptrace • Kernel mode is necessary for CR2 • Signature generation: • Prober • Verifier • Sequential vaccine injection (performance penalty)

  14. Evaluation • Linux exploits • Windows-based exploits: Code Red II • Heap-based overflow

  15. Evaluation • Comparison with MEP signatures • MEP signature contains richer information • Quality of MEP diminishes with the availability for multiple exploit instances and application information • MEP is slower

  16. Application An architecture to protect Internet servers using packet vaccine

  17. Application (good points) • Fast • Up to an order of magnitude faster than gray-box approaches • Not use source code • Effective • Immune to interference • Low overhead • No need to install anything on host • Lightweight Collector

  18. Limitations • Its main probing scheme randomizes each byte rather than leveraging data format information • Works more reliably for text-based protocols than the binary ones because of the lack of protocol knowledge for binary data formats. • Briefly mentioned the benefit of leveraging protocol specifications. • Unclear what type of protocol specification language considered and how protocol specifications leveraged. • Can only detect control flow hijacking attacks • cannot detect exploits of the WMF vulnerability

  19. Conclusion • Packet vaccine is a fast, blackbox technique for exploit detection • But not good enough in some case. If given input data format we have better approach: ShieldGen.

  20. ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilitieswith Informed Probing Weidong Cui Marcus Peinado Helen J. Wang Michael E. Locasto Presented by Zhaosheng Zhu

  21. Outline • What is ShieldGen • Related work and Comparison • System Design • Evaluation and Performance • Some future work • Conclusion

  22. What is ShieldGen • A system for automatically generating a data patch or a vulnerability signature for an unknown vulnerability. • Leverage knowledge of the data format • Use data-patch instead of traditional software patch.

  23. SheildGen system overview

  24. Related work • Poly-graph • Significant false negatives and false positives • Nemean • Generalization is dependent on the attack instance. • Covers • Signatures does not contain any protocol context. • Packet vaccine • Randomized each byte rather than leveraging data format information. Not efficient enough. • Can only detect control-flow hijacking attack

  25. The Oracle: a Zero-Day Attack Detector Used the Vigilante’s zero-day detector • Based on dynamic data flow analysis • Implement three vulnerability condition • Arbitrary execution control (AEC) • Arbitrary code execution (ACE) • Arbitrary function arguments (AFA)

  26. Data Format Spec and Data Analyzer • Two assumptions to the input data • Data formats are known • No encryption or obfuscation are used. • Two types of analyzers • File data: application level protocol, host-based • Network data • High-speed parsing w/ preprocessed protocol parser • E.g., binpac and GAPA • We use GAPA as our Data analyzer

  27. System design • Design goals • No false positive • Minimizing the number of false negatives • Minimizing the number of probes.

  28. Data patch generation

  29. Some methods to reduce probes • Recognizing iterative elements • Obeying protocol semantics and reduce illegitimate probes. • High possibility that the vulnerability predicate is only dependent on the last message

  30. Probe generation algorithm • Three Steps • Buffer Overrun heuristic for character strings • Iteration removal • Eliminating irrelevant field conditions

  31. Buffer overrun heuristics • If the offending byte lies in the middle of a byte or unicode string then ShieldGen diagnoses a buffer overrun and adds the following condition as a refinement: sizeof(buffer) > offendingByte offset – bufferStart offset

  32. Iteration removal • Many popular input formats include arbitrary sequences of largely independent elements (Records). Any input which contains a malicious record is an attack. • Generating probes with removing some of the iterative elements. • Iterative elements can be removed if probes still exploit successfully.

  33. Eliminating irrelevant field conditions • Constructing probes over the remaining data fields to eliminate don’t-care fields and to find additional values of the data fields for which the attack succeeds. • Evaluating one field at one time

  34. Evaluation • Run ShieldGen for three well known vulnerabilities • SQL vulnerability • RPC vulnerability • WMF (Window Metafile) vulnerability

  35. Filter quality of ShieldGen • For a larger sample of real-world vulnerabilities

  36. Failure cases and analysis • Complex conditions • Unchecked array indices • Other special cases

  37. Future work • Quality of the data format specification • In our scheme the quality of data format specification matters. • Complex filter conditions

  38. Future work • Probing time • Reference VM is preferred • Attacks not delivered by the last message

  39. Conclusion • Leverage data information to construct new attack instance • Generate high quality vulnerability signatures • Fewer don’t care fields • Fewer false negatives

  40. Thanks!

More Related