Slide 1: Towards Automatic Signature Generation of Vulnerability-based Signatures
By David Brumley, James Newsome, Dawn Song, Hao Wang and Somesh Jha
Slide 2: Part I
Presenter: Xin Zhao
Slide 3: Background
- Definition
  - Vulnerability: a vulnerability is a type of bug that can be used by an attacker to alter the intended operation of the software in a malicious way.
  - Exploit: an exploit is an actual input that triggers a software vulnerability, typically with malicious intent and devastating consequences.

Slide 4: Motivation (1)
- Zero-day attacks that exploit unknown vulnerabilities represent a serious threat
  - No patch or signature available
  - Symantec: 20 unknown vulnerabilities exploited 07/2005 – 06/2007
- Current practice: analysis of a new vulnerability and generation of protection for it are mostly manual
- Our goal: automate the process of protection generation for unknown vulnerabilities
Slide 5: Motivation (2)
- Beware the lion
  - New year 2001
  - 10,000 systems affected
  - invades Linux systems through a network exploit
  - infiltrates BIND DNS through the TCP or UDP protocol
  - allows infiltration through a legitimate request, but then can execute arbitrary commands through an additional string of characters
  - incident report March 30 by CERT

Slide 6: How to protect a Vulnerable Application?
- Software Patch: patch the binary of the vulnerable application
- Input Filter: a network firewall or a module on the I/O path
- Data Patch: patch the data input instead of the binary
- Signature: signature-based input filtering
[Figure: data input passes through an input filter before reaching the vulnerable application; inputs rejected by the filter are dropped]
Slide 7: Our Goal
- Automatic signature generation
- Reason:
  - Manual signature generation is slow and error-prone
  - Fast generation is important: previously unknown or unpatched vulnerabilities can be exploited orders of magnitude faster than a human can respond
  - More accurate
Slide 8: Challenges
- There are usually several different polymorphic exploit variants that can trigger a software vulnerability
- Exploit variants may differ syntactically but be semantically equivalent
- To be effective, the signature should be constructed based on the property of the vulnerability, instead of on an exploit

Slide 9: Limitations of previous approaches
- Require manual steps
- Employ heuristics which may fail in many settings
- Rely on specific properties of an exploit (e.g. return addresses)
- Are limited by the underlying signature representation they can generate
- Only work for specific vulnerabilities in specific circumstances

Slide 10: Our approach
- At a high level, our main contribution is a new class of signature that is not specific to details such as whether an exploit successfully hijacks control of the program, but instead captures whether executing an input will (potentially) result in an unsafe execution state.
Slide 11: Overview
- Vulnerability signature: whether executing an input potentially results in an unsafe program state
- T(P, x): the execution trace obtained by executing a program P on input x
- Vulnerability condition
- Representation (how to express a vulnerability as a signature)
- Coverage (measured by false positive rate)

Slide 12: Vulnerability Signature
- A representation for the set of inputs that define a specified vulnerability condition
- Trade-offs
  - representation: matching accuracy vs. efficiency
  - signature creation: creation time vs. coverage
- {P, T, x, c}: binary program (P), instruction trace (T), exploit string (x), vulnerability condition (c)
Slide 13: Vulnerability Signature Notation
- (P, c) = (<i1, ..., ik>, c): the program P is given as its sequence of instructions
- T(P, x) is the execution trace of running P with input x
- "T(P, x) satisfies c" means that the trace T satisfies the vulnerability condition c
- L_{P,c} consists of the set of all inputs x to a program P such that T(P, x) satisfies c
- Formally:
- An exploit for a vulnerability (P, c) is an input
Slide 14: Example
- P: given in a box on the slide (not reproduced in this text)
- x = g/AAAA
- T = {1, 2, 3, 4, 6, 7, 8, 9, 8, 10, 11, 10, 11, 10, 11, 10, 11, 10, 11}
- c = heap overflow (on the 5th iteration of line 11)
Slide 15: Vulnerability Signature Definition
- A vulnerability signature is a matching function MATCH which for an input x returns either EXPLOIT or BENIGN for a program P without running the program
- A perfect vulnerability signature satisfies
  - Completeness:
  - Soundness:
Slide 16: Vulnerability Condition
- C: Γ × D × M × K × I -> {BENIGN, EXPLOIT}
  - Γ is a memory
  - D is the set of variables defined
  - M is the program's map from memory to values
  - K is the continuation stack
  - I is the next instruction to execute
Slide 17: Signature Representation Classes
- Turing machine signatures
  - precise (no false positives or negatives)
  - may not terminate (e.g. in the presence of loops)
- Symbolic constraint signatures
  - approximate looping and aliasing
  - guaranteed to terminate
- Regular expression signatures
  - approximate elementary constructs (counting)
  - very efficient
Slide 18: Turing Machine Sig.
- Can provide a precise, even exact, characterization of the vulnerability condition in a particular program
- A TM that exactly emulates the program has no error rate

Slide 19: Symbolic Constraint Sig.
- The constraint (formula not reproduced on this page) says that for a 10-char input, the first char is 'g' or 'G', up to four of the next chars may be spaces, and at least 5 chars are non-spaces

Slide 20: Regular Expression Sig.
- The regular expression says 'g' or 'G' followed by 0 or more spaces and at least 5 non-spaces
- E.g.: [g|G][ ]*[^ ]{5,}
Slide 21: Accuracy vs. Efficiency
- TM: inlining the vulnerability condition takes poly time
- Symbolic constraint: poly-time transformations on the TM
- Regexp: solve the constraint (exp time; PSPACE-complete) or data-flow on the TM (poly time)
Slide 22: MEP and PEP
- MEP is a straight-line program, e.g. the path that the exploit took to reach the vulnerability
- PEP includes different paths to the vulnerability
- A complete PEP-coverage signature accepts all inputs in L_{P,c}
- Complete coverage through a chop of the program includes all paths from the input read (v_init) to the vulnerability point (v_final)
Slide 23: Part II
Presenter: Xitao Wen
Slide 24: Algorithm Overview
- Input:
  - Vulnerable program P
  - Vulnerability condition c
  - Sample exploit x
  - Instruction trace T
- Output:
  - TM sig
  - Symbolic constraint sig
  - RegEx sig
Slide 25: Algorithm Overview
- Pre-process
  - Disassemble binary
  - Convert to an intermediate representation (IR)
  - Chop P w.r.t. trace T
    - A chop is a partial program P' that starts at T_0 and ends at the exploit point
    - Call-graph level
- Compute the sig
  - Get TM sig
  - TM -> Symbolic constraint
  - Symbolic constraint -> RegEx
Slide 26: Chopping
- Chopping reduces the size of the program to be analyzed
- Performed on call-graph level
- No function pointer support yet

Slide 27: Get TM Sig
- Replace outgoing JMP with RET BENIGN

Slide 28: TM -> Symbolic Constraint
- Statically estimate the effects of memory updates and loops
  - Memory updates: SSA analysis
  - Loops: static unrolling

Slide 29: Symbolic Constraint -> RegEx
- Solution 1: Solve the constraint system S and OR together all members
- Solution 2: Data-flow analysis optimization
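The three representation classes of slides 17 to 20 and the TM -> symbolic constraint -> RegEx steps of slides 28 and 29, as an added example that is not part of the slides or of the authors' tool. The program P of slide 14 is not reproduced on this page, so the example uses a constructed stand-in that is consistent with the signatures the slides state for it: the first byte must be 'g' or 'G', spaces are skipped, and non-space bytes are copied into a 4-byte heap buffer so that the 5th copy overflows (the buffer size is an assumption). It shows each class as a MATCH function, the static unrolling that turns the emulator into a constraint over a fixed input length, and solution 1 of slide 29, which solves the constraint by enumeration and ORs the members into one regular expression:

```python
import itertools
import re

# Added example, not code from the paper or its authors. The program P of
# slide 14 is not on the page; the emulator below is a CONSTRUCTED model that
# matches the signatures the slides give for it: byte 0 is 'g' or 'G', a loop
# skips spaces, then a loop copies non-space bytes into a BUF_SIZE-byte heap
# buffer (line 11 on slide 14); the (BUF_SIZE+1)-th copy is condition c.
BUF_SIZE = 4                      # assumption: the "5th iteration" overflows
EXPLOIT, BENIGN = "EXPLOIT", "BENIGN"


def match_tm(x):
    """Turing-machine signature (slide 18): emulate P on x and report whether
    the trace T(P, x) reaches c. Exact, but in general may not terminate."""
    if not x or x[0] not in "gG":
        return BENIGN
    i = 1
    while i < len(x) and x[i] == " ":         # space-skipping loop
        i += 1
    copied = 0
    while i < len(x) and x[i] != " ":         # copy loop (line 11)
        copied += 1
        if copied > BUF_SIZE:                 # c: write past the buffer end
            return EXPLOIT
        i += 1
    return BENIGN


PRED = {"gG": lambda ch: ch in "gG",
        "space": lambda ch: ch == " ",
        "nonspace": lambda ch: ch != " "}


def unroll(n):
    """TM -> symbolic constraint (slide 28): unroll both loops statically for
    n-byte inputs. Result: a disjunction (list) of conjunctions (lists of
    (position, predicate)), one per count of leading spaces for which the
    overflowing copy still lies inside the input."""
    clauses = []
    for spaces in range(n):
        first_copy = 1 + spaces
        overflow_at = first_copy + BUF_SIZE   # index of the (BUF_SIZE+1)-th copy
        if overflow_at >= n:                  # too few bytes left: benign path
            break
        clause = [(0, "gG")]
        clause += [(i, "space") for i in range(1, first_copy)]
        clause += [(i, "nonspace") for i in range(first_copy, overflow_at + 1)]
        clauses.append(clause)
    return clauses


def match_symbolic(x, n=10):
    """Symbolic-constraint signature (slide 19 states it for 10-byte inputs).
    Always terminates, but an exploit whose overflowing copy lies beyond the
    unrolling bound n falls outside the constraint and is reported BENIGN."""
    for clause in unroll(n):
        if all(i < len(x) and PRED[p](x[i]) for i, p in clause):
            return EXPLOIT
    return BENIGN


REGEX = re.compile(r"[gG][ ]*[^ ]{5,}")    # slide 20, with [gG] for [g|G]


def match_regex(x):
    """Regular-expression signature (slide 20): cheapest to match, and exact
    here because the only counting needed is the fixed threshold of 5."""
    return EXPLOIT if REGEX.match(x) else BENIGN


def solve_to_regex(n, alphabet):
    """Symbolic constraint -> RegEx, solution 1 on slide 29: solve the
    constraint by enumeration over a finite alphabet and OR the members
    together. Exact, but the alternation grows exponentially with n."""
    clauses = unroll(n)
    members = ["".join(w) for w in itertools.product(alphabet, repeat=n)
               if any(all(PRED[p](w[i]) for i, p in c) for c in clauses)]
    return "(?:" + "|".join(re.escape(m) for m in members) + ")", len(members)


def agree(n, alphabet):
    """Do all three signatures and the enumerated regex give the same verdict
    on every n-byte word over the alphabet? Returns (agree, member_count)."""
    big, count = solve_to_regex(n, alphabet)
    big_re = re.compile(big)
    for w in itertools.product(alphabet, repeat=n):
        word = "".join(w)
        verdicts = {match_tm(word), match_symbolic(word, n), match_regex(word),
                    EXPLOIT if big_re.fullmatch(word) else BENIGN}
        if len(verdicts) != 1:
            return False, count
    return True, count


if __name__ == "__main__":
    for x in ["g/AAAA", "g/AAA", "G   ABCDE", "g     AAAAA"]:
        print(repr(x), match_tm(x), match_symbolic(x), match_regex(x))
    print(agree(8, "gA "))
```

Running the block prints the verdicts for the slide's exploit g/AAAA and for an input with five leading spaces followed by five non-spaces: the TM and regex signatures both report EXPLOIT, while the 10-byte symbolic constraint reports BENIGN, which is the loop approximation slide 17 lists for that class. agree(8, "gA ") confirms that over all 8-byte words of a three-symbol alphabet the four matchers give identical verdicts, and that the enumerated regex already has 416 alternatives (3872 at 10 bytes), the exponential cost slide 21 attributes to solving the constraint. Note also that the character class [g|G] as written on slide 20 matches a literal '|' as well; the example uses [gG].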
Slide 30: Evaluation
- 9000 lines of C++ code
- CBMC model checker to build/solve symbolic constraints and generate RegExes
- Disassembler based on Kruegel; IR new
- ATPhttpd
  - various vulnerabilities; sprintf-style string too long
  - 10 distinct subpaths to RegEx in 0.1216 sec
- BIND
  - stack overflow vulnerability; TSIG vulnerability
  - 10 distinct graphs in symbolic constraint
  - 30 ms for chopping
  - 88% of functions were reachable between entry and vulnerability
Slide 31: Questions?