Packet Vaccine: Black-box Exploit Detection and Signature Generation
Su Yong Kim
Transcript of the slide deck (28 slides)

Slide 2: Contents
  Stack Overflow Example
  Packet Vaccine
  Evaluation
  Limitation
  Conclusion

Slide 3: Vulnerable Program

  #include <string.h>

  void foo(char *bar) {
      char c[12];
      strcpy(c, bar);   // no bounds checking: an argument longer than 11 bytes overruns c
  }

  int main(int argc, char **argv) {
      if (argc < 2)     // added: do not pass a NULL pointer when no argument is supplied
          return 1;
      foo(argv[1]);
      return 1;
  }

Slide 4: Stack Layout: just after calling foo()
  (figure)

Slide 5: Stack Layout Example: calling foo("hello")
  (figure)

Slide 6: Stack Overflow Example I: Direct Jump
  Calling foo("AA……")
  (figure)

Slide 7: Stack Overflow Example II: Indirect Jump
  Calling foo("AA……")
  (figure: the code section at 0x7e8ecf49 holds the bytes FF D4 (jmp esp); esp; the return address
  is overwritten with \x49 \xcf \x8e \x7e, i.e. 0x7e8ecf49 in little-endian byte order)

Slide 8: Stack Overflow Example III: Return into Library
  Calling foo("AA……")
  (figure: kernel32.dll exports the WinExec API at 0x7C8623AD; the return address is overwritten
  with \xAD \x23 \x86 \x7C, i.e. 0x7C8623AD in little-endian byte order)

Slide 9: Main Idea
  Detect any packet that contains an address-like string
  Test whether the anomalous packet is malicious or not:
    Scramble the address-like string in the packet
    Send the packet to the target server
    If an exception occurs on the target server, drop the original packet and generate a signature
    If no exception occurs, send the original packet to the target server

Slide 10: Detecting Anomalous Packets
  Key idea
    Check every 4-byte sequence (32-bit system) in a packet's application payload
    Detect a jump address that would redirect the control flow of a vulnerable program
  Jump address
    Stack and heap address range
    Address range of global libraries such as msvcrt.dll or libc.so (system(), execve())
  Empirical study on Linux
    0xbfff0000 to 0xbfffffff for the stack
    0x08040000 to 0x08ffffff for the heap

Slide 11: Determining the Stack and Heap Address Range
  Monitor stack and heap usage of the protected program
  Calculate the stack address range
    From: stack base address - α * (typical stack maximum usage), α > 1
    To: stack base address
  Calculate the heap address range
    From: heap base address
    To: heap base address + α * (typical heap maximum usage), α > 1
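The anomaly check of slides 9 through 11, as an added Python example that is not part of the presentation or of the Packet Vaccine system itself: it derives the stack and heap ranges from a monitored base address and typical maximum usage with the slack factor α, then scans every 4-byte window of a payload (little-endian, 32-bit) and reports the windows whose value falls inside a monitored range. The Linux ranges are the ones quoted on slide 10; the base addresses, usage figures, α = 2 and the two sample requests are constructed for the demonstration.

```python
# Address ranges quoted on slide 10 for the Linux empirical study.
LINUX_RANGES = {
    "stack": (0xBFFF0000, 0xBFFFFFFF),
    "heap": (0x08040000, 0x08FFFFFF),
}


def stack_heap_ranges(stack_base, stack_max_usage, heap_base, heap_max_usage, alpha=2.0):
    """Slide 11: derive the ranges from the monitored usage of the protected program.
    The stack grows down from its base and the heap grows up from its base;
    alpha > 1 adds slack beyond the typical maximum usage."""
    if alpha <= 1:
        raise ValueError("alpha must be greater than 1")
    stack_low = stack_base - int(alpha * stack_max_usage)
    heap_high = heap_base + int(alpha * heap_max_usage)
    return {"stack": (stack_low, stack_base), "heap": (heap_base, heap_high)}


def find_address_like(payload, ranges, byteorder="little"):
    """Slide 10: check every 4-byte window of the application payload and report
    (offset, value, range name) for each window that decodes to an address inside
    one of the monitored ranges.  Little-endian by default, as on 32-bit x86."""
    hits = []
    for offset in range(len(payload) - 3):
        value = int.from_bytes(payload[offset:offset + 4], byteorder)
        for name, (low, high) in ranges.items():
            if low <= value <= high:
                hits.append((offset, value, name))
                break
    return hits


def should_vaccinate(payload, ranges):
    """The decision on slide 9: a packet is anomalous, and goes through vaccine testing
    instead of straight to the server, when any address-like sequence is present."""
    return bool(find_address_like(payload, ranges))


if __name__ == "__main__":
    # Constructed base addresses and usage figures standing in for the monitoring step.
    derived = stack_heap_ranges(stack_base=0xBFFFFFFF, stack_max_usage=0x8000,
                                heap_base=0x08048000, heap_max_usage=0x100000)
    # Constructed requests: a benign one, and one carrying a stack address after 16 filler bytes.
    benign = b"GET /index.html HTTP/1.0\r\n"
    suspicious = b"GET /" + b"A" * 16 + (0xBFFFF3C0).to_bytes(4, "little") + b" HTTP/1.0\r\n"
    for name, packet in (("benign", benign), ("suspicious", suspicious)):
        hits = [(off, hex(val), rng) for off, val, rng in find_address_like(packet, LINUX_RANGES)]
        print(name, "vaccinate:", should_vaccinate(packet, LINUX_RANGES), "hits:", hits)
    print("derived ranges:", {k: (hex(lo), hex(hi)) for k, (lo, hi) in derived.items()})
```

Plain ASCII never produces a hit in the stack range (the top two bytes would have to be 0xff 0xbf), which is why text protocols sit well with this check; the lower-valued heap range is more exposed to chance matches in binary payloads, which is the trade-off behind the α slack and the false-positive discussion later in the deck.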

Slide 12: Making a Packet Vaccine
  Packet vaccine: a weakened exploit packet with its important elements scrambled
  Issues
    Preserving the exploit semantics: the control flow should not be changed
    Preventing and detecting malicious behavior by the exploit: scramble some fields of the exploit

Slide 13: Preserving the Exploit Semantics
  (flow chart) Does the user's input contain "GET"? -> Does the user's input contain "/default.ida"? -> Call strcpy

Slide 14: Preventing and Detecting Malicious Behavior
  After scrambling (the address bytes are replaced with \x41), the exploit fails and an exception happens

Slide 15: Detecting an Exploit
  If an exception occurs on the protected program:
    Correlate the exception with one of the byte sequences being scrambled: the value of the EIP or CR2 register == the byte sequence
    Validate the correlation: randomize all bytes of the byte sequence and check whether the exception happens again

Slide 16: Generating a Signature (1/2): Application-independent Signature Generation
  Generate packet vaccines by randomizing each byte except the scrambled jump address
  Test them against the vulnerable application
  If no exception occurs, record the randomized byte as a signature token
  Repeat for all bytes except the scrambled jump address
  => Signature: signature tokens + target address set
  => Good performance: small exploit size, parallel testing and a block-searching technique

Slide 17: Generating a Signature (2/2): Using Protocol Information
  Identify the application field that includes the jump address
  Estimate that field's length using the number of bytes prior to the address
  Iteratively alter the field size to generate new vaccines
    If a new vaccine makes the exception disappear, increase the size
    Otherwise, shrink the size
  => Signature form: (application, command, field.name, max.field.size)
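The vaccine, detection and signature steps of slides 12 through 17, as one added Python example that is not part of the presentation or of the Packet Vaccine implementation. The real protected program cannot be embedded here, so `protected_program` is a constructed stand-in with the slide 13 semantics (only a GET whose URI contains /default.ida reaches an unbounded strcpy into a 12-byte buffer); it raises with the overwritten return value in place of the exception and EIP the host collector would report. The frame layout (saved EBP between the buffer and the return address), the code-section range, the application name "httpd-sim", the field name "uri", the HTTP/0.9-style request line and the sample request are all assumptions of the example; the address offset handed to the functions is what the slide 10 scan would have reported for that request.

```python
import os

BUF_SIZE = 12                       # char c[12] from the vulnerable program on slide 3
RET_OFF = BUF_SIZE + 4              # assumed frame: saved EBP between the buffer and the return address
CODE = (0x08048000, 0x0804FFFF)     # constructed code-section range; returning there does not fault
# Constructed exploit-like request: URI = "/default.ida", 4 filler bytes, then a stack address.
SAMPLE_EXPLOIT = b"GET /default.ida" + b"AAAA" + (0xBFFFF3C0).to_bytes(4, "little") + b"\r\n"
SAMPLE_ADDR_OFF = 20                # offset at which the slide 10 scan finds the address

class ProgramCrash(Exception):
    """Stands in for the exception the host collector reports; carries the faulting EIP."""
    def __init__(self, eip):
        super().__init__(hex(eip))
        self.eip = eip

def protected_program(packet):
    """Constructed stand-in for the server with the slide 13 semantics: only a GET whose
    URI contains /default.ida reaches the unbounded strcpy() into c[12]."""
    if not packet.startswith(b"GET "):
        return "ignored"
    uri = packet[4:].split(b"\r\n", 1)[0]       # HTTP/0.9-style request line: GET <uri>CRLF
    if b"/default.ida" not in uri:
        return "not found"
    if len(uri) > RET_OFF:                      # strcpy() ran past c[12] and the saved EBP
        eip = int.from_bytes(uri[RET_OFF:RET_OFF + 4].ljust(4, b"\0"), "little")
        if not CODE[0] <= eip <= CODE[1]:
            raise ProgramCrash(eip)             # control transferred to a non-code address
    return "ok"

def run(packet):
    """Return the faulting EIP, or None when the program survives the packet."""
    try:
        protected_program(packet)
        return None
    except ProgramCrash as crash:
        return crash.eip

def make_vaccine(packet, addr_off, filler=b"\x41" * 4):
    """Slide 14: scramble the 4-byte address-like sequence at addr_off (0x41 bytes by default)."""
    return packet[:addr_off] + filler + packet[addr_off + 4:]

def is_exploit(packet, addr_off, rng=os.urandom):
    """Slide 15: run the vaccine, correlate the exception with the scrambled bytes (EIP equals
    their value), then validate by re-scrambling with random bytes and expecting the same."""
    vaccine = make_vaccine(packet, addr_off)
    if run(vaccine) != int.from_bytes(vaccine[addr_off:addr_off + 4], "little"):
        return False
    rand = rng(4)
    while CODE[0] <= int.from_bytes(rand, "little") <= CODE[1]:
        rand = rng(4)                           # a value inside the code section would not fault
    return run(make_vaccine(packet, addr_off, rand)) == int.from_bytes(rand, "little")

def token_signature(packet, addr_off, rng=os.urandom):
    """Slide 16: randomize every byte except the scrambled jump address; a byte whose change
    makes the exception disappear is exploit syntax and joins the token at that position."""
    vaccine = make_vaccine(packet, addr_off)
    tokens = []                                 # list of (offset, bytes); adjacent bytes are merged
    for i in range(len(vaccine)):
        if addr_off <= i < addr_off + 4:
            continue
        mutated = bytearray(vaccine)
        mutated[i] = (vaccine[i] + 1 + rng(1)[0] % 255) % 256   # random, never the original byte
        if run(bytes(mutated)) is None:
            if tokens and tokens[-1][0] + len(tokens[-1][1]) == i:
                tokens[-1] = (tokens[-1][0], tokens[-1][1] + vaccine[i:i + 1])
            else:
                tokens.append((i, vaccine[i:i + 1]))
    target_set = {int.from_bytes(packet[addr_off:addr_off + 4], "little")}
    return tokens, target_set

def field_signature(packet, addr_off, field_start, application="httpd-sim", field="uri"):
    """Slide 17: the field holding the address is the URI starting at field_start; start from
    the number of bytes prior to the address, grow while the exception disappears, shrink while
    it persists (a binary search), and report the largest size that raises no exception."""
    field_bytes = packet[field_start:].split(b"\r\n", 1)[0]

    def faults(size):
        trial = (field_bytes + b"A" * size)[:size]        # keep the prefix, pad or cut to size
        return run(packet[:field_start] + trial + b"\r\n") is not None

    safe, faulting = 0, len(field_bytes)                  # the original field is known to fault
    guess = addr_off - field_start
    while faulting - safe > 1:
        if faults(guess):
            faulting = guess
        else:
            safe = guess
        guess = (safe + faulting) // 2
    return (application, packet[:field_start].strip().decode(), field, safe)

if __name__ == "__main__":
    print("exploit detected:", is_exploit(SAMPLE_EXPLOIT, SAMPLE_ADDR_OFF))
    print("token signature:", token_signature(SAMPLE_EXPLOIT, SAMPLE_ADDR_OFF))
    print("field signature:", field_signature(SAMPLE_EXPLOIT, SAMPLE_ADDR_OFF, field_start=4))
```

For the sample request the token search keeps "GET /default.ida" and discards the filler, and the field search settles on 16 bytes (12 for the buffer plus 4 for the saved frame pointer), the stand-in's counterpart of the 703-byte figure reported for ATP-httpd on slide 20. The filler bytes are not tokens because changing any one of them still crashes the program, which is exactly the property that keeps the signature independent of the exploit's padding.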

Slide 18: Signature Quality Evaluation
  Comparison target: Brumley's approach, which generates a signature from static analysis of the vulnerable program's binary code
  Comparison measure: the source code of the vulnerable application

Slide 19: Quality of the Token-Sequence Signature
  Vulnerable program: BIND 8.2.2
  Signature result: (figure)

Slide 20: Quality of the Application-level Signature
  Vulnerable program: ATP-httpd

                    Brumley's signature     Packet Vaccine
  Command           GET or HEAD             GET
  Max.field.size    812 bytes               703 bytes
  Performance       more than a second      0.274 seconds

Slide 21: In Summary
  Brumley's approach is more accurate than Packet Vaccine
  Packet Vaccine is nearly as accurate as Brumley's approach when Packet Vaccine can use multiple exploits
  Brumley's approach cannot be used on obfuscated binaries, while Packet Vaccine can
  Packet Vaccine is significantly faster

Slide 22: Performance Evaluation
  Experiment environment
    Protected program: Apache 2.0.55 on Linux
    Performance tester: ApacheBench 2.0.41-dev
  Architecture: (figure)

Slide 23: Server Overheads
  D0, D1: on different hosts; S0, S1: on the same host
  (chart comparing three configurations: Apache alone; Apache with proxy; Apache with proxy and packet vaccine)

Slide 24: Client-side Delay
  Local round trip delay: 300 μs
  Remote round trip delay: 75 ms
  (figure)

Slide 25: Limitations (by the Author)
  False negatives in exploit detection if the packet vaccine destroys the exploit semantics, especially for binary protocols
  Difficult to apply to packets with an encrypted payload or checksums: an application-level proxy is needed
  Less expressive signature: the exploit condition cannot be described

Slide 26: Limitations (by the Presenter)
  An alphanumeric return address can be used to fool Packet Vaccine
  Exceptions are more common than exploitable vulnerabilities
  Packet Vaccine is very application-dependent
    The heap and stack size must be recalculated whenever the application is updated
    Syntax tokens must be gathered
    The decoding mechanism is not simple
  It is difficult to protect a single-threaded application with Packet Vaccine
    A test server is needed
    Parallel vaccine testing is impossible

Slide 27: Conclusion
  Black-box exploit detection
  Effective signature generation
  Low false positives by using host information
  Low overhead and easy deployment: only a lightweight collector needs to be installed on the host to gather forensic data from an exception

Slide 28: Q&A
  Thanks for listening!