Su Yong Kim
Contents: Stack Overflow Example, Packet Vaccine, Evaluation, Limitation, Conclusion
Vulnerable Program

#include <string.h>

void foo(char *bar) {
    char c[12];
    strcpy(c, bar); /* no bounds checking: input longer than 11 bytes overflows c */
}

int main(int argc, char **argv) {
    if (argc > 1) foo(argv[1]);
    return 1;
}
Stack Overflow Example II: Indirect Jump
Calling foo("AA......")
Code section: 0x7e8ecf49 holds FF D4 (jmp esp)
Overwritten return address in the payload (little-endian): \x49 \xcf \x8e \x7e = 0x7e8ecf49, so the return lands on jmp esp and execution continues at esp, i.e. in the attacker's bytes on the stack
Stack Overflow Example III: Return into Library
Calling foo("AA......")
Kernel32.dll: 0x7C8623AD is the WinExec API entry point
Overwritten return address in the payload (little-endian): \xAD \x23 \x86 \x7C = 0x7C8623AD
Main Idea
Detect the packet with any address-like string
Test whether an anomalous packet is malicious or not:
  Scramble the address-like string of the packet
  Send the packet into the target server
  If any exception occurs on the target server, drop the original packet and generate a signature
  If no exception, send the original packet into the target server
Detecting Anomalous Packets
Key idea
  Check every existing 4-byte sequence (32-bit system) in a packet's application payload
  Detect a jump address that would redirect the control flow of a vulnerable program
Jump address
  Stack & heap address range
  Address range of global libraries such as msvcrt.dll or libc.so (system(), execve())
Empirical study on Linux
  0xbfff0000 to 0xbfffffff for the stack
  0x08040000 to 0x08ffffff for the heap
Determining Stack & Heap Address Range
Monitor stack and heap usage of the protected program
Calculate the stack address range
  From: stack base address - α * (typical stack maximum usage), α > 1
  To: stack base address
Calculate the heap address range
  From: heap base address
  To: heap base address + α * (typical heap maximum usage), α > 1
Making Packet Vaccine
Packet vaccine
  Weakened exploit packet with important elements scrambled
Issues
  Preserving the exploit semantics: control flow should not be changed
  Preventing & detecting malicious behavior by the exploit: scrambling some fields of the exploit
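To make the detection and scrambling steps of the last three slides concrete, here is an added Python example (not code from the paper or the presentation). The stack and heap ranges are the empirical Linux values the slide quotes; the value alpha = 1.5 and the sample GET payload are constructed, and in a real deployment the ranges would come from monitoring the protected program as the previous slide describes.

```python
import random
import struct

# Empirical 32-bit Linux ranges quoted on the slides.
STACK_RANGE = (0xBFFF0000, 0xBFFFFFFF)
HEAP_RANGE = (0x08040000, 0x08FFFFFF)
RANGES = [STACK_RANGE, HEAP_RANGE]

def stack_range(base, max_usage, alpha=1.5):
    """The stack grows down: suspicious window is [base - alpha*usage, base]."""
    return (base - int(alpha * max_usage), base)

def heap_range(base, max_usage, alpha=1.5):
    """The heap grows up: suspicious window is [base, base + alpha*usage]."""
    return (base, base + int(alpha * max_usage))

def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def find_address_like(payload, ranges):
    """Check every 4-byte little-endian word (one window per byte offset)
    and report the offsets whose value falls in a suspicious range."""
    hits = []
    for off in range(len(payload) - 3):
        (value,) = struct.unpack_from("<I", payload, off)
        if in_ranges(value, ranges):
            hits.append((off, value))
    return hits

def make_vaccine(payload, hits, ranges, rng=None):
    """Scramble only the suspected jump addresses with random words that
    are not address-like; every other byte is kept so the packet still
    follows the same code path in the protected program. Returns the
    vaccine and the {offset: scrambled word} map, which is what a later
    exception (EIP/CR2 equal to a scrambled word) is correlated against."""
    rng = rng or random.Random(0)   # seeded only so the sample is repeatable
    vaccine = bytearray(payload)
    scrambled = {}
    for off, _ in hits:
        word = rng.getrandbits(32)
        while in_ranges(word, ranges):
            word = rng.getrandbits(32)
        struct.pack_into("<I", vaccine, off, word)
        scrambled[off] = word
    return bytes(vaccine), scrambled

# Constructed sample: an over-long GET path ending in a stack address.
PAYLOAD = b"GET /" + b"A" * 40 + struct.pack("<I", 0xBFFFF7A0) + b" HTTP/1.0\r\n"
```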
Preserving the exploit semantics
Flow of the vulnerable program (from the slide's diagram): Does the user's input contain "GET"? Does the user's input contain "/default.ida"? Call strcpy. The scrambled packet must still pass these checks so that it reaches the vulnerable call.
Detecting Exploit
If an exception occurs on the protected program:
  Correlate the exception with one of the byte sequences being scrambled: value of the EIP or CR2 register == byte sequence
  Validate the correlation: randomize all bytes of the byte sequence and check whether the exception happens again
Generating Signature (1/2): Application-independent Signature Generation
  Generate packet vaccines randomizing each byte except the scrambled jump address
  Test them in the vulnerable application; if no exception occurs, record the randomized byte as a signature token
  Repeat for all bytes except the scrambled jump address
  => Signature: signature tokens + target address set
  => Good performance: small size of exploit, parallel testing and block-searching technique
Generating Signature (2/2): Using Protocol Information
  Identify the application field that includes the jump address
  Estimate that field's length using the number of bytes prior to the address
  Iteratively alter the field size to generate new vaccines: if a new vaccine makes the exception disappear, increase the size; otherwise, shrink the size
  => Signature form: (application, command, field.name, max.field.size)
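The two signature-generation procedures above, as an added Python example that is not the paper's or the presenter's code. The crashes() function is a constructed stand-in for the vaccine test server (it reports an exception when a GET path exceeds 703 bytes, the max.field.size the ATP-httpd slide quotes); the request layout and the jump address are constructed as well.

```python
import random
import struct

JUMP_ADDR = 0xBFFFF7A0   # constructed stack address carried in the path field
MAX_SAFE_PATH = 703      # ATP-httpd max.field.size quoted on the slide

def crashes(packet):
    """Constructed stand-in for the test server: reports an exception when
    a GET request line's path field (before ' HTTP/') exceeds MAX_SAFE_PATH."""
    head, marker, _ = packet.partition(b" HTTP/")
    if not marker:
        return False
    command, space, path = head.partition(b" ")
    return command == b"GET" and space == b" " and len(path) > MAX_SAFE_PATH

def build_request(path_len, command=b"GET"):
    """Request whose path field is exactly path_len (>= 5) bytes and ends
    with the little-endian jump address."""
    path = b"/" + b"A" * (path_len - 5) + struct.pack("<I", JUMP_ADDR)
    return command + b" " + path + b" HTTP/1.0\r\n"

def max_field_size(crash_len, lo=5):
    """Protocol-informed search: shrink the field while the exception
    persists, grow it when the exception disappears. Returns the largest
    field size that does not trigger the exception."""
    hi = crash_len                     # known to trigger the exception
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if crashes(build_request(mid)):
            hi = mid
        else:
            lo = mid
    return lo

def signature_tokens(exploit, protected, rng=None):
    """Application-independent search: randomize one byte at a time, never
    touching the scrambled jump address; a byte whose change makes the
    exception disappear is required by the exploit and becomes a token.
    (Block-searching would test runs of bytes first; this is per-byte.)"""
    rng = rng or random.Random(0)
    tokens = {}
    for i in range(len(exploit)):
        if i in protected:
            continue
        mutated = bytearray(exploit)
        mutated[i] = rng.choice([b for b in range(256) if b != exploit[i]])
        if not crashes(bytes(mutated)):
            tokens[i] = exploit[i]
    return tokens
```

With the constructed oracle the tokens come out as the "GET " command prefix and the " HTTP/" marker, and the size search returns 703, i.e. the signature (ATP-httpd, GET, path, 703) from the evaluation slide.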
Signature Quality Evaluation
Comparison target
  Brumley's approach: generates a signature on the basis of static analysis of a vulnerable program's binary code
Comparison measure
  Source code of the vulnerable application
Quality of the Application-level Signature
Vulnerable program: ATP-httpd
  Brumley's signature: command GET or HEAD; max.field.size 812 bytes; performance more than a second
  Packet Vaccine: command GET; max.field.size 703 bytes; performance 0.274 seconds
In Summary
  Brumley's approach is more accurate than Packet Vaccine
  Packet Vaccine is nearly as accurate as Brumley's approach when Packet Vaccine can use multiple exploits
  Brumley's approach cannot be used on obfuscated binaries, while Packet Vaccine can
  Packet Vaccine is significantly faster
Performance Evaluation
Experiment environment
  Protected program: Apache 2.0.55 on Linux
  Performance tester: ApacheBench 2.0.41-dev
  Architecture: (diagram)

Server overheads
  D0, D1: on different hosts; S0, S1: on the same host
  Configurations compared in the chart: Apache; Apache + proxy; Apache + proxy + packet vaccine
Limitation by Author
  False negatives in exploit detection if the packet vaccine destroys the exploit semantics, especially for binary protocols
  Difficult to apply on packets with encrypted payloads or checksums; an application-level proxy is needed
  Less expressive signature: describing the exploit condition is impossible
Limitation by Presenter
  An alphanumeric return address can be used to fool Packet Vaccine
  Exceptions are more common than exploitable vulnerabilities
  Packet Vaccine is highly application-dependent: heap & stack sizes must be calculated whenever the application is updated; syntax tokens must be gathered; the decoding mechanism is not simple
  It is difficult to protect a single-threaded application using Packet Vaccine: a test server is needed, and parallel vaccine testing is impossible
Conclusion
  Black-box exploit detection
  Effective signature generation
  Low false positives by using host information
  Low overhead and easy deployment: only a lightweight collector needs to be installed on the host to gather forensic data from an exception