Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software...


Transcript of Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software...

Page 1: Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software

Authors: James Newsome, David Brumley, and Dawn Song
Publisher: Network and Distributed Systems Security Symposium (NDSS), Feb 2006
Presented by: Arun Krishnamurthy

Page 2: Presentation Outline

The Problem.
Intro to VSEF:
  Taint-Based VSEF.
  Destination-Based VSEF.
Implementation and Performance.
My Comments.

Page 3: The Problem

Exploits for new vulnerabilities can compromise almost all vulnerable hosts in a very short amount of time!
We need to find an automated defense system that can react to these vulnerabilities quickly!

Page 4: Requirements for Defense System

1. Fast defense development/deployment: must fix the vulnerability very quickly, as worms spread very fast.
2. No requirement for source code: most source code is proprietary and cannot be shown to the end user.
3. High accuracy and effectiveness: low false positives/negatives.
4. Low performance overhead: does not degrade performance.

Page 5: Vulnerability-Specific Execution-Based Filtering (VSEF)

Definition: an automated defense system that defends against “just discovered” attacks.
Properties:
  Robust filters: vulnerability specific, but exploit agnostic.
  Efficient generation of VSEF filters: generates filters very quickly once a vulnerability is detected.
  Efficient detection: very little overhead.

Page 6: VSEF Architecture

Two main components:
  VSEF Filter Generator: uses an exploit execution trace to create a VSEF filter, which encodes the information the monitor needs to detect future attacks on the vulnerability.
  VSEF Binary Instrumentation Engine: used by vulnerable hosts to apply a VSEF filter to a binary.

Page 7: VSEF Architecture Diagram

Page 8: Types of VSEF

Two types:
  Taint-Based VSEF: based on dynamic taint analysis. Has high accuracy.
  Destination-Based VSEF: a more optimistic version of taint-based VSEF. Normally requires fewer instructions to be instrumented.

Page 9: Taint-Based VSEF (Overview)

Marks data coming from untrusted sources.
Inserts instrumentation instructions to track tainted data from untrusted sources.
Accurately detects a wide range of attacks: buffer overruns, format strings, double-free attacks.
Requires instrumenting many instructions.

Page 10: Taint-Based VSEF (Filter Generation)

Two parts:
  1. List of instruction positions where instrumentation for taint propagation must be added.
  2. Instruction position where instrumentation to detect misuse of tainted data must be added.
Examines the trace backwards: begins at the end of the trace (the exploit point), then traces backwards to determine the source of the taint.

Page 11: Taint-Based VSEF (Taint Example)

Page 12: Taint-Based VSEF (Binary Instrumentation)

Checks whether the source operand is a tainted location. If yes, marks the destination operand as tainted.
Also checks whether a sensitive value is being tainted. If yes, there is an attack!
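A toy model of the backwards filter generation from page 10 and the propagation and misuse checks on this slide, written as an added example for this transcript rather than code from the paper or TaintCheck; the instruction format, addresses and traces are constructed.

```python
# Added example (not from the paper): taint-based VSEF filter generation
# and monitoring over a constructed, simplified instruction trace.
from typing import NamedTuple

class Insn(NamedTuple):
    addr: int     # instruction address (constructed)
    dst: str      # location written (register or memory cell name)
    srcs: tuple   # locations read

# Constructed exploit trace: untrusted input flows net -> buf -> eax ->
# ret_slot, and the ret at 0x4020 then jumps to the tainted value.
EXPLOIT_TRACE = [
    Insn(0x4000, "buf", ("net",)),       # recv(): untrusted bytes land in buf
    Insn(0x4004, "eax", ("buf",)),       # mov eax, [buf]
    Insn(0x4008, "ecx", ("len",)),       # unrelated work, not on the taint path
    Insn(0x400c, "ret_slot", ("eax",)),  # mov [ret_slot], eax  (overwrite point)
    Insn(0x4020, "eip", ("ret_slot",)),  # ret                  (exploit point)
]

def generate_filter(trace):
    """Walk backwards from the exploit point (last instruction) and collect
    the instructions that carried taint from the input to the misuse."""
    misuse = trace[-1]
    wanted = set(misuse.srcs)           # locations whose producers we still need
    propagate = set()
    for insn in reversed(trace[:-1]):
        if insn.dst in wanted:
            propagate.add(insn.addr)
            wanted.discard(insn.dst)
            wanted.update(insn.srcs)
    return {"propagate": propagate, "misuse": misuse.addr}

def monitor(trace, vsef_filter):
    """Replay a trace, instrumenting only the filter's instructions.
    Returns the address where tainted data was misused, or None."""
    tainted = {"net"}                   # the untrusted source is tainted a priori
    for insn in trace:
        if insn.addr in vsef_filter["propagate"]:
            if any(s in tainted for s in insn.srcs):
                tainted.add(insn.dst)      # taint flows to the destination
            else:
                tainted.discard(insn.dst)  # overwritten with clean data
        if insn.addr == vsef_filter["misuse"] and any(s in tainted for s in insn.srcs):
            return insn.addr               # a sensitive value is tainted: attack
    return None

# Constructed benign run: ret_slot is written by the call, not by input.
BENIGN_TRACE = [
    Insn(0x3ff0, "ret_slot", ("caller",)),
    Insn(0x4000, "buf", ("net",)),
    Insn(0x4004, "eax", ("buf",)),
    Insn(0x4020, "eip", ("ret_slot",)),
]
# Constructed variant that reaches ret_slot through an un-instrumented
# instruction (0x4010): the false-negative case noted on page 13.
OTHER_PATH_TRACE = BENIGN_TRACE[:3] + [Insn(0x4010, "ret_slot", ("eax",)), BENIGN_TRACE[3]]

if __name__ == "__main__":
    f = generate_filter(EXPLOIT_TRACE)
    print(f, monitor(EXPLOIT_TRACE, f), monitor(BENIGN_TRACE, f), monitor(OTHER_PATH_TRACE, f))
```

Only the three instructions on the taint path plus the misuse point are instrumented, which is why the same filter detects the exploit but misses the variant that propagates taint through 0x4010.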

Page 13: Taint-Based VSEF (Performance & Accuracy)

Performance:
  Filter generation is almost instantaneous.
  Execution overhead is proportional to the number of instructions in the program.
Accuracy:
  No false positives when watchpoint techniques are used.
  False negatives happen if tainted input is propagated along a different code path, or the overwritten sensitive value is misused at a different location.

Page 14: Destination-Based VSEF (Overview)

Definition: an optimistic filter that focuses on instrumenting the point where sensitive data was illegitimately overwritten, rather than the point where tainted data was illegitimately used.
In other words, it ONLY monitors the overwrite point!

Page 15: Destination-Based VSEF (Filter Generation)

Determines:
  The overwrite point.
  The vulnerable context.
  The destinations that should not be overwritten by that context.
Checks the chain of instructions that propagated the tainted data to the overwrite point, in a similar manner to taint-based VSEF.

Page 16: Destination-Based VSEF (Binary Instrumentation)

Checks that the data movement instruction at the overwrite point does not write to a sensitive destination.
Can be done by instrumenting a small number of instructions:
  The data movement instruction.
  The call instruction corresponding to each activation record in the vulnerable context.

Page 17: Destination-Based VSEF (Accuracy & Performance)

Accuracy: usually no false positives, but they can happen if:
  1. The VSEF Filter Generator identified the wrong instruction at the overwrite point.
  2. The instruction at the overwrite point can LEGALLY write to the monitored location in the vulnerable context.
Performance:
  Filters can be created almost instantly!
  Performance can be improved if fewer instructions are instrumented.

Page 18: VSEF Implementation (Taint-Based)

Implemented by modifying TaintCheck:
  Saves the set of instruction addresses from the relevant part of the directed acyclic graph to a file.
  Saves the instruction addresses where tainted data is misused.
Binary Instrumentation Engine implemented as an extension to TaintCheck.

Page 19: VSEF Implementation (Destination-Based)

Implemented using Dyninst:
  A binary instrumentation tool.
  Performs static rewriting of the target binary.
Filter contains:
  Address of the overwrite point.
  Activation records of the stack when the overwrite point was executed.
  Normalized address of the data that was overwritten.
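A toy model of the destination-based filter described on pages 15, 16 and this slide (overwrite point, vulnerable context, normalized destination) and of the check applied at the overwrite point, written as an added example for this transcript rather than code from the paper or Dyninst; the write records, addresses and call-site values are constructed.

```python
# Added example (not from the paper or Dyninst): destination-based VSEF
# filter generation and the check run at the overwrite point, over
# constructed write records as a monitor would observe them.
from typing import NamedTuple

class Write(NamedTuple):
    addr: int      # address of the data-movement instruction
    stack: tuple   # call sites of the activation records on the stack
    ebp: int       # frame base of the vulnerable function's frame
    dest: int      # absolute address being written

def generate_dest_filter(exploit_write: Write, sensitive_addr: int) -> dict:
    """Build the filter from the write that the trace flagged as the
    overwrite of a sensitive location (here the saved return address)."""
    return {
        "overwrite_point": exploit_write.addr,
        "context": exploit_write.stack,
        # Normalize: absolute stack addresses differ from run to run, so
        # record the offset from the frame base instead.
        "normalized_dest": sensitive_addr - exploit_write.ebp,
    }

def check_write(w: Write, vsef_filter: dict) -> bool:
    """True if the write must be blocked: the instrumented instruction, in
    the vulnerable context, targets the protected offset. A legitimate write
    to that offset in that context would also be flagged (page 17)."""
    if w.addr != vsef_filter["overwrite_point"]:
        return False                      # instruction is not instrumented
    if w.stack != vsef_filter["context"]:
        return False                      # reached from a different call path
    return w.dest - w.ebp == vsef_filter["normalized_dest"]

# Constructed exploit record: a copy loop in parse() (called via the two
# call sites below) writes past its buffer onto the saved return address.
EXPLOIT_WRITE = Write(0x804a3c0, (0x8048100, 0x8048230), ebp=0xbfff0d40, dest=0xbfff0d44)
FILTER = generate_dest_filter(EXPLOIT_WRITE, sensitive_addr=0xbfff0d44)

# Constructed writes observed after hardening:
VARIANT = Write(0x804a3c0, (0x8048100, 0x8048230), ebp=0xbfff0a10, dest=0xbfff0a14)    # new stack placement, same target
IN_BOUNDS = Write(0x804a3c0, (0x8048100, 0x8048230), ebp=0xbfff0d40, dest=0xbfff0d00)  # stays inside the buffer
OTHER_CTX = Write(0x804a3c0, (0x8048100, 0x80485f0), ebp=0xbfff0d40, dest=0xbfff0d44)  # other caller: outside the filter's context

if __name__ == "__main__":
    for name, w in [("variant", VARIANT), ("in-bounds", IN_BOUNDS), ("other context", OTHER_CTX)]:
        print(name, "blocked" if check_write(w, FILTER) else "allowed")
```

The variant is caught even though its absolute addresses differ, because the filter compares frame-relative offsets; the write from another call path is not checked at all, which is the trade-off that keeps the instrumented set small.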

Page 20: VSEF Performance & Accuracy (Taint-Based)

Performance:
  Due to efficient instrumentation techniques, VSEF had very little performance overhead.
  Only 14% slower than running the server natively.
  Only 2% slower than running DynamoRIO alone.
Accuracy:
  Correctly handled exploits without any false positives or false negatives.

Page 21: VSEF Performance & Accuracy (Destination-Based)

Performance:
  Takes some time to create a filter from TaintCheck’s log.
  Also takes some time to use the Binary Instrumentation Engine to harden the vulnerable binary.
  However, only ran 3% slower than running the server natively.
Accuracy:
  Successfully defended against the original exploits and their variants (No False Positives).
  Correctly did not identify any similar but non-exploiting requests as attacks (No False Negatives).

Page 22: VSEF Performance (Chart)

Page 23: VSEF Strengths

Successfully satisfied all original requirements:
  Fast deployment.
  No need for source code.
  Very high accuracy.
  Low overhead.
Can be deployed on Windows and Linux/Unix OS.

Page 24: VSEF Weaknesses

Can still have false positives/false negatives:
  False negatives for Taint-Based VSEF:
    If tainted input is propagated along a different code path.
    If the overwritten sensitive value is misused at a different location.
  False positives for Destination-Based VSEF:
    If the VSEF Filter Generator identified the wrong instruction at the overwrite point.
    If the instruction at the overwrite point legally writes to the monitored location in the vulnerable context.

Page 25: Suggestions for Enhancement

Go commercial! Sell VSEF to third-party companies.
They can use VSEF for product testing and enhancements.
Other than that, it’s almost perfect! I can’t think of any more enhancements.

Page 26: Conclusion

Hosts can be compromised very quickly due to vulnerabilities that can easily be exploited!
Thus, we need to find an automated system that can react to these vulnerabilities!
VSEF can quickly defend against and filter out those exploits with high accuracy and low overhead!
Would make good commercial use!