
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software. Authors: James Newsome, David Brumley, and Dawn Song.


1 Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software. Authors: James Newsome, David Brumley, and Dawn Song. Publisher: Network and Distributed Systems Security Symposium (NDSS), 2006. Presented by: Chowdhury, Abu Rahat.

2 Today's Outline: The authors and their problem statement. Intro to VSEF and its architecture: Taint-based VSEF; Destination-based VSEF. Performance and implementation. Comments.

3 The Authors. Dawn Song: Assistant Professor, Computer Science Division, University of California, Berkeley. Current research projects and thrusts: BitBlaze (binary analysis for COTS protection and malicious code defense); Seaglass (cryptographic constructions for secure, privacy-preserving distributed information sharing); networking security using machine learning. Jim Newsome: Electrical & Computer Engineering, Carnegie Mellon University; graduate student pursuing a PhD. "Our work on patch-based exploit generation will appear at the 2008 IEEE Security and Privacy Symposium." David Brumley: PhD student, Carnegie Mellon University.

4 The Problem: The number of new vulnerabilities reported each year continues to grow. A new exploit for a single vulnerability can readily be turned into a worm, and a new vulnerability can compromise almost all vulnerable hosts in a very short amount of time. So we need an automated defense system that can react to these vulnerabilities quickly!

5 Requirements for a Defense System: 1. Fast defense development/deployment – must fix the vulnerability very quickly, as worms spread very fast. 2. No requirement for source code – most source code is proprietary and is not available to the end user. 3. High accuracy and effectiveness – low false positives/negatives. 4. Low performance overhead – must not degrade performance.

6 Vulnerability-Specific Execution-Based Filtering (VSEF). Definition: – An automated defense system that defends against "just discovered" attacks. Properties: – Robust filters – vulnerability specific, but exploit agnostic. – Efficient generation of VSEF filters – generates filters very quickly once a vulnerability is detected. – Efficient detection – very little overhead.

7 Vulnerability-Specific Execution-Based Filtering (VSEF). At a high level, VSEF filters out exploits based on the program's execution rather than solely on the input string. It does not instrument and monitor the full execution: VSEF only monitors and instruments the part of the program execution that is relevant to the specific vulnerability. VSEF therefore takes the best of both input-based filtering and full execution monitoring: it is much more accurate than input-based filtering and much more efficient than full execution monitoring.

8 VSEF Architecture. Two main components: – VSEF Filter Generator – uses an exploit execution trace to create a VSEF filter, which encodes the information the monitor needs to detect future attacks on the vulnerability. – VSEF Binary Instrumentation Engine – used by vulnerable hosts to apply a VSEF filter to a binary program.

9 VSEF Architecture Diagram

10 The Big Picture. To create a VSEF filter for a known vulnerability, two things are needed: the program binary and a sample input that exploits that vulnerability. The VSEF Filter Generator automatically generates a VSEF filter which encodes the information needed to detect future attacks against the vulnerability.

11 The Big Picture. Using the VSEF filter, the vulnerable host can use the VSEF Binary Instrumentation Engine to automatically add instrumentation to the vulnerable binary and obtain a hardened binary program. The hardened program introduces very little overhead and, for normal requests, performs just like the original program.

12 The Big Picture

13 Types of VSEF. Two types: – Taint-based VSEF – based on dynamic taint analysis; has high accuracy. – Destination-based VSEF – a more optimistic version of taint-based VSEF; normally requires fewer instructions to be instrumented.

14 Taint-Based VSEF (Overview) Marks data coming from untrusted sources. Inserts instrumentation instructions to track tainted data from untrusted sources. Accurately detects wide range of attacks Requires instrumenting many instructions.

15 Taint-Based VSEF (Filter Generation) Examines the trace in a backwards manner: –Begins at the end of the trace (the exploit point), then traces backwards to determine source of the taint.

16 Taint-Based VSEF (Binary Instrumentation) Checks to see if source operand is a tainted location. –If yes, then mark destination operand as tainted. Also checks whether sensitive value is being tainted. –If yes, then there is an attack!

17 Taint-Based VSEF (Performance & Accuracy). Performance: – Filter generation is almost instantaneous. – Execution overhead is proportional to the number of instrumented instructions (those on the taint-propagation chain recorded in the filter), not to the size of the whole program. Accuracy: – No false positives (when watchpoint techniques are used). – False negatives happen if the tainted input is propagated along a different code path, or the overwritten sensitive value is misused at a different location.

18 Destination Based VSEF (Overview) Definition: –An optimistic filter that focuses on instrumenting the point where sensitive data was illegitimately overwritten, rather than the point where tainted data was illegitimately used. In other words, it ONLY monitors the overwrite point!

19 Destination Based VSEF (Filter Generation) Determines: –The overwrite point. –The vulnerable context. –The destinations that should not be overwritten by that context. Checks the chain of instructions that propagated the tainted data to the overwrite point in a similar manner to taint-based VSEF.

20 Destination-Based VSEF (Binary Instrumentation). Checks that the data-movement instruction at the overwrite point does not write to the sensitive destination.

21 Destination-Based VSEF (Accuracy & Performance). Accuracy: – Usually no false positives, but they can happen if: 1. the VSEF Filter Generator identified the wrong instruction as the overwrite point; 2. the instruction at the overwrite point can LEGALLY write to the monitored location in the vulnerable context. Performance: – Filters can be created almost instantly! – Overhead is lower because fewer instructions are instrumented.

22 VSEF Implementation (Taint-Based) Implemented by modifying TaintCheck: Binary Instrumentation Engine implemented as an extension to TaintCheck.

23 VSEF Implementation (Destination-Based). Implemented using Dyninst: – A binary instrumentation tool. – Performs static rewriting of the target binary. The filter contains: – The address of the overwrite point. – The activation records on the stack when the overwrite point was executed. – The normalized address of the data that was overwritten.
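The two filter types are easiest to compare on a concrete trace. The Python model below is an added example written for this transcript; it is not the authors' TaintCheck or Dyninst implementation and does not execute any binary: it replays a recorded list of instructions. The instruction addresses, the one-byte stack "cells", the call-site addresses and the overflow itself are all constructed for the example. It implements the taint-based filter generation of slides 15-16 (backward walk from the exploit point, then taint propagation restricted to the instrumented addresses) and the destination-based filter of slides 19-23 (overwrite point, stack context, monitored destination), and finishes with the slide-17 false negative, where the same overflow reached through a different copy routine escapes the filter.

```python
"""Toy model of VSEF filter generation and the hardened binary's checks.
Added example, not the authors' TaintCheck/Dyninst code.  Addresses, stack
cells, call sites and the exploit are constructed; a trace is replayed."""
from collections import namedtuple

# One record per executed instruction: its address, the operands it read,
# the operand it wrote, and the return addresses on the stack when it ran.
Insn = namedtuple("Insn", "addr srcs dst stack")

UNTRUSTED = "net"     # taint source: bytes received from the network
SENSITIVE = {"eip"}   # locations that must never receive tainted data
BUF_SIZE = 8          # size of the vulnerable stack buffer, in one-byte cells


def make_trace(n_bytes, via="loop", caller="0x400500"):
    """Constructed trace: a function copies n_bytes of network input into an
    8-byte stack buffer and returns.  Byte 8 lands on the saved return address,
    which the final 'ret' loads into eip.  via="loop" copies through a register
    one byte at a time; via="memcpy" is a different code path for the same bug."""
    stack = (caller,)

    def cell(i):  # where byte i of the input lands on the stack
        return f"buf[{i}]" if i < BUF_SIZE else "saved_ret" if i == BUF_SIZE else f"stack+{i}"

    t = [Insn("0x401010", [UNTRUSTED], f"nb[{i}]", stack) for i in range(n_bytes)]  # recv()
    for i in range(n_bytes):
        if via == "loop":
            t.append(Insn("0x401020", [f"nb[{i}]"], "al", stack))      # mov al, [esi+i]
            t.append(Insn("0x401023", ["al"], cell(i), stack))         # mov [edi+i], al
        else:
            t.append(Insn("0x401040", [f"nb[{i}]"], cell(i), stack))   # rep movsb
    t.append(Insn("0x401030", ["saved_ret"], "eip", stack))            # ret
    return t


def track(trace, instrumented=None):
    """Dynamic taint propagation.  instrumented=None monitors every instruction
    (full TaintCheck, run once on the sample exploit); a set of addresses
    monitors only those (taint-based VSEF, slide 16).  Returns the trace index
    of the instruction that moved tainted data into a sensitive location."""
    tainted = set()
    for i, ins in enumerate(trace):
        if instrumented is not None and ins.addr not in instrumented:
            continue  # uninstrumented: runs at native speed, no taint bookkeeping
        if UNTRUSTED in ins.srcs or any(s in tainted for s in ins.srcs):
            tainted.add(ins.dst)
            if ins.dst in SENSITIVE:
                return i
        else:
            tainted.discard(ins.dst)  # overwritten with clean data
    return None


def taint_filter(trace, exploit_idx):
    """Taint-based filter (slide 15): walk backwards from the exploit point and
    keep the addresses of the instructions that carried the taint to it."""
    wanted = set(trace[exploit_idx].srcs)
    filt = {trace[exploit_idx].addr}
    for ins in reversed(trace[:exploit_idx]):
        if ins.dst in wanted:
            filt.add(ins.addr)
            wanted.discard(ins.dst)
            wanted.update(s for s in ins.srcs if s != UNTRUSTED)
    return filt


def dest_filter(trace, exploit_idx):
    """Destination-based filter (slides 19 and 23): the overwrite point is the
    last instruction that wrote the location the exploit point read.  Record
    its address, the stack context it ran in and the destination it must not
    write there.  A real filter normalises the destination (e.g. as a frame
    offset) since absolute stack addresses vary; symbolic cells make that
    implicit here."""
    victim = trace[exploit_idx].srcs[0]
    for ins in reversed(trace[:exploit_idx]):
        if ins.dst == victim:
            return {"addr": ins.addr, "context": ins.stack, "dst": victim}
    return None


def dest_check(trace, filt):
    """Check inserted by the hardened binary (slide 20): only the overwrite
    point is instrumented; it is an attack when that instruction writes the
    monitored destination inside the vulnerable context."""
    for i, ins in enumerate(trace):
        if ins.addr == filt["addr"] and ins.stack == filt["context"] and ins.dst == filt["dst"]:
            return i
    return None


if __name__ == "__main__":
    sample = make_trace(12)                      # the one sample exploit we were given
    xp = track(sample)                           # full monitoring finds the exploit point
    tf, df = taint_filter(sample, xp), dest_filter(sample, xp)
    print("taint filter instruments", sorted(tf), "| destination filter:", df)
    print("benign 6-byte request:", track(make_trace(6), tf), dest_check(make_trace(6), df))
    print("different 40-byte exploit:", track(make_trace(40), tf), dest_check(make_trace(40), df))
    other = make_trace(12, via="memcpy")         # same bug reached through another copy routine
    print("other code path (slide 17 false negative):", track(other, tf), "vs full:", track(other))
```

On the constructed exploit the taint-based filter instruments four addresses (the recv, the two copy-loop instructions and the ret), while the destination-based filter instruments a single one, which is the "fewer instructions" point of slide 13. Both filters catch a 40-byte exploit they never saw, since they key on the vulnerable instructions rather than on the input, and both stay silent on a benign 6-byte request. Both also miss the overflow when it is reached through the uninstrumented `memcpy` path, whereas full monitoring still catches it; that is the trade-off slide 17 describes, and the destination filter additionally ignores the overwrite when the same instruction runs under a different call stack, because the filter is bound to the recorded vulnerable context.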

24 Conclusion. Hosts can be compromised very quickly through vulnerabilities that are easy to exploit! – Thus we need an automated system that can react to these vulnerabilities. VSEF can quickly defend against and filter out those exploits with high accuracy and low overhead. It would be a good candidate for commercial use!

25 VSEF Strengths Successfully satisfied all original requirements: Fast Deployment. No need for source code. Very high accuracy. Low overhead This approach is general, and could potentially be applied to other faults such as integer overflow, divide-by-zero, etc. Can be deployed in Windows and Linux/Unix OS.

26 VSEF Weaknesses. Can still have false positives/false negatives: – False negatives for taint-based VSEF: if the tainted input is propagated along a different code path; if the overwritten sensitive value is misused at a different location. – False positives for destination-based VSEF: if the VSEF Filter Generator identified the wrong instruction as the overwrite point; if the instruction at the overwrite point legally writes to the monitored location in the vulnerable context.

27 Suggestions Go commercially! –Sell VSEF to third party companies. They can use VSEF for product testing and enhancements.

28 Reference Slide. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior. In the context of computer programming, instrumentation refers to the ability to monitor or measure a product's performance, diagnose errors and write trace information. Instrumentation takes the form of code instructions that monitor specific components in a system.

29 Reference Slide. Previous work has various drawbacks and does not satisfy all the requirements. One popular approach is to automatically generate network-based input filters to filter out known exploits. These are limited to syntactic properties of the input string and cannot take into account application-specific semantic and context information. In the extreme case where an input filter is used on an encrypted protocol, it must somehow be supplied with the decryption key, which is awkward and application-specific.

30 Reference Slide. On the other hand, various host-based approaches have been proposed which are more accurate, but fail to meet the other requirements. For example, previous approaches have focused on: (1) Patching: patching a new vulnerability can be a time-consuming task; generating high-quality patches often requires source code, manual effort, and extensive testing. (2) Binary-based full execution monitoring: many approaches have been proposed to add protection to a binary program. However, these previous approaches are either inaccurate and defend against only a small class of attacks, or require hardware modification, or incur high performance overhead when used to protect the entire program execution.

31 Taint-Based VSEF (Taint Example)

32 VSEF Performance (Chart)

33 Thank You

