Topics in Information Security, Prof. Avishai Wool

Intrusion Detection via Static Analysis
Ohad Ben-Cohen, ohadbc at eng.tau.ac.il
Based on
What's Wrong?

    #include <stdio.h>

    void sayhi(char *param) {
        char buf[96];
        printf("what's u'r name?");
        gets(buf);
        printf("hi %s!\n", buf);
    }
Buffer Overflow
Buffer Overflow

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

bad. Instead of reaching exit(0), execution is redirected into the injected code:

    /* evil code */
    execve("/bin/sh");
Intrusion Detection?

- Model of Behaviour: Rule Based or Observations
- Monitor and Alarm!
- AI / Statistical
- Statistical: False Positives
- HIDS by System Calls (k=1)
Example 1: OK!

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);
Example 2: False Positive

    fd = open("/etc/passwd");
    if(time() < YEAR2009)
        read(fd, buf, 50);
    else
        write(fd, "new-user");
    close(fd);
Example 3: False Negative

    char buf[50];
    if(!fork())
        execve("stam_job");
    gets(buf);
    printf("got %s\n", buf);
    exit(0);
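Added example, written for this page and not code from the slides: a toy statistical "HIDS by system calls" that profiles a program by the length-k windows of syscalls seen in normal runs; the slides' k=1 case is run first, and k=2 goes beyond the slides to show that a longer window catches Example 3 while Example 2's false positive remains. All syscall traces below are constructed.

```python
# Added example (not from the slides): toy "HIDS by system calls".
# Profile = set of all length-k windows of syscalls seen in normal runs;
# the slides' model is k=1 (single calls). Alarm on any unseen window.
# Every trace below is constructed to mirror Examples 1-3 on the slides.

def windows(trace, k):
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def train_profile(normal_traces, k=1):
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile

def monitor(profile, trace, k=1):
    """Windows of the monitored trace that training never saw (the alarms)."""
    return [w for w in windows(trace, k) if w not in profile]

# Example 1: sayhi() normally does printf (write), gets (read), printf, exit;
# the overflowed run ends up in injected code that calls execve("/bin/sh").
SAYHI_NORMAL = [["write", "read", "write", "exit"]]
SAYHI_ATTACK = ["write", "read", "execve"]
# Example 2: training happened before YEAR2009, when /etc/passwd was only read.
PASSWD_NORMAL = [["open", "read", "close"]]
PASSWD_2009 = ["open", "write", "close"]            # legitimate, never trained
# Example 3: every normal run forks and execve()s "stam_job" ...
FORK_NORMAL = [["fork", "execve", "read", "write", "exit"]]
FORK_ATTACK = ["fork", "execve", "read", "execve"]   # ... so this execve blends in

def run_examples(k=1):
    """Alarms for the three monitored traces at window size k."""
    return {
        "example1": monitor(train_profile(SAYHI_NORMAL, k), SAYHI_ATTACK, k),
        "example2": monitor(train_profile(PASSWD_NORMAL, k), PASSWD_2009, k),
        "example3": monitor(train_profile(FORK_NORMAL, k), FORK_ATTACK, k),
    }

if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k}: {run_examples(k)}")
```

At k=1 Example 1 alarms on execve, Example 2 alarms on the legitimate write and Example 3 is silent; at k=2 the unseen pair (read, execve) alarms in Example 3, but Example 2 still alarms, since no window size fixes a profile that simply never saw the other branch.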
Solution (four of them, not exactly)

    i = read(fd, buf, 50);
    if(i == 50) {
        write(fd, buf, 50);
    }
    close(fd);

Syscall graph (figure): nodes read, write, close

1. Build a syscall graph (NDFA)
2. Monitor syscalls
3. Kill if diverges
Result

- Need source code
- Static, not Statistical
- 0 false positives!
- May have false negatives
- Large branching factor...
- Tough computations
Functions

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Syscall graph (figure): read, write, close; func: gettimeofday, settimeofday
Impossible Paths!

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Syscall graph (figure): read, write, close; func: gettimeofday, settimeofday
Context Free Grammar

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Syscall graph (figure): read, write, close; func: gettimeofday, settimeofday; plus a stack
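Added example, not code from the slides or the paper: the callgraph model as an NDFA beside the abstract stack model as a pushdown automaton, both hand-built for the read/func/write/func/close program above, showing that only the stack model rejects the impossible path (func entered from the first call site, "returned" to the second). The program-point names m0.., f0.. and the edge encoding are my own assumptions.

```python
# Added example, not from the slides or the paper. Models the slides' program
#   main: read; func(); write; func(); close    func: gettimeofday; settimeofday
# Labels: a syscall name, ("call", entry, return_point) or ("ret", entry); the
# latter two are silent (epsilon) edges. Point names m0.., f0.. are my own.
CFG = {
    "m0": [("read", "m1")], "m1": [(("call", "f0", "m2"), None)],
    "m2": [("write", "m3")], "m3": [(("call", "f0", "m4"), None)],
    "m4": [("close", "m5")], "m5": [],
    "f0": [("gettimeofday", "f1")], "f1": [("settimeofday", "f2")],
    "f2": [(("ret", "f0"), None)],
}
# Return points of every call site, per callee: where the NDFA may "return".
RETURNS = {}
for edges in CFG.values():
    for label, _ in edges:
        if isinstance(label, tuple) and label[0] == "call":
            RETURNS.setdefault(label[1], set()).add(label[2])

def step(configs, syscall, use_stack):
    """Advance each (point, stack) config over one syscall, after silently following call/return edges."""
    closure, work = set(), list(configs)
    while work:
        point, stack = work.pop()
        if (point, stack) in closure:
            continue
        closure.add((point, stack))
        for label, _ in CFG[point]:
            if isinstance(label, tuple) and label[0] == "call":
                # stack model pushes the return point; NDFA keeps no stack at all
                work.append((label[1], stack + (label[2],) if use_stack else ()))
            elif isinstance(label, tuple) and label[0] == "ret":
                if use_stack and stack:            # pop: return to the real caller
                    work.append((stack[-1], stack[:-1]))
                elif not use_stack:                # NDFA: return to any call site
                    work.extend((p, ()) for p in RETURNS[label[1]])
    return {(target, stack) for point, stack in closure
            for label, target in CFG[point] if label == syscall}

def accepts(trace, use_stack):
    """True if the model explains the whole trace; False is where the monitor kills."""
    configs = {("m0", ())}
    for syscall in trace:
        configs = step(configs, syscall, use_stack)
        if not configs:
            return False
    return True

REAL_PATH = ["read", "gettimeofday", "settimeofday", "write",
             "gettimeofday", "settimeofday", "close"]
# func() entered at the first call site but "returned" to the second: no write.
IMPOSSIBLE_PATH = ["read", "gettimeofday", "settimeofday", "close"]
```

Both models accept REAL_PATH and kill on a syscall with no edge at all (for instance an execve), but only the stack model rejects IMPOSSIBLE_PATH, which is exactly the precision the slides' conclusions pay for with the larger state space.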
Real World Problems

- (*func)();
- Signals
- setjmp();
- Libraries, dynamic linking
- Threads, execve()s
Function Pointers

    i = read(fd, buf, 50);
    (*func)();
    close(fd);

Syscall graph (figure): read, close; (*func)() may be A(), B() or C()
Signals

    signal(i, handlerA);
    signal(j, handlerB);
    signal(k, handlerC);
    i = read(fd, buf, 50);
    close(fd);

Syscall graph (figure): read, close; handlers handlerA(), handlerB(), handlerC()
Signals

    i = read(fd, buf, 50);
    close(fd);

Syscall graph (figure): read, close; handlers handlerA(), handlerB(), handlerC()
setjmp/longjmp

    setjmp(x);
    i = read(fd, buf, 50);
    setjmp(y);
    close(fd);
    longjmp(?);

Syscall graph (figure): read, close; x-state, y-state
Experiments

- Graphs via gcc + manual fixes
- Used Java framework (JIT)
- Heavy computational task
- Stop if latencies > 1 hour
- Ignored common syscalls
- Analyze parameters, too
Experiments
Conclusions

- One model per app
- Small branchings: precise
- Precise: no impossible paths
- Mimicry attacks
- Precise models too expensive
- Java framework too slow
- Failed to run precise models
The End
HomeWork

    begin:
    fd = open("file");
    while(1) {
        i = read(fd, buf, 50);
        if(i) goto begin;
    }
    exit(0);

1. What is the correct callgraph? (figure: four candidate graphs a), b), c), d) over the nodes open, read, exit)
HW – cont. (tip: all answers are short!)

2. What is IDA Pro?
3. What are the sketches that make the background of this presentation? Any idea how they were created?
4. Do you think Snort (see Elad's hw) has 0 false positives like the paper claims to achieve?
5. Bonus: which movie were the two swords in the background taken from?