Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter: Jonathan McCune

2 Overview
– Introduction
– Related work
– VtPath
– Experiments
– Exploits
– Comparisons
– Conclusion

3 Introduction
– Runtime, training-phase based anomaly detection system
– Uses call stack and program counter in addition to system call hooks
– Novel features based on virtual paths
– Compared experimentally and analytically with many other approaches

4 Related work
– Static analysis
  – Wagner, et al. (abstract stack)
  – Callgraph
– Run-time, training based:
  – This paper (VtPath)
  – Sekar, et al. (FSA) (last week’s SRG)
  – N-gram, Var-gram

5 “Intrusion detection via static analysis.” Wagner, et al.
– Static analysis of program source code
– NDFA from control-flow graph
  – Cannot predict branches statically
– Impossible path problem
– Abstract stack model
  – Pushdown automaton
– Large automata can be resource intensive
– Claimed zero false positives

6 “Detecting Manipulated Remote Call Streams.” Giffin, et al.
– Static analysis of binary executables
– Tied to platform, not programming language
– Insertion of “null calls” helps impossible path problem
– Unusual performance analysis

7 “A fast automaton-based method for detecting anomalous program behavior.” Sekar, et al.
– Compact deterministic FSA from system call analysis of running programs
– Suffers from false positives, but not as a result of non-determinism
– Impossible paths not addressed
– DLLs not adequately addressed

8 Virtual Path (VtPath)
– Run-time analysis
– Learns correct behavior via training executions
– Utilizes return address information
– Generates abstract path and compares with learned behavior
– Similar to abstract stack of Wagner, et al., but avoids pushdown automaton

9 Virtual Path Example
(diagram of two call chains in which foo() is reached from different callers: main() foo1() foo() foo2() foo3() and main() fooA() foo() fooB() fooC())

10 VtPath Training Phase
– Two hash tables:
  – RA (return address) table
  – VP (virtual path) table
– RAs and VPs gradually added during normal program execution
– Use NULL entries at beginning and end of paths

11 VtPath Online Detection Phase
– Stack anomaly – if virtual stack list unavailable (common during buffer overflow attacks)
– Return address anomaly – if virtual stack list {a_0, a_1, …, a_n} contains an a_i not in RA table
– System call anomaly – if a_n does not have the correct system call
– Virtual path anomaly – if virtual path at current system call is not in VP table

12 VtPath – Impossible Path Problem
– Return addresses are part of virtual path information
– Modifying a return address saved on the stack will cause the program to return to a different location
– The next system call is likely to trigger a virtual path anomaly
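As an added illustration of slides 10 to 12 (example code, not the authors' implementation), the Python sketch below builds the RA and VP tables from constructed training traces and then checks a run for the four anomaly types in the order slide 11 lists them, including a constructed impossible-path run whose every return address and system call is individually valid. The virtual-path construction (drop the stack prefix shared with the previous system call, then list popped return addresses followed by pushed ones), the per-top-frame system call table, and all trace data are assumptions of this example, not details taken from the slides.

```python
NULL = "NULL"  # sentinel frame bounding every run at entry and exit (slide 10)

def virtual_path(prev, cur):
    """Return addresses popped since the previous system call (top first),
    then those pushed on the way to this one; the shared prefix is dropped."""
    l = 0
    while l < min(len(prev), len(cur)) and prev[l] == cur[l]:
        l += 1
    return tuple(reversed(prev[l:])) + tuple(cur[l:])

class VtPath:
    def __init__(self):
        self.ra_table = set()  # every return address seen in training
        self.sc_table = {}     # top-of-stack RA -> system calls issued there
        self.vp_table = set()  # every virtual path seen in training
    def train(self, trace):
        prev = (NULL,)
        for stack, syscall in list(trace) + [((NULL,), NULL)]:
            self.ra_table.update(stack)
            self.sc_table.setdefault(stack[-1], set()).add(syscall)
            self.vp_table.add(virtual_path(prev, stack))
            prev = stack
    def detect(self, trace):
        """First anomaly as (kind, detail) in slide 11 order, else None."""
        prev = (NULL,)
        for stack, syscall in list(trace) + [((NULL,), NULL)]:
            if stack is None:              # stack walk failed: smashed stack
                return ("stack", syscall)
            for ra in stack:
                if ra not in self.ra_table:
                    return ("return address", ra)
            if syscall not in self.sc_table.get(stack[-1], ()):
                return ("system call", syscall)
            if virtual_path(prev, stack) not in self.vp_table:
                return ("virtual path", syscall)
            prev = stack
        return None

# Constructed traces (stacks bottom to top): foo() reached via foo1 and via
# fooA as on slide 9; "fo1" is foo's call into open().
RUN_1 = [(("m1", "f1a", "fo1"), "open"), (("m2", "f2a", "f3w"), "write")]
RUN_2 = [(("m3", "fAa", "fo1"), "open"), (("m4", "fBa", "fCc"), "close")]
# Constructed impossible path: foo() entered from fooA, yet control continues
# in the foo2/foo3 branch; each address and system call is valid on its own.
IPE = [(("m3", "fAa", "fo1"), "open"), (("m2", "f2a", "f3w"), "write")]
def trained():
    det = VtPath()
    det.train(RUN_1)
    det.train(RUN_2)
    return det
```

Against the trained tables, RUN_1 and RUN_2 pass, IPE raises only a virtual path anomaly, while a missing stack, an unknown return address, or an unexpected system call at a known frame each trip the earlier checks.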

13 VtPath – Implementation Issues
– Non-standard control flows
  – Signals (sigreturn system call): treat each one like a separate program invocation
  – setjmp()/longjmp() and function pointers: hard to handle statically; handled at runtime if trained properly
– Dynamically linked libraries
  – Relative loading positions can change, invalidating PC values from training runs
  – Use a “block” model during training to capture file name and block length, ignoring start address
  – Block anomaly – block lookup fails because attacker is trying to load a malicious DLL

14 Experiments – VtPath vs FSA
– Convergence times similar, but
  – FSA generates more transitions than VtPath (less efficient, less precise)
  – In practice, multiple levels of DLL functions are called quite frequently; VtPath more effective
– False positives nearly identical
– VtPath executes faster, uses more memory
– Common exploits detected by both

15 Exploits
– Authors developed two masked mimicry attacks detectable only by VtPath
– Impossible Path Execution (IPE) Attack 1
  – Exploits parallel structure of privileged / unprivileged code within same function
– IPE Attack 2:
  – F() called twice from within same function with different arguments
  – Overflow local variable to change option passed in

16 Attack 1

17 Attack 2

18 Comparison of SysCall-based Anomaly Detection Schemes
1. State-based / information captured
  – Data/heap values least useful (transient)
  – Code segment of some value
  – Syscalls and call stack most useful
  – More information = runtime overhead
2. False positives
  – How well is normal behavior captured?
  – Only relevant for dynamic systems
  – Proportional to resolution of program analysis
3. Detection capability
  – More granularity = better detection capability
  – SysCalls from invalid points vs. statistical regularity of training data vs. attacks’ deviation from perceived normal

19 Comparison of SysCall-based Anomaly Detection Schemes
4. Space requirement
  – System call sequences
  – Number of NDFA transitions (Wagner)
  – Transitions in automaton
5. Convergence (training) time
  – Cover most possible states / transitions
  – VtPath requires more data than FSA
  – Static techniques have big advantage here
6. Runtime overheads
  – SysCall interception
  – Hash lookup for valid state / return address / virtual path

20 Conclusions
– Using call stack (VtPath) has value
– There is no magic bullet
  – Everything is “complementary”
– Impossible path execution (IPE) is an important class of attack
– Use of FSA to analyze more than two consecutive SysCalls could improve VtPath

21 Discussion!