Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.


Automatic Diagnosis and Response to Memory Corruption Vulnerabilities
Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt
In ACM CCS'05
Presenter: Tai Do, CDA 6938, Spring 2007

Introduction ([KJB+06])
Memory Corruption Vulnerability
–Popular means to take control of a target program
–49% of all attacks in 2006*
–Successful attacks lead to remote code execution
–Attack techniques: stack overrun, heap overflows, etc.

Why Randomization ([KJB+06])
Most attacks use absolute memory addresses during memory corruption attacks.
What is address space randomization?
–randomizes the layout of process memory
–makes the critical memory addresses unpredictable and breaks the hard-coded address assumption.
With address space randomization, a memory corruption attack will most likely cause a vulnerable program to crash, rather than allow the attacker to take control of the program.

Buffer Overflow Attack ([N02])
[Figure: stack layout during a buffer overflow; labels: instruction pointer (IP or PC), stack pointer, base pointer]

[Figure: Normal Process Layout vs. Randomized Process Layout; labels: Attacker's code, retAddr, NOP. Adapted from [KJB+06]]

How to identify a security vulnerability from a program crash
–Open source web server ghttpd-1.4.
–Log(): server logging functionality.
–Buffer overflow vulnerability: temp[]
–Address space randomization causes a working exploit to crash the server process.
–A manual debug session (gdb) is time consuming and difficult: the PC register and the stack trace are both corrupted.

What are the goals of this paper?
The proposed approach:
–Automatically diagnose memory corruption vulnerabilities (automatic backward tracing)
–Automatic response to attacks (automatic signature generation)

Outline
System Description:
–Modeling Memory Corruption Attacks
–Diagnosing Memory Corruption Vulnerabilities (Monitor and Diagnosis Engine)
–Automatic Response to Attacks (Signature Generator)
Evaluation
Conclusion: strengths, weaknesses, suggestions

System Overview

System Architecture

Modeling Memory Corruption Attacks
Why model memory corruption attacks on a randomized program?
–Useful abstract model to guide the later discussion.
–The model is just a finite state machine.
–It shows the possible cases that lead to a program crash.

Modeling: Two Cases with a Buffer Overflow Attack
–Dereference a corrupted local variable
–The corrupted return address is invalid; crash when the ret instruction is executed

Modeling: State Transition For A Memory Corruption
c: corrupting instruction
t: takeover instruction
f: faulting instruction
Case 1 (green): Format String
Case 2 and 3 (red and blue): buffer overflow
Case 4 (purple): not sure

Diagnosing Memory Corruption Vulnerabilities
Diagnosis means backward tracing to automatically locate the memory corruption vulnerability (the corrupting instruction).
Similar to an automated debugging process.

Diagnosis = Trace back
Tracing back to the initial corrupting instruction consists of two steps:
–Step 1: Convert Case-IV crashes to one of the three other cases
–Step 2: Trace the corrupting instructions.
Locating the faulting instruction is critical in both steps: it is the starting point of the backward tracing.

Diagnosis: Locating the Faulting Instruction
[Figure: Simple Case vs. Complex Case]
PC points to the address of the next instruction to be executed should f complete.
Complex case: the process image at the time of crash does not include the specific address of f.

For the complex case: use monitored re-execution and programmable breakpoints.
[Flow chart for identifying the faulting instruction in the complex case]

Diagnosis: Converting Case-IV Crashes
Convert case-IV crashes to the other cases.
Idea: re-execution with non-overlapping memory layouts.
Caveat:
–Applicable to programs that use no more than 1/3 of the available address space, which is between 1 and 2 GB on a 32-bit system. Most network service applications have small memory footprints.

Diagnosis: Re-execution with non-overlapping memory layout
[Figure: three re-executed instances, labelled (c1, t1, f1), (c1, t1), (c2, t2), (c2, t2, f2), (c2, t2)]
At least two of the three instances will be non-Case-IV crashes. These two instances must crash at the same faulting instruction.
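As an added illustration of this re-execution argument (example code, not from the paper or these slides), the following models three instances with pairwise disjoint layouts, each using at most 1/3 of a 32-bit address space, and recovers the faulting instruction as the crash PC on which at least two instances agree. The layouts, the hard-coded attacker address 0x41414141 and the instruction addresses are constructed for the demo.

```python
# Added example (not from the paper): the absolute address hard-coded in an
# exploit can be mapped in at most one of three non-overlapping instances,
# so at least two instances fault immediately at f and agree on the crash PC.
ADDRESS_SPACE = 1 << 32   # 32-bit process (constructed demo)

def check_layouts(layouts):
    """layouts[i] is a list of (start, end) mapped ranges, end exclusive.
    Enforce the paper's caveat: each instance uses at most 1/3 of the
    address space, and no range overlaps a range of another instance."""
    for i, lay in enumerate(layouts):
        if sum(e - s for s, e in lay) > ADDRESS_SPACE // 3:
            raise ValueError(f"instance {i} uses more than 1/3 of the address space")
        for j in range(i + 1, len(layouts)):
            for s, e in lay:
                for s2, e2 in layouts[j]:
                    if s < e2 and s2 < e:
                        raise ValueError(f"instances {i} and {j} overlap")

def is_mapped(addr, layout):
    return any(s <= addr < e for s, e in layout)

def run_instance(layout, corrupted_addr, f_pc, later_pc):
    """Toy execution after c has stored the attacker's absolute address.
    Unmapped address: f faults and the crash PC identifies f (Cases I-III).
    Mapped address: execution continues and crashes, if at all, somewhere
    later (Case IV); that unknown later location is modelled by later_pc."""
    return f_pc if not is_mapped(corrupted_addr, layout) else later_pc

def locate_faulting_instruction(layouts, corrupted_addr, f_pc, later_pc):
    """Return (crash PC shared by >= 2 instances, all crash PCs)."""
    check_layouts(layouts)
    crash_pcs = [run_instance(l, corrupted_addr, f_pc, later_pc) for l in layouts]
    for pc in crash_pcs:
        if crash_pcs.count(pc) >= 2:
            return pc, crash_pcs
    raise RuntimeError("no two instances agree; layouts cannot be disjoint")

# Constructed layouts: 256 MB per instance (a code+heap range and a stack range).
DEMO_LAYOUTS = [
    [(0x08000000, 0x10000000), (0x40000000, 0x48000000)],
    [(0x50000000, 0x58000000), (0x90000000, 0x98000000)],
    [(0xA0000000, 0xA8000000), (0xD0000000, 0xD8000000)],
]

def demo():
    # 0x41414141 ("AAAA") is mapped only in instance 0, which therefore
    # becomes the Case-IV crash; instances 1 and 2 fault at f.
    return locate_faulting_instruction(DEMO_LAYOUTS, 0x41414141,
                                       f_pc=0x0804A3C0, later_pc=0x0804B000)
```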

Diagnosis: Tracing the Corrupting Instructions
We are left with three cases: I, II and III.
We can use the faulting instruction and the malicious network inputs to eliminate the easier cases.

Diagnosis: Tracing the Corrupting Instructions, Case III and IIB
I don't quite get the solution for tracing case III and IIB yet!!!!!!
The idea:
–The solution cannot guarantee to trace back to the initial corrupting instruction if the data corrupted by this instruction is transformed in arbitrary ways before being used as a faulty address.
–Nevertheless, the current solution works well in the experimental evaluation.

Outline
System Description:
–Modeling Memory Corruption Attacks
–Diagnosing Memory Corruption Vulnerabilities
–Automatic Response to Attacks
Evaluation
Conclusion: strengths, weaknesses, suggestions

Automatic Response To Attacks
Basic Message Signature:
–the (invalid) address y that the corrupting instruction c tries to write to, and the value x that c is writing.
–Use critical byte sequences from the attack for the message filter: x and/or y.
Correlating Message Signature with Program Execution State:
–Reduce false positives.
–Attacks happen only at some specific server execution states.
–Use the application's call stack trace as an indication of the server protocol state (program counter + return addresses).

Correlating Message Signature with Program Execution State
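As an added example (not from the paper or these slides), the filter below builds the basic message signature from the diagnosis result (x, y) and applies it only when the server's call stack matches the one recorded at the time of corruption; the addresses, the sample HTTP request and the call stacks are constructed. Its last case is one possible reading (an assumption, not the paper's explanation) of the ghttpd remark on the evaluation slide: a request that carries the address as text contains no raw byte pattern, so no byte-level signature can be built from it.

```python
# Added example (not from the paper): message filter built from a diagnosis result.
import struct

def critical_bytes(value):
    """Little-endian encoding of a 32-bit word, as it appears in an attack
    message aimed at an x86 target."""
    return struct.pack("<I", value)

def build_signature(x, y, attack_message, call_stack):
    """x: value the corrupting instruction c writes; y: address it writes to.
    Keep the byte patterns that actually occur in the attack message (x
    and/or y) and record the call stack (PC + return addresses) at the time
    of corruption as the protocol state. Returns None when neither pattern
    occurs verbatim, i.e. no byte-level signature can be derived."""
    patterns = [p for p in (critical_bytes(x), critical_bytes(y)) if p in attack_message]
    if not patterns:
        return None
    return {"patterns": patterns, "stack": tuple(call_stack)}

def matches(signature, message, current_stack):
    """Flag a message only when a signature pattern is present AND the server
    is in the execution state at which the vulnerability was reached."""
    if tuple(current_stack) != signature["stack"]:
        return False
    return any(p in message for p in signature["patterns"])

# Constructed sample crash: the overflow (c) wrote X_VALUE, the attacker's
# chosen return target inside the NOP sled, into the return-address slot at
# Y_ADDR. X_VALUE appears verbatim in the request; Y_ADDR does not.
X_VALUE = 0xBFFFF6C0
Y_ADDR = 0xBFFFF6A8
VULN_STACK = (0x0804A3C0, 0x08049F12, 0x08048E70)   # PC, return addresses
ATTACK = (b"GET /" + b"A" * 64 + critical_bytes(X_VALUE) + b"\x90" * 32
          + b" HTTP/1.0\r\n")
BENIGN = b"GET /index.html HTTP/1.0\r\n"
TEXT_ENCODED = b"GET /%c0%f6%ff%bf HTTP/1.0\r\n"   # same address, URL-encoded text

def demo():
    sig = build_signature(X_VALUE, Y_ADDR, ATTACK, VULN_STACK)
    return {
        "patterns": sig["patterns"],
        "attack_in_vuln_state": matches(sig, ATTACK, VULN_STACK),
        # Same bytes seen in a different protocol state: not flagged.
        "attack_in_other_state": matches(sig, ATTACK, (0x0804A3C0, 0x08049A00)),
        "benign_in_vuln_state": matches(sig, BENIGN, VULN_STACK),
        "text_encoded_signature": build_signature(X_VALUE, Y_ADDR, TEXT_ENCODED, VULN_STACK),
    }
```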

Outline
System Description:
–Modeling Memory Corruption Attacks
–Diagnosing Memory Corruption Vulnerabilities
–Automatic Response to Attacks
Evaluation
Conclusion: strengths, weaknesses, suggestions

Experimental Evaluation: Effectiveness of Diagnosis
Compare call stack traces from the diagnosis algorithm and from manual code inspection and debugging.
Correctly identifies ALL the vulnerable functions at the time of corruption.

Experimental Evaluation: Automatic Response
Complex protocol (OpenSSH): correlated message filtering helps.
For ghttpd: binary signature vs. plain text URLs??? (no match for signatures)

Outline
System Description:
–Modeling Memory Corruption Attacks
–Diagnosing Memory Corruption Vulnerabilities
–Automatic Response to Attacks
Evaluation
Conclusion: strengths, weaknesses, suggestions

Strengths
Proposes a reactive approach for handling memory corruptions.
Supposedly much faster (lower overhead) than full program execution monitoring (TaintCheck).

Weaknesses
No report on performance overhead, due to implementation issues with the prototype system.
False negatives are possible.
Tracing corrupting instructions is not complete:
–in theory, some are still untraceable after program crashes.
–in practice, current findings seem to work well

Suggestions
Obvious to-do list:
–Fine-tune the system prototype. Report performance overhead.
–Work on the not-yet-traceable scenarios for corrupting instructions.

Keywords to take home
Randomized program, memory corruption attacks.
State transition, memory corruption attack modeling.
Monitored re-execution and programmable breakpoints.
Re-execution with non-overlapping memory.

Thank you Questions?

References
[N02] Josef Nelißen. Buffer Overflows for Dummies, May 1,
[KJB+06] Chongkyung Kil, Jinsuk Jun, Christopher Bookholt, Jun Xu, and Peng Ning. Address Space Layout Permutation (ASLP): Towards Fine-grained Randomization of Commodity Software. ACSAC 06 (Dec 14, 2006) (.pdf and .ppt, plus their short paper in DSN 2006).