Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software. Authors: James Newsome, David Brumley, and Dawn Song.


Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software
Authors: James Newsome, David Brumley, and Dawn Song
Publisher: Network and Distributed Systems Security Symposium (NDSS), 2006
Presented by: Chowdhury, Abu Rahat

Today's Outline
– The Authors and their Problem Statements
– Intro to VSEF & its Architecture: Taint-Based VSEF, Destination-Based VSEF
– Performance and Implementation
– Comments

The Authors
– Dawn Song, Assistant Professor, Computer Science Division, University of California, Berkeley. Current research projects and thrusts: BitBlaze (binary analysis for COTS protection and malicious code defense); Seaglass (cryptographic constructions for secure, privacy-preserving distributed information sharing); networking security using machine learning.
– Jim Newsome, Electrical & Computer Engineering, Carnegie Mellon University. Graduate student pursuing a PhD. "Our work on patch-based exploit generation will appear at the 2008 IEEE Security and Privacy Symposium."
– David Brumley, Carnegie Mellon University, PhD student.

The Problem
– The number of new vulnerabilities reported each year continues to grow.
– A new exploit for a single vulnerability can readily be turned into a worm.
– New vulnerabilities can compromise almost all vulnerable hosts in a very short amount of time.
– So we need an automated defense system that can react to these vulnerabilities quickly!

Requirements for a Defense System
1. Fast defense development/deployment: must fix the vulnerability very quickly, as worms spread very fast.
2. No requirement for source code: most source code is proprietary and cannot be shown to the end user.
3. High accuracy and effectiveness: low false positives/negatives.
4. Low performance overhead: does not degrade performance.

Vulnerability-Specific Execution-Based Filtering (VSEF)
Definition: an automated defense system that defends against "just discovered" attacks.
Properties:
– Robust filters: vulnerability specific, but exploit agnostic.
– Efficient generation of VSEF filters: generates filters very quickly once a vulnerability is detected.
– Efficient detection: very little overhead.

Vulnerability-Specific Execution-Based Filtering (VSEF)
– At a high level, VSEF filters out exploits based on the program's execution, not solely on the input string.
– It does not instrument and monitor the full execution: VSEF only monitors and instruments the part of the program execution that is relevant to the specific vulnerability.
– VSEF therefore takes the best of both input-based filtering and full execution monitoring: it is much more accurate than input-based filtering and much more efficient than full execution monitoring.

VSEF Architecture
Two main components:
– VSEF Filter Generator: uses an exploit execution trace to create a VSEF filter, which encodes the information the monitoring needs to detect future attacks on the vulnerability.
– VSEF Binary Instrumentation Engine: used by vulnerable hosts to apply a VSEF filter to a binary program.

VSEF Architecture Diagram

The Big Picture
– To create a VSEF filter for a known vulnerability, a program binary and a sample input that exploits that vulnerability are needed.
– The VSEF Filter Generator automatically generates a VSEF filter, which encodes the information needed to detect future attacks against the vulnerability.

The Big Picture
– Using the VSEF filter, the vulnerable host can use the VSEF Binary Instrumentation Engine to automatically add instrumentation to the vulnerable binary program, obtaining a hardened binary program.
– The hardened program introduces very little overhead and, for normal requests, performs just as the original program does.

The Big Picture

Types of VSEF
Two types:
– Taint-based VSEF: based on dynamic taint analysis. Has high accuracy.
– Destination-based VSEF: a more optimistic version of taint-based VSEF. Normally requires fewer instructions to be instrumented.

Taint-Based VSEF (Overview)
– Marks data coming from untrusted sources.
– Inserts instrumentation instructions to track tainted data from untrusted sources.
– Accurately detects a wide range of attacks.
– Requires instrumenting many instructions.

Taint-Based VSEF (Filter Generation)
– Examines the trace backwards: begins at the end of the trace (the exploit point), then traces backwards to determine the source of the taint.

Taint-Based VSEF (Binary Instrumentation)
– Checks whether the source operand is a tainted location; if yes, marks the destination operand as tainted.
– Also checks whether a sensitive value is being tainted; if yes, there is an attack!

Taint-Based VSEF (Performance & Accuracy)
Performance:
– Filter generation is almost instantaneous.
– Execution overhead is proportional to the number of instructions in the program.
Accuracy:
– No false positives (when watchpoint techniques are used).
– False negatives happen if tainted input is propagated along a different code path, or the overwritten sensitive value is misused at a different location.
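The backward slice of the filter-generation slide, the propagate/check instrumentation of the binary-instrumentation slide, and the false-negative case from the accuracy slide, worked through in an added Python model; this is not code from the VSEF paper or from TaintCheck. The Insn record, the "input[i]" naming of untrusted bytes and all trace addresses are constructed assumptions.

```python
from collections import namedtuple

# Constructed abstraction of an x86 execution trace: each data-movement
# instruction records its address, the locations it reads and the one it writes.
Insn = namedtuple("Insn", "addr srcs dst")

def untrusted(loc):
    # Constructed convention: bytes read from the network are named "input[i]".
    return loc.startswith("input[")

def generate_taint_filter(exploit_trace):
    """Taint-based VSEF filter generation: start at the exploit point (the last
    instruction of the trace) and walk backwards, keeping only the instructions
    that carried tainted data to it. Returns (propagate, check_addr)."""
    check = exploit_trace[-1]
    needed = set(check.srcs)            # values whose origin is still unexplained
    propagate = set()
    for insn in reversed(exploit_trace[:-1]):
        if insn.dst not in needed:
            continue                    # did not feed the exploit point
        needed.discard(insn.dst)
        propagate.add(insn.addr)
        needed.update(s for s in insn.srcs if not untrusted(s))  # stop at input
    return propagate, check.addr

def monitor(trace, propagate, check_addr):
    """Hardened binary: only filter instructions are instrumented; True = attack."""
    tainted = set()
    for insn in trace:
        src_tainted = any(s in tainted or untrusted(s) for s in insn.srcs)
        if insn.addr == check_addr:
            if src_tainted:
                return True             # sensitive value is tainted: attack
        elif insn.addr in propagate:
            if src_tainted:
                tainted.add(insn.dst)
            else:
                tainted.discard(insn.dst)   # clean overwrite clears taint
    return False

# Constructed stack-smash trace: input bytes are copied through buf, the copy
# runs past the end of buf onto the saved return address, and ret uses it.
EXPLOIT = [
    Insn(0x401000, ("input[0]",), "eax"), Insn(0x401003, ("eax",), "buf[0]"),
    Insn(0x401006, ("input[1]",), "eax"), Insn(0x401009, ("eax",), "buf[1]"),
    Insn(0x40100c, ("counter",), "ecx"),  # unrelated bookkeeping, not sliced
    Insn(0x40100f, ("buf[1]",), "ebx"),   Insn(0x401012, ("ebx",), "ret_addr"),
    Insn(0x401020, ("ret_addr",), "eip"), # ret: the exploit point
]
# Benign run of the same code: the last copy stays inside the frame.
BENIGN = EXPLOIT[:6] + [Insn(0x401012, ("ebx",), "local"), EXPLOIT[-1]]
# Same overwrite reached through a code path the filter never saw: the
# false negative named on the accuracy slide.
OTHER_PATH = [Insn(0x401100, ("input[1]",), "ret_addr"), EXPLOIT[-1]]
```

The filter keeps only the four instructions on the taint chain (the `counter` load and the first byte's copy are dropped), and the uninstrumented path in OTHER_PATH is exactly what the hardened binary cannot see.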

Destination-Based VSEF (Overview)
Definition: an optimistic filter that focuses on instrumenting the point where sensitive data was illegitimately overwritten, rather than the point where tainted data was illegitimately used. In other words, it ONLY monitors the overwrite point!

Destination-Based VSEF (Filter Generation)
Determines:
– The overwrite point.
– The vulnerable context.
– The destinations that should not be overwritten by that context.
Checks the chain of instructions that propagated the tainted data to the overwrite point, in a similar manner to taint-based VSEF.

Destination-Based VSEF (Binary Instrumentation)
– Checks that the data-movement instruction at the overwrite point does not write to a sensitive destination.

Destination-Based VSEF (Accuracy & Performance)
Accuracy:
– Usually no false positives, but they can happen if:
1. The VSEF Filter Generator identified the wrong instruction at the overwrite point.
2. The instruction at the overwrite point can LEGALLY write to the monitored location in the vulnerable context.
Performance:
– Filters can be created almost instantly!
– Performance can be improved if fewer instructions are instrumented.

VSEF Implementation (Taint-Based)
– Implemented by modifying TaintCheck: the Binary Instrumentation Engine is implemented as an extension to TaintCheck.

VSEF Implementation (Destination-Based)
Implemented using Dyninst:
– A binary instrumentation tool.
– Performs static rewriting of the target binary.
The filter contains:
– The address of the overwrite point.
– The activation records of the stack when the overwrite point was executed.
– The normalized address of the data that was overwritten.
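The destination-based filter described on the preceding slides (overwrite point, activation records, normalized address) and the single check the instrumented overwrite point performs, as an added Python illustration that is not code from the VSEF paper or from Dyninst. The Write record, the frame-relative normalization, and every address and call stack below are constructed assumptions.

```python
from collections import namedtuple

# Constructed abstraction of one executed write: instruction address, the call
# stack (return addresses of the active frames) at that moment, the frame base
# of the writing function and the absolute address written.
Write = namedtuple("Write", "addr callstack frame_base dst")

def normalize(w):
    # Stack addresses differ between runs, so the filter stores the overwritten
    # location as an offset from the writing function's frame (assumed scheme).
    return w.dst - w.frame_base

def generate_destination_filter(exploit_write):
    """Destination-based VSEF filter: the overwrite point, the activation records
    active when it executed, and the normalized address it overwrote."""
    return {"overwrite_point": exploit_write.addr,
            "context": tuple(exploit_write.callstack),
            "forbidden_offset": normalize(exploit_write)}

def check_write(w, filt):
    """Instrumentation at the overwrite point only: flag a write that hits the
    protected location from the vulnerable context; everything else is untouched."""
    if w.addr != filt["overwrite_point"]:
        return False                      # instruction is not instrumented at all
    if tuple(w.callstack) != filt["context"]:
        return False                      # same instruction, different activation records
    return normalize(w) == filt["forbidden_offset"]

# Constructed exploit run: the copy at 0x401012, called via main -> handler ->
# vulnerable function, writes the saved return address at frame_base + 4.
CTX = (0x401234, 0x4011a0)
EXPLOIT_WRITE = Write(0x401012, CTX, 0xbfff0000, 0xbfff0004)
IN_BOUNDS     = Write(0x401012, CTX, 0xbfff0000, 0xbfff0000 - 8)   # local at ebp-8
OTHER_RUN     = Write(0x401012, CTX, 0xbffe8000, 0xbffe8004)       # same offset, new stack
OTHER_CONTEXT = Write(0x401012, (0x401234, 0x4011c8), 0xbfff0000, 0xbfff0004)
UNINSTRUMENTED = Write(0x401100, CTX, 0xbfff0000, 0xbfff0004)

FILTER = generate_destination_filter(EXPLOIT_WRITE)
```

OTHER_CONTEXT is the same instruction writing the same frame offset from a different caller, which the filter deliberately ignores; it is also where the slide's second false-positive case would arise if the vulnerable context itself could legally perform that write.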

Conclusion
– Hosts can be compromised very quickly due to vulnerabilities that can easily be exploited! Thus, we need an automated system that can react to these vulnerabilities!
– VSEF can quickly defend against and filter out those exploits with high accuracy and low overhead!
– Would make good commercial use!

VSEF Strengths
– Successfully satisfies all original requirements: fast deployment, no need for source code, very high accuracy, low overhead.
– The approach is general, and could potentially be applied to other faults such as integer overflow, divide-by-zero, etc.
– Can be deployed on Windows and Linux/Unix OSes.

VSEF Weaknesses
Can still have false positives/false negatives:
– False negatives for taint-based VSEF: if tainted input is propagated along a different code path; if the overwritten sensitive value is misused at a different location.
– False positives for destination-based VSEF: if the VSEF Filter Generator identified the wrong instruction at the overwrite point; if the instruction at the overwrite point legally writes to the monitored location in the vulnerable context.

Suggestions
– Go commercial! Sell VSEF to third-party companies; they can use VSEF for product testing and enhancements.

Reference Slide
– An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior.
– In the context of computer programming, instrumentation refers to the ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Instrumentation takes the form of code instructions that monitor specific components in a system.

Reference Slide
– Previous work has various drawbacks and does not satisfy all the requirements.
– One popular approach is to automatically generate network-based input filters to filter out known exploits. These are limited to syntactic properties of the input string and cannot take into account application-specific semantic and context information.
– In the extreme case where an input filter is used on an encrypted protocol, it must somehow be supplied with the decryption key, which is awkward and application-specific.

Reference Slide
– On the other hand, various host-based approaches have been proposed which are more accurate, but fail to meet the other requirements. For example, previous approaches have focused on:
(1) Patching: patching a new vulnerability can be a time-consuming task; generating high-quality patches often requires source code, manual effort, and extensive testing.
(2) Binary-based full execution monitoring: many approaches have been proposed to add protection to a binary program. However, these previous approaches are either inaccurate and only defend against a small class of attacks, or require hardware modification, or incur high performance overhead when used to protect the entire program execution.

Taint-Based VSEF (Taint Example)

VSEF Performance (Chart)

Thank You