Topics in Information Security, Prof. Avishai Wool. Ohad Ben-Cohen (ohadbc at eng.tau.ac.il). Intrusion Detection via Static Analysis. Presentation transcript:


Slide 1: Intrusion Detection via Static Analysis. Ohad Ben-Cohen (ohadbc at eng.tau.ac.il).

Slide 2: Based on

Slide 3: What's wrong?

    #include <stdio.h>

    void sayhi(char *param) {
        char buf[96];
        printf("what's u'r name?");
        gets(buf);                 /* no bound on the input length */
        printf("hi %s!\n", buf);
    }

Slide 4: Buffer Overflow

Slide 5: Buffer Overflow (illustrated). The intended control flow:

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

After the overflow, control is diverted from the rest of the program ("bad.") into injected code:

    /* evil code */
    execve("/bin/sh");

Slide 6: Intrusion Detection?

- Model of behaviour: rule based, or observations
- Monitor and alarm!
- AI -> statistical
- Statistical -> false positives
- HIDS by system calls (k=1)

Slide 7: Example 1 - OK!

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

Slide 8: Example 2 - False Positive

    fd = open("/etc/passwd");
    if (time() < YEAR2009)
        read(fd, buf, 50);
    else
        write(fd, "new-user");
    close(fd);

Slide 9: Example 3 - False Negative

    char buf[50];
    if (!fork())
        execve("stam_job");
    gets(buf);
    printf("got %s\n", buf);
    exit(0);
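The three examples on slides 7 to 9 can be replayed against a toy "k=1" statistical model (the set of system calls seen during training). This is an added illustration written for this transcript, not code from the slides or the paper; the training traces and the attack traces are constructed by hand, and printf is approximated as a write syscall.

```python
# Added example (not from the slides): a toy k=1 host IDS that models a program
# purely by the set of system calls observed in normal runs.
# All traces below are constructed to mirror Examples 1-3 on the slides.

TRAINING_TRACES = {
    # Example 1: sayhi() exercised normally (printf ~ write, gets ~ read)
    "sayhi": [["write", "read", "write", "exit"]],
    # Example 2: every trace was collected before 2009, so only the read branch ran
    "example2": [["open", "read", "close"], ["open", "read", "close"]],
    # Example 3: the program legitimately forks and execs a helper job
    "example3": [["fork", "execve", "read", "write", "exit"]],
}


def train(traces):
    """k=1 model: the set of system calls seen across all normal runs."""
    allowed = set()
    for trace in traces:
        allowed.update(trace)
    return frozenset(allowed)


def monitor(model, trace):
    """Return the first syscall not in the model (the alarm), or None if the trace is accepted."""
    for call in trace:
        if call not in model:
            return call
    return None


def evaluate():
    """Run the three slide scenarios; returns {scenario: alarming syscall or None}."""
    models = {name: train(traces) for name, traces in TRAINING_TRACES.items()}
    results = {}
    # Example 1: the overflow diverts control into execve("/bin/sh"), never seen -> alarm
    results["ex1_attack"] = monitor(models["sayhi"], ["write", "read", "execve"])
    # Example 2: in 2009 the legitimate write branch runs for the first time -> alarm (false positive)
    results["ex2_legit_2009"] = monitor(models["example2"], ["open", "write", "close"])
    # Example 3: an injected execve looks like the legitimate one -> silent (false negative)
    results["ex3_attack"] = monitor(models["example3"], ["fork", "execve", "read", "execve"])
    return results


if __name__ == "__main__":
    for scenario, alarm in evaluate().items():
        print(f"{scenario}: {'ALARM on ' + alarm if alarm else 'no alarm'}")
```

The set model has no notion of order or control flow, which is exactly why Example 2 raises a spurious alarm and Example 3 raises none; the static graph of slide 10 fixes the first problem by construction and leaves the second as a known limitation.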

Slide 10: Solution (four of them, not exactly)

1. Build a syscall graph (NDFA)
2. Monitor syscalls
3. Kill if diverges

    i = read(fd, buf, 50);
    if (i == 50) {
        write(fd, buf, 50);
    }
    close(fd);

Graph nodes: read, write, close (the write node is on one branch; the other branch goes from read straight to close).

Slide 11: Result

- Need source code
- Static, not statistical -> 0 false positives! May have false negatives
- Large branching factor... -> tough computations

Slide 12: Functions

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Graph nodes: read, write, close in main; gettimeofday, settimeofday in func.

Slide 13: Impossible Paths!

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Graph nodes: read, write, close; gettimeofday, settimeofday. The NDFA has one copy of func's subgraph shared by both call sites, so after settimeofday it may continue at either call site: the sequence read, gettimeofday, settimeofday, close is accepted even though the real program can never skip the write.

Slide 14: Context-Free Grammar

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Graph nodes: read, write, close; gettimeofday, settimeofday; plus a stack, so that a return from func continues only at the call site that entered it.
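To make the difference between slides 13 and 14 concrete, here is an added example (written for this transcript, not code from the slides or the paper) that builds the syscall graph of slides 12 to 14 and runs the monitor of slide 10 over it twice: once as a plain NDFA, once with a call-site stack (a pushdown automaton). State names (m0..m5, f0..f2) and the call-site labels site1/site2 are my own, and the traces are constructed by hand.

```python
# Added example (not from the slides or the paper): a syscall-graph monitor for
# the program of slides 12-14, run as an NDFA (no stack) and as a pushdown
# automaton that remembers which call site entered func().

EPS = None  # epsilon edge: a call or return, which makes no system call

# Edges: (src, syscall or EPS, dst, stack_op). Stack ops only matter in PDA mode.
#   main: m0 -read-> m1 -[call]-> f0 ... f2 -[ret]-> m2 -write-> m3 -[call]-> f0 ... f2 -[ret]-> m4 -close-> m5
#   func: f0 -gettimeofday-> f1 -settimeofday-> f2
EDGES = [
    ("m0", "read", "m1", None),
    ("m1", EPS, "f0", ("push", "site1")),   # first call of func()
    ("f2", EPS, "m2", ("pop", "site1")),    # return to the first call site
    ("m2", "write", "m3", None),
    ("m3", EPS, "f0", ("push", "site2")),   # second call of func()
    ("f2", EPS, "m4", ("pop", "site2")),    # return to the second call site
    ("m4", "close", "m5", None),
    ("f0", "gettimeofday", "f1", None),
    ("f1", "settimeofday", "f2", None),
]
START = "m0"


def _closure(configs, use_stack):
    """Follow call/return (epsilon) edges until no new (state, stack) pair appears."""
    todo, seen = list(configs), set(configs)
    while todo:
        state, stk = todo.pop()
        for src, label, dst, op in EDGES:
            if src != state or label is not EPS:
                continue
            new_stk = stk
            if use_stack and op is not None:
                kind, site = op
                if kind == "push":
                    new_stk = stk + (site,)
                elif stk and stk[-1] == site:
                    new_stk = stk[:-1]
                else:
                    continue  # would "return" to a site we never came from
            cfg = (dst, new_stk)
            if cfg not in seen:
                seen.add(cfg)
                todo.append(cfg)
    return seen


def monitor(trace, use_stack):
    """Index of the first syscall the automaton cannot explain, or None if the whole trace fits.

    use_stack=False: the NDFA of slide 13 (both call sites share one copy of func).
    use_stack=True:  the pushdown automaton of slide 14 (returns must match their call).
    """
    configs = _closure({(START, ())}, use_stack)
    for idx, call in enumerate(trace):
        nxt = {(dst, stk) for state, stk in configs
               for src, label, dst, _ in EDGES
               if src == state and label == call}
        configs = _closure(nxt, use_stack)
        if not configs:
            return idx  # the real monitor would kill the process here
    return None


# Constructed traces
LEGIT = ["read", "gettimeofday", "settimeofday", "write",
         "gettimeofday", "settimeofday", "close"]
IMPOSSIBLE = ["read", "gettimeofday", "settimeofday", "close"]  # skips the write
ATTACK = ["read", "execve"]                                     # injected code

if __name__ == "__main__":
    for name, trace in [("legit", LEGIT), ("impossible", IMPOSSIBLE), ("attack", ATTACK)]:
        print(f"{name:10s} NDFA kills at: {monitor(trace, False)}   PDA kills at: {monitor(trace, True)}")
```

The NDFA accepts the impossible trace because the single return edge out of f2 leads to both m2 and m4; the PDA rejects it at the close because the only stack entry is site1, so the return to m4 (which needs site2 on top) is never taken. Both automata kill the injected execve immediately, which is the property the static approach buys: no false positives on real paths, detection whenever the trace leaves the graph.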

Slide 15: Real-World Problems

- Function pointers: (*func)();
- Signals
- setjmp()
- Libraries, dynamic linking
- Threads, execve()s

Slide 16: Function Pointers

    i = read(fd, buf, 50);
    (*func)();
    close(fd);

Graph nodes: read, close; the indirect call may reach any of A(), B(), C().

Slide 17: Signals

    signal(i, handlerA);
    signal(j, handlerB);
    signal(k, handlerC);
    i = read(fd, buf, 50);
    close(fd);

Graph nodes: read, close; handlerA(), handlerB(), handlerC() may run at any point.

Slide 18: Signals (continued)

    i = read(fd, buf, 50);
    close(fd);

Graph nodes: read, close; handlerA(), handlerB(), handlerC().

Slide 19: setjmp/longjmp

    setjmp(x);
    i = read(fd, buf, 50);
    setjmp(y);
    close(fd);
    longjmp(?);

Graph nodes: read, close; the longjmp may resume at the x-state or the y-state.

Slide 20: Experiments

- Graphs via gcc + manual fixes
- Used Java framework (JIT)
- Heavy computational task
- Stop if latencies > 1 hour
- Ignored common syscalls
- Analyze parameters, too

Slide 21: Experiments

Slide 22: Conclusions

- One model per app
- Small branching -> precise
- Precise -> no impossible paths
- Mimicry attacks
- Precise models too expensive
- Java framework too slow
- Failed to run precise models

Slide 23: The End

Slide 24: Homework

    begin:
    fd = open("file");
    while (1) {
        i = read(fd, buf, 50);
        if (i) goto begin;
    }
    exit(0);

1. What is the correct callgraph? (Options a), b), c) and d) were drawn on the slide as graphs over the nodes open, read, exit.)

Slide 25: HW, cont. (tip: all answers are short!)

2. What is IDA Pro?
3. What are the sketches that make up the background of this presentation? Any idea how they were created?
4. Do you think Snort (see Elad's hw) has 0 false positives, as the paper claims to achieve?
5. Bonus: which movie were the two swords in the background taken from?

