
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software. Authors: James Newsome, David Brumley, and Dawn Song.

Presentation transcript:

1. Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software
Authors: James Newsome, David Brumley, and Dawn Song
Publisher: Network and Distributed Systems Security Symposium (NDSS), Feb 2006
Presented by: Arun Krishnamurthy

2. Presentation Outline
- The Problem.
- Intro to VSEF:
  - Taint-Based VSEF.
  - Destination-Based VSEF.
- Implementation and Performance.
- My Comments.

3. The Problem
- Exploits for new vulnerabilities can compromise almost all vulnerable hosts in a very short amount of time!
- We need an automated defense system that can react to these vulnerabilities quickly!

4. Requirements for Defense System
1. Fast defense development/deployment: must fix the vulnerability very quickly, as worms spread very fast.
2. No requirement for source code: most source code is proprietary and cannot be shown to the end user.
3. High accuracy and effectiveness: low false positives/negatives.
4. Low performance overhead: does not degrade performance.

5. Vulnerability-Specific Execution-Based Filtering (VSEF)
- Definition: an automated defense system that defends against “just discovered” attacks.
- Properties:
  - Robust filters – vulnerability specific, but exploit agnostic.
  - Efficient generation of VSEF filters – generates filters very quickly once a vulnerability is detected.
  - Efficient detection – very little overhead.

6. VSEF Architecture
Two main components:
- VSEF Filter Generator – uses an exploit execution trace to create a VSEF filter, which encodes the information the monitor needs to detect future attacks on the vulnerability.
- VSEF Binary Instrumentation Engine – used by vulnerable hosts to apply a VSEF filter to a binary.

7. VSEF Architecture Diagram

8. Types of VSEF
- Taint-Based VSEF – based on dynamic taint analysis. Has high accuracy.
- Destination-Based VSEF – a more optimistic version of Taint-Based VSEF. Normally requires fewer instructions to be instrumented.

9. Taint-Based VSEF (Overview)
- Marks data coming from untrusted sources.
- Inserts instrumentation instructions to track tainted data from untrusted sources.
- Accurately detects a wide range of attacks: buffer overruns, format strings, double-free attacks.
- Requires instrumenting many instructions.

10. Taint-Based VSEF (Filter Generation)
The filter has two parts:
1. The list of instruction positions where instrumentation for taint propagation must be added.
2. The instruction position where instrumentation to detect misuse of tainted data must be added.
The generator examines the trace backwards: it begins at the end of the trace (the exploit point), then traces backwards to determine the source of the taint.

11. Taint-Based VSEF (Taint Example)

12. Taint-Based VSEF (Binary Instrumentation)
- Checks whether the source operand is a tainted location; if yes, marks the destination operand as tainted.
- Also checks whether a sensitive value is being tainted; if yes, there is an attack!

13. Taint-Based VSEF (Performance & Accuracy)
- Performance:
  - Filter generation is almost instantaneous.
  - Execution overhead is proportional to the number of instructions in the program.
- Accuracy:
  - No false positives when watchpoint techniques are used.
  - False negatives happen if tainted input is propagated along a different code path, or the overwritten sensitive value is misused at a different location.
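As an added illustration of slides 10, 12 and 13 (not code from the paper or this talk), a toy Python model of taint-based VSEF: the filter is generated by walking an exploit trace backwards from the exploit point, and the instrumented replay propagates taint only at the filtered instruction positions and checks the misuse point. The traces, pc values and location names are constructed for the example; the third trace shows the false-negative case where input reaches the sensitive value along a path the filter never instrumented.

```python
# Added example (not from the paper or this talk): a toy model of taint-based VSEF.
# An execution trace is a list of (pc, dst, srcs) data moves over named locations;
# "input" is the untrusted source. All pcs and location names are constructed.

TAINT_SOURCE = "input"

def generate_taint_filter(trace):
    """Filter generation: start at the exploit point (last instruction of the
    trace) and walk backwards, keeping every pc whose write lies on the
    data-flow chain from the untrusted source.
    Returns (pcs to instrument for propagation, pc of the misuse point)."""
    misuse_pc, _, misuse_srcs = trace[-1]
    wanted = set(misuse_srcs)            # locations whose origin is still unknown
    propagate = set()
    for pc, dst, srcs in reversed(trace[:-1]):
        if dst in wanted:                # this instruction fed the chain
            propagate.add(pc)
            wanted.discard(dst)
            wanted.update(srcs)
    if TAINT_SOURCE not in wanted:
        raise ValueError("exploit point is not reachable from the untrusted source")
    return frozenset(propagate), misuse_pc

def run_with_filter(trace, vsef):
    """Instrumented execution: taint is propagated only at the filter's pcs,
    and the misuse point checks whether it consumes tainted data."""
    propagate, misuse_pc = vsef
    tainted = {TAINT_SOURCE}
    for pc, dst, srcs in trace:
        if pc == misuse_pc:
            if any(s in tainted for s in srcs):
                return True              # sensitive value derived from input: attack
        elif pc in propagate:
            if any(s in tainted for s in srcs):
                tainted.add(dst)
            else:
                tainted.discard(dst)     # overwritten with clean data

    return False

# Constructed traces. EXPLOIT: input copied into buf (0x10), an overflowing copy
# clobbers the saved return address (0x14), an unrelated move (0x18), then ret (0x20).
EXPLOIT = [(0x10, "buf", ["input"]), (0x14, "ret", ["buf"]),
           (0x18, "ecx", ["len"]), (0x20, "pc", ["ret"])]
# BENIGN: same path, but the copy at 0x14 stays inside the buffer.
BENIGN = [(0x10, "buf", ["input"]), (0x14, "buf_tail", ["buf"]),
          (0x18, "ecx", ["len"]), (0x20, "pc", ["ret"])]
# OTHER_PATH: input reaches ret through code the filter never instrumented
# (the false-negative case from slide 13), so the replay stays silent.
OTHER_PATH = [(0x30, "buf", ["input"]), (0x34, "ret", ["buf"]), (0x20, "pc", ["ret"])]
```

Running `generate_taint_filter(EXPLOIT)` yields the propagation pcs {0x10, 0x14} and misuse pc 0x20; replaying EXPLOIT against that filter reports an attack, while BENIGN and OTHER_PATH do not.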

14. Destination-Based VSEF (Overview)
- Definition: an optimistic filter that focuses on instrumenting the point where sensitive data was illegitimately overwritten, rather than the point where tainted data was illegitimately used.
- In other words, it ONLY monitors the overwrite point!

15. Destination-Based VSEF (Filter Generation)
- Determines:
  - The overwrite point.
  - The vulnerable context.
  - The destinations that should not be overwritten by that context.
- Checks the chain of instructions that propagated the tainted data to the overwrite point, in a similar manner to taint-based VSEF.

16. Destination-Based VSEF (Binary Instrumentation)
- Checks that the data-movement instruction at the overwrite point does not write to a sensitive destination.
- Can be done by instrumenting a small number of instructions:
  - The data-movement instruction.
  - The call instruction corresponding to each activation record in the vulnerable context.

17. Destination-Based VSEF (Accuracy & Performance)
- Accuracy: usually no false positives, but they can happen if:
  1. The VSEF Filter Generator identified the wrong instruction at the overwrite point.
  2. The instruction at the overwrite point can LEGALLY write to the monitored location in the vulnerable context.
- Performance:
  - Filters can be created almost instantly!
  - Performance can be improved if fewer instructions are instrumented.
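As an added illustration of slides 15 to 17 (not code from the paper or this talk), a toy Python model of destination-based VSEF: the filter records the overwrite point, the vulnerable context (the call chain at that moment) and the normalized destination that context must not write, and the check fires only when all three match. The pcs, function names and frame slots are constructed; the last trace shows the false-positive case from slide 17, where a legitimate write to the monitored slot from the vulnerable context is indistinguishable from the exploit.

```python
# Added example (not from the paper or this talk): a toy model of destination-based VSEF.
# A trace step is (pc, call_chain, dst): the data-movement instruction at pc, the call
# sites active when it executed, and the location it wrote. Destinations are already
# normalized (frame-relative slots rather than absolute addresses), as the filter stores
# them. All pcs, function names and slots are constructed for illustration.

SENSITIVE = {"frame[ret]"}               # the saved return address slot of a frame

def generate_dest_filter(exploit_trace):
    """Filter generation: locate the overwrite point (the first write that lands on a
    sensitive location in the exploit trace) and record its pc, the vulnerable context
    (call chain at that moment) and the destination that context must never write."""
    for pc, call_chain, dst in exploit_trace:
        if dst in SENSITIVE:
            return {"overwrite_pc": pc, "context": tuple(call_chain), "protected": dst}
    raise ValueError("no overwrite of a sensitive location in the trace")

def check_write(pc, call_chain, dst, vsef):
    """Instrumentation at the overwrite point: the call instructions of the context are
    instrumented so the chain can be compared, and the move is refused only when it runs
    in the vulnerable context and targets the protected destination."""
    return (pc == vsef["overwrite_pc"]
            and tuple(call_chain) == vsef["context"]
            and dst == vsef["protected"])

def run_with_filter(trace, vsef):
    """Return True if any step of the trace trips the filter."""
    return any(check_write(pc, cc, dst, vsef) for pc, cc, dst in trace)

# Constructed traces. The copy loop at 0x10 in handle_req fills buf slot by slot; in the
# exploit the last iteration spills into the saved return address.
CTX = ["main", "handle_req"]
EXPLOIT = [(0x10, CTX, "frame[buf+0]"), (0x10, CTX, "frame[buf+4]"), (0x10, CTX, "frame[ret]")]
BENIGN = [(0x10, CTX, "frame[buf+0]"), (0x10, CTX, "frame[buf+4]")]
# The same instruction writing that slot from another caller is outside the vulnerable
# context (a different chain of activation records), so the filter stays silent.
OTHER_CTX = [(0x10, ["main", "restore_state"], "frame[ret]")]
# False-positive case from slide 17: a legitimate write to the monitored slot from the
# vulnerable context looks exactly like the exploit and is blocked too.
LEGIT_IN_CTX = [(0x10, CTX, "frame[ret]")]
```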

18. VSEF Implementation (Taint-Based)
- Implemented by modifying TaintCheck:
  - Saves the set of instruction addresses from the relevant part of the directed acyclic graph into a file.
  - Saves the instruction addresses where tainted data is misused.
- The Binary Instrumentation Engine is implemented as an extension to TaintCheck.

19. VSEF Implementation (Destination-Based)
- Implemented using Dyninst:
  - A binary instrumentation tool.
  - Performs static rewriting of the target binary.
- The filter contains:
  - The address of the overwrite point.
  - The activation records of the stack when the overwrite point was executed.
  - The normalized address of the data that was overwritten.

20. VSEF Performance & Accuracy (Taint-Based)
- Performance:
  - Due to efficient instrumentation techniques, VSEF had very little performance overhead.
  - Only 14% slower than running the server natively.
  - Only 2% slower than running DynamoRIO alone.
- Accuracy:
  - Correctly handled exploits without any false positives or false negatives.

21. VSEF Performance & Accuracy (Destination-Based)
- Performance:
  - Takes some time to create a filter from TaintCheck’s log.
  - Also takes some time to use the Binary Instrumentation Engine to harden the vulnerable binary.
  - However, the hardened server ran only 3% slower than running natively.
- Accuracy:
  - Successfully defended against the original exploits and their variants (no false negatives).
  - Correctly did not identify similar but non-exploiting requests as attacks (no false positives).

22. VSEF Performance (Chart)

23. VSEF Strengths
- Successfully satisfied all original requirements:
  - Fast deployment.
  - No need for source code.
  - Very high accuracy.
  - Low overhead.
- Can be deployed on Windows and Linux/Unix OS.

24. VSEF Weaknesses
- Can still have false positives/false negatives:
  - False negatives for Taint-Based VSEF:
    - If tainted input is propagated along a different code path.
    - If the overwritten sensitive value is misused at a different location.
  - False positives for Destination-Based VSEF:
    - If the VSEF Filter Generator identified the wrong instruction at the overwrite point.
    - If the instruction at the overwrite point legally writes to the monitored location in the vulnerable context.

25. Suggestions for Enhancement
- Go commercial! Sell VSEF to third-party companies; they can use VSEF for product testing and enhancements.
- Other than that, it’s almost perfect! I can’t think of any more enhancements.

26. Conclusion
- Hosts can be compromised very quickly due to vulnerabilities that can easily be exploited!
- Thus, we need an automated system that can react to these vulnerabilities!
- VSEF can quickly defend against and filter out those exploits with high accuracy and low overhead!
- It would make good commercial use!
