
Slide 1 – Preventing Exploitation on Software Vulnerabilities – Why Static Analysis Failed?
Nurul Haszeli Ahmad, PM Dr Syed Ahmad Aljunid, Dr. Jamalul-Lail Ab Manan
MIMOS Berhad, www.mimos.my
© 2009 – 2010 MIMOS Berhad. All Rights Reserved.

Slide 2 – Flow of content
1. Exploitation on Software Vulnerabilities
2. Static Analysis – What? When? How?
3. Discussion: Why Static Analysis Failed? Why not Dynamic Analysis? Can Static Analysis be improved?
4. Result of Discussion
5. Conclusion
6. Q&A

Slide 3 – Exploitation on Software Vulnerabilities
Software vulnerabilities
– Have existed for as long as programs and applications have existed
– Arise from:
  1. Language behaviour (Viega & McGraw '02, Yoran '05)
  2. Human factors (SANS Institute '10, Secunia '10)
  3. System complexity, e.g. the Unix network services sendmail, fingerd and rsh/rexec
Exploitation
– 1988 – the first, and by its author's account unintended, mass exploitation: Robert Morris Jr's worm overran a fixed-size buffer in fingerd (Aleph One '96)

Slide 4 – Exploitation on Software Vulnerabilities (continued)
Figure: Exploitation using a buffer overflow attack. Source: http://en.wikipedia.org/wiki/Stack_buffer_overflow

Slide 5 – Exploitation on Software Vulnerabilities (continued)
Figure 1: Vulnerabilities disclosed between 2000 and 2009. Source: IBM '10, X-Force 2009 Trend and Risk Report
Figure 2: Number of malicious programs identified from 2003 to 2009. Source: Kaspersky '09, Kaspersky Security Bulletin 2009

Slide 6 – Exploitation on Software Vulnerabilities (continued)
Figure 3: Sample of malicious code residing in a web page and exploiting a visitor's machine when the site is visited. Source: M86 Security '09, Closing the Vulnerability Window in Today's Web Environment, M86 Security Lab Report

Slide 7 – Exploitation on Software Vulnerabilities (continued)

Slide 8 – Exploitation on Software Vulnerabilities (continued)
Sources: EC-Council & (ISC)²
Impact: image, economy, privacy, death

Slide 9 – Static Analysis – What? When? How?
Static Analysis
– A branch of program analysis
– Started in 1974 by King, for program comprehension
– Used in security to find and remove vulnerabilities in software since at least 2000 (Wagner)
– Binkley '07: "the automated process of extracting information from a program for debugging, comprehension, validation, etc."
How is static analysis applied in security?
– 2000 to date: more than 10 techniques and more than 40 tools
– Techniques: Lexical Analysis, Inter-procedural Analysis, Intra-procedural Analysis, Abstract Interpretation, Data Flow Analysis, Symbolic Analysis, Integer Range Analysis and Annotation-based Analysis
– Tools: BOON, ITS4, RATS, UNO, ARCHER, Flawfinder, F-Soft, ASTREE, SPLINT, GCC Security Analyzer, etc.
– The promise: well-verified, clean code

Slide 10 – Discussion – Why Static Analysis Failed?
– Reports by major security advisors and experts show that VULNERABILITIES and EXPLOITATION still EXIST
– Assessed from the perspective of effectiveness and efficacy, from two angles: techniques and tools
– Focus on the 5 most prominent techniques:
  – Lexical Analysis
  – Abstract Interpretation
  – Integer Range Analysis
  – Data Flow Analysis
  – Annotation-based Analysis

Slide 11 – Discussion – Why Static Analysis Failed? (continued)
1. Lexical Analysis
– A straightforward analysis mechanism: the source is tokenised and the tokens are matched against a list of known-dangerous functions
– Tools are extremely fast compared with other techniques
– Major drawbacks:
  1. Does not consider semantics or program flow (Chess B. & McGraw G. '04, Kolmonen '07, Zitser '04, Walden et al. '09)
  2. Pure pattern matching (Walden et al. '09, Sotirov '05, Kolmonen '07)
2. Abstract Interpretation
– One of the earliest and most complicated techniques; traced back to Naur
– Looks at the semantics of the program
– Uses formal methods with mathematical formulae, such as approximation of the program's states
– The most promising technique in static analysis (Logozzo '04, Ferrara '09)
– Major drawbacks (Logozzo '04, Ferrara '09, Lhee et al. '02):
  1. Too complicated
  2. Constrained by the mathematical formulae (abstract domains) used
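To make the lexical-analysis drawback concrete, here is a small ITS4/RATS-style scanner. It is an added example written for this page, not code from the slides or from any of the tools named above; the C fragment it scans is constructed for the demonstration, and the function table and advice strings are the example's own choices. Run on the fragment, it reports the real overflow and the length-checked copy with equal confidence (the false positive the slides complain about) and says nothing about the overflow hidden behind a project wrapper (a false negative), because it matches tokens and never looks at flow.

```python
import re

# Constructed C fragment (not from the slides). It holds one real overflow,
# one length-checked and therefore safe copy, and one overflow hidden inside a
# project-specific wrapper function.
SAMPLE_C = """
void handle(const char *req) {
    char buf[64];
    strcpy(buf, req);                    /* 1: real overflow */
}

void handle_checked(const char *req) {
    char buf[64];
    if (strlen(req) < sizeof buf)
        strcpy(buf, req);                /* 2: guarded, safe */
}

void handle_wrapped(const char *req) {
    char buf[64];
    copy_request(buf, req);              /* 3: overflow inside the wrapper */
}
"""

# The whole "vulnerability database" of a lexical scanner is a table of names
# (this table is the example's own, not ITS4's or RATS').
DANGEROUS = {
    "strcpy": "unbounded copy; use a length-limited copy",
    "strcat": "unbounded append",
    "gets": "no bound at all; never use",
    "sprintf": "unbounded formatted write; use snprintf",
}

# Match a dangerous name used as a call: word boundary, name, optional space, '('.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS)) + r")\s*\(")


def strip_comment(line):
    """Drop a trailing /* ... */ comment so names inside comments are not matched."""
    return line.split("/*", 1)[0]


def lexical_scan(source):
    """Return (line_number, function, advice) for every call to a DANGEROUS name.

    Purely token based: the scanner never sees the guard on line 9, the size
    of buf, or what copy_request does with its arguments.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(strip_comment(line)):
            name = m.group(1)
            hits.append((lineno, name, DANGEROUS[name]))
    return hits


if __name__ == "__main__":
    for lineno, name, advice in lexical_scan(SAMPLE_C):
        print(f"line {lineno}: {name}() - {advice}")
```

The two hits (lines 4 and 10) look identical to the scanner; only a pass that understands the `strlen` guard could separate them, and only one that follows the call into `copy_request` could find the third bug.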

Slide 12 – Discussion – Why Static Analysis Failed? (continued)
3. Integer Range Analysis
– Comparable to Lexical Analysis in processing speed
– Analyses mathematically: finds and proves the existence of vulnerabilities by bounding the ranges of integer values (buffer sizes, indices, lengths)
– Looks mostly at buffer-related issues
– Major drawbacks (Pozza & Sisto '08, Kolmonen '07, Kratkiewicz '05, Zitser '04, Haugh & Bishop '03):
  1. Ignores program semantics
  2. Wrong focus: concentrates on the vulnerabilities that can be proven mathematically
4. Data Flow Analysis
– Looks at the attributes of a program (variables) and the paths taken
– Referred to as Taint Analysis by Nagy & Mancoridis ('09)
– Uses a Program Dependency Graph (PDG) or System Dependency Graph (SDG)
– Major drawbacks (Nagy & Mancoridis '09, Pozza & Sisto '08, Kratkiewicz '05, Zitser '04):
  1. Requires several iterations of the analysis before it converges
  2. Implementation issues
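Abstract interpretation (slide 11) and integer-range analysis (slide 12) can both be shown with the simplest abstract domain, intervals. The following is an added example written for this page, not code from the slides or from any tool they name (ASTREE, BOON and the others use far richer domains); the toy statement encoding, the 64-byte buffer and the 0..255 input range are the example's own assumptions. It produces the three outcomes the slides discuss: a real out-of-bounds index is proven, a guarded index is proven safe by refining the interval on the branch, and a false alarm arises from the approximation, because after two branches are joined the domain cannot remember that `flag == 1` only when `x < 64`, so a safe access is reported.

```python
from dataclasses import dataclass

BUF_SIZE = 64          # assumed size of the buffer being indexed
INPUT_BYTE = (0, 255)  # assumed range of an attacker-controlled input byte


@dataclass(frozen=True)
class Interval:
    """Abstract value: every concrete integer the variable may hold lies in [lo, hi]."""
    lo: int
    hi: int

    def join(self, other):
        # Least upper bound: the convex hull. This is where precision is lost
        # when two branches meet.
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def add(self, other):
        return Interval(self.lo + other.lo, self.hi + other.hi)


def eval_expr(expr, env):
    """Expressions are ints, variable names, or ("+", a, b)."""
    if isinstance(expr, int):
        return Interval(expr, expr)
    if isinstance(expr, str):
        return env[expr]
    op, a, b = expr
    if op == "+":
        return eval_expr(a, env).add(eval_expr(b, env))
    raise ValueError(f"unknown operator {op}")


def refine(env, cond, holds):
    """Narrow env by a test (op, var, const) on the branch where it holds/fails.
    Returns None when that branch is infeasible."""
    op, var, k = cond
    iv = env[var]
    if op == "<":
        new = Interval(iv.lo, min(iv.hi, k - 1)) if holds else Interval(max(iv.lo, k), iv.hi)
    elif op == "==":
        new = Interval(max(iv.lo, k), min(iv.hi, k)) if holds else iv  # "!= k" is not an interval
    else:
        raise ValueError(f"unknown test {op}")
    if new.lo > new.hi:
        return None
    out = dict(env)
    out[var] = new
    return out


def join_env(a, b):
    if a is None:
        return b
    if b is None:
        return a
    # Variables defined on only one path are dropped (uninitialised on the other).
    return {v: a[v].join(b[v]) for v in a if v in b}


def analyze(stmts, env, alarms):
    """Abstractly execute a statement list. Statement shapes:
       ("assign", var, expr)   ("if", cond, then_stmts, else_stmts)
       ("index", var)          -> buf[var], checked against BUF_SIZE
    Returns the abstract state after the list, or None if unreachable."""
    for st in stmts:
        if env is None:
            return None
        kind = st[0]
        if kind == "assign":
            _, var, expr = st
            env = dict(env)
            env[var] = eval_expr(expr, env)
        elif kind == "if":
            _, cond, then_b, else_b = st
            then_env = analyze(then_b, refine(env, cond, True), alarms)
            else_env = analyze(else_b, refine(env, cond, False), alarms)
            env = join_env(then_env, else_env)
        elif kind == "index":
            iv = env[st[1]]
            if iv.lo < 0 or iv.hi >= BUF_SIZE:
                alarms.append((st[1], iv))
        else:
            raise ValueError(f"unknown statement {kind}")
    return env


def check(program):
    """Run the analysis with x as an untrusted input byte; return the alarms raised."""
    alarms = []
    analyze(program, {"x": Interval(*INPUT_BYTE)}, alarms)
    return alarms


# Three constructed programs (the example's own, not from the slides).
REAL_BUG = [("index", "x")]                                    # buf[x], x in 0..255
GUARDED = [("if", ("<", "x", BUF_SIZE - 1),
            [("assign", "j", ("+", "x", 1)), ("index", "j")], [])]  # j in 1..63, safe
FALSE_ALARM = [                                                # safe, yet reported
    ("if", ("<", "x", BUF_SIZE), [("assign", "flag", 1)], [("assign", "flag", 0)]),
    ("if", ("==", "flag", 1), [("index", "x")], []),
]

if __name__ == "__main__":
    for name, prog in [("REAL_BUG", REAL_BUG), ("GUARDED", GUARDED), ("FALSE_ALARM", FALSE_ALARM)]:
        print(name, check(prog))
```

The false alarm is not a bug in the checker: intervals are a non-relational domain, so the join after the first `if` keeps `x` in 0..255 and `flag` in 0..1 separately. Recovering the relation needs a richer (and slower) domain, which is exactly the precision/complexity trade-off the slides attribute to abstract interpretation.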

Slide 13 – Discussion – Why Static Analysis Failed? (continued)
5. Annotation-based Analysis
– Introduced by Evans et al. in 1994 (LCLint)
– Uses annotations or specifications written alongside the source code that state the pre- and post-conditions of an attribute
– The analysis checks that the pre- and post-conditions satisfy the specification
– Larochelle extended the technique with a heuristic approach (Kratkiewicz '05); LCLint later became known as Splint
– Major drawback (Mantere '09, Kratkiewicz '05, Zitser '04, Dor et al. '03):
  1. Requires annotations

Slide 14 – Discussion – Why Static Analysis Failed? (continued)
In summary

LA (Lexical Analysis)
  Strengths:
  – Faster
  – Produces better results than grep (Chess B. & McGraw G. '04)
  Weaknesses:
  – High false-positive rate because program semantics are not taken into account (Chess B. & McGraw G. '04, Kolmonen '07, Zitser '04, Walden et al. '09)

AI (Abstract Interpretation)
  Strengths:
  – Very precise (Ferrara '09, Logozzo '04, Jones '94)
  Weaknesses:
  – Yet to be proven: the tools still produce false positives and are slow (Zitser '04, Kratkiewicz '05)
  – Implementation complexity (Logozzo '04)
  – Approximation-based, hence false alarms (Lhee '07, Ferrara '09, Logozzo '04)

DFA (Data Flow Analysis)
  Strengths:
  – Reduces false positives (Nagy & Mancoridis '09)
  – Almost as precise as AI (Nagy & Mancoridis '09, Pozza & Sisto '08)
  Weaknesses:
  – Still produces false alarms (Nagy & Mancoridis '09)
  – Implementation overhead (Nagy & Mancoridis '09, Pozza & Sisto '08)

IRA (Integer Range Analysis)
  Strengths:
  – Detects string manipulation flaws
  – Very fast analysis technique
  – Able to analyse very large, complex programs
  Weaknesses:
  – Ignores semantics, loops, pointer aliasing and inter-procedural dependencies, hence low detection rate, high false positives and false negatives (Chess B. & McGraw G. '04)

AB (Annotation-based)
  Strengths:
  – Able to produce precise results based on the annotations (Pozza D. & Sisto R. '08)
  Weaknesses:
  – Annotation-dependent (Pozza D. & Sisto R. '08)
  – False alarms and low detection rate (Zitser '04, Kratkiewicz '05, Mantere '09)

Slide 15 – Discussion – Why Static Analysis Failed? (continued)
Table 1: Summary of analysis of static analysis techniques

Technique                Detection rate   False positives   Performance
Lexical Analysis         Low              High              Very fast
Abstract Interpretation  High             Medium            Low
Integer Range            Low              Medium            Very fast
Data Flow Analysis       High             Medium            Low
Annotation-based         Low              High              Medium

(The original table also has a False Negatives column; its values did not survive extraction.)

Slide 16 – Discussion – Why Not Dynamic Analysis?
Dynamic Analysis?
– Based on the true semantics and program flow
– Performed at execution time
Advantages (Cornell '09, Ernst '04, Haugh & Bishop '03)
– No source code required
– No assumptions or annotations required
– Accurate results: an observed overflow is real, not an approximation
Drawbacks (Zitser et al. '04, Xie et al. '03, Haugh & Bishop '03)
– Path coverage: only the paths actually executed are checked
– Possibility of DoS/DDoS, since the program under test really runs the inputs
– Performance
Major drawback – cost-ineffective (GrammaTech '10, Terry et al. '06)

Slide 17 – Discussion – Can Static Analysis be improved?
A few ways of improving:
1. Unification – improving the technique itself
2. Multiplication – improving the tools that implement the technique
3. Asymmetric concept – different techniques used at different times and places for a better result
4. Division concept – unity of methods
Our proposal:
1. Combination of a few techniques
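Data-flow (taint) analysis from slide 12 and the proposal on this slide to combine techniques, shown together as one added example written for this page (not code from the slides or from any tool they name). The program is a constructed three-address form rather than real C, and the source, sink and sanitiser tables are the example's own assumptions. The cheap lexical step picks every call to a dangerous function; the data-flow step then keeps only the calls whose argument can actually carry attacker input, and it needs more than one pass whenever a loop feeds a variable back into itself, which is the "few iterations" drawback noted on slide 12.

```python
# Constructed intermediate form (the example's own). Statement shapes:
#   ("call", ret_var_or_None, fname, [arg, ...])
#   ("assign", dst, src)         plain copy, taint flows through
#   ("bound", dst, src)          length-checked copy: sanitiser, taint stops here
#   ("loop", [stmt, ...])        body may run any number of times
PROGRAM = [
    ("call", "req", "read_request", []),            # 0: attacker-controlled input
    ("assign", "tmp", "req"),                       # 1
    ("bound", "clean", "req"),                      # 2: strncpy-style bounded copy
    ("call", None, "strcpy", ["buf", "clean"]),     # 3: lexical hit, but safe
    ("call", None, "strcpy", ["buf", "tmp"]),       # 4: real overflow
    ("call", None, "strcpy", ["buf", "hostname"]),  # 5: config value, never tainted
    ("loop", [("assign", "cur", "next"),            # 6: taint reaches cur only on
              ("assign", "next", "tmp")]),          #    the second trip round the loop
    ("call", None, "strcpy", ["buf", "cur"]),       # 7: real overflow via the loop
]

SOURCES = {"read_request"}          # functions whose result is attacker-controlled (assumed)
SINKS = {"strcpy": 1, "strcat": 1}  # dangerous function -> index of the argument that must be clean


def lexical_candidates(program):
    """Step 1, lexical: index of every call to a SINK, regardless of its data."""
    return [i for i, st in enumerate(program) if st[0] == "call" and st[2] in SINKS]


def taint_analysis(program):
    """Step 2, data flow: forward may-taint analysis run to a fixpoint.

    Returns (findings, passes): findings are (index, function, tainted_arg)
    for top-level sink calls reachable by attacker data; passes counts the
    sweeps over statement lists made before nothing changed any more.
    """
    tainted = set()
    passes = [0]

    def propagate(stmts):
        passes[0] += 1
        before = len(tainted)
        for st in stmts:
            kind = st[0]
            if kind == "call":
                _, ret, fname, _args = st
                if fname in SOURCES and ret is not None:
                    tainted.add(ret)
            elif kind == "assign":
                _, dst, src = st
                if src in tainted:
                    tainted.add(dst)
            elif kind == "bound":
                pass                       # sanitiser: dst does not inherit taint
            elif kind == "loop":
                while propagate(st[1]):    # iterate the body until it is stable
                    pass
            else:
                raise ValueError(f"unknown statement {kind}")
        return len(tainted) > before       # taint only grows, so this terminates

    while propagate(program):
        pass

    findings = []
    for i, st in enumerate(program):
        if st[0] == "call" and st[2] in SINKS:
            arg = st[3][SINKS[st[2]]]
            if arg in tainted:
                findings.append((i, st[2], arg))
    return findings, passes[0]


def combined_scan(program):
    """Lexical pre-filter, then data flow to confirm: the combination proposed on slide 17."""
    candidates = lexical_candidates(program)
    findings, passes = taint_analysis(program)
    confirmed = [f for f in findings if f[0] in candidates]
    return {"lexical": candidates, "confirmed": confirmed, "passes": passes}


if __name__ == "__main__":
    print(combined_scan(PROGRAM))
```

On the constructed program the lexical step reports four `strcpy` calls; the data-flow step confirms two (statements 4 and 7), drops the bounded copy at 3 and the configuration value at 5, and needs six sweeps in total because `cur` only becomes tainted on the second trip through the loop. The price is the extra passes and the source/sanitiser model, which is the implementation burden the slides attribute to DFA.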

Slide 18 – Future Work
Improving static analysis by:
– Combination of methods/techniques
– Improvement of the techniques
– Improvement of the tools implementing the techniques

Slide 19 – Conclusion

Slide 20 – THANK YOU

