How to Sandbox IIS Automatically without 0 False Positive and Negative

Similar documents
How to Automatically and Accurately Sandbox Microsoft IIS

Transparent Monitoring of a Process Self in a Virtual Environment

Automating Mimicry Attacks Using Static Binary Analysis

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Automatic Application-Specific Sandboxing for Win32/X86 Binaries

Application Intrusion Detection

Intrusion Detection via Static Analysis

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Bypassing Memory Protections: The Future of Exploitation

Defense in Depth: Protecting Against Zero-Day Attacks

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Attacking Obfuscated Code with IDA Pro. Chris Eagle

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Bypassing Browser Memory Protections in Windows Vista

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Building accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Scalable Network-Based Buffer Overflow Attack Detection

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Run-Time Deep Virtual Machine Introspection & Its Applications

Habanero Extreme Scale Software Research Project

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Software Vulnerabilities

On Gray-Box Program Tracking for Anomaly Detection

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

Korset: Code-based Intrusion Detection for Linux

Chapter 14 Analyzing Network Traffic. Ed Crowley

Automatic Logging of Operating System Effects to Guide Application-Level Architecture Simulation

CSC 405 Introduction to Computer Security

90% of data breaches are caused by software vulnerabilities.

Introduction to Information Security

Custom Penetration Testing

Homeland Security Red Teaming

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

What is Web Security? Motivation

The Advantages of Block-Based Protocol Analysis for Security Testing

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Hotpatching and the Rise of Third-Party Patches

Korset: Automated, Zero False-Alarm Intrusion Detection for Linux

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

N-Variant Systems. Slides extracted from talk by David Evans. (provenance in footer)

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Basics of VTune Performance Analyzer. Intel Software College. Objectives. VTune Performance Analyzer. Agenda

Firewalls and Intrusion Detection

Betriebssysteme KU Security

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Cloud Computing. Up until now

CS 155 Final Exam. CS 155: Spring 2013 June 11, 2013

Idea: Measuring the Effect of Code Complexity on Static Analysis Results

Data Structure Reverse Engineering

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Taxonomic Modeling of Security Threats in Software Defined Networking

Return-oriented programming without returns

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany

IJOART. 1. Introduction. 2. Evolution of Cloud Services

Chapter 15 Operating System Security

X86-64 Architecture Guide

Midterm. Name: Andrew user id:

Quiz I Solutions MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Department of Electrical Engineering and Computer Science

CSCE 465 Computer & Network Security

Replication on Virtual Machines

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

A very short history of networking

Understanding Precision in Host Based Intrusion Detection

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

Full System Emulation:

Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications

Secure cloud access system using JAR ABSTRACT:

EECS 354 Network Security. Introduction

Architecture Overview

Advanced Endpoint Protection Overview

Asynchronous intrusion recovery for interconnected web services

C Compiler Targeting the Java Virtual Machine

Vigilante: End-to-End Containment of Internet Worms

An Analysis of Address Space Layout Randomization on Windows Vista

Barracuda Intrusion Detection and Prevention System

Database Application Developer Tools Using Static Analysis and Dynamic Profiling

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

System Calls and Standard I/O

Stack machines The MIPS assembly language A simple source language Stack-machine implementation of the simple language Readings:

Intrusion Detection in AlienVault

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Transcription:

How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1

Big Picture Ways to get malicious code/data into victim sites (1) Break cryptography (2) Exploit design flaws in security protocols (3) Leverage applications convenience features (4) Exploit application-level implementation bugs (5) Exploit language-level implementation bugs (6) Non-technical attacks: insider, social engineering, etc. The majority of attacks are based on (3), (4) and (5) 2/8/06 Blackhat Federal 2006 2

Software Security Bugs in programs lead to vulnerabilities that attackers exploit Design vs. Implementation bugs How to detect security-related bugs Static analysis Dynamic checking Intrusion detection/prevention 2/8/06 Blackhat Federal 2006 3

Control- Hijacking Attacks Network applications whose control gets hijacked because of software bugs: Most worms, including MS Blast, exploit such vulnerabilities Three-step recipe: Insert malicious code/data into the victim application Sneaking weapons into a plane Trick the attacked application to transfer control to the inserted code or some existing code Taking over the victim plane Execute damaging system calls as the owner of the attacked application process Hit a target with the hijacked plane 2/8/06 Blackhat Federal 2006 4

Control-Hijacking Attack Three types of overflows: buffer overflow integer overflow input argument list overflow (format string attack) Consequences Code Injection Return-to-libc Data attack 2/8/06 Blackhat Federal 2006 5

Example: Stack Overflow Attack main() { input(); } input() { int i = 0;; int userid[5]; while ((scanf( %d, &(userid[i])))!= EOF) i ++; } STACK LAYOUT FP 124 Return address of input() 100 120 Local variable i 116 userid[4] 112 userid[3] 108 userid[2] INT 80 104 userid[1] SP 100 userid[0] 2/8/06 Blackhat Federal 2006 6

Proposed Defenses Stop the attack at either of the three steps: Overflowing some data structures Bounds checking compiler, e.g., CASH (world s fastest array bound checking compiler on Linux/X86 platform) Triggering control transfer Branch target check, e.g., FOOD (Foreign code detection on Windows/X86 platform) Issuing damaging system calls System call pattern check, e.g., PAID 2/8/06 Blackhat Federal 2006 7

Program semantics-aware Intrusion Detection (PAID) As a last line of defense, prevent intruders from causing damages even when they successfully take control of a target victim application Key observation: Most damages can only be done through system calls, including denial of service attacks Idea: Prevent a hijacked application from issuing system calls that deviate from its semantic model 2/8/06 Blackhat Federal 2006 8

System Call Model Checking Achilles Heel: How to derive a system call model for an arbitrary application? Manual specification: error-prone, labor intensive, non-scalable Machine learning: error-prone, training efforts required PAID s approach: Use compiler to extract the sites and ordering of system calls from the source code of any given application automatically Guarantees zero false positives and very-close-to-zero false negatives System call policy is extracted automatically and accurately 2/8/06 Blackhat Federal 2006 9

PAID Architecture Compile Time Extraction Application Run Time Checking Application Compiler System Call Graph System Call Graph Legitimacy Check User Kernel 2/8/06 Blackhat Federal 2006 10

System Call Flow Graph Take a program s control flow graph, and eliminate all nodes that are not related to system calls Traverse the SCFG at run time to verify the legitimacy of every incoming system call Non-determinism: If-then-else statements Function with multiple call sites 2/8/06 Blackhat Federal 2006 11

System Call Instance Coordinate Each system call instance is uniquely identified by The sequence of return addresses used in the function call chain leading to the corresponding int 80 instruction The return address of the int 80 instruction itself Example: Main F1 F2 F4 system_call_1 vs. Main F3 F5 F4 system_call_1 2/8/06 Blackhat Federal 2006 12

System Call Flow Graph Traversal Is there a path from the previous system call instance (R 1, R 2, R 3, R n ) to the current system call instance (S 1, S 2, S 3, S m )? Largely deterministic low latency 2/8/06 Blackhat Federal 2006 13

Dynamic Branch Targets Not all branch targets are known at compile time: function pointers and indirect jumps Insert a notify system call to tell the kernel the target address of these indirect branch instructions The kernel moves the current cursor of the system call graph to the designated target accordingly Notify system call is itself protected 2/8/06 Blackhat Federal 2006 14

Asynchronous Control Transfer Setjmp/Longjmp At the time of setjmp(), store the current cursor At the time of longjmp(), restore the current cursor Signal handler When signal is delivered, store the current cursor After signal handler is done, restore the current cursor Dynamically linked library such as dlopen() Load the library s system call graph at run time 2/8/06 Blackhat Federal 2006 15

Mimicry Attack Hijack the control of a victim application by overwriting some control-sensitive data structure, such as return address Issue a legitimate sequence of system calls after the hijack point to fool the IDS until reaching a desired system call, e.g., exec() None of existing commercial host-based IDS can handle mimicry attacks 2/8/06 Blackhat Federal 2006 16

Mimicry Attack Example Legitimate sequence: open() read() receive() send() exec() Buffer overflow vulnerability exists between open() and read() Hijack the program s control between open() and read() Execute read() receive() send() exec() 2/8/06 Blackhat Federal 2006 17

Mimicry Attack Details To mount a mimicry attack, attacker needs to Issue each intermediate system call without being detected Nearly all system calls can be turned into no-ops For example (void) getpid() or open(null,0) Grab the control back after each intermediate system call Set up the stack so that the injected code can take control after each system call invocation 2/8/06 Blackhat Federal 2006 18

Countermeasures Minimize non-determinism in the system call model If (a>1) { open(..)} else {open(..); write(..)} Checking system call argument values whenever possible Random insertion of null system calls at load time to defeat guessing Different SCFGs for different instances of the same program 2/8/06 Blackhat Federal 2006 19

Impossible Path Example main() { Entry(main) 1 Entry(foo) foo(); foo(); % W % X call(foo) sys_foo exit(); } foo() { for(.){ % E return(foo) call(foo) return(foo) 3 2 4 sys_foo Exit(foo) sys_foo(); % Y sys_foo(); % Z Exit() } } Exit(main) 2/8/06 Blackhat Federal 2006 20

With PAID Legitimate Path: WY WZ XY XZ E Impossible Path: WY WZ E 2/8/06 Blackhat Federal 2006 21

PAID Checks Ordering Site: return address sequence Arguments Checking performed in the kernel with SCFG stored in the user space 2/8/06 Blackhat Federal 2006 22

System Call Argument Check Start from each file name system call argument, e.g., open() and exec(), and compute a backward slice towards the inputs Perform symbolic constant propagation through the slice, and the result could be A constant: static constant A program segment that depends on initialization-time inputs only: dynamic constant A program segment that depends on run-time inputs: dynamic variables 2/8/06 Blackhat Federal 2006 23

Dynamic Variables Derive partial constraints, e.g., prefix or suffix, /home/httpd/html Enforce the system call argument computation path by inserting null system calls between where dynamic inputs are entered and where the corresponding system call arguments are used 2/8/06 Blackhat Federal 2006 24

Ordering Check Only main function call setreuid Buffer Overflow read open stat setreuid read open stat write write Compromised! 2/8/06 Blackhat Federal 2006 25

Ordering and Site Check main function call int 0x80 instruction Buffer Overflow Compromised! setreuid read open stat write 2/8/06 Blackhat Federal 2006 26

Ordering, Site and Stack Check (1) main function call int 0x80 instruction Buffer Overflow setreuid read open stat write 2/8/06 Blackhat Federal 2006 27

Ordering, Site and Stack Check (2) main function call int 0x80 instruction Buffer Overflow Stack check passes exec 2/8/06 Blackhat Federal 2006 28

Random Insertion of Notify Calls main function call int 0x80 instruction Buffer Overflow notify Attack failed notify exec 2/8/06 Blackhat Federal 2006 29

Window of Vulnerabilities Buffer Overflow notify Buffer Overflow Desired system call follows Immediately exec Argument replacement notify exec 2/8/06 Blackhat Federal 2006 30

Prototype Implementation GCC 3.1 and Gnu ld 2.11.94, Red Hat Linux 7.2 Compiles GLIBC successfully Compiles several production-mode network server applications successfully, including Apache-1.3.20, Qpopper-4.0, Sendmail-8.11.3, Wuftpd-2.6.0, etc. 2/8/06 Blackhat Federal 2006 31

Throughput Overhead PAID PAID/stack PAID/random PAID/stack random Apache Qpopper Sendmail Wuftpd 4.89% 5.39% 6.48% 7.09% 5.38% 5.52% 6.03% 6.22% 6.81% 7.73% 9.36% 10.44% 2.23% 2.69% 3.60% 4.38% 2/8/06 Blackhat Federal 2006 32

However PAID assumes source code availability, but most users do not have access to the source code of their applications, especially on the Windows platform What is the SCFG for Microsoft s IIS? Enters the BIRD (Binary Interpretation using Runtime Disassembly) project Binary PAID = BIRD + PAID 2/8/06 Blackhat Federal 2006 33

Motivation Many state-of-the-art solutions to software security problem are based on program transformation techniques Achilles Heel: cannot be applied to existing executable binaries, especially for Windows PE32 binaries From source code to binary code: Static disassembly does not always work Binary instrumentation is non-trivial 2/8/06 Blackhat Federal 2006 34

Static Disassembly No guarantee for 100% recovery: no way to know for sure Distinguishing between instruction and data is fundamentally undecidable Linear sweeping: data (e.g., jump table) could be embedded code section Recursive traversal: some functions do not any explicit call sites in the binary Windows DLLs are full of hand-crafted code sequences designed to defeat reverse engineering tools Bottom line: about 90% coverage with absolute confidence 2/8/06 Blackhat Federal 2006 35

BIRD A binary analysis and instrumentation infrastructure on the Windows platform Do as much static disassembly as possible Uncover statically unknown instructions through dynamic invocation of disassembler Provide an API for developers to add applicationspecific analysis and/or instrumentation routines Guarantee 100% disassembly accuracy and coverage 2/8/06 Blackhat Federal 2006 36

Architecture 2/8/06 Blackhat Federal 2006 37

Dynamic Disassembly Statically redirect all indirect jumps/calls to a check() routine Redirect delivery of exception handlers to the check() routine also In the check() routine Check if the target address is known or not If known, jump to the target; else invoke the dynamic disassembler to disassembly the target area and jump Update the unknown-area list and modify indirect jumps/calls in dynamically disassembled instructions 2/8/06 Blackhat Federal 2006 38

Binary Instrumentation Need to find enough bytes in a given instrumentation point to put in a 5-byte jump instruction Can use neighboring instructions only if they are not targets of other direct jump instructions in the same function Use INT 3 as a fall-back mechanism, which goes through an exception handler to invoke check() 2/8/06 Blackhat Federal 2006 39

Performance Penalty Works for all programs in MS Office suite and IE Latency overhead Program Description Original Modified gzip Encrypt a 10MB file 3.4% 0.18% comp Compare two similar5mb files 10.0% 0.15% strings List all strings in a binary file 6.4% 2.4% find Find a string in a 500KB file 19.0% 16.7% objdump Show object headers in an EXE file 3.5% 0.8% 2/8/06 Blackhat Federal 2006 40

Binary PAID 2/8/06 Blackhat Federal 2006 41

Throughput Overhead 2/8/06 Blackhat Federal 2006 42

Other Application: FOOD Goal: Ensure no dynamically injected code can run by monitoring target addresses of all indirect branches Assumption: no self modifying code, thus read-only text segment Approach: check the legitimacy of each instruction based on its location rather than its content Intercept at all indirect jumps/calls, return instructions and invocation of exception handlers Overhead: 10-25% 2/8/06 Blackhat Federal 2006 43

Conclusion PAID is the most efficient, comprehensive and accurate host-based intrusion prevention (HIPS) system on both Linux and Windows platform Automatically generates per-application system call policy Guarantee 0 false positive and almost 0 false negative Effective countermeasures against mimicry attacks, Extensive system call argument checks Load-time insertion of random null system calls Return address sequence check Can handle function pointers, asynchronous control transfer, threads, exceptions, and DLL 2/8/06 Blackhat Federal 2006 44

Future Work Further reduce the latency/throughput overhead of Binary PAID Reduce the percentage of dynamic variable category of system call arguments Apply it to generate security policy for SELinux automatically Create a counterpart of PAID for NIDS 2/8/06 Blackhat Federal 2006 45

For more information Project Page: http://www.ecsl.cs.sunysb.edu/paid Thank You! 2/8/06 Blackhat Federal 2006 46

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information