Some Anti-Worm Efforts at Microsoft. Acknowledgements



Similar documents
HoneyBOT User Guide A Windows based honeypot solution

The Security Development Lifecycle

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Computer Security: Principles and Practice

Bypassing Memory Protections: The Future of Exploitation

Windows Remote Access

Chapter 15 Operating System Security

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Software Vulnerabilities

Integrated Protection for Systems. João Batista Territory Manager

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Metasploit Beginners

TIME TO LIVE ON THE NETWORK

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

Bypassing Browser Memory Protections in Windows Vista

Where every interaction matters.

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Securing and Accelerating Databases In Minutes using GreenSQL

Why should I care about PDF application security?

The monsters under the bed are real World Tour

Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats. Windows XP Support Has Ended Why It Concerns You

Exploiting Transparent User Identification Systems

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 21

Internet Worms, Firewalls, and Intrusion Detection Systems

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Building A Secure Microsoft Exchange Continuity Appliance

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Secure Software Programming and Vulnerability Analysis

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Intrusion Defense Firewall

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

5 Steps to Advanced Threat Protection

DMZ Network Visibility with Wireshark June 15, 2010

INTRODUCTION TO FIREWALL SECURITY

Maximizing customer protections

NetDefend Firewall UTM Services

Web Application Security

Implementing Security Update Management

Windows Server Virtualization & The Windows Hypervisor

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications

SAST, DAST and Vulnerability Assessments, = 4

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Microsoft Security Bulletin MS Critical

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Penetration Testing Report Client: Business Solutions June 15 th 2015

Protecting Your Organisation from Targeted Cyber Intrusion

Windows 7. Qing Liu Michael Stevens

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

INTRUSION DETECTION SYSTEMS and Network Security

SecureIIS Web Server Protection Guarding Microsoft Web Servers When bad things happen to good web app servers

Announcements. Lab 2 now on web site

SecureIIS Web Server Protection Guarding Microsoft Web Servers

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

Intrusion Detection for Mobile Ad Hoc Networks

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Chapter 9 Firewalls and Intrusion Prevention Systems

Second-generation (GenII) honeypots

Agnitum SMB Solutions. Outpost Network Security Version 3.2 Securing your network

International Journal of Computer Science and Network (IJCSN) Volume 1, Issue 5, October ISSN Bhopal, M.P.

The Leader in Cloud Security SECURITY ADVISORY

2010 White Paper Series. Layer 7 Application Firewalls

Detecting P2P-Controlled Bots on the Host

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Tutorial 3. June 8, 2015

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

ABB s approach concerning IS Security for Automation Systems

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Web App Security Audit Services

Objectives. Windows 7 Security. Desktop OS Market Share. Windows Background. CS140M Fall Lake

Citect and Microsoft Windows XP Service Pack 2

Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses

Is Your Network a Sitting Duck? 3 Secrets to Securing Your Information Systems. Presenter: Matt Harkrider. Founder, Alert Logic

Ovation Security Center Data Sheet

Fighting Advanced Threats

Flashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?

Technical White Paper BlackBerry Enterprise Server

Locking down a Hitachi ID Suite server

Deep Security Vulnerability Protection Summary

Proxy Server, Network Address Translator, Firewall. Proxy Server

Ovation Security Center Data Sheet

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Computer Security DD2395

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

CMPT 471 Networking II

Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Attacks from the Inside

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Transcription:

Some Anti-Worm Efforts at Microsoft Helen J. Wang System and Networking Research Group Microsoft Research Oct 29, 2004 1 Acknowledgements Matt Braverman, Opher Dubrovsky, John Dunagan, Louis Lafreniere, Steve Lipner, Jon Pincus, Pat Stemen, Yi-Min Wang 2 1

Outline Product side: Software Development Life cycle (SDL) Compile-time solutions: /GS compiler option Static checking Windows XP SP2 Research side: Shielding before patching (Shield, research) System management research (Strider) 3 New MS Software Development Life cycle Training Requirement Security at outset; security advisor, security milestone, exit criteria Design Identify trusted base, minimize/document attack surface, secure default setting Development Static checking, code review Verification Beta, regression testing, code review, penetration testing, auto tool check, Release: Final security review: 2-6 months before; go back to previous phases if necessary; additional (external) penetration testing Response: Microsoft Security Response Center Sustain Engineering Teams Patch Management 4 2

Outline Product side: Software Development Life cycle (SDL) Compile-time solutions: /GS compiler option Static checking Windows XP SP2 Research side: Shielding before patching (Shield, research) System management research (Strider) 5 /GS Compiler Option Goal: defeat return address hijacking /GS insert a cookie between the locally declared buffer and the return address test cookie for corruption before using return address If test fails, terminate the process Various challenges Exception handler function pointer hijacking User installable function pointer hijacking Pointer subterfuge hijacking local pointers or function parameters Global cookie hijacking 6 3

/GS Compiler Option: Trampoline (Pointer subterfuge ) void vulnerable( char* buf, int cb) { char name[8]; int *p = &G; int i = value(); } 2 stages attack memcpy(name, buf, cb); *p = i; Previous function s stack frame cb Attack Code &buf Return address Cookie p = &Return Addr i = &Attack Code name Garbage Garbage 7 /GS Compiler Option, Cont. Mitigations Reorder local variables to avoid local pointer hijacking Shadow parameters as local variables to avoid function parameter hijacking Safe Exception Handling (SEH): OS detects invalid exception handlers CRT detects corrupted SEH info table Cookie protection: Hiding the local cookie to mitigate global cookie hijacking: XOR (ESP, cookie) Leading 0 s for cookie to prevent strcpy buffer overruns Arms race 8 4

Static Checking MSR PPRC MS CSE Static checking for software defects such as buffer overflows, un-initialized data, resource leakage, etc. Tools: espx Use code annotation to enable effective local data flow and control flow analysis 9 espx Usage 10 5

Outline Product side: Software Development Life cycle (SDL) Compile-time solutions: /GS compiler option Static checking Windows XP SP2 Research side: Shielding before patching (Shield, research) System management research (Strider) 11 Windows XP SP2: Securing the Network Windows firewall (ICF) On by default Stateful: automatically matching inbound traffic with outgoing requests Boot time security Limit the number of half open TCP connections to 10 Application affected: those listen for unsolicited traffic (e.g., file/printer sharing, upnp, remote desktop, remote admin, ICMP options) RPC/DCOM Reduce attack surface Make it easier to restrict RPC interfaces to local machine Block unauthenticated calls to DCOM and RPC services Attachments: Unsafe attachments not trusted by default Block/Prompt/Allow determined by combination of file type & zone Dangerous file type + Restricted Zone = Block Dangerous file type + Internet Zone = Prompt 12 6

Windows XP SP2: Memory Protection /GS: Most critical components that take network or untrusted input have been recompiled NX: Prevents execution of injected code Leverages processor technology Marks memory regions as non-executable Processor raises exception when injected code is executed Supported on 64-bit extensions processors SP2 runs in 32-bit compatibility mode with NX support On by default only for system components User applications can be opted in Some app compatibility issues 13 Outline Product side: Software Development Life cycle (SDL) Compile-time solutions: /GS compiler option Static checking Windows XP SP2 Research side: Shielding before patching (Shield, research) System management research (Strider) 14 7

Software patching not an effective first line worm defense Sasser, MSBlast, CodeRed, Slammer, Nimda, Slapper all exploited known vulnerabilities whose patches were released months or weeks before 90+% of worm attacks exploit known vulnerabilities [Arbaugh2002] People don t patch immediately 15 Why don t people patch? Disruption Service or machine reboot Unreliability Software patches inherently hard to test Irreversibility Cannot always undo a patch Unawareness Automatic patch installation not possible 16 8

Firewall also not an effective first line worm defense Traditional firewalls Course-grained High false positive rate Typically in the network One-size-fits-all solution, lack application-awareness, miss end-to-end encrypted traffic Exploit-driven firewalls Filter according to exploit (attack) signatures Attack code obfuscation, e.g., polymorphism, metamorphism, can evade the firewall Worms spread fast (in minutes or seconds!) Real-time signature generation and distribution difficult 17 Shields: End-host Vulnerability- Driven Network Filters Goal: Protect the time window between vulnerability disclosure and patch application. Approach: Characterize the vulnerability instead of its exploits and use the vulnerability signature for end-host firewalling Shields combine the best features of Patches: vulnerability-specific, code level, executable Firewall: exploit-specific, network level, data-driven Advantages of Shield: Protection as good as patches (resilient to attack variations), unlike exploit-driven firewalls Easier to test and deploy, more reliable than patches 18 9

Overview of Shield Usage New Shield Policy Incoming or Outgoing Network Traffic Shield Policies End-Host Shield Shielded Traffic to Processes or Remote Hosts Shield intercepts vulnerable application traffic above the transport layer. Policy distribution very much like anti-virus signature model automatic, non-disruptive, reversible 19 Vulnerability State Machine Vulnerability Modeling S0 Message S0 S2 S1 S2 S3 Exploit Event S4 V4 Protocol State Machine S5 V4 S5 Application Functionality in S2 Shield Policy (Vulnerability Signature): Vulnerability state machine + how to recognize and react to exploits in the vulnerable state 20 10

Shield Implementation and Evaluation Prototype implemented as Windows Layered Service Provider (LSP) Uses Generic Protocol Analyzer Working shields for vulnerabilities behind Blaster, Slammer, and CodeRed Performance and scalability results promising: Negligible overhead for end user machines 14-30% throughput overhead for an artificial scenario stressing Shield MSRC 2003 Bulletin study All 12 worm-able vulnerabilities are easily shield-able Some of the other 37 may also be shield-able 21 Ongoing Work Generic protocol analyzer (GPA): Implements common elements of application protocol functions State machine operations, event dispatching, Policy language specifies variations of individual protocols State machine transitions, payload format, Key advantage: Minimize efforts for releasing new shields ShieldPot: Distributed shield-equipped honeypots Detect (stealthy) unknown attacks against known vulnerabilities 22 11

Outline Product side: Software Development Life cycle (SDL) Compile-time solutions: /GS compiler option Static checking Windows XP SP2 Research side: Shielding before patching (Shield, research) System management (Strider, research) 23 Strider: Patch Management The challenge of software patches: testing Patch Impact Analysis Use file and registry tracing to quickly narrow down the set of apps that need to be tested 24 12

Strider: Security Access Check Tracer Problem: user-level app runs with Admin privilege compromise of user-level app is a system compromise Security Access Check Tracing A developer tool for identifying every access that would fail for a non-admin, along with helpful debugging information Kernel-mode tracing around security subsystem Most admin dependencies are easy to remove once pinpointed 25 Questions? 26 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information