
High-Speed Matching of Vulnerability Signatures

16 September 2008. High-Speed Matching of Vulnerability Signatures. Nabil Schear * David R. Albrecht † Nikita Borisov † University of Illinois at Urbana-Champaign * Department of Computer Science † Department of Electrical and Computer Engineering


Presentation Transcript


  1. 16 September 2008 High-Speed Matching of Vulnerability Signatures Nabil Schear* David R. Albrecht † Nikita Borisov † University of Illinois at Urbana-Champaign * Department of Computer Science † Department of Electrical and Computer Engineering {nschear2, dalbrech, nikita}@illinois.edu

  2. Exploit vs. Vulnerability Signatures
  • Exploit Signatures – match a specific example of an exploit
    + fast to match
    - imprecise, false positives
  • Vulnerability Signatures – match the condition under which the program is vulnerable
    + exploit generic, very precise
    - expensive

  3. Example – CUPS/IPP
  [Figure: an IPP message carried in an HTTP response. HTTP header: HTTP/1.1 200 OK, Content-Type: ipp, Transfer-Encoding: chunked, chunk size A05. Then the IPP header, a series of attributes, and extra data.]

  4. Example – CUPS/IPP
  [Figure: the same message as slide 3, with one IPP attribute expanded into its fields: tag, name_len, name, value_len, value.]

  5. Example – CUPS/IPP
  [Figure: the same message as slide 4.]
  Buffer overflow: uint16 name_len is used to copy name into an 8KB buffer without checks.

  6. Example – CUPS/IPP: Exploit Signature
  alert tcp any any -> any 631 (content: “|EB 10 5B 4B 33 C9 66 B9 96 03…|”)
  [Figure: the same message as slide 4; the name field of one attribute holds 0xA190909090EB105B4B33C966B9960380340BFDE2FAEB05E8EBFFFFFF.]
  Shell code stored in name field.

  7. Example – CUPS/IPP
  • Now split shell code across two HTTP chunks
  [Figure: HTTP/1.1 200 OK, Content-Type: ipp, Transfer-Encoding: chunked. Chunk 1 (size E5) contains the first IPP attributes, the attribute tag, name_len and the first part of the shell code, 0xA190909090EB105B4B33C966B99; chunk 2 (size 920) contains the rest, 60380340BFDE2FAEB05E8EBFFFFFF, followed by value_len, value, the remaining attributes and extra data.]

  8. Example – CUPS/IPP: Vulnerability Signature
  if(name_len > 8192) Exception!
  [Figure: the same message as slide 4.]
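  The vulnerability signature on slide 8, carried through as an added C++ example (written for this page, not code from VESPA or CUPS): the chunked HTTP body is reassembled first, so the split on slide 7 does not hide anything, and the IPP attributes are then traversed reading only the length fields. The 8-byte IPP header, the attribute tag 0x47 and the sample response are assumptions of this example; the name_len value 0xA190 is the one shown on slide 6, with the name filled with 'A' bytes instead of shell code.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
// Reassemble a chunked HTTP body so a field split across chunks (slide 7) is
// matched whole; returns false on malformed chunk framing.
static bool dechunk(const std::string& body, std::string& out) {
    for (size_t pos = 0;;) {
        size_t eol = body.find("\r\n", pos);
        if (eol == std::string::npos) return false;
        unsigned long len = std::strtoul(body.c_str() + pos, nullptr, 16);
        if (len == 0) return true;                        // last-chunk marker
        pos = eol + 2;
        if (pos + len + 2 > body.size()) return false;
        out.append(body, pos, len);
        pos += len + 2;                                   // chunk data + CRLF
    }
}
// Binary traversal in the simplified IPP layout of the slides (8-byte header, then
// tag|name_len|name|value_len|value until tag 0x03); reads only the length fields.
static bool ipp_name_len_vuln(const std::string& m) {
    for (size_t pos = 8; pos + 3 <= m.size() && uint8_t(m[pos]) != 0x03;) {
        uint16_t name_len = uint8_t(m[pos + 1]) << 8 | uint8_t(m[pos + 2]);
        if (name_len > 8192) return true;                 // vulnerability predicate
        pos += 3 + name_len;                              // skip name bytes (transient)
        if (pos + 2 > m.size()) break;
        pos += 2 + (uint8_t(m[pos]) << 8 | uint8_t(m[pos + 1]));   // skip value
    }
    return false;
}
// Assumes a chunked response as on the slides: find the body, de-chunk it,
// then evaluate the signature over the reassembled IPP message.
bool matches_vuln_sig(const std::string& resp) {
    size_t h = resp.find("\r\n\r\n"); std::string joined;
    return h != std::string::npos && dechunk(resp.substr(h + 4), joined)
           && ipp_name_len_vuln(joined);
}
// Constructed sample (no real CUPS traffic): one attribute with the given
// name_len; split=true puts the two name_len bytes into different chunks.
std::string sample_response(uint16_t name_len, bool split) {
    std::string ipp(8, '\0'), body;                       // header; tag 0x47 is assumed
    ipp += '\x47'; ipp += char(name_len >> 8); ipp += char(name_len & 0xff);
    ipp.append(name_len, 'A').append("\x00\x02ok\x03", 5); // name, value_len, value, end
    size_t cut = split ? 10 : ipp.size();
    for (const std::string& piece : {ipp.substr(0, cut), ipp.substr(cut)}) {
        char sz[16]; std::snprintf(sz, sizeof sz, "%zx\r\n", piece.size());
        if (!piece.empty()) body += sz + piece + "\r\n";
    }
    return "HTTP/1.1 200 OK\r\nContent-Type: ipp\r\nTransfer-Encoding: chunked\r\n\r\n" + body + "0\r\n\r\n";
}
```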

  9. Motivation: Matching Performance
  [Chart: throughput (Mbits/s) of vulnerability matchers]
  • Hand-coded 3x to 37x faster!
  • Many vulnerabilities do not require full protocol parsing

  10. Introducing VESPA
  • A vulnerability signature and protocol parsing architecture
  • Focus on performance
  • Hardware acceleration friendly design
    • Future work: offload to FPGA, network processor
  • Target use in NIC or switch
    • 1 Gbps+
    • Low latency

  11. Outline
  • Parsing Architecture Design
    • Text Protocols
    • Binary Protocols
  • Vulnerability Specification Language
  • Performance Evaluation
  • Related Work
  • Conclusions

  12. VESPA Design
  • Couple protocol and vulnerability specifications for maximum parser optimization
  • Design principles
    • Fast matching primitives
    • Explicit state management
    • Avoid parsing irrelevant message parts
  • Basic idea: construct matching specs from primitives and marry them to state control functions

  13. Protocol State
  • Core state
    • Example: HTTP Content-Length header
    • Defines the structure and semantics of the message
    • Always parsed

  14. Protocol State
  • Core state
    • Example: HTTP Content-Length header
    • Defines the structure and semantics of the message
    • Always parsed
  • Application state
    • Example: HTTP Accept-Charset header
    • Only relevant to the application
    • Skipped by default

  15. Text Protocols
  • Often use explicit field labeling, e.g., RCPT TO: <nschear2@illinois.edu>
  • A multi-string matching primitive flattens irrelevant protocol structure, e.g., search for “HTTP/1.”, “Content-Length:”, “Transfer-Encoding:”, “POST”, and “\r\n\r\n” simultaneously
  • Use control logic to drive the matching primitive

  16. Binary Protocols
  • Field meaning based on position in message
  • Binary traversal primitive
    • Parses only core fields
    • No full in-memory representation
    • Parses vulnerability-relevant fields when desired
    • Implemented with the binpac language

  17. VESPA Language
  • String matcher primitive spec:
      bool is_post = str_matcher “POST” handler handle_post() %{ is_post = true; }%
    • Stores each var as a member of the generated C++ class
    • Extraction function within %{…}%
  • Handler spec:
      handle_post() %{ if(is_post) deploy(content_length); }%
    • Embedded C++ code
    • deploy(var) function to control match state
    • Check vulnerability predicates here
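  An added C++ illustration of the state-driven text matching described on slides 15 and 17, hand-written for this page rather than taken from VESPA's generated code: the set of strings the primitive looks for changes as handlers run, "Content-Length:" is deployed only after "POST" as in handle_post(), and its handler evaluates the negative Content-Length predicate listed among the tested vulnerabilities on slide 23. The class name, the per-offset compare loop and the sample requests are assumptions of this example.

```cpp
#include <cstdlib>
#include <functional>
#include <string>
#include <vector>
// Illustration of VESPA's explicit state management (not its generated C++):
// handlers deploy or retire strings, so headers a signature does not need
// are never searched for, and scanning stops at the end of the headers.
class HttpRequestMatcher {
    struct Pattern { std::string s; std::function<void(size_t)> handler; bool active; };
    std::vector<Pattern> pats;
    std::string msg;
    bool done = false;
    void deploy(const std::string& s, bool on = true) {
        for (auto& p : pats) if (p.s == s) p.active = on;
    }
public:
    bool is_post = false, negative_content_length = false;
    long content_length = 0;
    HttpRequestMatcher() {
        // Core state, always matched (slide 13). Application headers are not listed.
        pats.push_back({"POST", [this](size_t) { is_post = true; deploy("Content-Length:"); }, true});
        pats.push_back({"\r\n\r\n", [this](size_t) { done = true; }, true});
        // Deployed only after a POST, like handle_post() on slide 17; the predicate
        // is the negative Content-Length integer overflow from slide 23.
        pats.push_back({"Content-Length:", [this](size_t off) {
            content_length = std::strtol(msg.c_str() + off, nullptr, 10);
            negative_content_length = content_length < 0;
            deploy("Content-Length:", false);                // one header is enough
        }, false});
    }
    // Multi-string primitive: one pass, testing every active string at each
    // offset (a production primitive would use Aho-Corasick or Wu-Manber,
    // slide 29). Returns the number of bytes examined.
    size_t scan(const std::string& m) {
        msg = m; done = false;
        size_t i = 0;
        for (; i < msg.size() && !done; ++i)
            for (auto& p : pats)
                if (p.active && msg.compare(i, p.s.size(), p.s) == 0) p.handler(i + p.s.size());
        return i;
    }
};
// Convenience entry point for a single request.
bool request_has_negative_content_length(const std::string& req) {
    HttpRequestMatcher m;
    m.scan(req);
    return m.negative_content_length;
}
```

Because scanning stops at the blank line ending the headers, the request body is never examined, which is the "avoid parsing irrelevant message parts" principle from slide 12.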

  18. Binary Protocols
  VESPA:
      uint16 name_len = bin_matcher IPP.binpac:IPP_Attr_Data.name_len handler handle_name() default;
      handle_name() %{ if(name_len > 8192) // throw exception }%
  • VESPA controls:
    • vulnerability state
    • predicate evaluation

  19. Binary Protocols
  VESPA:
      uint16 name_len = bin_matcher IPP.binpac:IPP_Attr_Data.name_len handler handle_name() default;
      handle_name() %{ if(name_len > 8192) // throw exception }%
  • binpac controls protocol binary traversal
  binpac IPP specification:
      type IPP_Attr_Data = record {
          name_len: uint16;
          name: bytestring &length = name_len &transient;
          value_len: uint16;
          value: bytestring &length = value_len &transient;
      };

  20. Modifying binpac for Binary Traversal
  • Optimized binpac dynamic memory usage
    • Pre-allocate one of each object that could be parsed, in a single object
    • Remove STL vector storage for all array elements

  21. Modifying binpac for Binary Traversal
  • Optimized binpac dynamic memory usage
    • Pre-allocate one of each object that could be parsed, in a single object
    • Remove STL vector storage for all array elements
  • Use the &pointer attribute to specify objects that must be dynamically created
    • e.g., DNS name pointers…

  22. Evaluation
  • Focus on vulnerabilities difficult to match with exploit sigs
  • Tested raw vuln sig matcher/parser performance
    • Network reassembly and reporting stages studied elsewhere
  • Test system
    • 2.6 GHz AMD Athlon64
    • 4GB RAM
    • Ubuntu Linux 2.6.22-x86-64

  23. Tested Vulnerabilities
  • HTTP/IPP
    • Negative Content-Length causes integer overflow
    • uint16 name_len used to store size of 8KB buffer
  • DNS
    • Pointer cycle can cause denial of service
  • WMF
    • Vulnerable feature: allows arbitrary abort procedure to execute malicious code

  24. Memory Micro-benchmarks
  • 6x to 40x reduction in number of calls to new
  • IPP and WMF call new 6x for any file
  • DNS proportional to number of DNS pointers
  [Charts: calls to new/malloc per message; bytes allocated per message]


  26. String Primitive Micro-benchmarks
  • Multi-string matching dominates text performance
  • VESPA approximates the performance of pattern-based IDS for simple signatures

  27. Parser Performance
  • VESPA outperforms binpac by 3 to 5 times

  28. Parser Performance
  • VESPA DNS considerably faster than binpac
  • Recall, hand-coded 9x faster than VESPA (2.6 Gbits/s)
  • Room for improvement in binary traversal

  29. Related Work
  • Pattern Matching
    • Wu-Manber, Aho-Corasick, flex, pcre, XFA, Protomatching
  • Vulnerability Signatures
    • Shield, GAPA, binpac, NetShield, Prospector
  • IDS/IPS
    • Snort, Bro, SafeCard

  30. Conclusions
  • Key insight: vulnerability signatures often do not require full protocol parsing
    • Specialize protocol parser to signature matching
  • Developed VESPA language and architecture
    • 3-5 times faster than binpac
  • Performance tied to speed of primitives
    • Able to hardware accelerate multi-string matching
    • Improved performance of binary traversal
  • Vulnerability signatures can be matched at 1 Gbps+
    • Suitable for server NICs, switches, inline IPS

  31. Thank you! Questions?
