250 likes | 385 Views
Detecting past and present intrusions through vulnerability-specific predicates. Ashlesha Joshi, Sam King, George Dunlap, and Peter Chen University of Michigan. vulnerability introduced. vulnerability discovered. patch released. Motivation. time.
E N D
Detecting past and present intrusions through vulnerability-specific predicates Ashlesha Joshi, Sam King, George Dunlap, and Peter Chen University of Michigan
vulnerability introduced vulnerability discovered patch released Motivation time • Software contains bugs, including flaws that may be exploited by an attacker • Some time passes before vendor becomes aware of bug • Software vendors try to release patches quickly
vulnerability introduced vulnerability discovered patch released patch applied Motivation • Users don’t always apply patches quickly • Concerns about unstable patches • Unacceptable downtime • Can I somehow protect my system before I install the patch? time
vulnerability introduced patch released patch applied Motivation time • Was this vulnerability triggered on my machine in the past?
Predicates • Patch writer knows exactly what conditions during program execution indicate triggering of vulnerability • Use this knowledge to write exploit-generic, vulnerability-specific predicates that check these conditions • No false positives or false negatives
An example 1 char *str = some_string; 2 int length = strlen (str); 3 char buf [BUFSIZE]; 4 strcpy(buf,str); // D’oh! Predicate: (length >= BUFSIZE)
vulnerability introduced patch released patch applied Approach “past” “present” time Using replay, detect if vulnerability was triggered in past Monitor ongoing execution to detect and respond to attempts to trigger vulnerability
Goals The system must… • Not perturb the target software • Work for both OS and application-level vulnerabilities • Allow predicates to be installed dynamically • Allow predicates to be written easily • Have low overhead
predicate engine OS hardware Challenge #1: Where do predicates execute? application application predicate engine operating system predicate engine hardware
IntroVirt structure predicates application application state predicate engine intrusionsdetected guest OS control host OS VMM hardware
Challenge #2: Semantic gap Problem: VMM exposes guest state at the wrong level of abstraction • It gives us registers, memory locations, disk blocks, … • We want program variables, files, … 1 uid = getuid(); 2// forget to check group membership 3 perform privileged action Predicate • Perform missing authentication, e.g., read /etc/group
Bridging the semantic gap • How could the programmer write this predicate? • Determine memory location where uid is stored; if page not resident, read from disk; read value of uid; traverse guest OS file system structures to see if /etc/group in file cache, if so, read from memory; if not, traverse FS structures to see which disk blocks contain it, then read blocks from disk; … • i.e., emulate guest functionality • Our solution: call guest code • Leverages existing guest code that does what we want • Here, we cause the guest itself to read the file and check group membership
Challenge #3: Avoiding perturbations to target state • Calling guest functions perturbs target • Solution: use checkpoint and restore • Take a checkpoint before changing guest state • Restore to checkpoint after predicate execution • Also protects from (buggy) predicates that modify guest state incorrectly
relink(file); relink(file); Challenge #4: Preemptions between the predicate and the bug 1 if (access(file, W_OK)) { 2 unlink(file); 3 } • Check in line 1 should be atomic with use in line 2 Predicate: (!access(file, W_OK))
Predicate refresh • Detect and respond to race • “Predicate refresh” • Observation: in uniprocessors, a scheduling event must occur before any other process can run • Re-execute predicate on scheduling events to detect relevant changes in state
Predicate engine functionality • Translate symbolic information from guest • Parse debugging information • Allow predicates to control guest execution • Breakpoints • Read guest state • Call guest functions • Manipulate guest stack and registers • Checkpoint and restore • Guarantee safety
Predicates for applications • Need additional support for application predicates • Processes are created and destroyed • Shared libraries can be mapped in different locations of application address space • Memory pages are not always resident • Use kernel predicates in fork, exec, exit, mmap, try_to_swap_out
Predicate for CAN-2003-0961 Actual Patch: if((addr + len) > TASK_SIZE || (addr + len) < addr) return –EINVAL; Predicate: registerBreak(“mmap.c:1044:begin”, brkEventHandler); void brkEventHandler() { unsigned long addr = readVar(“addr”); unsigned long len = readVar(“len”); if((addr+len) > TASK_SIZE || (addr+len) < addr) { cout << “brk bug triggered” << endl; } }
“find” race condition find /tmp –atime +3 –exec rm –f – {} \; • Run as root • Delete all files in /tmp that haven’t been accessed in past 3 days (“old files”) • Problem: file pointed to by filename may change between time of identification and time of deletion “delete old file” “identify old file”
“find” predicate find /tmp –atime +3 –exec rm –f – {} \; Save inode number of file “identify old file” • Get inode # of file • Compare with saved inode # • Enable predicate refresh “delete old file” Predicate refresh Ensure the inode # of the file stays the same
Experience • Wrote predicates for 20 real vulnerabilities (Linux kernel, bind, emacs, gv, imapd, OpenSSL, php, smbd, squid, wu-ftpd, xpdf) • Easy to write once vulnerability is understood • Length and complexity comparable to patch • Most are simple, e.g., just read a few variables • Overhead for most predicates is less than 10% • Many predicates are on infrequently executed code paths • Frequently executed predicates are simple and fast • Checkpoint/restore adds 5ms
Usage • Vendors distribute predicates along with patches • Users can install and run in past and present • For past attacks • Alert user; take corrective measures • For present attacks, lots of possibilities • Alert, kill process, halt machine, drop offending connection, imitate patch, install patch, … • For anything other than “alert”, you must trust the predicate
Limitations and future work • Predicates change timing • Software breakpoints • Current implementation only works on native code • Only works for uniprocessors • ReVirt • Predicate refresh • Predicates must be written by hand
Related work • VM introspection [Rosenblum97] • VM introspection for intrusion detection [Garfinkel03] • Shield [Wang04] • Vigilante [Costa05]
Conclusions • Vulnerability-specific predicates detect triggering of software vulnerabilities • IntroVirt predicate engine • Simple to write general-purpose predicates • No perturbations in state • Alert users about past attacks • Detect and respond to attacks in the present