Packet Vaccine: Black-box Exploit Detection and Signature Generation

Presentation Transcript


  1. Packet Vaccine: Black-box Exploit Detection and Signature Generation
     Su Yong Kim

  2. Contents
     • Stack Overflow Example
     • Packet Vaccine
     • Evaluation
     • Limitation
     • Conclusion

  3. Vulnerable Program

     #include <string.h>

     /* Deliberately vulnerable: the 12-byte buffer is filled with strcpy,
        so an argument longer than 11 characters overruns it and reaches
        the saved return address on the stack. */
     void foo (char *bar) {
         char c[12];
         strcpy(c, bar); // no bounds checking...
     }

     int main (int argc, char **argv) {
         foo(argv[1]);
         return 1;
     }

  4. Stack Layout
     • Just after calling foo() (diagram)

  5. Stack Layout Example
     • Calling foo(“hello”) (diagram)

  6. Stack Overflow Example I
     • Calling foo(“AA……”)
     • Direct Jump

  7. Stack Overflow Example II
     • Indirect Jump
     • Calling foo(“AA……”)
     • Diagram: esp points into the overflowed buffer; the code section at 0x7e8ecf49 holds FF D4 (jmp esp); the return-address slot holds the bytes \x49 \xcf \x8e \x7e, i.e. 0x7e8ecf49 in little-endian order

  8. Stack Overflow Example III
     • Return into Library
     • Calling foo(“AA……”)
     • Diagram: the return-address slot holds the bytes \xAD \x23 \x86 \x7C, i.e. 0x7C8623AD, the address of the WinExec API in Kernel32.dll

  9. Main Idea
     • Detect any packet that carries an address-like string
     • Test whether such an anomalous packet is malicious or not
       • Scramble the address-like string in the packet
       • Send the packet to the target server
       • If an exception occurs on the target server, drop the original packet and generate a signature
       • If no exception occurs, send the original packet to the target server

  10. Detecting Anomalous Packets
     • Key Idea
       • Check every 4-byte sequence (32-bit system) in a packet’s application payload
       • Detect a jump address that could redirect the control flow of a vulnerable program
     • Jump Address
       • Stack & heap address range
       • Address range of the global libraries such as msvcrt.dll or libc.so
         • system(), execve()
     • Empirical study on Linux
       • 0xbfff0000 to 0xbfffffff for the stack
       • 0x08040000 to 0x08ffffff for the heap

  11. Determining Stack & Heap Address Range
     • Monitor stack and heap usage of the protected program
     • Calculate the stack address range
       • From: stack base address – α * (typical stack maximum usage), α > 1
       • To: stack base address
     • Calculate the heap address range
       • From: heap base address
       • To: heap base address + α * (typical heap maximum usage), α > 1

  12. Making Packet Vaccine
     • Packet Vaccine
       • A weakened exploit packet with its important elements scrambled
     • Issues
       • Preserving the exploit semantics
         • The control flow of the protected program should not change
       • Preventing & detecting malicious behavior by the exploit
         • Scramble some fields of the exploit

  13. Preserving the Exploit Semantics
     • Program logic (flowchart): Does the user’s input contain “GET”? → Does the user’s input contain “/default.ida”? → Call strcpy
     • The scrambled bytes must not touch the tokens these checks look at, otherwise the vaccine never reaches the vulnerable strcpy call

  14. Preventing & Detecting Malicious Behavior
     • After scrambling
       • The exploit fails
       • An exception happens
     • Diagram: the jump-address bytes are overwritten with \x41

  15. Detecting Exploit
     • If an exception occurs on the protected program
       • Correlate the exception with one of the byte sequences being scrambled
         • Value of the EIP or CR2 register == byte sequence
       • Validate the correlation
         • Randomize all bytes of the byte sequence
         • Check whether the exception happens again
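The detection, scrambling and correlation steps of slides 10, 12 and 15 as an added Python example; this is not code from the paper or the presentation. The address ranges are the slide's Linux figures, and the sample packet and fault value are constructed.

```python
import os
import struct

# Address ranges from slide 10's empirical Linux study (32-bit process).
ADDRESS_RANGES = [("stack", 0xBFFF0000, 0xBFFFFFFF), ("heap", 0x08040000, 0x08FFFFFF)]

def looks_like_address(value: int) -> bool:
    return any(lo <= value <= hi for _, lo, hi in ADDRESS_RANGES)

def find_address_like(payload: bytes):
    """Slide 10: slide a 4-byte window over the payload (little-endian, as it
    would be read off the stack) and report windows inside a watched range.
    A hit consumes its 4 bytes so overlapping windows are not reported twice."""
    hits, off = [], 0
    while off + 4 <= len(payload):
        value = struct.unpack_from("<I", payload, off)[0]
        if looks_like_address(value):
            hits.append((off, value))
            off += 4
        else:
            off += 1
    return hits

def make_vaccine(payload: bytes, hits, rng=os.urandom):
    """Slide 12: scramble each address-like window so it no longer points into a
    watched range; protocol keywords and lengths elsewhere in the packet are kept."""
    vaccine, scrambled = bytearray(payload), {}
    for off, _ in hits:
        while True:
            new = rng(4)
            if not looks_like_address(struct.unpack("<I", new)[0]):
                break
        vaccine[off:off + 4] = new
        scrambled[off] = struct.unpack("<I", new)[0]
    return bytes(vaccine), scrambled

def correlate_exception(fault_value: int, scrambled):
    """Slide 15: an exception whose EIP or CR2 equals one of the scrambled values
    is attributed to that window; returns its offset, or None if unrelated."""
    return next((off for off, v in scrambled.items() if v == fault_value), None)

# Constructed sample: a request whose query string overflows a 12-byte buffer
# and lands a stack address in the saved-return-address slot.
SAMPLE = b"GET /default.ida?" + b"A" * 12 + struct.pack("<I", 0xBFFFF1C0) + b"\r\n"
```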

  16. Generating Signature (1/2)
     • Application-independent Signature Generation
       • Generate packet vaccines, randomizing each byte except the scrambled jump address
       • Test them against the vulnerable application
       • If no exception occurs, record the randomized byte as a signature token
       • Repeat for all bytes except the scrambled jump address
     • Signature: signature tokens + target address set
     • Good performance: small exploit size, parallel testing and a block-searching technique
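Slide 16's token-sequence signature generation with the block-searching shortcut, as an added Python example rather than the paper's code. fake_ida_server is a constructed stand-in for the vulnerable application (modelled on the /default.ida checks of slide 13), and the exploit, vaccine and match function are constructed assumptions.

```python
import os
import struct

def fake_ida_server(packet: bytes) -> bool:
    """Constructed stand-in for the vulnerable program (not real server code): True
    when a GET for /default.ida reaches the overflow, i.e. its query string overruns
    a 12-byte buffer plus the 4-byte saved return address (where a vaccine faults)."""
    if not packet.startswith(b"GET "):
        return False
    line = packet.split(b"\r\n", 1)[0]
    path, sep, query = line[4:].partition(b"?")
    return path.startswith(b"/default.ida") and sep == b"?" and len(query) >= 16

def generate_signature(vaccine: bytes, address_offsets, target_addresses,
                       crashes=fake_ida_server, rng=os.urandom):
    """Randomise every byte outside the scrambled jump address; a byte whose change
    makes the exception disappear is a token. Block searching: randomise a whole
    block first and split it only if the exception vanished (one test per filler run)."""
    protected = {o + i for o in address_offsets for i in range(4)}
    tokens = {}
    def randomised(lo, hi):
        trial = bytearray(vaccine)
        for i in range(lo, hi):
            if i not in protected:  # keep the scrambled jump address intact
                # add 1..255 so the trial byte always differs from the original
                trial[i] = (trial[i] + 1 + rng(1)[0] % 255) & 0xFF
        return bytes(trial)
    def probe(lo, hi):
        if all(i in protected for i in range(lo, hi)):
            return
        if crashes(randomised(lo, hi)):
            return  # exception survived: nothing in this block is essential
        if hi - lo == 1:
            tokens[lo] = vaccine[lo]  # changing this byte defused the exploit
            return
        mid = (lo + hi) // 2
        probe(lo, mid)
        probe(mid, hi)
    probe(0, len(vaccine))
    return {"tokens": tokens, "target_addresses": set(target_addresses)}

def matches(signature, packet: bytes) -> bool:
    """Tokens at their offsets plus a 4-byte little-endian window holding a target address."""
    if any(packet[o:o + 1] != bytes([b]) for o, b in signature["tokens"].items()):
        return False
    return any(struct.unpack_from("<I", packet, o)[0] in signature["target_addresses"]
               for o in range(len(packet) - 3))

# Constructed exploit and its vaccine (jump address at offset 29 already scrambled).
EXPLOIT = b"GET /default.ida?" + b"A" * 12 + struct.pack("<I", 0xBFFFF1C0) + b"\r\n"
VACCINE = EXPLOIT[:29] + b"\x11\x22\x33\x44" + EXPLOIT[33:]
```

With the constructed oracle the filler bytes and the CRLF survive randomisation, so only the protocol tokens "GET /default.ida?" end up in the signature.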

  17. Generating Signature (2/2)
     • Using Protocol Information
       • Identify the application field that includes the jump address
       • Estimate that field’s length using the number of bytes prior to the address
       • Iteratively alter the field size to generate new vaccines
         • If a new vaccine makes the exception disappear, increase the size
         • Otherwise, shrink the size
     • Signature form: (application, command, field.name, max.field.size)

  18. Signature Quality Evaluation
     • Comparison Target
       • Brumley’s approach, which generates a signature on the basis of static analysis of the vulnerable program’s binary code
     • Comparison Measure
       • Source code of the vulnerable application

  19. Quality of the Token-Sequence Signature
     • Vulnerable Program: BIND 8.2.2
     • Signature Result (figure)

  20. Quality of the Application-level Signature
     • Vulnerable Program: ATP-httpd
     • Brumley’s Signature
       • Command: GET or HEAD
       • Max.field.size: 812 bytes
       • Performance: more than a second
     • Packet Vaccine
       • Command: GET
       • Max.field.size: 703 bytes
       • Performance: 0.274 seconds

  21. In Summary
     • Brumley’s approach is more accurate than Packet Vaccine
     • Packet Vaccine is nearly as accurate as Brumley’s approach when it can use multiple exploits
     • Brumley’s approach cannot be used on obfuscated binaries, while Packet Vaccine can
     • Packet Vaccine is significantly faster

  22. Performance Evaluation
     • Experiment Environment
       • Protected Program: Apache 2.0.55 on Linux
       • Performance Tester: ApacheBench 2.0.41-dev
     • Architecture (diagram)

  23. Server Overheads
     • D0, D1: on different hosts
     • S0, S1: on the same host
     • Configurations compared (chart): Apache; Apache + proxy; Apache + proxy + packet vaccine

  24. Client-side Delay
     • Local round-trip delay: 300 μs
     • Remote round-trip delay: 75 ms

  25. Limitations by the Author
     • False negatives in exploit detection
       • If the packet vaccine destroys the exploit semantics
       • Especially for binary protocols
     • Difficult to apply to packets with encrypted payloads or checksums
       • An application-level proxy is needed
     • Less expressive signatures
       • The exploit condition cannot be described in the signature

  26. Limitations by the Presenter
     • An alphanumeric return address can be used to fool Packet Vaccine
     • Exceptions are more common than exploitable vulnerabilities
     • Packet Vaccine is highly application-dependent
       • Heap & stack sizes must be recalculated whenever the application is updated
       • Syntax tokens must be gathered
       • The decoding mechanism is not simple
     • It is difficult to protect a single-threaded application with Packet Vaccine
       • A test server is needed
       • Parallel vaccine testing is impossible

  27. Conclusion
     • Black-box exploit detection
     • Effective signature generation
     • Low false positives by using host information
     • Low overhead and easy deployment
       • Only a lightweight collector needs to be installed on the host to gather forensic data from an exception

  28. Q&A
     • Thanks for listening!