1 / 11

Sencun Zhu Assistant Professor CSE and IST, PSU

Sencun Zhu Assistant Professor CSE and IST, PSU. Research. Interest security, networking Recent Professional activities Program Co-Chair: ACM SASN’06. TPC member: ACM CCS’07, IEEE Infocom’07, ICICS’06 Treasure: ACM CCS’07 Current Support Army Research Office (ARO), NSF CyberTrust.

keitha
Download Presentation

Sencun Zhu Assistant Professor CSE and IST, PSU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sencun Zhu Assistant Professor CSE and IST, PSU

  2. Research • Interest • security, networking • Recent Professional activities • Program Co-Chair: ACM SASN’06. • TPC member: ACM CCS’07, IEEE Infocom’07, ICICS’06 • Treasure: ACM CCS’07 • Current Support • Army Research Office (ARO), NSF CyberTrust

  3. Current Projects • Security and reliability for sensor networks • Key management framework that supports in-network processing as well as localizes the impact of node compromises • Secure sensor data aggregation • Security and privacy for data-centric sensor networks • Source location anonymity • Applications of sensor networks to public safety • Security for ad hoc networks • Network access control for combating resource consumption attacks • Traceback of compromised nodes in mobile ad hoc networks • Security for Peer-to-Peer Networks • Efficient key managements and DDoS attack prevention • Detection and identification of malicious nodes • Worm containment • Code Security • Containing email worm • Blocking buffer overflow attacks by static code analysis

  4. SigFree: A Signature-free Buffer Overflow Attack Blocker with Xinran Wang, Chi-Chun Pan, Peng Liu A related paper appeared in Usenix Security 2006

  5. Motivation • Buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services • E.g., Web Servers, Microsoft SQL Servers, BIND, SNMP, and other remote access services • SigFree blocks attacks by detecting the presence of code

  6. Code or Data? • Instruction Sequence Distiller (ISD) • distill instruction sequences from the requests by disassembly • however, instruction sequences may be distilled from any binary strings • Instruction Sequence Analyzer (ISA) • use a data flow analysis method called code abstraction to check whether an instruction sequence is really a segment of a program.

  7. Exploiting Data Flow Anomaly • Observation • a random instruction sequence normally is full of data flow anomalies, whereas a real program has few or no data flow anomalies • however, due to possible obfuscation, the number of data flow anomalies cannot be directly used to distinguish a program from a random instruction sequence • Code Abstraction • based on data flow anomalies, some instructions are “useless”, whereas in a real program at least one execution path have a certain number of “useful” instructions • remove those useless instructions • Criteria • if the number of useful instructions after code abstraction exceeds a threshold, the instruction sequence is a segment of a program

  8. Evaluation– Inputs • 50 attack messages generated by the Metasploit Toolkit • Worm Slammer • Code Red and one of its variations • 1500 binary normal requests • encrypted data • audio • jpeg, png, gif • flash

  9. Evaluation Results • normal requests contain less than 15 useful instructions • attack requests contain more than 18 • We can set the threshold a value between 15 and 17

  10. Detection of Polymorphic Shellcode ADMmutate . encrypted shellcode . replace NOP with one-byte instruction . 100 CLET . decipher routine varies each time . replace NOP with 2~3 byte instruction . 100 Observations: . ADMmutate: #useful instructions: 17~39 . CLET: #useful instructions: 18~25

  11. Impact of SigFree Processing on The Normal Web Requests

More Related