Dr. XiaoFeng Wang Spring 2006
Packet Vaccine: Black-box Exploit Detection and Signature Generation
XiaoFeng Wang, Zhuowei Li, Jun Xu, Mike Reiter, Chongkyung Kil and Jong Youl Choi
Automated Exploit Defense
Expectations for Automated Defense?
A perfect fix to vulnerable software?
A reasonably secure, quickly generated fix seems more realistic
Automatic Exploit Defense: the State of the Art
Source-code instrumentation
Static analysis of source code
Monitoring an application's execution up to the break point
Static analysis of binary code
Vaccine
Vaccine: a weakened virus or bacterium used to stimulate antibody production
How about a black-box “packet vaccine” ?
IDEAS
1. Scramble the anomalous payload
2. Observe the resulting exception and analyze it
3. Inject vaccine variants
Properties
Fast Exploit Detection
Black-box Signature Generation
Works on obfuscated code
Little or no modification to the protected system
Design
1. Vaccine Generation
2. Exploit Detection
3. Vulnerability Analysis
4. Signature Generation
Vaccine Generation
How to generate a weakened exploit?
Our approach:
1. Identify an address-like byte token in a packet
2. Randomize it
Address-like Tokens
Use the address ranges of the process: stack (below 0xc0000000), heap (above 0x08048000), entries of some libc functions
Where to get them? Linux: /proc/pid/maps; Windows: debugging tools / memory monitoring tools
Example
The byte sequence 7801cbd3 (carried in the request as %ucbd3%u7801, two little-endian 16-bit halves) falls in the address range of "msvcrt.dll"
Original Code Red:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n
Vaccine for Code Red (the three copies of %u7801 replaced by random words):
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%ua001%u9090%u6858%ucbd3%u0401%u9090%u6858%ucbd3%u8c01%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n
Exploit Detection and Vuln. Diagnosis
Detection: an exception happens when the scrambled address is used
Diagnosis: pick up the contents of CR2 (the faulting address; a ptrace-based verifier sees it as the SIGSEGV si_addr) and EIP, match them against the scrambled byte sequences, and locate the corrupted pointer
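The vaccine-generation and diagnosis steps above, worked through as added example code (not the authors' implementation). The /proc/<pid>/maps excerpt, the assumed msvcrt.dll load range 0x78000000-0x78046000, and the seeded random generator are assumptions made for the example; the abridged Code Red request is reconstructed from the slide. The code decodes IIS-style %uXXXX escapes, flags every 4-byte little-endian word that lands in a mapped range, overwrites each with a random word outside every mapping (rescanning, since a fresh random word could itself look like an address), writes the result back through the original encoding, and matches a reported faulting address or EIP back to the token that was scrambled.

```python
import random
import re
import struct

# Constructed /proc/<pid>/maps excerpt (an assumption, not data from the
# slides) for a Linux server process; only the address ranges are used.
SAMPLE_MAPS = """\
08048000-08053000 r-xp 00000000 03:05 1234 /usr/sbin/httpd
08053000-08055000 rw-p 0000b000 03:05 1234 /usr/sbin/httpd
08055000-08077000 rw-p 00000000 00:00 0    [heap]
40000000-40015000 r-xp 00000000 03:05 5678 /lib/ld-2.2.5.so
42000000-42126000 r-xp 00000000 03:05 9012 /lib/i686/libc-2.2.5.so
bfffe000-c0000000 rwxp fffff000 00:00 0    [stack]
"""
# Assumed load range of msvcrt.dll on the Windows 2000/IIS target of Code
# Red; the slide's 0x7801cbd3 falls inside it.
WINDOWS_RANGES = [(0x78000000, 0x78046000, "msvcrt.dll")]

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")
UNICODE_ESCAPE = re.compile(rb"%u([0-9a-fA-F]{4})")  # IIS %uXXXX escape

def parse_maps(text):
    """/proc/<pid>/maps lines -> (lo, hi, name) address ranges."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3) or "anon"))
    return out

RANGES = parse_maps(SAMPLE_MAPS) + WINDOWS_RANGES

def range_of(value, ranges=RANGES):
    """Name of the mapping containing value, or None."""
    for lo, hi, name in ranges:
        if lo <= value < hi:
            return name
    return None

def tokenize(packet):
    """Split a packet into units (decoded_bytes, was_%u_escape); each %uXXXX
    stands for the 16-bit value XXXX in little-endian byte order."""
    units, i = [], 0
    while i < len(packet):
        m = UNICODE_ESCAPE.match(packet, i)
        if m:
            units.append((struct.pack("<H", int(m.group(1), 16)), True))
            i = m.end()
        else:
            units.append((packet[i:i + 1], False))
            i += 1
    return units

def encode(units):
    """Inverse of tokenize: re-emit %u escapes around their (possibly modified) bytes."""
    return b"".join(b"%%u%04x" % struct.unpack("<H", u)[0] if esc else u for u, esc in units)

def find_address_tokens(data, ranges=RANGES):
    """(offset, value, mapping) for each 4-byte little-endian word inside a mapped range."""
    found, i = [], 0
    while i + 4 <= len(data):
        value = struct.unpack_from("<I", data, i)[0]
        name = range_of(value, ranges)
        if name:
            found.append((i, value, name))
            i += 4          # skip past the token instead of re-reading its tail
        else:
            i += 1
    return found

def scan_packet(packet, ranges=RANGES):
    return find_address_tokens(b"".join(u for u, _ in tokenize(packet)), ranges)

def make_vaccine(packet, ranges=RANGES, seed=0, max_rounds=16):
    """Scramble every address-like token; returns (vaccine, [(offset, old, new)])."""
    units = tokenize(packet)
    data = bytearray(b"".join(u for u, _ in units))
    rng, scrambled = random.Random(seed), []
    for _ in range(max_rounds):   # rescan until no window looks like an address
        tokens = find_address_tokens(data, ranges)
        if not tokens:
            break
        for off, old, _ in tokens:
            new = rng.getrandbits(32)
            while range_of(new, ranges):      # must fault: keep it outside every mapping
                new = rng.getrandbits(32)
            struct.pack_into("<I", data, off, new)
            scrambled.append((off, old, new))
    out, pos = [], 0
    for u, esc in units:                      # write back through the original encoding
        out.append((bytes(data[pos:pos + len(u)]), esc))
        pos += len(u)
    return encode(out), scrambled

def diagnose(fault_address, eip, scrambled):
    """Offsets of scrambled tokens matching the faulting address (CR2 / si_addr) or EIP."""
    return [off for off, _, new in scrambled if new in (fault_address, eip)]

# Abridged Code Red request reconstructed from the slide; 0x7801cbd3 is
# carried as %ucbd3%u7801 (two little-endian 16-bit halves).
CODE_RED = (b"GET /default.ida?" + b"N" * 224
            + b"%u9090%u6858%ucbd3%u7801" * 3
            + b"%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n")
```

Scanning every byte offset rather than only aligned words matters because the pointer can start anywhere in the payload; the three hits in the Code Red request begin at decoded offsets 245, 253 and 261, four bytes into each repeated block.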
Signature Generation (1)
Application-independent signatures: byte sequences
Byte-based Vaccine Injection (BVI): modify one byte (and re-randomize the jump address), send the packet to the application; if it no longer crashes, that byte is important and belongs in the signature
Signature Generation (2)
Application-level signatures: field length (buffer overrun), special symbols (e.g., "%n" for format strings)
Application-based Vaccine Injection (AVI): shrink the field to the minimal length that still crashes the application; remove special tokens and confirm the crash no longer occurs
Performance
BVI is parallelizable for multi-process applications
AVI can be enhanced by binary search
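The BVI and AVI procedures from the two Signature Generation slides and the binary-search refinement from the Performance slide, as one added example (not the authors' Verifier/Prober code). In place of an application run under ptrace it uses a constructed toy request parser that "crashes" when a GET path exceeds a 680-byte buffer or contains %n, the two bug classes the slides name; the toy server, the crash oracle interface, the byte-flip choice (XOR 0x01) and the two sample requests are assumptions. BVI flips one byte at a time and keeps the bytes whose change stops the crash; AVI binary-searches the minimal field length and tests whether blanking a special token (with same-length filler, so the length result is not confounded) removes the crash.

```python
BUF_SIZE = 680  # assumed buffer size of the toy server (680 is the slide's ATPhttpd figure)

def toy_server_crashes(packet: bytes) -> bool:
    """Constructed stand-in for the ptrace Verifier: True means the request
    would raise an exception in the (imaginary) vulnerable server."""
    parts = packet.split()
    if len(parts) != 3:
        return False
    method, path, version = parts
    if method != b"GET" or not version.startswith(b"HTTP/"):
        return False
    return len(path) > BUF_SIZE or b"%n" in path   # overflow or format string

def bvi_signature(packet, crashes):
    """Byte-based Vaccine Injection: a byte is important when changing it
    alone makes the crash disappear. Returns runs of (offset, bytes)."""
    important = []
    for i in range(len(packet)):
        mutated = packet[:i] + bytes([packet[i] ^ 0x01]) + packet[i + 1:]
        if not crashes(mutated):
            important.append(i)
    runs = []
    for i in important:                       # merge adjacent offsets into byte sequences
        if runs and runs[-1][0] + len(runs[-1][1]) == i:
            runs[-1] = (runs[-1][0], runs[-1][1] + packet[i:i + 1])
        else:
            runs.append((i, packet[i:i + 1]))
    return runs

def split_request_path(packet):
    """prefix ("GET "), the path field, suffix (" HTTP/...") of a toy request."""
    a = packet.index(b" ") + 1
    b = packet.index(b" ", a)
    return packet[:a], packet[a:b], packet[b:]

def avi_min_field_length(packet, crashes):
    """Smallest path length that still crashes, found by binary search.
    Assumes crashing is monotone in the field length (true for an overrun)."""
    prefix, field, suffix = split_request_path(packet)
    if not crashes(packet):
        return None
    lo, hi = 0, len(field)                    # invariant: crashes(field[:hi]) holds
    while lo < hi:
        mid = (lo + hi) // 2
        if crashes(prefix + field[:mid] + suffix):
            hi = mid
        else:
            lo = mid + 1
    return lo

def avi_required_tokens(packet, crashes, candidates=(b"%n", b"%s", b"../")):
    """Special tokens whose removal (same-length filler) stops the crash."""
    return [t for t in candidates
            if t in packet and not crashes(packet.replace(t, b"A" * len(t)))]

def signatures(packet, crashes=toy_server_crashes):
    """Both signature kinds for one crashing packet."""
    return {"bvi": bvi_signature(packet, crashes),
            "min_field_length": avi_min_field_length(packet, crashes),
            "required_tokens": avi_required_tokens(packet, crashes)}

# Constructed sample requests: a 701-byte path overrun and a format-string path.
OVERFLOW_REQUEST = b"GET /" + b"A" * 700 + b" HTTP/1.0\r\n"
FORMAT_REQUEST = b"GET /cgi?%n%n%n HTTP/1.0\r\n"
```

On the format-string request BVI reports only "GET " and " HTTP/", because no single byte flip removes all three %n tokens; AVI's token test catches it. Each AVI probe costs one run of the application, so the binary search uses about log2(701) probes instead of 701 for the overflow case.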
Implementation
Intercept application-level dataflow to detect suspicious tokens
Scramble them to generate vaccines
Signature generation (RedHat Linux 7.3):
Verifier: implemented using ptrace
Prober: local/remote
Prober and verifier keep a persistent connection; the verifier notifies the prober of exceptions
Experiment: Vaccine Effectiveness
Experiment: Signature Generation
Signature Quality: BIND
Comparison between our signature and MEP (Oakland 06)
Signature Quality: ATPhttpd
MEP gets both "GET" and "HEAD", plus the specific tokens '/' and '//', but a longer field length (812)
AVI: only "GET", but a more precise field length (703)
The real buffer size is 680
False positives
Application: Protecting Internet Servers
[Architecture figure, rendered as text] Normal service requests and exploits arrive at a Detector (e.g., one keyed on suspicious return addresses, or an existing NAD). Suspicious packets are handed to Packet Vaccine, which turns them into vaccines and runs BVI/AVI to produce signatures. The signatures feed a Service Proxy in front of the Server Farm: a Protocol Parser built from known protocol specifications (e.g., the RFC of HTTP) extracts the application-level fields, and a Packet Filter loaded with the application-based signatures drops the exploits while normal service requests pass through. A high-performance router, e.g. the IXP1200, can be applied here.
Server Workload
Configurations: 0: Apache alone; S0: Proxy-same-Apache; S1: Proxy+Vaccine-same-Apache; D0: Proxy-diff-Apache; D1: Proxy+Vaccine-diff-Apache ("same"/"diff": proxy on the same host as Apache or on a different one)
Workload Capacity of Apache Server (requests per second):
0    1435.56
S0   1043.09
S1   1016.07
D0    812.97
D1    804.63
Cost of adding Packet Vaccine: S0 - S1 = 1043.09 - 1016.07 = 27.02 requests/s; D0 - D1 = 812.97 - 804.63 = 8.34 requests/s
Local Client Delay
[Figure] The average client delay (ms, y-axis 0.00 to 2.00) measured by local clients, plotted against the false alarm rate (0 to 100%), for Apache with Packet Vaccine and Apache without Packet Vaccine
Remote Client Delay
[Figure] The average client delay (ms, y-axis 0 to 80) measured by remote clients, plotted against the false alarm rate (0 to 100%), for Apache with Packet Vaccine and Apache without Packet Vaccine
Other Applications
Vulnerability Scanner
A lightweight replacement for Grey-box approaches
Proactive discovery and fix of vulnerabilities
Limitations
False negatives in exploit detection
Encrypted payload and checksums
Signature limitations in representation
Future Work
Generation of more accurate signatures
Proactive detection of software vulnerabilities