02/06/2006 s. felix wu @ cs club
DESCRIPTION
TRANSCRIPT
![Page 1: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/1.jpg)
02/06/2006 S. Felix Wu @ CS Club 1
CS Club Presentation:
On Network-based Defense On Network-based Defense against Software Vulnerabilitiesagainst Software Vulnerabilities
Dr. S. Felix Wu
Computer Science Department
University of California, Davishttp://www.cs.ucdavis.edu/~wu/
![Page 2: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/2.jpg)
02/06/2006 S. Felix Wu @ CS Club 2
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread
![Page 3: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/3.jpg)
02/06/2006 S. Felix Wu @ CS Club 3
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread
WORM is causing Internet-wide instability.
![Page 4: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/4.jpg)
02/06/2006 S. Felix Wu @ CS Club 4
2T
Slammer BGPInternet routing stability analysis on a Beijing prefix
09/01/2002 01/31/2003
![Page 5: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/5.jpg)
02/06/2006 S. Felix Wu @ CS Club 5
Network meets SoftwareNetwork meets Software An interesting interaction among the
Internet, the software on the hosts, and the worms themselves.
The “short-term” Reality:– Estimated 40~50% of Internet hosts are still
vulnerable to CodeRed (one+ year ago).
![Page 6: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/6.jpg)
02/06/2006 S. Felix Wu @ CS Club 6
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread WORM is causing Internet-wide instability. WORM is a critical first step for the attacker
to quickly build the large-scale attacking infrastructure.
![Page 7: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/7.jpg)
02/06/2006 S. Felix Wu @ CS Club 7
WORM + DDoSWORM + DDoS
Victim
ISP.com
![Page 8: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/8.jpg)
02/06/2006 S. Felix Wu @ CS Club 8
Two Types of VulnerabilitiesTwo Types of Vulnerabilities
code code
codecode
injected
Memory-LevelWithin the same active process File-Level
Different/new process
Clickme.exe MSword.exe
![Page 9: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/9.jpg)
02/06/2006 S. Felix Wu @ CS Club 9
They are getting better…They are getting better…
The rapid evolution of the “attacker’s community”
And, many thanks to our rapid growing software industry in the past “N” years as well…
![Page 10: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/10.jpg)
02/06/2006 S. Felix Wu @ CS Club 10
Software VulnerabilitySoftware Vulnerability Software vulnerabilities are weaknesses,
being introduced during the “software engineering” process, that can potentially be exploited by attackers.– OS kernels, device drivers, applications…
There are other types of vulnerabilities in our software systems that can be exploited.
![Page 11: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/11.jpg)
02/06/2006 S. Felix Wu @ CS Club 11
Software VulnerabilitySoftware Vulnerability
Difficulties in security management– we don’t know how attackers are going to attack
us,– And, we don’t know which vulnerabilities
can/will be exploited, either.
![Page 12: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/12.jpg)
02/06/2006 S. Felix Wu @ CS Club 12
Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches
– better software engineering– better vulnerabilities understanding
![Page 13: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/13.jpg)
02/06/2006 S. Felix Wu @ CS Club 13
Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches
– better software engineering– better vulnerabilities understanding
Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for “quite a while.”
![Page 14: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/14.jpg)
02/06/2006 S. Felix Wu @ CS Club 14
What is a “vulnerability”?What is a “vulnerability”?
???
![Page 15: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/15.jpg)
02/06/2006 S. Felix Wu @ CS Club 15
Vulnerability vs. ExploitVulnerability vs. Exploit
Vulnerability– the “weak” points in the software– applications or even the kernel itself– “control flow hijack” based on buffer overflow.
Exploit– the attack code utilizing one or more
vulnerabilities
![Page 16: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/16.jpg)
02/06/2006 S. Felix Wu @ CS Club 16
Buffer OverflowBuffer OverflowSome unsafe functions in C library:strcpy(char *dest, const char *src);strcat(char *dest, const char *src);getwd(char *buf);gets(char *s);fscanf(FILE *stream, const char *format, ...);scanf(const char *format, ...);realpath(char *path, char resolved_path[]);sprintf(char *str, const char *format);
NoVerification
……
![Page 17: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/17.jpg)
02/06/2006 S. Felix Wu @ CS Club 17
![Page 18: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/18.jpg)
02/06/2006 S. Felix Wu @ CS Club 18
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
![Page 19: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/19.jpg)
02/06/2006 S. Felix Wu @ CS Club 19
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
![Page 20: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/20.jpg)
02/06/2006 S. Felix Wu @ CS Club 20
int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdbcde”);}
b
a
high
low
ret address
SFP
05 00 00 00
65 00 00 00
64 62 63 64
72 65 70 68
73 65 63 75Buffer Overflow
5
e
d b c d
r e p h
s e c u
![Page 21: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/21.jpg)
02/06/2006 S. Felix Wu @ CS Club 21
int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdaaabbbbcccceeeeffff”);}
b
a
high
low
ret address
SFP
5
123
63 63 63 63
62 62 62 62
64 61 61 61
72 65 70 68
73 65 63 75
65 65 65 65
64 64 64 64
Ret Overflow
Segmentation fault...
RetAddr = 0x65656565
![Page 22: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/22.jpg)
02/06/2006 S. Felix Wu @ CS Club 22
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
![Page 23: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/23.jpg)
02/06/2006 S. Felix Wu @ CS Club 23
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
![Page 24: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/24.jpg)
02/06/2006 S. Felix Wu @ CS Club 24
Control Flow HijackControl Flow Hijack I want “my code” executed!
– Malicious code injection– Control flow redirection/hijacking
code code
![Page 25: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/25.jpg)
02/06/2006 S. Felix Wu @ CS Club 25
A Single Packet ExploitA Single Packet Exploit
Attack CodeExploit
(ReturnAddr)
Return Address == 0x4739a304
![Page 26: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/26.jpg)
02/06/2006 S. Felix Wu @ CS Club 26
Network-based SolutionsNetwork-based Solutions
“Intrusion Prevention Systems” or “Advanced Firewalls”
IntrusionPreventionSystem
Legacyvictims
packet packet
analyze & drop
![Page 27: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/27.jpg)
02/06/2006 S. Felix Wu @ CS Club 27
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
Example
![Page 28: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/28.jpg)
02/06/2006 S. Felix Wu @ CS Club 28
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
Example: NOP-sled
Sometime we can not easily determine the “exact” memory address to jump into…
![Page 29: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/29.jpg)
02/06/2006 S. Felix Wu @ CS Club 29
““NOP Sled” EngineeringNOP Sled” Engineering
Attack CodeExploit
(ReturnAddr)
Attack CodeExploit
(ReturnAddr)NOP NOPNOP NOP
code[] = “\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47”;
strcpy(buf, code);
buf = “\xeb\x2a\x5f\xc6\x47\x07”
And, sometimes, we simply want to find a way to avoid “\x00”.
![Page 30: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/30.jpg)
02/06/2006 S. Felix Wu @ CS Club 30
attack polymorphismattack polymorphism(many different ways)(many different ways)
Attack CodeExploit
(ReturnAddr)
Attack CodeExploit
(ReturnAddr)Decryption
Code
The Signature Explosion Problem!!
![Page 31: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/31.jpg)
02/06/2006 S. Felix Wu @ CS Club 31
Vulnerability vs. ExploitVulnerability vs. Exploit
1 M or N M Polymorphic tools available
– A Naïve approach: M
Can we find the “invariants”?– We need to avoid “signature explosion”…
![Page 32: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/32.jpg)
02/06/2006 S. Felix Wu @ CS Club 32
Attack CodeExploit
(ReturnAddr)Decryption
Code
Attack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
![Page 33: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/33.jpg)
02/06/2006 S. Felix Wu @ CS Club 33
Detecting “NOP Sleds”Detecting “NOP Sleds”
“Intrusion Prevention Systems” or “Advanced Firewalls”
IntrusionPreventionSystem
Legacyvictims
packet packet
analyze & drop
NOP SledSignatures
![Page 34: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/34.jpg)
02/06/2006 S. Felix Wu @ CS Club 34
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
A WORM with a NOP-Sled
![Page 35: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/35.jpg)
02/06/2006 S. Felix Wu @ CS Club 35
0000000 5247 5237 5759 9199 984e 602f 4b58 9555 0000010 3792 4997 6059 5a5d 979c 9199 9242 9349 0000020 495e 5b37 4740 5d4f 4f99 975f 4492 3797 0000030 4297 9e93 4598 404a 9696 4652 5150 5e4f 0000040 454d 99fc 5251 5042 9b37 4042 4a95 4459 0000050 4592 4998 935f 275f 985d f84e 4991 fc96 0000060 9796 4637 5b3f 9751 9754 9f5a 9543 4c9e 0000070 4740 9c96 499f 5652 934e 5355 479b 91f8 0000080 48fc 5d60 4742 9755 4450 4441 4697 5697 0000090 5b52 494f 434d 5899 f827 9957 4346 9796 00000a0 404c 4a45 6040 404c 4957 5798 99f9 569b 00000b0 4145 96fc 5140 4c56 f946 9348 4f4d f8f8 00000c0 2f59 4c46 9647 4747 9e48 5137 4142 5b4d 00000d0 545f 55f9 5e56 4191 9249 519e 559e 6099
A Polymorphic WORM
![Page 36: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/36.jpg)
02/06/2006 S. Felix Wu @ CS Club 36
NOP sledsNOP sleds
“NOP sled” can/will NOT be a useful signature in detecting future WORMs…
80~90% of the WORMs today don’t really need “NOP sleds” but, historically, they are still “left” there.
![Page 37: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/37.jpg)
02/06/2006 S. Felix Wu @ CS Club 37
BUTTERCUPBUTTERCUP
Ideas:– Given a software exploit, the hacker can
encrypt the malicious code but not the “hijacking” entry point (e.g., return address).
– The hacker can twist the “return address” but practically not infinitely a range of memory addresses.
![Page 38: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/38.jpg)
02/06/2006 S. Felix Wu @ CS Club 38
Memory Address RangesMemory Address Ranges
Arguments
Return address
Prev. frame pointer
Local variables
Arguments
Return address
Prev. frame pointer
Local variables
One “Exploit”has one “return address” value, but another exploit based on the same vulnerability might be using a different return address.
![Page 39: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/39.jpg)
02/06/2006 S. Felix Wu @ CS Club 39
size, offset and depthsize, offset and depth
Arguments
Return address
Prev. frame pointer
Local variables
Attack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
0x42b0caa4
0x42b0c914
Is this packet a Slammer worm or a suspect “utilizing” the same vulnerability?
performance& false positive
![Page 40: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/40.jpg)
02/06/2006 S. Felix Wu @ CS Club 40
BUTTERCUPdetection/prevention victim
packet packet
memoryrangetable
analyze & drop
19 known exploits/vulnerabilities
IPUPR. LYR. PAYLOAD TCP/UDP HDR
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
False Positive??
IDS/IPSpreprocessing
![Page 41: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/41.jpg)
02/06/2006 S. Felix Wu @ CS Club 41
![Page 42: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/42.jpg)
02/06/2006 S. Felix Wu @ CS Club 42
about about 30~180 days30~180 days In July, 2002 Microsoft announced the vulnerabilities!
On January 25, 2003 05:30 UTC, slammer was out!
We had about 6 months back then!!
BUTTERCUP, a network based approach, might have been more practical and scaleable than Windows Update!!
![Page 43: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/43.jpg)
02/06/2006 S. Felix Wu @ CS Club 43
LimitationLimitation
BUTTERCUP will only work for “known vulnerabilities”!
– But, it may work for Zero-day exploits based on known vulnerabilities.
![Page 44: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/44.jpg)
02/06/2006 S. Felix Wu @ CS Club 44
Register SpringRegister Spring
We in general don’t know which “thread stack” will be used?! 4 millions in memory differences.
![Page 45: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/45.jpg)
02/06/2006 S. Felix Wu @ CS Club 45
Register SpringRegister SpringHigh
LowStack Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
jmp ESP
foo
barret
11,000
![Page 46: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/46.jpg)
02/06/2006 S. Felix Wu @ CS Club 46
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
![Page 47: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/47.jpg)
02/06/2006 S. Felix Wu @ CS Club 47
SlammerSlammer
![Page 48: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/48.jpg)
02/06/2006 S. Felix Wu @ CS Club 48
ESP (Stack Pointer)ESP (Stack Pointer)
Register springs off of ESP utilize the compiler conventions for managing stack frames
![Page 49: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/49.jpg)
02/06/2006 S. Felix Wu @ CS Club 49
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
ESP
![Page 50: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/50.jpg)
02/06/2006 S. Felix Wu @ CS Club 50
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
ESP
High
![Page 51: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/51.jpg)
02/06/2006 S. Felix Wu @ CS Club 51
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP
High
![Page 52: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/52.jpg)
02/06/2006 S. Felix Wu @ CS Club 52
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP/EBP
MyBuffer
High
![Page 53: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/53.jpg)
02/06/2006 S. Felix Wu @ CS Club 53
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP/EBP
MyBuffer
Low
![Page 54: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/54.jpg)
02/06/2006 S. Felix Wu @ CS Club 54
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP
MyBuffer
(EBP == Attack5)
code
jmp ESP
Low
![Page 55: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/55.jpg)
02/06/2006 S. Felix Wu @ CS Club 55
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP
MyBuffer
(EBP == Attack5)
Attack6:JMP ESP
![Page 56: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/56.jpg)
02/06/2006 S. Felix Wu @ CS Club 56
NotesNotes
This is how Slammer worked, Sasser is very similar, as are a couple of others
Bogus return pointer is Attack6, payload starts at Attack7
![Page 57: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/57.jpg)
02/06/2006 S. Felix Wu @ CS Club 57
Other registersOther registers Register springs off of other registers utilize
the compiler conventions for managing buffers (i.e. EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …)
Blaster RPC DCOM used EBX, ASN.1 uses EDI, Code Red II used EBX
![Page 58: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/58.jpg)
02/06/2006 S. Felix Wu @ CS Club 58
DCOM Exploits in svchostDCOM Exploits in svchost(Blaster)(Blaster)
0xff 0xd3 is CALL EBX which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well.
a little over 11,000 in svchost 0x0100139d is the only one that Blaster
used and is the one the publicly available DCOM exploit uses.
![Page 59: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/59.jpg)
02/06/2006 S. Felix Wu @ CS Club 59
High
LowStack Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
jmp ESP
foo
barret
11,000
…
…
![Page 60: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/60.jpg)
02/06/2006 S. Felix Wu @ CS Club 60
BUTTERCUPdetection/prevention victim
packet packet
memoryrangetable dropknown
exploits
11,000 Signatures for ONE vulnerability!!
False Positive on BUTTERCUP???
![Page 61: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/61.jpg)
02/06/2006 S. Felix Wu @ CS Club 61
Register Spring+PolymorphicRegister Spring+Polymorphic
Attack CodeExploit
(RegisterSpring)Decryption
CodeNOP NOPNOP NOP
????
“0x0100139d”
![Page 62: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/62.jpg)
02/06/2006 S. Felix Wu @ CS Club 62
Buttercup, the chickenButtercup, the chicken She liked to east worms among other stuffs. She attacked Mrs. Wu precious garden. She refused to lay eggs after being
quarantined. She died (about the same time the project
Buttercup died…) because of aggressiveness on eating too much junk foods.
![Page 63: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/63.jpg)
02/06/2006 S. Felix Wu @ CS Club 63
EBX-based ButtercupEBX-based Buttercup(a possible project idea)(a possible project idea)
Among all the memory address for call ebx (0xff 0xd3 -- 11000+ of them), only four of them are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3. But, the rest of them (the majority 10000+) are all from 0x7585149f to 0x77fbc10b.
0x0100139d 0x010013a2 0x01001c83 0x01001cc7 0x719555a4 0x71c637b3 0x7585149f 0x77fbc10b
![Page 64: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/64.jpg)
02/06/2006 S. Felix Wu @ CS Club 64
Exploit Exploit VulnerabilityVulnerability
Exploit: controlled by the attackersVulnerability: controller/limited by the defense
![Page 65: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/65.jpg)
02/06/2006 S. Felix Wu @ CS Club 65
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP System State Changes
How can each of the stages be polymorphic?
![Page 66: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/66.jpg)
02/06/2006 S. Felix Wu @ CS Club 66
Vulnerability and IDS/IPSVulnerability and IDS/IPS Software Vulnerability is a very difficult issue
to manage, especially on the wire.– Naïve payload analysis will be much less
meaningful– Not focus on the intention of the attacker first
Too many possibilities
– Focus on how their code can get in! A more humble goal
Signature: simple & yet powerful??
![Page 67: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/67.jpg)
02/06/2006 S. Felix Wu @ CS Club 67
BUTTERCUP MINOS
DACODA
packet packet
alertcorrelation ranges
Unknown-vulnerability Collaborative Defense(UCD)
1
2
3
![Page 68: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/68.jpg)
02/06/2006 S. Felix Wu @ CS Club 68
UCD-MINOS
MS-Host
MS-Host
MS-HostMS-Host
MS-Host
UCD-MINOS
UCD-BUTTERCUP
UCD-BUTTERCUP
Internet
UCD-DACODA
It is not perfect, but it is a reasonable & practical trade-off between large-scale system administration (manageability) and security!
![Page 69: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/69.jpg)
02/06/2006 S. Felix Wu @ CS Club 69
Host-based ApproachHost-based Approach Minos can resolve all the problems related
to control-flow hijacks with zero-false positive.
![Page 70: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/70.jpg)
02/06/2006 S. Felix Wu @ CS Club 70
Full Virtualization with Security Enhancements(Minos/DaCodA)
Unmodified OS (XP, Linux, Solaris, or, FreeBSD)
Unmodified Applications
Hardware
Secure virtualizationSecure virtualization
![Page 71: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/71.jpg)
02/06/2006 S. Felix Wu @ CS Club 71
MinosMinos Can we detect “vulnerabilities/exploits” with only
one signature/invariance at run-time?– We are not performing analysis on source code!
we might not have it, and, it might be too late.– “Run-Time” system monitoring– Anomaly detection False Positive/Negative
Detecting “Control Flow Hijacks”– from the CPU point of view
A surprisingly simple practical solution with “zero false positive”… at least empirically.
![Page 72: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/72.jpg)
02/06/2006 S. Felix Wu @ CS Club 72
Arguments
Return address
Prev. frame pointer
Local variables
Control Flow HijackControl Flow Hijack
code code
High Integrity Low Integrity
![Page 73: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/73.jpg)
02/06/2006 S. Felix Wu @ CS Club 73
Information Integrity LabelingInformation Integrity Labeling
“source identification” of information,– especially, when we are going to hand over the
“control flow” to a particular piece of data.– One extra integrity bit for every memory word.
Minos:– Low integrity: 0 - from the NIC– High integrity: 1 - other sources
![Page 74: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/74.jpg)
02/06/2006 S. Felix Wu @ CS Club 74
Bochs-Emulated MinosBochs-Emulated MinosWinXP Linux
PentiumEmulationmodifiedBochs VM
Host OSs
Virtual MemoryTracing
NE2000
![Page 75: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/75.jpg)
02/06/2006 S. Felix Wu @ CS Club 75
MinosMinos
MINOS
Bochs
TracingWithoutModifyingOS kernel orApplications(no source code or binary rewrite)
jmpcallret
Un-trusted low-integrity information is being propagated, combined, modified…
![Page 76: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/76.jpg)
02/06/2006 S. Felix Wu @ CS Club 76
Biba’s Low-water-markBiba’s Low-water-mark Integrity Policy Integrity Policy
Tracks the “taintedness” of data Access controls are based on accesses a
subject has made in the past
![Page 77: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/77.jpg)
02/06/2006 S. Felix Wu @ CS Club 77
When an attack is When an attack is caught…caught…
Control-flow related instructions low integrity data– Examples: call, jmp, ret
![Page 78: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/78.jpg)
02/06/2006 S. Felix Wu @ CS Club 78
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
ESP
![Page 79: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/79.jpg)
02/06/2006 S. Felix Wu @ CS Club 79
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
ESP
High
![Page 80: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/80.jpg)
02/06/2006 S. Felix Wu @ CS Club 80
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP
High
![Page 81: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/81.jpg)
02/06/2006 S. Felix Wu @ CS Club 81
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP/EBP
MyBuffer
High
![Page 82: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/82.jpg)
02/06/2006 S. Felix Wu @ CS Club 82
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP/EBP
MyBuffer
Low
![Page 83: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/83.jpg)
02/06/2006 S. Felix Wu @ CS Club 83
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP
MyBuffer
(EBP == Attack5)
code
jmp ESP
Low
![Page 84: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/84.jpg)
02/06/2006 S. Felix Wu @ CS Club 84
FP & FNFP & FN Against real attacks (30~50 per months) under 4
static IP addresses– We have changed/reconfigured to try different
software patches and versions.
– Many high-frequency attacks were patched.
Control Flow Hijack– Zero false positive (a proof?)
How about False Negative?– Information flow, and virtual memory
![Page 85: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/85.jpg)
02/06/2006 S. Felix Wu @ CS Club 85
Full Virtualization with Security Enhancements(Minos/DaCodA)
Unmodified OS (XP, Linux, Solaris, or, FreeBSD)
Unmodified Applications
Hardware
For Minos/DaCodA, we modified the Pentium architecture in Bochs, an open source VM, to prevent control flow hijack attacks with zero false positive.
Published in DIMVA’2005 & ACM CCS’2005
![Page 86: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/86.jpg)
02/06/2006 S. Felix Wu @ CS Club 86
MINOS MINOS DACODA DACODA
exploit vulnerability invariant signature
![Page 87: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/87.jpg)
02/06/2006 S. Felix Wu @ CS Club 87
MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005
![Page 88: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/88.jpg)
02/06/2006 S. Felix Wu @ CS Club 88
MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005 DACODA: ACM CCS’2005
– UnderStand the amount of possible Polymorphisms– “negative results”
Why Buttercup, Taintcheck, Polygraph, Earlybird, and basically all existing network-based solutions won’t work!!
![Page 89: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/89.jpg)
02/06/2006 S. Felix Wu @ CS Club 89
Understanding the Understanding the ExploitsExploits Attacks are much more complex than
our naïve belief, based on our analysis of 14+ recent exploits
![Page 90: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/90.jpg)
02/06/2006 S. Felix Wu @ CS Club 90
![Page 91: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/91.jpg)
02/06/2006 S. Felix Wu @ CS Club 91
Simple view of buffer Simple view of buffer overflowsoverflows
![Page 92: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/92.jpg)
02/06/2006 S. Felix Wu @ CS Club 92
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP System State Changes
How can each of the stages be polymorphic?
![Page 93: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/93.jpg)
02/06/2006 S. Felix Wu @ CS Club 93
Network-based SolutionsNetwork-based Solutions
“Intrusion Prevention Systems” or “Advanced Firewalls”
IntrusionPreventionSystem
Legacyvictims
packet packet
analyze & drop
No simple payload signature!!
![Page 94: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/94.jpg)
02/06/2006 S. Felix Wu @ CS Club 94
Vulnerability Vulnerability Primitive Primitive Primitive
– The capability for the attacker to put a value in a particular memory address.
– A memory system state change
NoVerification
……
And, we “might” have to perform such analysis on the wire!!
![Page 95: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/95.jpg)
02/06/2006 S. Felix Wu @ CS Club 95
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP System State Changes
Focus on “Primitives” being used in the “Epsilon” phase!
Application dependent analysis
![Page 96: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/96.jpg)
02/06/2006 S. Felix Wu @ CS Club 96
Asymmetric InformationAsymmetric Information
Can we fill the gap??
![Page 97: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/97.jpg)
02/06/2006 S. Felix Wu @ CS Club 97
Full Virtualization with Security Enhancements(Minos/DaCodA)
Unmodified OS (XP, Linux, Solaris, or, FreeBSD)
Unmodified Applications
Hardware
IPS IPS virtualization virtualization
NIDS/NIPS
Recovery in Memory
What types of roll-backs will make the most sense practically?OS versus Applications
![Page 98: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/98.jpg)
02/06/2006 S. Felix Wu @ CS Club 98
SecLab @ UCDavis
![Page 99: 02/06/2006 S. Felix Wu @ CS Club](https://reader030.vdocuments.mx/reader030/viewer/2022013003/54b80e624a7959530f8b46f7/html5/thumbnails/99.jpg)
02/06/2006 S. Felix Wu @ CS Club 99
AVISLet’s
Thursday10 a.m.~12 p.m.1131 Kemper