
Dr. XiaoFeng Wang Spring 2006

Packet Vaccine: Black-box Exploit Detection and Signature Generation

XiaoFeng Wang, Zhuowei Li, Jun Xu, Mike Reiter, Chongkyung Kil and Jong Youl Choi


Automated Exploit Defense


Expectations for Automated Defense?

A perfect fix to vulnerable software?

A reasonably secure and quickly generated fix seems more realistic


Automatic Exploit Defense: the State of the Art

Source code instrumentation

Static analysis of source code

Monitor an application's execution to the break point

Static analysis of binary code


Vaccine

Vaccine: weakened viruses or bacteria that stimulate antibody production

How about a black-box "packet vaccine"?


IDEAS

1. Scramble the anomalous payload

2. Exception handling and analysis

3. Injection of vaccine variants


Properties

Fast Exploit Detection

Black-box Signature Generation

Works on obfuscated code

Little or no modification to the protected system


Design

1. Vaccine Generation

2. Exploit Detection

3. Vulnerability Analysis

4. Signature Generation


Vaccine Generation

How to generate a weakened exploit?

Our approach:

1. Identify an address-like byte token on a packet

2. Randomize it


Address-like Tokens

Use address ranges: stack (0xc0000000), heap (0x08048000), entries of some libc functions

Where to get them? Linux: /proc/pid/maps; Windows: debugging tools / memory monitoring tools


Example

Byte sequence `7801cbd3' falls in the address range of "msvcrt.dll"

Original Code Red:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n

Vaccine for Code Red (the three address-like tokens scrambled):

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%ua001%u9090%u6858%ucbd3%u0401%u9090%u6858%ucbd3%u8c01%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n


Exploit Detection and Vuln. Diagnosis

Detection: Exception happens

Diagnosis:

Pick up the contents of CR2 and EIP

Match them to the scrambled byte sequences

Locate the corrupted pointer
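The following Python script is added here as an illustration of the vaccine generation and diagnosis steps on the slides above; it is not the authors' Packet Vaccine code. It parses address ranges from /proc/pid/maps-style text (the sample maps text and the sample request are constructed, not captured from a real process), scans a request for 4-byte little-endian words that fall inside a mapping, replaces each with a random word that lies outside every mapping (this example's own policy, an assumption about the paper's exact randomization rule), and then matches a reported EIP/CR2 value back to a scrambled token to locate the corrupted pointer. The 4 KiB CR2 tolerance and all function names are this example's assumptions.

```python
import re
import secrets
import struct

# Constructed sample in /proc/<pid>/maps format (not taken from a real process).
SAMPLE_MAPS = """\
08048000-08058000 r-xp 00000000 03:01 1234      /usr/sbin/httpd
40000000-40015000 r-xp 00000000 03:01 5678      /lib/ld-2.2.5.so
42000000-42126000 r-xp 00000000 03:01 9012      /lib/i686/libc-2.2.5.so
bffeb000-c0000000 rwxp 00000000 00:00 0         [stack]
"""

# Constructed sample request: filler plus two little-endian words that happen
# to fall inside the libc and stack ranges above (hypothetical values).
SAMPLE_PAYLOAD = (b"A" * 64 + struct.pack("<I", 0x42012345)
                  + b"B" * 8 + struct.pack("<I", 0xBFFF0010))

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, name) triples from /proc/<pid>/maps-style text."""
    ranges = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3) or "[anon]"))
    return ranges


def region_of(value, ranges):
    """Name of the mapping containing value, or None if it is unmapped."""
    for start, end, name in ranges:
        if start <= value < end:
            return name
    return None


def find_address_like_tokens(payload, ranges):
    """Scan 4-byte windows as little-endian x86 words; report those inside a mapping.

    Returns (offset, value, region) triples. After a hit the scan skips past
    that token so overlapping windows of the same token are not reported twice.
    """
    hits = []
    off = 0
    while off + 4 <= len(payload):
        word = struct.unpack_from("<I", payload, off)[0]
        name = region_of(word, ranges)
        if name is None:
            off += 1
        else:
            hits.append((off, word, name))
            off += 4
    return hits


def make_vaccine(payload, ranges, randbits=secrets.randbits):
    """Replace each address-like token with a random word outside every mapping.

    Example's own policy (an assumption, not the paper's exact rule): the
    replacement is redrawn until it is unmapped, so using it as a pointer can
    only raise an exception rather than land on mapped code or data.
    Returns the vaccine bytes and a scramble map used later for diagnosis.
    """
    vaccine = bytearray(payload)
    scramble_map = []
    for off, original, region in find_address_like_tokens(payload, ranges):
        scrambled = randbits(32)
        while region_of(scrambled, ranges) is not None:
            scrambled = randbits(32)
        struct.pack_into("<I", vaccine, off, scrambled)
        scramble_map.append({"offset": off, "original": original,
                             "scrambled": scrambled, "region": region})
    return bytes(vaccine), scramble_map


def diagnose(eip, cr2, scramble_map, tolerance=0x1000):
    """Match the faulting EIP / CR2 back to a scrambled token.

    EIP must equal a scrambled word (control flow went through it); CR2 may lie
    up to `tolerance` bytes past one (it was dereferenced as a data pointer
    with a small displacement). The tolerance is this example's assumption.
    """
    matches = []
    for entry in scramble_map:
        s = entry["scrambled"]
        if eip == s:
            matches.append({**entry, "register": "EIP"})
        elif s <= cr2 < s + tolerance:
            matches.append({**entry, "register": "CR2"})
    return matches


if __name__ == "__main__":
    ranges = parse_maps(SAMPLE_MAPS)
    vaccine, smap = make_vaccine(SAMPLE_PAYLOAD, ranges)
    for e in smap:
        print(f"offset {e['offset']}: {e['original']:#010x} ({e['region']}) -> {e['scrambled']:#010x}")
    # Simulate the verifier reporting an exception with EIP equal to the first scrambled word.
    print(diagnose(smap[0]["scrambled"], 0, smap))
```

The scan treats every 4-byte window as a candidate, which is why a real deployment restricts the ranges to the few that an exploit must hit (stack, heap, libc entry points): the wider the ranges, the more benign bytes get scrambled and the more false alarms a vaccine produces.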


Signature Generation (1)

App-independent Signatures: byte sequences

Byte-based Vaccine Injection (BVI): modify one byte (together with the jump address) and send the packet to the application; if it does not crash, that byte is important and belongs in the signature


Signature Generation (2)

Application-level Signatures: field length (buffer overrun), special symbols (e.g., "%n" for a format string)

App-based Vaccine Injection (AVI): find the minimal field length that still crashes; remove special tokens until there is no crash


Performance

BVI is parallelizable for multi-process application

AVI can be enhanced by binary search
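An added Python model of BVI and AVI, written for this page rather than taken from the authors' implementation. The instrumented server is replaced by a constructed oracle that "crashes" when a request beginning with GET / carries a field longer than 680 bytes (680 is the buffer size quoted later in the slides; the parsing rule around it is this example's assumption), and all function names are hypothetical. BVI flips each byte in parallel and keeps the bytes whose change stops the crash, AVI binary-searches the minimal crashing field length (assuming a longer field always still crashes) and checks which special tokens are required, and the resulting signature is then applied the way a packet filter would apply it.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List, Optional

# Constructed stand-in for the instrumented server (not ATPhttpd itself): it
# "crashes" when a request starting with "GET /" carries a request field longer
# than BUFFER_SIZE. 680 is the real buffer size quoted on the slides; the
# parsing rule around it is this example's assumption.
BUFFER_SIZE = 680
PREFIX = b"GET /"


def crashes(request: bytes) -> bool:
    if not request.startswith(PREFIX):
        return False
    end = request.find(b" HTTP/")
    field = request[len(PREFIX):] if end < 0 else request[len(PREFIX):end]
    return len(field) > BUFFER_SIZE


def build_request(field_len: int) -> bytes:
    """Build a vaccine-shaped request whose only variable is the field length."""
    return PREFIX + b"N" * field_len + b" HTTP/1.0\r\n"


def bvi_important_bytes(vaccine: bytes, oracle: Callable[[bytes], bool],
                        workers: int = 4) -> List[int]:
    """Byte-based Vaccine Injection.

    Flip one byte at a time and resend; a byte whose change stops the crash is
    needed to reach the vulnerability, so it belongs in the byte signature.
    Probes are independent, so they run in parallel (the slide's point about
    multi-process applications).
    """
    def probe(i: int) -> bool:
        mutated = bytearray(vaccine)
        mutated[i] ^= 0xFF
        return not oracle(bytes(mutated))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, range(len(vaccine))))
    return [i for i, important in enumerate(results) if important]


def avi_min_field_length(build: Callable[[int], bytes],
                         oracle: Callable[[bytes], bool], hi: int) -> Optional[int]:
    """Application-based Vaccine Injection with binary search.

    Assumes crashing is monotone in field length (longer always still crashes),
    which holds for a plain overrun. Returns the smallest crashing length, or
    None if even `hi` does not crash.
    """
    if not oracle(build(hi)):
        return None
    lo = 0  # a zero-length field is assumed not to crash
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(build(mid)):
            hi = mid
        else:
            lo = mid
    return hi


def avi_required_tokens(vaccine: bytes, candidates: List[bytes],
                        oracle: Callable[[bytes], bool]) -> List[bytes]:
    """Drop each candidate special token; tokens whose removal stops the crash are required."""
    return [tok for tok in candidates if not oracle(vaccine.replace(tok, b""))]


def generate_signature(vaccine: bytes, oracle: Callable[[bytes], bool],
                       build: Callable[[int], bytes], hi: int) -> dict:
    """Combine BVI byte positions with the AVI field-length bound into one signature."""
    important = bvi_important_bytes(vaccine, oracle)
    return {
        "bytes": {i: vaccine[i] for i in important},   # position -> required byte value
        "field_start": (max(important) + 1) if important else 0,
        "min_field_len": avi_min_field_length(build, oracle, hi),
    }


def matches(request: bytes, signature: dict) -> bool:
    """Apply the signature the way a packet filter would."""
    if any(i >= len(request) or request[i] != b for i, b in signature["bytes"].items()):
        return False
    if signature["min_field_len"] is None:
        return False
    end = request.find(b" HTTP/")
    start = signature["field_start"]
    field = request[start:] if end < 0 else request[start:end]
    return len(field) >= signature["min_field_len"]


if __name__ == "__main__":
    sig = generate_signature(build_request(1000), crashes, build_request, 2000)
    print(sig["bytes"], sig["field_start"], sig["min_field_len"])
    print(matches(build_request(700), sig), matches(build_request(600), sig))
```

With the constructed oracle the binary search needs about a dozen probes to settle on 681 where a linear scan would need hundreds, and the byte probes are embarrassingly parallel because each one is a separate request to the verifier.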


Implementation

Intercept application-level dataflow to detect suspicious tokens

Scramble them to generate vaccines

Signature generation (RedHat Linux 7.3):

Verifier: implemented using ptrace

Prober: local/remote

Prober and verifier share a persistent connection; the Verifier notifies the Prober of exceptions


Experiment: Vaccine Effectiveness


Experiment: Signature Generation


Signature Quality: BIND

Comparison between our signature and MEP (Oakland 06)


Signature Quality: ATP http

MEP gets "GET" and "HEAD", but also the specific tokens '/' and '//' and a longer field length (812)

AVI: only "GET", but a more precise field length (703)

The real buffer size is 680


False positives


Application: Protecting Internet Servers

[Architecture diagram; only its labels survive extraction] Components: Service Requests; Detector (e.g., using suspicious return addresses or existing NADs), which separates Normal from Suspicious requests; Packet Vaccine (Vaccines, BVI/AVI, Signatures); Packet Filter (Application-based signatures) with a Protocol Parser (known protocol specifications, e.g. RFC of http); Service Proxy (a high-performance router can be applied here, e.g. IXP1200); Server Farm; Exploits Dropped.


Server Workload

Configurations: 0: Apache; S0: Proxy-same-Apache; S1: Proxy+Vaccine-same-Apache; D0: Proxy-diff-Apache; D1: Proxy+Vaccine-diff-Apache

Workload Capacity of Apache Server (requests per second):

0 (Apache): 1435.56

S0 (Proxy-same-Apache): 1043.09

S1 (Proxy+Vaccine-same-Apache): 1016.07

D0 (Proxy-diff-Apache): 812.97

D1 (Proxy+Vaccine-diff-Apache): 804.63

Differences: 1043.09 - 1016.07 = 27.02 (S0 vs S1); 812.97 - 804.63 = 8.34 (D0 vs D1)


Local Client Delay

The average client-delay (by local clients)

[Figure: Client Delay (ms), 0.00 to 2.00, against False Alarm Rate (%), 0 to 100; two series: Apache with Packet Vaccine, Apache without Packet Vaccine]


Remote Client Delay

The average client-delay (by remote clients)

[Figure: Client Delay (ms), 0 to 80, against False Alarm Rate (%), 0 to 100; two series: Apache without Packet Vaccine, Apache with Packet Vaccine]


Other Applications

Vulnerability Scanner

A lightweight replacement for Grey-box approaches

Proactive discovery and fix of vulnerabilities


Limitations

False negatives in exploit detection

Encrypted payload and checksums

Signature limitations in representation


Future Work

Generation of more accurate signatures

Proactive detection of software vulnerabilities