Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software
Authors: James Newsome, David Brumley, and Dawn Song
Publisher: Network and Distributed Systems Security Symposium (NDSS), Feb 2006
Presented by: Arun Krishnamurthy
Presentation Outline
The Problem.
Intro to VSEF:
  Taint Based VSEF.
  Destination Based VSEF.
Implementation and Performance.
My Comments.
The Problem
Exploits for new vulnerabilities can compromise almost all vulnerable hosts in a very short amount of time!
We need to find an automated defense system that can react to these vulnerabilities quickly!
Requirements for Defense System
1. Fast Defense Development/Deployment: must fix the vulnerability very quickly, as worms spread very fast.
2. No requirement for source code: most source code is proprietary and cannot be shown to the end user.
3. High accuracy and effectiveness: low false positives/negatives.
4. Low performance overhead: does not degrade performance.
Vulnerability Specific Execution-Based Filtering (VSEF)
Definition: An automated defense system that defends against “just discovered” attacks.
Properties:
  Robust Filters – Vulnerability specific, but exploit agnostic.
  Efficient generation of VSEF Filters – Generates filters very quickly once a vulnerability is detected.
  Efficient Detection – Contains very little overhead.
VSEF Architecture
Two Main Components:
  VSEF Filter Generator – Uses an exploit execution trace to create a VSEF filter which encodes the info needed for the monitoring to detect future attacks on the vulnerability.
  VSEF Binary Instrumentation Engine – Used by vulnerable hosts in order to apply a VSEF filter to a binary.
VSEF Architecture Diagram
Types of VSEF
Two Types:
  Taint Based VSEF – Based on dynamic taint analysis. Has high accuracy.
  Destination Based VSEF – A more optimistic version of Taint Based VSEF. Normally requires fewer instructions to be instrumented.
Taint-Based VSEF (Overview)
Marks data coming from untrusted sources.
Inserts instrumentation instructions to track tainted data from untrusted sources.
Accurately detects a wide range of attacks: buffer overruns, format strings, double free attacks.
Requires instrumenting many instructions.
Taint-Based VSEF (Filter Generation)
Two Parts:
1. List of instruction positions where instrumentation must be added for taint propagation.
2. Instruction position where instrumentation must be added to detect misuse of tainted data.
Examines the trace in a backwards manner:
  Begins at the end of the trace (the exploit point), then traces backwards to determine the source of the taint.
Taint-Based VSEF (Taint Example)
Taint-Based VSEF (Binary Instrumentation)
Checks to see if the source operand is a tainted location. If yes, then mark the destination operand as tainted.
Also checks whether a sensitive value is being tainted. If yes, then there is an attack!
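The two taint-based slides above (backward filter generation from the exploit point, then instrumenting only the listed positions) can be modelled end to end on a toy instruction trace. The following is an added example, not code from the paper, the slides, or TaintCheck: the instruction addresses, operand names, the `Insn` record and all four traces are constructed for illustration. It generates the filter from an exploit trace, then runs the filter's monitor over an exploit variant, a benign request, and an execution that reaches the same sensitive location through a different code path (the false-negative case the next slide describes).

```python
# Added example, not code from the paper or the slides: a toy model of
# taint-based VSEF filter generation and monitoring over a constructed
# instruction trace. Addresses, operand names and the traces are invented
# for illustration and correspond to no real binary.

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INPUT_SOURCE = "net"  # constructed label for data read from the network (untrusted)


@dataclass(frozen=True)
class Insn:
    addr: int  # instruction address (constructed)
    op: str    # "read" = input arrives, "mov" = data movement, "use" = sensitive use
    src: str   # source operand or memory location
    dst: str   # destination operand or memory location


# Constructed exploit trace: network input is copied through a register into
# the saved return address, which `ret` then uses (the exploit point).
EXPLOIT_TRACE: List[Insn] = [
    Insn(0x1000, "read", INPUT_SOURCE, "buf[0]"),
    Insn(0x1004, "mov", "buf[0]", "eax"),
    Insn(0x1008, "mov", "eax", "stack[ret]"),  # overwrite of the saved return address
    Insn(0x100C, "mov", "counter", "ebx"),     # unrelated instruction, not on the taint chain
    Insn(0x1010, "use", "stack[ret]", "eip"),  # exploit point: ret consumes the tainted value
]


def generate_taint_filter(trace: List[Insn]) -> Tuple[Set[int], int]:
    """Filter generation: walk the trace backwards from the exploit point.

    Returns (propagation positions, misuse position): the addresses whose data
    movement carried the taint (including the input instruction that introduced
    it) and the address where the tainted value was misused.
    """
    misuse = trace[-1]
    wanted = {misuse.src}        # locations whose writers we still need to find
    propagate: Set[int] = set()
    for insn in reversed(trace[:-1]):
        if insn.dst in wanted:
            propagate.add(insn.addr)
            wanted.discard(insn.dst)
            if insn.src != INPUT_SOURCE:  # stop once the untrusted source is reached
                wanted.add(insn.src)
    return propagate, misuse.addr


def monitor(trace: List[Insn], propagate: Set[int], misuse_addr: int) -> Optional[int]:
    """Binary instrumentation: run a new execution with only the filter's
    instructions instrumented. Taint is propagated at the listed positions and
    checked at the misuse position; returns the detection address or None."""
    tainted: Set[str] = set()
    for insn in trace:
        if insn.addr in propagate:
            if insn.src == INPUT_SOURCE or insn.src in tainted:
                tainted.add(insn.dst)       # tainted source -> tainted destination
            else:
                tainted.discard(insn.dst)   # overwritten with clean data
        if insn.addr == misuse_addr and insn.src in tainted:
            return insn.addr                # a sensitive value is tainted: attack
    return None


# Constructed exploit variant: same code path, different payload; the same filter catches it.
VARIANT_TRACE = [
    Insn(0x1000, "read", INPUT_SOURCE, "buf[0]"),
    Insn(0x1004, "mov", "buf[0]", "eax"),
    Insn(0x1008, "mov", "eax", "stack[ret]"),
    Insn(0x1010, "use", "stack[ret]", "eip"),
]

# Constructed benign request: the copy stays inside the buffer, the return address is untouched.
BENIGN_TRACE = [
    Insn(0x1000, "read", INPUT_SOURCE, "buf[0]"),
    Insn(0x1004, "mov", "buf[0]", "eax"),
    Insn(0x1008, "mov", "eax", "stack[local]"),
    Insn(0x1010, "use", "stack[ret]", "eip"),
]

# Constructed false negative: the taint reaches the return address through
# instructions the filter does not list (a different code path), so the
# monitor never sees the propagation and the misuse check finds nothing tainted.
OTHER_PATH_TRACE = [
    Insn(0x1000, "read", INPUT_SOURCE, "buf[0]"),
    Insn(0x1020, "mov", "buf[0]", "ecx"),
    Insn(0x1024, "mov", "ecx", "stack[ret]"),
    Insn(0x1010, "use", "stack[ret]", "eip"),
]

if __name__ == "__main__":
    prop, misuse = generate_taint_filter(EXPLOIT_TRACE)
    print("filter:", sorted(hex(a) for a in prop), "misuse at", hex(misuse))
    for name, t in [("variant", VARIANT_TRACE), ("benign", BENIGN_TRACE), ("other path", OTHER_PATH_TRACE)]:
        print(f"{name}: detected at {monitor(t, prop, misuse)}")
```

The monitor only touches the three propagation positions and the misuse position, which is what keeps the per-instruction overhead low; the price, shown by `OTHER_PATH_TRACE`, is that taint flowing through unlisted instructions is invisible to it.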
Taint-Based VSEF (Performance & Accuracy)
Performance:
  Filter generation is almost instantaneous.
  Execution overhead is proportional to the number of instructions in the program.
Accuracy:
  No false positives when watchpoint techniques are used.
  False negatives happen if tainted input is propagated along a different code path, or the overwritten sensitive value is misused at a different location.
Destination Based VSEF (Overview)
Definition: An optimistic filter that focuses on instrumenting the point where sensitive data was illegitimately overwritten, rather than the point where tainted data was illegitimately used.
In other words, it ONLY monitors the overwrite point!
Destination Based VSEF (Filter Generation)
Determines:
  The overwrite point.
  The vulnerable context.
  The destinations that should not be overwritten by that context.
Checks the chain of instructions that propagated the tainted data to the overwrite point in a similar manner to taint-based VSEF.
Destination Based VSEF (Binary Instrumentation)
Checks that the data movement instruction at the overwrite point does not write to a sensitive destination.
Can be done by instrumenting a small number of instructions:
  The data movement instruction.
  The call instruction corresponding to each activation record in the vulnerable context.
Destination Based VSEF (Accuracy & Performance)
Accuracy: Usually no false positives, but they can happen if:
1. The VSEF Filter Generator identified the wrong instruction at the overwrite point.
2. The instruction at the overwrite point can LEGALLY write to the monitored location in the vulnerable context.
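The destination-based filter generation and instrumentation slides, together with the false-positive case just listed, can be modelled on a toy trace of memory writes. The following is an added example, not code from the paper, the slides, or Dyninst: the `Write` and `DestinationFilter` records, the function names in the call chains, the addresses and all traces are constructed for illustration. The generator finds the overwrite point, records the activation records as the vulnerable context, and normalizes the overwritten address to an offset from the frame base; the monitor checks only that instruction, only in that context, and tracks no taint at all, which is exactly why a legal write to the monitored slot in that context is flagged as well.

```python
# Added example, not code from the paper or the slides: a toy model of
# destination-based VSEF. A filter is generated from a constructed exploit
# trace and then applied by a monitor that instruments only the overwrite
# point and its calling context. Addresses, function names and traces are
# invented for illustration and correspond to no real binary.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Write:
    addr: int                 # address of the data movement instruction (constructed)
    stack: Tuple[str, ...]    # activation records (call chain) when the write executed
    frame_base: int           # base of the innermost stack frame at that moment
    dest: int                 # absolute address written
    tainted: bool             # value derived from untrusted input (taken from the exploit
                              # trace's taint info; used only by the generator, never by the monitor)


@dataclass(frozen=True)
class DestinationFilter:
    addr: int                 # the overwrite point
    context: Tuple[str, ...]  # the vulnerable context
    offset: int               # normalized address: destination relative to the frame base


# Constructed exploit trace: copy_name() copies attacker bytes into a local buffer
# and then one slot past it, the saved return address at frame_base + 4.
VULN_CONTEXT = ("main", "handle_request", "copy_name")
EXPLOIT_TRACE: List[Write] = [
    Write(0x2000, VULN_CONTEXT, 0xBFFF0100, 0xBFFF00F0, True),                # inside the buffer
    Write(0x2000, VULN_CONTEXT, 0xBFFF0100, 0xBFFF0104, True),                # saved return address
    Write(0x2010, ("main", "handle_request"), 0xBFFF0200, 0xBFFF0210, False), # unrelated clean write
]
MISUSED_ADDRESS = 0xBFFF0104  # constructed: the location that `ret` later consumed


def generate_destination_filter(trace: List[Write], misused: int) -> DestinationFilter:
    """Find the last tainted write to the misused location: that write is the
    overwrite point, its call chain is the vulnerable context, and its
    destination is normalized to an offset from the frame base so the filter
    still applies when the stack sits at a different address in a later run."""
    for w in reversed(trace):
        if w.tainted and w.dest == misused:
            return DestinationFilter(w.addr, w.stack, w.dest - w.frame_base)
    raise ValueError("no tainted write to the misused location in the trace")


def monitor(trace: List[Write], f: DestinationFilter) -> Optional[int]:
    """Apply the filter: check only the overwrite point, and only when the
    call chain equals the vulnerable context. Returns the address at which a
    forbidden write was caught, or None."""
    for w in trace:
        if w.addr == f.addr and w.stack == f.context and w.dest - w.frame_base == f.offset:
            return w.addr
    return None


# Constructed exploit variant: different payload and a relocated stack, same bug.
VARIANT_TRACE = [
    Write(0x2000, VULN_CONTEXT, 0xBFFE0300, 0xBFFE02F0, True),
    Write(0x2000, VULN_CONTEXT, 0xBFFE0300, 0xBFFE0304, True),
]
# Constructed benign request: the copy stays within the buffer.
BENIGN_TRACE = [
    Write(0x2000, VULN_CONTEXT, 0xBFFF0100, 0xBFFF00F0, True),
    Write(0x2000, VULN_CONTEXT, 0xBFFF0100, 0xBFFF00F4, True),
]
# Constructed false positive: the same instruction legally writes the monitored
# slot in the vulnerable context with a value that is not attacker-derived; the
# monitor has no taint information and flags it anyway.
LEGAL_WRITE_TRACE = [
    Write(0x2000, VULN_CONTEXT, 0xBFFF0100, 0xBFFF0104, False),
]
# Constructed: the same instruction reached from a different caller is outside
# the vulnerable context and is therefore not monitored.
OTHER_CONTEXT_TRACE = [
    Write(0x2000, ("main", "log_entry", "copy_name"), 0xBFFF0100, 0xBFFF0104, True),
]

if __name__ == "__main__":
    f = generate_destination_filter(EXPLOIT_TRACE, MISUSED_ADDRESS)
    print(f"filter: overwrite point {f.addr:#x}, context {f.context}, offset {f.offset:+d}")
    for name, t in [("variant", VARIANT_TRACE), ("benign", BENIGN_TRACE),
                    ("legal write", LEGAL_WRITE_TRACE), ("other context", OTHER_CONTEXT_TRACE)]:
        print(f"{name}: caught at {monitor(t, f)}")
```

Compared with the taint-based model, the runtime check is a single comparison at one instruction plus the context match, which is why the slides report a much smaller overhead for this variant; `LEGAL_WRITE_TRACE` is the second false-positive condition on the slide made concrete.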
Performance:
  Filters can be created almost instantly!
  Performance can be improved if fewer instructions are instrumented.
VSEF Implementation (Taint-Based)
Implemented by modifying TaintCheck:
  Saves the set of instruction addresses from the relevant part of the directed acyclic graph into a file.
  Saves the instruction addresses where tainted data is misused.
Binary Instrumentation Engine implemented as an extension to TaintCheck.
VSEF Implementation (Destination-Based)
Implemented using Dyninst:
  A binary instrumentation tool.
  Performs static rewriting of the target binary.
Filter Contains:
  Address of the overwrite point.
  Activation records of the stack when the overwrite point was executed.
  Normalized address of the data that was overwritten.
VSEF Performance & Accuracy (Taint-Based)
Performance:
  Due to efficient instrumentation techniques, VSEF had very little performance overhead.
  Only 14% slower than running the server natively.
  Only 2% slower than running DynamoRIO alone.
Accuracy:
  Correctly handled exploits without any false positives or false negatives.
VSEF Performance & Accuracy (Destination-Based)
Performance:
  Takes some time to create a filter from TaintCheck’s log.
  Also takes some time to use the Binary Instrumentation Engine to harden the vulnerable binary.
  However, only ran 3% slower than running the server natively.
Accuracy:
  Successfully defended against the original exploits and their variants (No False Positives).
  Correctly did not flag any similar, but non-exploiting requests as attacks (No False Negatives).
VSEF Performance (Chart)
VSEF Strengths
Successfully satisfied all original requirements:
  Fast Deployment.
  No need for source code.
  Very high accuracy.
  Low overhead.
Can be deployed on Windows and Linux/Unix OS.
VSEF Weaknesses
Can still have false positives/false negatives:
  False Negatives for Taint Based VSEF:
    If tainted input is propagated along a different code path.
    If the overwritten sensitive value is misused at a different location.
  False Positives for Destination Based VSEF:
    If the VSEF Filter Generator identified the wrong instruction at the overwrite point.
    If the instruction at the overwrite point legally writes to the monitored location in the vulnerable context.
Suggestions for Enhancement
Go commercially! Sell VSEF to third party companies.
They can use VSEF for product testing and enhancements.
Other than that, it’s almost perfect! I can’t think of any more enhancements.
Conclusion
Hosts can be compromised very quickly due to vulnerabilities that can easily be exploited!
Thus, we need to find an automated system that can react to these vulnerabilities!
VSEF can quickly defend and filter out those exploits with high accuracy and low overhead!
Would make good commercial use!