Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/1180405.1180412.
Packet Vaccine: Black-box Exploit Detection and Signature Generation

XiaoFeng Wang, Zhuowei Li
Indiana University
{xw7,zholi}@indiana.edu

Jun Xu
Google Inc. & NCSU
jxu3@unity.ncsu.edu

Michael K. Reiter
Carnegie Mellon University
reiter@cmu.edu

Chongkyung Kil
North Carolina State University
ckil@ncsu.edu

Jong Youl Choi
Indiana University
jychoi@indiana.edu
ABSTRACT

In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection, vulnerability diagnosis and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program, in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects and filters exploits in a black-box fashion, i.e., avoiding the expense of tracking the program's execution flow. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.

Categories and Subject Descriptors: K.6.5 [Security and Protection]: Invasive software, Unauthorized access

General Terms: Security

Keywords: Black-Box Defense, Exploit Detection, Signature Generation, Worm, Vaccine Injection

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CCS'06, October 30–November 3, 2006, Alexandria, Virginia, USA. Copyright 2006 ACM 1-59593-518-5/06/0010...$5.00.

1. INTRODUCTION

In biology, a vaccine is a living, weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. That strain is weakened so as to prevent it from causing infection.

Similarly, a "weakened" exploit packet with important elements of its payload scrambled would quickly expose itself through the exception it causes in a vulnerable program. Forensic analysis of the exception could uncover the related program vulnerability and enable the generation of an "immunity", a signature for capturing future exploits on the same vulnerability.

The above intuition can be applied to exploit detection, vulnerability diagnosis and automatic signature generation. Design of such mechanisms has been impeded by the constraints of commodity software, for which access to source or binary recompilation is often prohibited. Existing approaches [23, 7, 5] have suggested tracking the input data as the program executes until the point at which control-flow hijacking happens. We call these approaches gray-box analysis, as they do not need source code (as a white-box approach would) but do have to monitor a program's execution flow closely (a black-box approach would not). Gray-box analysis is accurate and applicable to commodity software. However, it incurs significant runtime overheads, often slowing the system by an order of magnitude.

Inspired by the principle of vaccination, we develop a much faster black-box approach. Rather than using expensive data flow tracking, it detects and analyzes an exploit using the outputs of a vulnerable program. Specifically, we first identify anomalous tokens in packet payloads, e.g., byte strings resembling injected jump addresses in a control-flow hijacking attack, and randomize the contents of these tokens to generate a vaccine. If the packets carrying these tokens indeed contain an exploit, the vaccine will likely cause an exception in the vulnerable software. When this happens, our approach will automatically generate a signature to protect the software using the forensic data gleaned from the exception and fault injection techniques [18]. We call this approach packet vaccine.

Compared to other techniques, packet vaccine offers some important benefits:

Fast, black-box exploit detection. Packet vaccine detects an exploit attempt by directly injecting vaccine packets into a program. Therefore, it performs as fast as a normal run of that program, and up to an order of magnitude faster than gray-box approaches. In addition, packet vaccine does not use source code or recompiled binaries and thereby works well with commodity software.

Effective signature generation. Packet vaccine generates signatures using host information, so it is immune to interference from Internet noise [28] and poisoning [25], which can mislead network-based signature generators (e.g., EarlyBird [30], Polygraph [22], Nemean [41]) into generating false signatures. Moreover, the resulting signature tends to capture some key properties of a vulnerability such as the size of a vulnerable buffer, which can be used to detect a range of exploit mutations employed by polymorphic worms.

Using a confirmed exploit as a template, packet vaccine can generate a number of vaccines, i.e., variations of that exploit, to gain a better characterization of a software application's vulnerability. For instance, one type of our signatures uses a packet's field length as an attribute to identify a buffer-overflow attack; injection of vaccines with different field lengths allows us to accurately estimate the size of the underlying vulnerable buffer and thereby generate a more accurate signature (Section 2.3). Moreover, our technique can generate a signature without any information about an application or its protocol.

Some gray-box approaches perform static analysis [3, 21] over a vulnerable program's binary code and could generate signatures more accurate than our signatures. However, our black-box approach tends to be faster than those approaches and even works with obfuscated code [37, 19]. For many exploits, our black-box technique can produce signatures close to their signatures in quality, as we report in our experimental study. We argue that a rapidly-generated and reasonably accurate signature could be more useful in practice because such a signature is supposed to serve as a band-aid to a vulnerable application rather than a permanent fix [20], for use before a software manufacturer finishes developing its patch.

Low overhead and easy deployment. Packet vaccine is more lightweight and easier to deploy than many existing techniques. Exploit detection using our approach does not require installing anything on the host running vulnerable programs. Vulnerability diagnosis needs only a lightweight collector to gather forensic data from an exception, and even this requirement can be waived for operating systems which already offer error logging and debugging services. For example, Windows XP's event logs contain everything we need, such as corrupted pointer contents.

We present the design of the packet vaccine mechanism (Section 2) and the implementation of this technique in the paper. We evaluate it using real exploits and signatures generated by a gray-box approach (Section 3). Our study shows that packet vaccine can effectively detect exploits, and efficiently generate signatures of high quality. A problem of a vaccine is that it could modify a server's state, and interrupt its service. To apply this technique to protect an online service, we present an architecture which employs test servers to carry out exploit detection, and empirically evaluate its performance with a proof-of-concept implementation (Section 4). We also discuss the limitations of our approach (Section 5) and review related work (Section 6).
2. DESIGN

In this section, we present the design of the packet vaccine mechanism. Figure 1 illustrates the major steps of our approach: vaccine generation, exploit detection, vulnerability diagnosis and signature generation.

Vaccine generation is based upon detection of anomalous packet payloads, e.g., a byte sequence resembling a jump address, and randomization of selected contents. A vaccine generated in this way can detect an exploit attempt, since it should now trigger an exception in a vulnerable program. Vulnerability diagnosis correlates the exception with the vaccine to acquire information regarding the exploit, in particular the corrupted pointer content and its location in the exploit packet. Using this information, the signature generation engine creates variations of the original exploit to probe the vulnerable program, in an effort to identify necessary exploit conditions for generation of a signature.

2.1 Vaccine Generation

To generate a vaccine, we need to preserve the exploit semantics—i.e., its behavior that leads to an attempt to hijack control flow—while weakening it enough to prevent a control-flow hijacking from succeeding. Here, we describe a simple way to do that.

A key step in most exploits is to inject a jump address to redirect the control flow of a vulnerable program. Such an address points to somewhere in the stack or heap in a code-injection attack, or to a global library entry in an existing-code attack. Our approach is to check every 4-byte sequence (32-bit system) or 8-byte sequence (64-bit system) in a packet's application payload, and then randomize those which fall in the address range of the potential jump targets in a protected program. The vaccine generated in this way should cause an exception, segmentation fault (SEGV) or illegal instruction fault (ILL), to a vulnerable program's process if an exploit is indeed present in the original packet. A question here is how to determine the address range.

Address Range. A process's virtual memory layout is usually easy to obtain. On Linux and UNIX, the proc virtual file system maintains a file called maps under the directory /proc/pid/ that offers the runtime memory layout for the process pid. From that file, we can obtain the base addresses for the stack (usually from 0xc00000000 downwards) and the entry for function libraries (in segment 0x40000000). The base address for heap is the end of the BSS segment, which can be determined by analyzing the binary executable using tools such as objdump or readelf. To find out the address range, we also need to know an application's stack and heap sizes. These can be estimated by monitoring stack and heap usage recorded in the status file of the application's process for a period of time. Using these data, we determine the address ranges as follows. Let b_s and u_s be the stack's base address and typical maximum usage, respectively. Stack addresses are estimated to range from b_s − αu_s to b_s, where α ≥ 1 is a ratio for keeping a safe margin. Similarly, the heap range is approximated as b_h to b_h + αu_h, where b_h and u_h are the heap's base and typical maximum usage, respectively.¹

¹ Address ranges can also be customized by the user. For example, one could restrict monitoring to the heap on an operating system with a nonexecutable stack. A process may have multiple heap regions, which can be observed from its memory maps. In this case, we can use the base addresses of these regions plus αu_h to estimate multiple heap address ranges.
[Figure 1 (block diagram, image not reproduced): suspicious jump addresses in packets from control-flow hijacking attempts (e.g., worms) feed Vaccine Generation; vaccine packets go to Exploit Detection on an end host; the resulting exceptions and forensic info feed Vulnerability Diagnosis; its correlations feed Signature Generation, whose immunities are installed back on the end host ("after installing immunities").]

Figure 1: The design of packet vaccine.
We can pinpoint the address range of the global libraries intensively used by exploits, e.g., msvcrt.dll or libc.so, and even the entry addresses of some "dangerous" functions, such as system() and execve(). These addresses can be easily acquired on Linux or UNIX using the maps file and the command nm. A Windows application's memory information can be collected using memory monitoring tools like Memview [16] or debugging tools such as CDB or NTSD [34]. The address range could also cover the global offset table (GOT), though this might not be necessary: an exploit usually changes a function pointer in the GOT to an address in the stack or heap, where the attack code lies. Again, it is at the user's discretion to decide the coverage of the address range. The larger the range becomes, the more packets must be checked and randomized.
Address ranges can also be approximated through an empirical study of known exploits, which could reveal 'hot spots' to which most exploits jump. In our research, we collected around 1000 jump addresses from known exploits and discovered that on Linux, most code-injection attacks use the jump addresses either in the range 0xbfff0000 to 0xbfffffff for the stack or 0x08040000 to 0x08ffffff for the heap. This treatment also works for existing-code attacks, as most of these exploits use a small set of libc (Linux or UNIX) or dll (Windows) functions as stepping stones.
Vaccine Generation Algorithm. Now we are ready to present the vaccine generation algorithm, which is formally described as follows.

• Gather data from the application being protected and build a target address set T = [b_s − αu_s, b_s] ∪ [b_h, b_h + αu_h] ∪ S, where S is a set containing the address ranges of objects other than the stack and heap, such as the entries for global library functions.

• Aggregate the application payloads of the packets in one session into a data flow, carry out a proper decoding (e.g., Unicode decoding, URL decoding, etc.) if necessary and scan that data flow to find all byte sequences τ ∈ T.

• For every τ, replace its most significant byte with a byte randomly drawn from a scrambler set R to output a new data flow.

• Construct vaccine packets using the new data flow as application payloads.

In the above algorithm, the scrambler set R could be set to avoid introducing undesired symbols (such as syntax tokens) which could interrupt a protocol, and ensure a randomized byte sequence falls outside a process's memory map. An example of R is {A to Z, a to z, 0 to 9, '+' and '-'}.
For example, the payload of the Code Red II worm is presented in Figure 2. Our vaccine generator identifies multiple occurrences of the byte sequence 0x7801cbd3 from the payload after Unicode decoding. This sequence falls in the address range of msvcrt.dll, which is being monitored. Therefore, a vaccine is generated as illustrated in Figure 2, in which the most significant bytes of the sequence have been scrambled.

The Original Packet of Code Red:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n

A Vaccine Packet for Code Red:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%ua001%u9090%u6858%ucbd3%u0401%u9090%u6858%ucbd3%u8c01%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n

Figure 2: A vaccine generated from Code Red II worm.
Discussion. A central question here is whether the vaccine generated above is effective in detecting an exploit if it is indeed present. Exploits tend to be fragile—a random perturbation could cause them to vanish. For example, randomization of protocol syntax tokens, such as the keyword 'GET' in the above example, renders the vaccine impossible to parse; modification of other exploit tokens can modify the exploit semantics, i.e., interfere with the exploit's attempt to hijack control flow. We address these concerns as follows. Our approach is very unlikely to modify a protocol's syntax tokens, which usually look quite different from a suspicious jump address. We checked the most frequently used syntax tokens in HTTP, FTP and SMTP, and found none of them coincide with a typical Linux stack segment (0xbfff) and heap segment (0x08). To make the break of protocol syntax even less likely to happen, we can use a whitelist to guide vaccine generation. The whitelist contains all syntax tokens of a protocol, which can be either collected from the protocol's RFC or extracted from users' normal traffic. In our research, we were able to extract all important HTTP syntax tokens from one million HTTP traces. When generating vaccines, the generator checks a byte sequence τ against that whitelist. If it contains a syntax token, or it is a substring of such a token, the generator will refrain from scrambling it.
Our approach can also preserve exploit semantics in most cases. Exploits typically provide certain protocol parameters in the payload, in order to drive the target program's state to a "breakpoint" where exploit payload can be injected [3, 7]. Theoretically, it is possible for these parameters to coincide with addresses in T. However, this seems to be rare in practice, especially for protocols with an uneven distribution of byte values (e.g., text-based protocols such as HTTP). The appearance of an address-like string is uncommon for these protocols, as discovered in previous research [24, 39]. Furthermore, although binary protocols such as DNS could have an even distribution of byte values, the set T is usually small, occupying less than 0.1% of the virtual memory address space, and an exploit's parameters (except the injected code) are usually short, less than tens of bytes as we observed in our experiments. Therefore, it seems that the chance a byte sequence in T coincides with a necessary exploit parameter is small. In our research, we carefully studied 26 exploits, including attacks through binary protocols, and found none of their parameters were tampered with by our approach. In addition, those parameters are mostly dependent on the underlying vulnerability, which could leave an attacker little room to vary them.

Our randomization strategy also helps preserve exploit semantics: instead of scrambling the whole byte sequence, we only modify one byte—the most significant byte. We could extend the idea, for example, by generating three vaccines, each of which scrambles one of the three most significant bytes of the sequence. These vaccines can then be used to probe an application in parallel. As a result, even if an exploit does use an address-like two-byte parameter (such as 0xbfff), we can still detect the exploit. Another approach involves a simple network anomaly detector (NAD) which narrows the search for address-like substrings to only part of an anomalous packet's payload. For example, a NAD monitoring the length of packets' application fields may identify an overlong CGI parameter; this allows a vaccine generator to scan only that field, avoiding randomizing other parameters even if they look like addresses. We can also whitelist well-known exploit tokens such as %n, and tokens present in normal traffic such as .ida?. All of these will then be kept intact during vaccine generation.
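The vaccine generation algorithm of Section 2.1, applied to a shortened Code Red II-style request, as an added example that is not the paper's prototype: every 4-byte little-endian word of the decoded flow is matched against T, the %uXXXX Unicode escapes are decoded and re-encoded, whitelisted syntax tokens are left alone, and the draw from R is repeated until the scrambled word lies outside T. The library range in T, the whitelist and the sample request are constructed for this example.

```python
import random
import re
import struct

# Target address set T. The stack and heap hot spots are the Linux ranges reported in the
# text; the third range is a constructed stand-in for S (a monitored library segment).
TARGET_RANGES = [
    (0xBFFF0000, 0xBFFFFFFF),  # stack hot spot
    (0x08040000, 0x08FFFFFF),  # heap hot spot
    (0x78000000, 0x7803FFFF),  # constructed: library segment containing 0x7801cbd3
]
# Scrambler set R from the text: {A..Z, a..z, 0..9, '+', '-'}
SCRAMBLER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-"
# Protocol syntax tokens and known benign tokens that must never be scrambled (constructed).
WHITELIST = [b"GET ", b"HTTP/1.0", b"\r\n", b".ida?", b"%n"]
PCT_U = re.compile(rb"%u([0-9a-fA-F]{4})")  # IIS-style Unicode escape used by Code Red II
WORD = 4  # 32-bit target


def in_target(addr):
    """True if addr lies in T."""
    return any(lo <= addr <= hi for lo, hi in TARGET_RANGES)


def decode_flow(payload):
    """Split the payload into units, a raw byte or a %uXXXX escape (little-endian 16-bit word),
    and return (decoded bytes, units, owner) where owner[k] = (unit index, byte within unit)."""
    units, decoded, owner = [], bytearray(), []

    def raw(chunk):
        for b in chunk:
            units.append(["raw", b])
            owner.append((len(units) - 1, 0))
            decoded.append(b)

    pos = 0
    for m in PCT_U.finditer(payload):
        raw(payload[pos:m.start()])
        units.append(["u", int(m.group(1), 16)])
        for k, b in enumerate(struct.pack("<H", units[-1][1])):
            owner.append((len(units) - 1, k))
            decoded.append(b)
        pos = m.end()
    raw(payload[pos:])
    return bytes(decoded), units, owner


def encode_flow(units):
    """Inverse of decode_flow: re-emit raw bytes as-is and words as %uXXXX."""
    return b"".join(bytes([v]) if kind == "raw" else b"%%u%04x" % v for kind, v in units)


def whitelisted_spans(data):
    """[start, end) spans of every whitelisted token occurrence in the decoded flow."""
    return [(m.start(), m.end()) for tok in WHITELIST for m in re.finditer(re.escape(tok), data)]


def find_address_tokens(decoded):
    """(offset, value) of every little-endian word in T that does not touch a whitelisted span."""
    spans = whitelisted_spans(decoded)
    hits = []
    for i in range(len(decoded) - WORD + 1):
        val = struct.unpack("<I", decoded[i:i + WORD])[0]
        if in_target(val) and not any(i < e and i + WORD > s for s, e in spans):
            hits.append((i, val))
    return hits


def generate_vaccine(payload, rng=None):
    """Return (vaccine payload, [(offset, original value, scrambled value)]).
    Only the most significant byte of each hit is replaced, and the draw from R is repeated
    until the scrambled word falls outside T, as the text requires."""
    rng = rng or random.Random(1)
    decoded, units, owner = decode_flow(payload)
    scrambled, last_end = [], -1
    for off, val in find_address_tokens(decoded):
        if off < last_end:                 # window overlaps a hit already scrambled; skip it
            continue
        while True:
            nb = rng.choice(SCRAMBLER)
            new_val = (val & 0x00FFFFFF) | (nb << 24)
            if not in_target(new_val):
                break
        unit_idx, k = owner[off + WORD - 1]  # the MSB is the last byte, little-endian
        kind, v = units[unit_idx]
        if kind == "raw":
            units[unit_idx][1] = nb
        else:                              # patch one byte of the 16-bit word
            w = bytearray(struct.pack("<H", v))
            w[k] = nb
            units[unit_idx][1] = struct.unpack("<H", bytes(w))[0]
        scrambled.append((off, val, new_val))
        last_end = off + WORD
    return encode_flow(units), scrambled


# Constructed, shortened Code Red II-style request (the real worm pads with far more 'N's).
CODE_RED_SAMPLE = (b"GET /default.ida?" + b"N" * 24
                   + b"%u9090%u6858%ucbd3%u7801" * 2 + b"=a HTTP/1.0\r\n")

if __name__ == "__main__":
    vaccine, tokens = generate_vaccine(CODE_RED_SAMPLE)
    print(vaccine)
    for off, old, new in tokens:
        print(f"offset {off}: 0x{old:08x} -> 0x{new:08x}")
```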
2.2 Exploit Detection and Vulnerability Diagnosis

Exploit attempts from vaccine packets are detected from the exceptions they cause in a vulnerable program, such as SEGV and ILL. Such exceptions happen with high probability if exploits' jump addresses have been scrambled.

The objective of vulnerability diagnosis is to reliably correlate an exception with one of the byte sequences being randomized, which identifies the location of the jump address on an exploit packet. This correlation is established by matching these byte sequences to the forensic data gathered from an exception, in which the corrupted pointer is of particular importance. On x86 systems, the corrupted pointer which causes a SEGV exception can be found in register CR2. It may also appear in EIP. Our approach logs the contents of these registers once an exception happens. Formally, vulnerability diagnosis works as follows. Let τ_1, τ_2, ..., τ_n be the byte sequences (tokens) of a vaccine packet that have been scrambled (i.e., the high-order byte randomized) by the vaccine generator. Let p be the forensic string—the corrupted pointer collected from registers. If p = τ_i for 1 ≤ i ≤ n, we correlate τ_i with the exception. This correlation can be validated using the following test: we randomize all bytes of τ_i to produce a new token τ′ and use it to generate a new vaccine; sending this vaccine to the vulnerable program, we check whether the exception happens again and the corrupted pointer also changes to τ′. The validation test can be repeated to increase the confidence in the correlation.

2.3 Signature Generation

After vulnerability diagnosis, we have identified the jump address and its location in an exploit packet. The address alone, however, could be too general to be a signature, especially for binary protocols such as DNS. More information is required to form a high-quality signature. Here, we describe a signature generation engine that uses a known exploit as a template to generate vaccines and injects them into a vulnerable program to acquire key attributes of the underlying vulnerability. We call this technique vaccine-injection (VI). Our approach can generate signatures with or without application-specific information, as we elaborate below.

Application-independent Signature Generation. We can generate a signature without any knowledge about an application's protocol. Such a signature is in the form of a token sequence, which consists of an ordered sequence of byte strings (tokens) [22]. These tokens' locations in the exploit packet's payload could also be included as a part of the signature for a binary application protocol such as DNS. Our idea is to determine the roles played by individual bytes in an exploit by scrambling them to create vaccines and testing them in the vulnerable application, in an effort to identify the inputs necessary for the exploit to occur.

Let L be the byte length of an application-level exploit data flow, and B[i] be the ith byte on that data flow, where 1 ≤ i ≤ L. Suppose the scrambled jump address τ with a byte length l starts from the rth byte. The signature generation engine generates L − l vaccines, {v_1, v_2, ..., v_(r−1), v_(r+l), ..., v_L}, such that v_i (1 ≤ i ≤ L) randomizes the ith byte of the exploit payload and also keeps the token τ. Then, it injects all these vaccines into a vulnerable program. If v_i does not cause any exception, we record B[i] (and also i for a binary protocol) as a signature token. A signature is formed using these tokens and the target address set T. A data flow is deemed to match such a signature if it contains all these tokens and at least one byte sequence in T. We refer to this approach as byte-based vaccine injection (BVI).

Some servers process requests using multiple processes, such that crashing one does not affect the others. This property allows us to test many vaccines in parallel. Many exploits have exploit payload of a modest size, usually below 1kB. Therefore, we believe BVI can offer good performance. We also adopted a 'block-searching' technique to reduce the number of vaccines for generating a signature. We first test a vaccine which randomizes a block of contiguous bytes on an exploit packet. If the vaccine still causes the exception, we move on to randomize another byte block; otherwise, we test every byte inside that block to identify signature tokens.

However, BVI could still be slow if the payload is large. An attacker might duplicate an exploit token to several places. For example, the Code Red II worm (Figure 2) has multiple %u tokens, any of which is sufficient for the exploit to occur. This prevents the BVI algorithm from detecting that token, as randomization of one of its replicas does not make the exception disappear. We can solve this problem using an improved BVI algorithm described as follows. A vaccine v_i scrambles the first i bytes on the exploit data flow except all the signature tokens identified so far. If the vaccine does not cause any exception to the vulnerable program, the signature engine records the ith byte as a new signature token. Otherwise, our approach scrambles that byte before generating the next vaccine v_(i+1). This approach can capture one of the duplicated tokens. However, it is not parallelizable. Fortunately, such a duplication trick cannot be played on most tokens (e.g., .ida and GET) and thus the original BVI algorithm works in many cases.
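The three BVI variants described above (plain, block-searching, and the sequential version that catches a duplicated token), as an added example that is not the paper's implementation: the vulnerable program is replaced by a constructed oracle, vulnerable_server, which reports an "exception" only while the protocol tokens the exploit needs survive, so the token sets each variant recovers and the number of vaccines each injects can be compared. The exploit data flow is constructed to mirror the Code Red II layout in the text, with one token duplicated.

```python
import random

SCRAMBLER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-"

# Constructed exploit data flow (not a real exploit): an overlong query plus a duplicated
# token, modelled on the Code Red II layout discussed in the text. 80 bytes in total.
EXPLOIT = b"GET /default.ida?" + b"N" * 40 + b"%u7801" * 2 + b" HTTP/1.0\r\n"


def vulnerable_server(flow):
    """Oracle standing in for the vulnerable program. True means the process raised an
    exception, i.e. the exploit semantics survived and the (scrambled) jump was attempted."""
    if not (flow.startswith(b"GET ") and flow[12:17] == b".ida?" and flow.endswith(b"\r\n")):
        return False                      # parser rejects the request before the overflow
    end = flow.find(b" HTTP/")
    query = flow[17:end] if end >= 0 else b""
    return len(query) >= 40 and b"%u7801" in flow   # any one copy of the token suffices


class Prober:
    """Builds vaccines from the exploit template and counts injections into the oracle."""

    def __init__(self, exploit, oracle, seed=1):
        self.exploit, self.oracle, self.rng = exploit, oracle, random.Random(seed)
        self.injections = 0

    def scramble(self, flow, positions):
        """Randomize each listed byte with a value from R that differs from the original."""
        out = bytearray(flow)
        for i in positions:
            out[i] = self.rng.choice([c for c in SCRAMBLER if c != flow[i]])
        return bytes(out)

    def crashes(self, positions):
        self.injections += 1
        return self.oracle(self.scramble(self.exploit, positions))

    def bvi(self):
        """Plain BVI: byte i is a signature token iff randomizing it alone removes the exception."""
        return [i for i in range(len(self.exploit)) if not self.crashes([i])]

    def bvi_block_search(self, block=8):
        """Block-searching BVI: expand a block byte by byte only if randomizing the whole block
        removes the exception; otherwise it holds no token and is skipped."""
        tokens = []
        for start in range(0, len(self.exploit), block):
            span = range(start, min(start + block, len(self.exploit)))
            if self.crashes(list(span)):
                continue
            tokens += [i for i in span if not self.crashes([i])]
        return tokens

    def bvi_sequential(self):
        """Improved BVI: v_i scrambles bytes 0..i except tokens found so far, so a duplicated
        token is caught when its last intact copy is hit. Sequential, not parallelizable."""
        tokens, scrambled = [], []
        for i in range(len(self.exploit)):
            if self.crashes(scrambled + [i]):
                scrambled.append(i)       # byte i not needed: keep it scrambled from now on
            else:
                tokens.append(i)          # byte i is necessary for the exploit
        return tokens


def signature(flow, tokens):
    """Token-sequence signature in the Table 2 notation: i-j(hex bytes) per run of tokens."""
    runs = []
    for i in tokens:
        if runs and runs[-1][-1] == i - 1:
            runs[-1].append(i)
        else:
            runs.append([i])
    parts = []
    for r in runs:
        pos = f"{r[0]}" if len(r) == 1 else f"{r[0]}-{r[-1]}"
        parts.append(pos + "(" + ",".join(f"{flow[i]:02x}" for i in r) + ")")
    return ",".join(parts)


if __name__ == "__main__":
    for name in ("bvi", "bvi_block_search", "bvi_sequential"):
        p = Prober(EXPLOIT, vulnerable_server)
        toks = getattr(p, name)()
        print(f"{name}: {p.injections} vaccines -> {signature(EXPLOIT, toks)}")
```

Plain BVI misses the duplicated %u7801 token entirely, block searching finds the same tokens with fewer injections, and only the sequential variant records the second copy.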
Using Protocol Information. If an application's protocol specifications are available, in some cases we can generate a very accurate signature, close to a vulnerability-based signature. Such a signature makes use of the characteristics of buffer-overflow exploits and format-string exploits to describe a vulnerability. The algorithm for generating these signatures is also built upon the VI technique, and so we call the approach application-based vaccine injection (AVI).

Buffer-overflow exploits usually employ anomalously long fields [14]. Thus, a signature of the form (application, command, field.name, max.field.size) offers a good description of the vulnerability being exploited. Our signature generation engine first identifies the application field that includes the jump address, and then makes a quick estimate of that field's length using the number of the bytes prior to the address. This gives a coarse signature. To refine that signature, our approach iteratively alters the field size to generate new vaccines, and injects them into the vulnerable program. If a vaccine makes the exception disappear, we infer that the field is too short and then increase it. Otherwise, we shrink that field. Using a binary search, we can quickly determine the minimal length for the exploit to happen. The signature generated in this way can be pretty close to the size of a vulnerable buffer: for example, our experiment over ATPhttpd (see Section 3.3) produced a signature only 23 bytes longer than the real size of the program's vulnerable buffer.

Format-string exploits usually contain the special symbol %n. In addition, the address token usually appears prior to this symbol. Therefore, a simple representation of the signature could be as follows: (application, command, field.name, %n). The accuracy of this signature can be verified by removing the %n from a vaccine to test the vulnerable program.
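The AVI length search and the %n check from the paragraphs above, as an added example (not the paper's engine): the two oracle functions stand in for the vulnerable servers and are constructed so that a 680-byte buffer with 23 bytes of locals between it and the overwritten pointer, the figures the text reports for ATPhttpd, yields the 703-byte max.field.size. Only the GET/filename request layout is parsed; the application name "." and field names follow the Table 2 notation.

```python
def make_overflow_oracle(buffer_size, locals_between):
    """Constructed stand-in for a server whose `filename` buffer holds buffer_size bytes, with
    locals_between bytes of local variables between the buffer and the pointer the exploit
    overwrites. The process faults once the field reaches the pointer."""
    limit = buffer_size + locals_between

    def oracle(request):
        if not request.startswith(b"GET /"):
            return False
        end = request.find(b" HTTP/")
        return end >= 0 and len(request[5:end]) >= limit
    return oracle


def overflow_vaccine(field_len):
    """Vaccine with the filename field resized to field_len bytes. The scrambled jump address
    is not modelled here: the oracle decides the outcome purely by field length."""
    return b"GET /" + b"A" * field_len + b" HTTP/1.0\r\n"


def avi_min_field_length(oracle, coarse):
    """Binary search for the smallest field length that still raises the exception, starting
    from the coarse estimate (bytes preceding the jump address in the exploit packet).
    Returns (length, number of vaccines injected)."""
    injections = 0

    def crashes(n):
        nonlocal injections
        injections += 1
        return oracle(overflow_vaccine(n))

    lo, hi = 0, max(coarse, 1)
    while not crashes(hi):        # exception disappeared: the field is too short, grow it
        lo, hi = hi, hi * 2
    while hi - lo > 1:            # invariant: lo does not crash, hi does
        mid = (lo + hi) // 2
        if crashes(mid):
            hi = mid
        else:
            lo = mid
    return hi, injections


def overflow_signature(application, command, field, oracle, coarse):
    """(application, command, field.name, max.field.size) as described in the text."""
    length, _ = avi_min_field_length(oracle, coarse)
    return (application, command, field, length)


def matches_overflow_signature(sig, request):
    """Filter-side check: the request carries `command` and its field is at least
    max.field.size bytes long."""
    _, command, _, max_len = sig
    end = request.find(b" HTTP/")
    return (request.startswith(command + b" /") and end >= 0
            and len(request[len(command) + 2:end]) >= max_len)


def format_string_oracle(request):
    """Constructed stand-in for a server with a format-string bug in the SITE EXEC argument."""
    return request.startswith(b"SITE EXEC ") and b"%n" in request


def verify_format_signature(oracle, exploit):
    """The (application, command, field.name, %n) signature is confirmed if the exception
    vanishes once %n is removed from the vaccine."""
    return oracle(exploit) and not oracle(exploit.replace(b"%n", b""))


if __name__ == "__main__":
    oracle = make_overflow_oracle(680, 23)
    print(overflow_signature(".", b"GET", "filename", oracle, 900))
    print(verify_format_signature(format_string_oracle, b"SITE EXEC %x%x%n\r\n"))
```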
3. EVALUATION

We evaluated packet vaccine using a proof-of-concept implementation. In this section, we first describe this implementation and then present our experimental results and analysis on vaccine effectiveness and signature quality.

Our experiments were carried out on two Linux workstations: one with Redhat 7.3 operating system, Intel Pentium 4 1.5GHz CPU and 256MB memory, and the other with Redhat 6.2, Pentium 3 1GHz CPU and 256MB memory. We used the Redhat 7.3 system for all experiments except those involving the Bind TSIG exploit, which requires Redhat 6.2. We also used several network traces to evaluate the quality of the signatures generated by our approach. Our dataset includes a trace of one million HTTP flows and one million DNS flows in and out of Indiana university.

3.1 Prototype Implementation

We implemented packet vaccine on Linux. The target address set T is extracted from an application's process proc files, including maps and status, and sent to a vaccine generation module. This module scans the data flow of a recorded session for the byte sequences inside T, scrambles their most significant bytes, creates a socket to convert the new data flow into vaccine packets and transports them to the application. On the systems running the application, we installed a process monitor developed using ptrace, which serves as a collector to gather the contents of important registers should an exception happen to the process being monitored. Registers important to vulnerability diagnosis are CR2 and EIP. However, CR2 can be accessed only in kernel mode. In our research, we developed a kernel patch for Linux 2.4.18 to read its content.

The signature generation engine has two components, a prober and a verifier. The prober tests an application using vaccines to identify signature tokens. It can work remotely. The verifier monitors processes for exception signals, and restarts the application if necessary. In our implementation, the verifier was embedded in the ptrace-based monitor. On starting signature generation, the prober first makes a persistent connection with the verifier, and then sends a vaccine packet to the application. If the application's process crashes, the verifier intercepts the exception signal and notifies the prober through the connection. Otherwise, the verifier waits for a period of time (longer than the maximum crash time) before signaling that no exception has occurred. Our implementation supports both the BVI and AVI algorithms and can generate token-sequence and application-level signatures. We implemented only sequential vaccine injection in our prototype system, which unfortunately introduced performance penalties. In our experiments, we found that some applications could take tens of milliseconds to crash. The delay caused by awaiting the crashes of multiple processes could be greatly reduced by a parallel approach.

3.2 Vaccine Effectiveness

A paramount question for packet vaccine is a vaccine's ability to detect an exploit. We address this question through an empirical evaluation reported in this section. We carried out experiments on real exploits of seven vulnerable applications obtained from SecurityFocus.² They have also been widely used for evaluating other techniques (e.g., [14, 40, 7]). In our research, we made sure that all these exploits were successful in the vulnerable applications by spawning a remote shell before testing them with our technique.

Packet vaccine successfully detected these exploits, and additionally diagnosed the related vulnerabilities to generate precise signatures. The details of exploits and detection results are listed in Table 1. While we implemented our proof-of-concept system only on Linux, we also analyzed another 19 exploits which include Windows-based exploits such as Code Red II. We found none of their semantics would be damaged by our approach. This implies that packet vaccine should also detect them.

Detecting a heap-based overflow turned out to be a little trickier. In the experiment on openssl, the value of the byte sequence we got from CR2 was larger than that of the randomized token by 12. We explain this as follows. The exploit took advantage of the free() function to overwrite a function's return address. The location of that address was faked as the content of a linking pointer in a bogus idle memory segment's heap management data structure. On the exploit's payload, the address of that segment's header was provided. That address was supposed to be lower than the linking pointer's address by 12. The exception happened when the heap management system attempted to access that linking pointer using the header's address which was randomized by our approach.
² Technical details of these exploits can be found by searching their Bugtraq ID from http://www.securityfocus.com.
Exploit       Bugtraq ID   Vulnerability Type             Detected
BIND tsig     2402         stack-based buffer overflow    Yes
Light httpd   6162         stack-based buffer overflow    Yes
ATPhttpd      8709         stack-based buffer overflow    Yes
Samba         7294         stack-based buffer overflow    Yes
OpenSSL v2    5363         heap-based buffer overflow     Yes
wu-ftpd       1378         format string attack           Yes
rpc.statd     1480         format string attack           Yes

Exploit Packet Length (seven values, run together in the same row order): 51023182030974744351076
Number of Address-like Tokens (seven values, run together in the same row order): 3139026418

Table 1: Exploit Detection.

BIND tsig
  Application signature: —  (time: —)
  Byte sequence signature: 4-12(00,01,00,00,00,00,00,01,3c),73(3c),134(0c),147(31),197(0c),210(3e),273(3e),336(1e),367(10),384(3e),447(34),500(00),505-507(00,00,fa)  (time: 4.881 s)

Light httpd
  Application signature: (., 'GET', filename, 178)  (time: 0.345 s)
  Byte sequence signature: 0-3(47,45,54,20),229-230(0a,0a)  (time: 1.360 s)

ATPhttpd
  Application signature: (., 'GET', filename, 703)  (time: 0.274 s)
  Byte sequence signature: 0-4(47,45,54,20,2f),818(0a)  (time: 2.708 s)

Samba
  Application signature: (., 'TRANS2OPEN2', filename, 2000)  (time: 0.622 s)
  Byte sequence signature: 0-2(00,04,08),4-8(ff,53,4d,42,32),28-29(01,00),32-33(64,00),37-40(d0,07,0c,00),55-56(d0,07),58-60(00,0c,00),63-66(01,00,00,00)  (time: 7.636 s)

OpenSSL v2
  Application signature: (., 'MasterKey', arguments, 298)  (time: 0.358 s)
  Byte sequence signature: 0-11(81,d8,02,01,00,80,00,00,00,80,01,4e)  (time: 5.012 s)

wu-ftpd
  Application signature: (., 'SITE', 'EXEC', %n)  (time: 0.130 s)
  Byte sequence signature: 0-9(53,49,54,45,20,45,58,45,43,20),431-432(25,6e)  (time: 4.228 s)

rpc.statd
  Application signature: (., 'STAT', name, %n)  (time: 0.116 s)
  Byte sequence signature: 4-31(00,00,00,00,00,00,00,02,00,01,86,b8,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,20),36-39(00,00,00,00,09),60-63(00,00,00,00),68-74(00,00,00,00,00,00,03),164-165(25,6e)  (time: 5.780 s)

Table 2: Signatures Generated. A token in a byte sequence signature is represented as i−j(B_i, ..., B_j) (i ≤ j), where i and j are the positions of the individual bytes on the token and B_i is a byte's hexadecimal value. For example, 229-230(0a,0a) indicates that the token 0x0a0a lies between the 229th and the 230th bytes in the payload. The position information is optional and not useful for text-based protocols such as HTTP.
3.3 Signature Quality and Performance
A summary of results of our experiments on signature generation can be found in Table 2. To evaluate the quality of our signatures, we compared them with signatures reported in recent literature [3]. A vulnerability-based signature can prevent all possible exploits on a vulnerability [7]. Recently, Brumley et al. have proposed a gray-box approach to generate such a signature on the basis of static analysis of a vulnerable program's binary code [3]. Their technique intensively utilizes application information.
Brumley et al. describe in their paper two monomorphic-execution-path (MEP) signatures, one for Bind TSIG and the other for ATPhttpd. MEP signatures computed from a single exploit are usually not vulnerability-based. Nevertheless, with the information extracted from the vulnerable application, they are still very accurate. Here, we analyze our signatures using these signatures.
Quality of the Token-Sequence Signature: Bind-TSIG. Bind is a very popular DNS server. It supports a secret-key transaction authentication in which messages bear transaction signatures (TSIG). There is a buffer-overflow vulnerability in Bind 8.2.x which allows an attacker to gain control of a system running Bind. This vulnerability can be exploited through both UDP and TCP queries. Our experiments were on UDP-based exploits and Bind 8.2.2. Figure 3 presents the MEP signature (the first row) and our token-sequence signature (the second row) computed using the BVI algorithm.³

Both signatures include bytes 6 to 10 which are zero and bytes 505 to 507 which are 0x0000fa (a zero-length Qname followed by the field type TSIG). From Bind's source code, we found that these bytes are the most important tokens for a successful exploit. Besides these tokens, our signature also contains some other bytes. Bytes 4 to 5 are the number of queries inside the packet. Byte 4 must be zero for the UDP-based exploit due to the size limit of a UDP-based packet. However, byte 5's content is unnecessarily specific because an exploit using more than one query could also succeed. On the other hand, byte 5 must be nonzero, which has not been pointed out by the MEP signature. Bytes 10-11 are the 'ARcount' field, which indicates the number of resource records in the additional records part. It must be nonzero to accommodate the TSIG field, but our signature is unnecessarily specific in fixing its value. Byte 12 appears in both signatures, but ours specifies its content. Ten bytes in the interval 73 to 447 in our signature are also unnecessarily specific. These ten bytes serve as the length octets in the 'Qname' field of a query, which are important for the successful parsing of a DNS query. However, an attacker may change the structure of the exploit packet to avoid these bytes. This problem is hard to avoid with only a single instance of the exploit and no application information at all.

The MEP signature also has some problems. It misses bytes 4 and 11, and also contains unnecessarily specific tokens, such as bytes 268 and 500. Byte 500 is also present in our signature. Both bytes signal the end of a query in a particular exploit. However, the attacker can avoid them by changing an exploit packet's structure, such as the number of questions and their sizes. For example, byte 268 has a nonzero value in the exploit used in our research.

³ Our signature may also include the target address set T, which we believe does not make the signature too specific for a control-flow hijacking attack. This is because that set includes all possible jump targets, not a specific address.
A more accurate signature could be generated by our technique given more than one exploit instance. In our research, we compared another exploit of the Bind-TSIG vulnerability with the above one. These two exploit packets share 19 bytes at the same locations of their application payloads. Based on these 19 bytes, the BVI algorithm generated another signature (the third row in Figure 3) with 10 bytes. Only one of them, byte 11, is unnecessarily specific. This signature is comparable to the MEP signature in quality and capable of fending off many attacks on the vulnerability. Using the block-searching technique, a sequential BVI algorithm took 4.881 seconds to generate the first token-sequence signature for Bind. We believe an optimized implementation and introduction of parallelization could improve that performance. The second signature was generated within 0.2 seconds.
Figure 3: Signatures for Bind TSIG. Each entry is byte offset = value in the DNS payload. Annotations from the figure: bytes 4-5 are the DNS total questions, 6-7 the total answer RRs, 8-9 the total authority RRs, 10-11 the total additional RRs, and 505-507 the zero-length Qname followed by the field type TSIG. The entries at 12 and 73 to 447 in the second row are Qname length octets: index + content + 1 is the index of the next record, e.g. 273 + 0x3e + 1 = 336.
  MEP signature: 6 = 0x00, 7 = 0x00, 8 = 0x00, 9 = 0x00, 10 = 0x00, 12 > 2, 268 = 0x00, 500 = 0x00, 505 = 0x00, 506 = 0x00, 507 = 0xfa
  Token-sequence signature based on a single exploit: 4 = 0x00, 5 = 0x01, 6 = 0x00, 7 = 0x00, 8 = 0x00, 9 = 0x00, 10 = 0x00, 11 = 0x01, 12 = 0x3c, 73 = 0x3c, 134 = 0x0c, 147 = 0x31, 197 = 0x0c, 210 = 0x3e, 273 = 0x3e, 336 = 0x1e, 367 = 0x10, 384 = 0x3e, 447 = 0x34, 500 = 0x00, 505 = 0x00, 506 = 0x00, 507 = 0xfa
  Token-sequence signature based on two exploits: 4 = 0x00, 6 = 0x00, 7 = 0x00, 8 = 0x00, 9 = 0x00, 10 = 0x00, 11 = 0x01, 505 = 0x00, 506 = 0x00, 507 = 0xfa
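The discussion above turns on how a token-sequence signature over fixed byte offsets behaves when an exploit packet is restructured. The following Python is an added illustration, not the paper's BVI implementation: it encodes the three Figure 3 rows as offset-to-byte maps, builds DNS-shaped payloads from constructed label-length lists (filler label bytes, nothing more), checks them against the signatures, walks the Qname length-octet chain that produces the ten offsets 73 to 447, and computes the bytes two packets share at the same offsets (the overlap the paper fed to BVI; BVI's vaccine-driven selection of which shared bytes matter is not reproduced). `build_dns_packet`, `matches`, `shared_bytes` and `qname_length_chain` are names chosen here.

```python
"""Token-sequence signatures over DNS payloads as (offset, byte) constraints.

Added example; packets are constructed from label lengths with filler bytes
and only reproduce the layout Figure 3 describes (header counts, Qname length
octets, TSIG record header at offset 505).
"""
import struct

# Figure 3, transcribed: offset -> expected byte value.
FIG3_SINGLE = {4: 0x00, 5: 0x01, 6: 0x00, 7: 0x00, 8: 0x00, 9: 0x00, 10: 0x00,
               11: 0x01, 12: 0x3c, 73: 0x3c, 134: 0x0c, 147: 0x31, 197: 0x0c,
               210: 0x3e, 273: 0x3e, 336: 0x1e, 367: 0x10, 384: 0x3e, 447: 0x34,
               500: 0x00, 505: 0x00, 506: 0x00, 507: 0xfa}
FIG3_TWO = {4: 0x00, 6: 0x00, 7: 0x00, 8: 0x00, 9: 0x00, 10: 0x00, 11: 0x01,
            505: 0x00, 506: 0x00, 507: 0xfa}

TYPE_TSIG = 250  # 0x00fa, the field type TSIG seen at bytes 506-507

# Label lengths that reproduce the single-exploit row's Qname length chain.
FIG3_LABELS = [0x3c, 0x3c, 0x0c, 0x31, 0x0c, 0x3e, 0x3e, 0x1e, 0x10, 0x3e, 0x34]


def build_dns_packet(questions, arcount=1, filler=b"a"):
    """Build a DNS-shaped payload: 12-byte header, one question per entry of
    `questions` (a list of label lengths each), then `arcount` additional
    records whose name is the root label and whose type is TSIG."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, len(questions), 0, 0, arcount)
    body = bytearray()
    for labels in questions:
        for n in labels:
            body += bytes([n]) + filler * n        # length octet, then label bytes
        body += b"\x00" + struct.pack(">HH", 1, 1)  # terminator, QTYPE A, QCLASS IN
    for _ in range(arcount):
        # root name, TYPE TSIG, CLASS ANY, TTL 0, RDLENGTH 0 (no rdata needed here)
        body += b"\x00" + struct.pack(">HHIH", TYPE_TSIG, 255, 0, 0)
    return bytes(header) + bytes(body)


def matches(signature, packet):
    """True when every (offset, byte) constraint of the signature holds."""
    return all(len(packet) > off and packet[off] == val
               for off, val in signature.items())


def shared_bytes(packets):
    """Bytes all packets carry at identical offsets (candidate signature tokens)."""
    n = min(len(p) for p in packets)
    return {i: packets[0][i] for i in range(n)
            if all(p[i] == packets[0][i] for p in packets)}


def qname_length_chain(packet, start=12):
    """Offsets of the Qname length octets from `start` (next = offset + length + 1)
    and the offset of the terminating zero label."""
    offsets, i = [], start
    while i < len(packet) and packet[i] != 0:
        offsets.append(i)
        i += packet[i] + 1
    return offsets, i


if __name__ == "__main__":
    one_query = build_dns_packet([FIG3_LABELS])
    # Same total question-section size, but two questions: byte 5 and the
    # length-octet offsets change, the TSIG header stays at 505.
    two_queries = build_dns_packet([[60, 60, 60, 60], [60, 60, 60, 55]], filler=b"b")
    print("single-exploit signature:", matches(FIG3_SINGLE, one_query),
          matches(FIG3_SINGLE, two_queries))
    print("two-exploit signature:   ", matches(FIG3_TWO, one_query),
          matches(FIG3_TWO, two_queries))
    print("length-octet chain:", qname_length_chain(one_query))
```

The restructured two-question packet defeats the single-exploit row exactly as the text predicts (byte 5 and the length octets no longer match) while the two-exploit row, which fixes only the header counts and the TSIG header, still catches it.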
Quality of the Application-level Signature: ATP-httpd. We also compared our application-level signature for ATP-httpd with the MEP signature in [3]. ATP-httpd contains a vulnerable buffer which will be overrun by a requested filename longer than 680 bytes. Built upon the analysis of the program's binary code, the MEP signature contains richer information than ours. It points out the HTTP command which leads to the vulnerability could be either 'GET' or 'HEAD', while our signature only identifies 'GET' from a single exploit instance. However, the MEP signature contains two specific tokens, '//' and '/', which actually are parts of the shellcode. In addition, the total field length required by their signature is 812 bytes, which is not necessary for an exploit. Our signature offers a better estimate of the vulnerable buffer size. The AVI algorithm determined the maximal length of the field 'filename' as 703, 23 bytes longer than the vulnerable buffer. These 23 bytes turned out to be the local variables between the buffer and the pointer overwritten by the exploit. Our approach took 0.274 seconds to generate the signature. By comparison, the algorithm in [3] spent more than a second to complete a single step of signature generation which converts the results from static analysis into a signature.
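An application-level signature of the kind compared above is a predicate over a parsed request: which commands it covers, which field it measures, and the longest field value considered benign. The Python below is an added example, not the paper's signature format or code: it parses an HTTP request line, applies a field-length signature, and contrasts the two numbers from the text (AVI's 703-byte 'filename' limit for 'GET' against the MEP signature's 812 bytes for 'GET' or 'HEAD', both modelled here simply as a maximum length). `FieldLengthSignature`, `violates` and the constructed requests are this example's own.

```python
"""Field-length (application-level) signatures for HTTP requests. Added example."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class FieldLengthSignature:
    commands: FrozenSet[str]  # HTTP methods the signature applies to
    field: str                # request field whose length is bounded
    max_length: int           # longest value still considered benign


def parse_request_line(request: bytes) -> Optional[dict]:
    """Parse 'METHOD SP request-target SP HTTP-version CRLF'; None if malformed."""
    line, _, _ = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0].decode("ascii", "replace")
    filename = parts[1].split(b"?", 1)[0]  # the query string is not part of the filename
    return {"method": method, "filename": filename, "version": parts[2]}


def violates(sig: FieldLengthSignature, request: bytes) -> bool:
    """True when the request should be dropped by the filter under `sig`."""
    req = parse_request_line(request)
    if req is None or req["method"] not in sig.commands:
        return False
    return len(req[sig.field]) > sig.max_length


# The two signatures discussed in the text, as length bounds (modelling choice).
AVI_ATP_HTTPD = FieldLengthSignature(frozenset({"GET"}), "filename", 703)
MEP_ATP_HTTPD = FieldLengthSignature(frozenset({"GET", "HEAD"}), "filename", 812)


def make_request(method: str, name_len: int) -> bytes:
    """Constructed request whose filename (including the leading '/') is name_len bytes."""
    return (method.encode() + b" /" + b"A" * (name_len - 1)
            + b" HTTP/1.0\r\nHost: example\r\n\r\n")


if __name__ == "__main__":
    for method, n in [("GET", 703), ("GET", 704), ("GET", 750), ("HEAD", 900)]:
        r = make_request(method, n)
        print(f"{method} filename={n}: AVI drop={violates(AVI_ATP_HTTPD, r)}"
              f" MEP drop={violates(MEP_ATP_HTTPD, r)}")
```

A 750-byte filename shows the gap the text describes: it exceeds the 703-byte AVI bound but not the 812 bytes the MEP signature requires, while a 'HEAD' request is covered only by the MEP signature because the AVI signature was derived from a single 'GET' exploit instance.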
In summary, it comes as little surprise that the MEP signatures are more accurate than our signatures in general. However, their quality advantages diminish somewhat with the availability of multiple exploit instances and application information. Furthermore, our black-box approach can perform significantly faster in some cases, and even works with obfuscated binaries which static analysis might not manage well.
False Positives. We tested our signatures for Bind-TSIG, ATP-httpd and light-httpd using the aforementioned DNS and HTTP traces (Table 3). Surprisingly, most false positives come from application-level signatures, which are supposed to be very accurate! Further analysis offers the explanation: these signatures are application-dependent, only working for specific httpd servers, and supposed to be installed on the firewalls connecting to these servers. However, the HTTP traces were collected from edge routers, containing the traffic of other HTTP software that could accommodate a longer field.
Table 3: False Positives. T refers to the target address set of the vulnerable application.
  Exploits                           BIND tsig                Lighthttpd                   ATPhttpd
  False+ (Application Signature)     —                        0.602%                       0.0077%
  False+ (Byte-Sequence Signature)   w/ T, 0%; w/o T, 0%      w/ T, 0%; w/o T, 0.0006%     w/ T, 0%; w/o T, 0.142%
4. EXAMPLE APPLICATION: PROTECTING INTERNET SERVERS
In this section, we present an architecture which applies packet vaccine to protect Internet servers from remote control-flow hijacking attacks. This architecture serves as an example to demonstrate the potential application of our technique. We also prototyped the architecture under Linux and empirically evaluated its performance.
4.1 Architecture
Figure 4 illustrates the architecture we propose. A service request is first intercepted and cached by a service proxy and parsed by a parser. The parser is optional here and only useful when we use application-level signatures. Then, the request is screened by a filter which identifies and drops known exploits using exploit signatures. Behind the filter, a detector examines the request and labels it as either normal or suspicious. The detector could simply be part of our packet vaccine mechanism, which classifies packets with regard to the appearance of address-like tokens in their payloads. Alternatively, we could employ other simple detection techniques, such as one which identifies packets with overlong fields. After classification, a normal request is forwarded to a server farm directly, while a suspicious request triggers the packet vaccine mechanism which acts as discussed in Section 2. If that request is determined to contain an exploit, packet vaccine generates a new signature and adds it to the filter. Otherwise, the proxy forwards the original request to the server farm.
The packet vaccine mechanism makes use of a small set of test servers in the server farm to test vaccine packets. A test server has a collector on it, which serves to glean information from registers' contents should an exception happen. In the case that the service being provided is stateful, the test server also needs a checkpoint/rollback (CR) mechanism to recover the state before each test. Such a rollback mechanism could be extremely lightweight (e.g., [8, 31]). Signature generation can also happen on a test server.
Figure 4: An architecture to protect Internet servers using packet vaccine. (Components shown: service requests pass through the service proxy, protocol parser, packet filter and detector; normal requests go to the server farm; exploits matched by the filter are dropped; suspicious requests go to packet vaccine, which sends vaccines to the test servers and returns BVI/AVI signatures to the filter.)
4.2 Performance Study
To implement a prototype system for HTTP service, we developed a service proxy and a filter (including an HTTP parser), and combined them with our implementation of packet vaccine (Section 3.1) which contains a detector. Since HTTP is a stateless service, we did not implement the process-level CR in this prototype.
Over the prototype system, we carried out a performance test. Two hosts were used in our experiment, one for both the proxy and the test server and the other for the web server. Both were equipped with 2.53GHz Intel Pentium 4 Processor and 1GB RAM, and running Redhat Enterprise 2.6.9-22.0.1.EL. They were interconnected through a 100MB switch. We utilized an Apache 2.0.55 to provide web service. In our experiment, we evaluated the performance of our implementation from the following perspectives: (1) Server overheads, where we compared the workload capacity of our implementation with that of an unprotected Apache server; (2) Client-side delay, where we studied the average delay a client experiences under different test rates.
Server overheads. We tested the workload capacity using ApacheBench (ab) 2.0.41-dev, which comes bundled with the Apache source distribution. ApacheBench is a tool for benchmarking the Apache web server. In our experiment, we measured the workload capability in terms of requests processed per second (requests/second) under the following five server configurations: (0) 'Apache only', (D0) 'Apache and the proxy on different hosts', (S0) 'Apache and the proxy on the same host', (D1) 'Apache on one host, and the proxy and packet vaccine on another', (S1) 'Apache, proxy and packet-vaccine all on the same host'.
Figure 5 illustrates the experiment results. At a first glance, it seems that our implementation brought down the Apache's performance by about 44% in the setting (D1) and about 29% in the setting (S1), which is quite unpleasant. A close look at the results, however, reveals that the major performance penalty came from the service proxy. The homegrown proxy used in our proof-of-concept implementation could not keep up with the high performance of Apache and therefore dragged down the performance of the whole system. Simply adding the proxy into the system introduced about 43% performance penalty in (D0) and 27% in (S0). On the other hand, the packet vaccine components worked pretty fast. They only affected the performance by 1% to 2%. Therefore, we tend to believe that a high-performance HTTP proxy could greatly improve the workload capability.
Client-side delay. Once the detector identifies a suspicious request, a round of exploit detection will be triggered to test that request. This introduces delay to a legitimate client if the request turns out to be innocent. Here, we call the ratio of service requests being tested (i.e., the fraction deemed suspicious) the test rate. If the test rate increases, the average delay experienced by a legitimate client will also increase. In our experiment, we studied the change of the client-side delay against different test rates. We carried out both a local experiment within IU's campus network and a cross-campus experiment between IU and NCSU. The experimental results are presented in Figure 6.
Figure 5: The workload capacities in five different server settings. (Bar chart "Workload Capacity of Apache Server", requests/s: Apache only 1435.56; D0 812.97; D1 804.63; S0 1043.09; S1 1016.07.)
Figure 6: The average delay experienced by a local or remote client. (Two panels, "The average delay of local clients" with Delay (ms) from 0.00 to 2.00 and "The average delay of remote clients" with Delay (ms) from 0 to 80, each plotted against Test Rate (%) from 0 to 100 for 'Apache only' and 'Apache with Packet Vaccine'.)
As we expected, the average delay for a local client increased almost linearly with the test rate. However, this result could be misleading, as the local client experienced much smaller round trip delay (RTD) than an average Internet user: the RTD in a campus we measured is around 300μs, while the average RTD on the Internet is much larger. Therefore, an Internet client's perception of the presence of packet vaccine could be completely overshadowed by the RTD. This was confirmed in the cross-campus experiment: as presented in Figure 6, the 75ms RTD between the two campuses dominated the client-side delay, making the 1ms overhead of our protection mechanism negligible.
In summary, packet vaccine does introduce performance penalties to the server, but we believe this penalty is acceptable if weighed against the security enhancements it offers. On the other hand, the client-side overhead is almost negligible, being dwarfed by the RTD an average Internet client experiences.
5. LIMITATIONS
Packet vaccine may have false negatives in exploit detection. For example, there is a possibility that the randomizations performed by our approach destroy the exploit's semantics. This seems more likely to occur for applications using binary protocols, though so far we have not found an example "in the wild". In general, our approach is more reliable in protecting applications using text-based protocols. Several ways to reduce the likelihood of this problem were discussed in Section 2.3. A simple approach is to generate multiple vaccines, each randomizing one byte of an address-like token. In this way, if the exploit semantics survives any of these randomizations, our approach will detect the exploit.
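Two pieces of the mechanism are described in prose on this page: the detector of Section 4.1, which labels a request suspicious when its payload contains address-like tokens, and the mitigation just above, which derives several vaccines from one request by randomizing a single byte of such a token at a time. The Python below is an added example covering both, not the paper's Section 3.1 implementation. It assumes a target address set T modelled as one constructed address range (a real deployment would derive T from the protected process's memory layout), and the sample request is constructed for the demonstration; `address_like_tokens`, `one_byte_vaccines` and `changed_positions` are names chosen here.

```python
"""Address-like token detection and one-byte-per-vaccine randomization.

Added example. TARGET_RANGE is a constructed stand-in for the target address
set T, not a value from the paper.
"""
import random
import struct

# Assumption: T is one contiguous range of candidate jump targets.
TARGET_RANGE = (0xBFFF0000, 0xBFFFFFFF)


def address_like_tokens(payload: bytes, target_range=TARGET_RANGE, width=4):
    """Offsets of every `width`-byte little-endian word whose value lies in T."""
    lo, hi = target_range
    return [i for i in range(len(payload) - width + 1)
            if lo <= int.from_bytes(payload[i:i + width], "little") <= hi]


def is_suspicious(payload: bytes, target_range=TARGET_RANGE) -> bool:
    """The detector's verdict: suspicious iff at least one token looks like an address."""
    return bool(address_like_tokens(payload, target_range))


def one_byte_vaccines(payload: bytes, token_offsets, width=4, rng=None):
    """One vaccine per token byte, each differing from the payload in exactly
    that byte. If the exploit semantics survive any single randomization,
    that vaccine still raises the exception on the test server."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    vaccines = []
    for off in token_offsets:
        for k in range(width):
            v = bytearray(payload)
            original = v[off + k]
            v[off + k] = rng.choice([b for b in range(256) if b != original])
            vaccines.append(bytes(v))
    return vaccines


def changed_positions(a: bytes, b: bytes):
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample: a text-protocol request carrying one 4-byte word that
# decodes to a value inside TARGET_RANGE (offset 21).
SAMPLE = b"GET /" + b"A" * 16 + struct.pack("<I", 0xBFFFF3C0) + b" HTTP/1.0\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n"


if __name__ == "__main__":
    print("benign suspicious?", is_suspicious(BENIGN))
    hits = address_like_tokens(SAMPLE)
    print("sample token offsets:", hits)
    for v in one_byte_vaccines(SAMPLE, hits):
        print("vaccine differs at", changed_positions(SAMPLE, v))
```

Scanning every byte-aligned window rather than only field boundaries is deliberate: an address embedded in an unaligned position of a binary or text field is still found, at the cost of the detector being only a coarse classifier, which is why the architecture sends suspicious requests on to the vaccine test rather than dropping them.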
Our approach cannot work directly on packets with encrypted payload or checksums. In this case, we need an application-level proxy to decode these packets and construct new packets for vaccine generation.
Both types of signatures we use in our research are limited in their capabilities to represent necessary exploit conditions. For example, null-httpd contains a vulnerability that allows one to specify a smaller buffer while supplying a longer payload. An ideal signature is to check whether the real payload size matches the specified size. However, none of our signatures can describe this condition. We leave it to future work to examine how to use our black-box techniques to acquire information for more expressive signatures [38, 3].
6. RELATED WORK
Network anomaly detection (NAD) has been widely used to detect exploit attempts from network traffic [41, 39, 35, 12]. A typical network signature generator extracts common substrings from attack data flow as an exploit signature. Examples include Earlybird [30], Honeycomb [11], Autograph [10], SweetBait [26], Polygraph [22], Hamsa [13] and PADS [32]. Signature generation solely relying on network information can be misled into generating an incorrect signature by carefully crafted attack packets, which helps a worm to evade detection [25] or causes legitimate packets to be dropped.
Host-based approaches make use of host information to detect anomalies and generate signatures. As exploits actually happen on a host, these approaches can be more accurate than network-based approaches. TaintCheck [23], VSEF [21], Minos [6], Vigilante [5] and DACODA [7] track data flow through a process from the receipt of a network packet (or modification thereof [23]) to the point where an anomaly happens, e.g., jumping to an address offered by the input data. These approaches can slow the running process significantly, however, by an order of magnitude or more. In contrast, our vaccine mechanism tracks suspicious data flow in a black-box fashion, which is significantly faster than these gray-box approaches and still preserves much of their accuracy in cases we have explored. Some host-based approaches apply static analysis [3] to identify a program's vulnerabilities. Such an approach no longer works over well-obfuscated binaries.
Liang et al. and Xu et al. proposed two approaches [40, 14] that use memory address-space randomization (ASR) to foil exploit attempts, and then automatically generate signatures through forensic analysis of the related exceptions. In particular, COVERS [14] was the first to propose a novel construction of application-level signature which uses field length to characterize a buffer overflow vulnerability. Although we also use this signature, our AVI technique augments their approach by making an accurate estimate of the field length. Our technique also offers a more reliable way to correlate exceptions with the exploit packets.
In an attempt to find a balance between performance and accuracy, several hybrid approaches combining network-based and host-based techniques have been developed [1, 15, 29]. However, many of them are based on instrumenting a vulnerable program's source code, and are therefore less suitable for protecting commodity software. HACQIT [27] invokes a test process after an exploit crashes a protected program, and replays suspicious packets to a sandbox running the same program to monitor whether the same exception happens again. However, this approach does not offer a reliable means to establish a correlation between the exception and the exploit inputs.
The vaccine technique can trace its root to software robustness testing, especially software-implemented fault injection (SWIFI) [18]. SWIFI is a software testing and evaluation method which involves inserting random faults into a system to determine its response to these faults. Some important SWIFI systems include the Crashme program [4], the Fuzz project [17], the FIAT system [2], the FERRARI system [9], the FTAPE system [36], and Ballista [33]. Our proposal differs fundamentally from these approaches in two respects. First, we rely on anomalous packets to guide vaccine generation, making our vaccines more likely to reveal a program's vulnerabilities than the random faults used in a typical SWIFI approach. Second, we aim at exploit prevention and will generate exploit signatures to shield the software vulnerabilities discovered.
7. CONCLUSIONS
In this paper, we presented packet vaccine, a fast, black-box technique for exploit detection, vulnerability diagnosis and signature generation. We described its design and examples for its application. We also implemented a proof-of-concept prototype, and evaluated our technique using it. Our experimental results demonstrate the effectiveness of our technique, which successfully captures real exploits and generates effective signatures, and its efficiency, which improves over gray-box approaches in many cases.
8. REFERENCES
[1] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of USENIX Security Symposium 2005, August 2005.
[2] J. H. Barton, E. W. Czeck, Z. Z. Segall, and D. P. Siewiorek. Fault injection experiments using FIAT. IEEE Trans. Comput., 39(4):575–582, 1990.
[3] David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006.
[4] George J. Carrette. CRASHME: Random input testing. http://people.delphiforums.com/gjc/crashme.html, as of March, 2006.
[5] Manuel Costa, Jon Crowcroft, Miguel Castro, Antony I. T. Rowstron, Lidong Zhou, Lintao Zhang, and Paul T. Barham. Vigilante: end-to-end containment of internet worms. In SOSP, pages 133–147, 2005.
[6] Jedidiah R. Crandall and Frederic T. Chong. Minos: Control data attack prevention orthogonal to memory model. In MICRO, pages 221–232, 2004.
[7] Jedidiah R. Crandall, Zhendong Su, and S. Felix Wu. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In CCS '05: Proceedings of the 12th ACM conference on Computer and communications security, pages 235–248, 2005.
[8] George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, and Peter M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of OSDI, 2002.
[9] Ghani A. Kanawati, Nasser A. Kanawati, and Jacob A. Abraham. FERRARI: A flexible software-based fault and error injection system. IEEE Trans. Comput., 44(2):248–260, 1995.
[10] Hyang-Ah Kim and Brad Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of 13th USENIX Security Symposium, pages 271–286, San Diego, CA, USA, August 2004.
[11] Christian Kreibich and Jon Crowcroft. Honeycomb: creating intrusion detection signatures using honeypots. SIGCOMM Computer Communication Review, 34(1):51–56, 2004.
[12] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Proceedings of RAID '05, pages 207–226, September 2005.
[13] Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao, and Brian Chavez. Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P '06), pages 32–47, 2006.
[14] Zhenkai Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In CCS '05: Proceedings of the 12th ACM conference on Computer and communications security, pages 213–222, 2005.
[15] Michael E. Locasto, Ke Wang, Angelos D. Keromytis, and Salvatore J. Stolfo. FLIPS: Hybrid adaptive intrusion prevention. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005.
[16] MemView. http://www2.biglobe.ne.jp/~sota/memview-e.html, as of May, 2006.
[17] Barton Miller, David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. Fuzz revisited: A re-examination of the reliability of UNIX utilities and services. Technical report, 1995.
[18] J. D. Musa, G. Fuoco, N. Irving, B. Juhlin, and D. Kropfl. Handbook of Software Reliability Engineering, chapter The Operational Profile, pages 167–216. McGraw-Hill, 1996.
[19] Gleb Naumovich and Nasir D. Memon. Preventing piracy, reverse engineering, and tampering. IEEE Computer, 36(7):64–71, 2003.
[20] Associated Press News. Microsoft warns against outside fixes. http://biz.yahoo.com/ap/060331/microsoft_s_security_snags.html?.v=4, March 31, 2006.
[21] James Newsome, David Brumley, and Dawn Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the 13th Annual Network and Distributed Systems Security Symposium, 2005.
[22] James Newsome, Brad Karp, and Dawn Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of IEEE Symposium on Security and Privacy, pages 226–241, Oakland, CA, USA, May 2005.
[23] James Newsome and Dawn Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, February 2005.
[24] A. Pasupulati, J. Coit, K. Levitt, S. F. Wu, S. H. Li, R. C. Kuo, and K. P. Fan. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In Proceedings of the 9th IEEE/IFIP Network Operation and Management Symposium (NOMS '2004), May 2004.
[25] Roberto Perdisci, David Dagon, Wenke Lee, Prahlad Fogla, and Monirul Sharif. Misleading worm signature generators using deliberate noise injection. In IEEE Symposium on Security and Privacy, page to appear, May 2006.
[26] Georgios Portokalidis and Herbert Bos. SweetBait: Zero-hour worm detection and containment using honeypots. Technical Report IR-CS-015, Vrije Universiteit Amsterdam, May 2005.
[27] James C. Reynolds, James Just, Larry Clough, and Ryan Maglich. On-line intrusion detection and attack prevention using diversity, generate-and-test, and generalization. In HICSS '03: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS '03) - Track 9, page 335.2, 2003.
[28] David W. Richardson, Steven D. Gribble, and Edward D. Lazowska. The limits of global scanning worm detectors in the presence of background noise. In WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode, pages 60–70. ACM Press, 2005.
[29] Stelios Sidiroglou, Michael E. Locasto, Stephen W. Boyd, and Angelos D. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, pages 149–161, April 2005.
[30] Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage. Automated worm fingerprinting. In Proceedings of OSDI, pages 45–60, 2004.
[31] Sudarshan M. Srinivasan, Srikanth Kandula, Christopher R. Andrews, and Yuanyuan Zhou. Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In USENIX Annual Technical Conference, General Track, pages 29–44, 2004.
[32] Yong Tang and Shigang Chen. Defending against internet worms: A signature-based approach. In Proceedings of IEEE INFOCOM 05, Miami, Florida, USA, May 2005.
[33] The Ballista Project: COTS Software Robustness Testing. http://www.ece.cmu.edu/~koopman/ballista/, as of January, 2006.
[34] Microsoft Debugging Tools. http://www.microsoft.com/whdc/devtools/debugging/default.mspx, as of May, 2006.
[35] Thomas Toth and Christopher Krügel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of RAID, pages 274–291, 2002.
[36] Timothy K. Tsai and Ravishankar K. Iyer. Measuring fault tolerance with the FTAPE fault injection tool. In MMB '95: Proceedings of the 8th International Conference on Modelling Techniques and Tools for Computer Performance Evaluation, pages 26–40. Springer-Verlag, 1995.
[37] Paul C. van Oorschot. Revisiting software protection. In Proceedings of ISC, pages 1–13, 2003.
[38] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In SIGCOMM, pages 193–204, 2004.
[39] Ke Wang and Salvatore J. Stolfo. Anomalous payload-based network intrusion detection. In Proceedings of RAID Symposium 2004, pages 203–222, 2004.
[40] Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, and Chris Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In CCS '05: Proceedings of the 12th ACM conference on Computer and communications security, pages 223–234, 2005.
[41] Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha. An architecture for generating semantics-aware signatures. In Proceedings of USENIX Security Symposium 2005, August 2005.