Analyzing and Detecting Network Security Vulnerability
Weekly report
Fan-Cheng Wu
Approach
1. Do some statistics on Cisco Advisories.
   – Classification methodology (on-going)
2. Classify the Advisories in various ways.
   – Read and classify Cisco advisories (on-going)
3. Select one Advisory from each category.
4. Find the root cause by reading program diff files, engineering notes, or interviewing development engineers.
5. For each Advisory/vulnerability category, develop ways to parse programs to look for such vulnerability.
6. Write the parser with the above detection capability.
Initial start
Weekly report 2007/08/17
Weekly Report
Cisco Advisories
Example for Vulnerability Classification
[Figure: characteristic tree for protocol vulnerabilities; a network time protocol (NTP) exploit]
Analyzing Cisco Advisories
Weekly report 2007/08/23
Outline
• Overview Cisco advisories
• Classifying Cisco advisories
• Tools to detect problems in code
• Secure coding
Overview Cisco Advisories
• What information does a Cisco advisory provide?
  – For example: [Multiple Vulnerabilities in the IOS FTP server]
    Table of Content
Overview Cisco Advisories (cont.)
• Details
  – Cause
  – Symptom
  – Protocol
• Impact
Overview Cisco Advisories (cont.)
• Vulnerability Scoring Details
Classifying Cisco Advisory
• For example: [Multiple Vulnerabilities in the IOS FTP server]
  – Information in advisory
    • Protocol, Cause, Symptom, Access, Impact …
  – Impossible to classify advisory by
    • Improper authorization checking in IOS FTP server
    • IOS reload when transferring files via FTP
Design flaw? Implementation flaw?
Detecting Vulnerability
• Design flaw
  – Function extraction [1]
• Implementation flaw
  – Secure coding [2]
[1] Pleszkoch, M. & Linger, R. "Improving Network System Security with Function Extraction Technology for Automated Calculation of Program Behavior." IEEE Computer Society Press, 2004.
[2] "Secure coding," http://www.securecoding.cert.org/
Detecting Design Flaw
Implementation flaw
• Language
  – C
    • Preprocessor
    • Memory management
    • Array
    • …
  – C++
Classification Methodology for Vulnerability
Weekly report 2007/09/14
Outline
• Previous work
  – Landwehr's taxonomies [1]
  – Bishop's taxonomies [2]
  – Piessen's taxonomy [4]
  – Du's categorization [3]
  – Engle's tree classification [5]
• Applying Engle's scheme to Cisco advisory
Landwehr's taxonomies
• By Genesis
• By Time of introduction
• By Location
[Figure labels: Consider single dimension; Consider multiple dimensions]
Bishop's taxonomies
• Describing the vulnerabilities in a form which is useful for intrusion detection mechanisms
• Each vulnerability is classified by
  – The nature of the flaw
  – The time of introduction
  – The exploitation domain of the vulnerability
  – The effect domain
  – …
[Figure labels: Ambiguous; ill-defined]
Piessen's taxonomy
• Classifying with the software life-cycle
Du's categorization
• Describing security flaws in several areas
• Categorization of sample security flaws
Engle's tree classification
• Vulnerabilities may fall into multiple classes.
• Classification steps:
  1. Define characteristic set for vulnerability
  2. Create characteristic tree by bottom-up approach
  3. Classify vulnerability
• For example:
[Figure: Step 1, complete characteristic tree; Step 2, characteristic tree for {Q, Heart}]
Previous Works
• A table for summarizing previous works (not ready)
Complete Characteristic Tree for exploit
[Figure: complete characteristic tree for an exploit. Root: Exploit. Children: Vulnerability (Genesis and Time of introduction, both from Landwehr's taxonomy) and Symptoms (DoS, Privilege escalation, Information Disclosure). Genesis leaves shown: Trojan horse, Trapdoor. Time of introduction leaves shown: Design, Maintenance.]
Classifying CSCek55259
[Figure: characteristic tree for exploit CSCek55259, "Improper authorization checking in IOS FTP". Vulnerability: Genesis = Inadvertent, Identification/Authentication …; Time of introduction = During Development, Specification/Design. Symptoms: Privilege escalation.]
Reference
1. Landwehr, C. E., Bull, A. R., McDermott, J. P., et al. "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, 1994, 26(3):211-254.
2. Matt Bishop, "A Taxonomy of UNIX System and Network Vulnerabilities," Technical Report CSE-95-10, Department of Computer Science, University of California at Davis, May 1995.
3. Du, W., Mathur, A. P., "Categorization of software errors that led to security breaches," Proceedings of the 21st National Information Systems Security Conference (NISSC '98), 1998.
4. F. Piessens, "A taxonomy of causes of software vulnerabilities in Internet software," Proceedings of the 13th International Symposium on Software Reliability Engineering, Annapolis, Maryland, USA, November 2002.
5. Sophie Engle, Sean Whalen, Damien Howard, "Tree Approach to Vulnerability Classification," Technical Report CSE-2006-10, Dept. of Computer Science, University of California at Davis, May 2006.
<exploit id="CSCek55259" desc="Improper authorization checking in IOS FTP">
  <vulnerability>
    <genesis>
      <identification></identification>
    </genesis>
  </vulnerability>
  <time>
    <development>
      <design></design>
    </development>
  </time>
  <symptom>
    <dos></dos>
    <privilege></privilege>
  </symptom>
</exploit>
[Figure: characteristic tree for exploit CSCek55259. Vulnerability: Genesis = Inadvertent, Identification/Authentication …; Time of introduction = During Development, Specification/Design. Symptoms: DoS, Privilege escalation.]
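Added example, not part of the report: a Python sketch of the tree classification applied to the <exploit> record above. It extracts the record's root-to-leaf characteristic paths and checks each against a characteristic tree; the tree's node names are assumed from the slide labels and the function names are mine.

```python
"""Added example (not from the report): extract the characteristic paths of
the slide's <exploit> record and validate them against a characteristic tree."""
import xml.etree.ElementTree as ET

# Assumed characteristic tree built from the slide labels (nested dicts = tree
# nesting, None = leaf). Landwehr's real taxonomy has more nodes than this.
CHARACTERISTIC_TREE = {
    "vulnerability": {"genesis": {"identification": None,
                                  "trojan_horse": None, "trapdoor": None}},
    "time": {"development": {"design": None}, "maintenance": None},
    "symptom": {"dos": None, "privilege": None, "disclosure": None},
}

# The slide's record, re-indented only.
SAMPLE_RECORD = """<exploit id="CSCek55259" desc="Improper authorization checking in IOS FTP">
  <vulnerability><genesis><identification/></genesis></vulnerability>
  <time><development><design/></development></time>
  <symptom><dos/><privilege/></symptom>
</exploit>"""

def leaf_paths(elem, prefix=()):
    """Yield every root-to-leaf tag path below (and including) elem."""
    path = prefix + (elem.tag,)
    if len(elem) == 0:
        yield path
    for child in elem:
        yield from leaf_paths(child, path)

def classify(xml_text):
    """Return (exploit id, list of characteristic paths) for one record.
    One record may yield several paths: a vulnerability can fall into
    multiple classes (here both DoS and privilege escalation)."""
    root = ET.fromstring(xml_text)
    paths = [p for child in root for p in leaf_paths(child)]
    return root.get("id"), paths

def in_tree(path, tree=CHARACTERISTIC_TREE):
    """True only if path walks from the root to an exact leaf of the tree."""
    node = tree
    for tag in path:
        if not isinstance(node, dict) or tag not in node:
            return False
        node = node[tag]
    return node is None

def validate(xml_text):
    """Split the record's paths into those the tree knows and those it doesn't."""
    _, paths = classify(xml_text)
    return [p for p in paths if in_tree(p)], [p for p in paths if not in_tree(p)]
```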
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits [1]
Weekly report 2007/09/28
[1] Newsome, J., Song, D. "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software." Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005), 2005.
Outline
• Goal
  – Fine-grained attack detector for commodity software
  – Automatic tools for signature generation
• Design and Implementation
• Evaluation
  – Precision
  – Performance
• Attack Detector
• Automatic Signature Generation
Goal
• Fine-grained attack detector for commodity software
  – Fine-grained attack detector
  – No need to recompile source code and libraries
• Automatic tools for signature generation
Monitoring program in run-time
• In order to monitor the program at run-time, we run the PUT (program under test) on a virtual machine.
• Valgrind [2]
  – An open-source virtual machine on Linux
  – Provides a skin (tool) mechanism to instrument the program in various ways
• TaintCheck, a skin of Valgrind that
  – marks untrusted input as tainted (TaintSeed)
  – traces tainted data (TaintTracker)
  – checks whether policies are violated by instructions (TaintAssert)
[2] Valgrind, http://valgrind.org/
System Architecture
[Figure: layered system architecture. Bottom to top: Hardware, OS, Valgrind (basic infrastructure, with skins such as MemCheck), Program Under Test. An Exploit Analyzer component analyzes TaintAssert's log into useful information about how the exploit happened.]
False Positive
• Possible causes of false positives
  – The program contains a vulnerability that should be fixed
  – The program performs sanity checks on the tainted data before it is used
• Evaluation
  – Tested 13 programs
  – False positives were produced in 2 programs when reading data from a configuration file as an offset to a jump address
False Negative
• Possible causes of false negatives
  – The tainted attribute of flags is not considered, for example:
    Suppose x is tainted
      if ( x == 1 ) y=1; else if ( x == 2 ) y=2; …
    is semantically the same as
      y = x
  – Tainted data is used as an index into a table.
  – TaintCheck is configured to trust input that should not be trusted.
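Added example, not TaintCheck's code: a toy register interpreter (instruction and register names are mine) that plays the three roles described above, TaintSeed on load, TaintTracker on mov/add, TaintAssert on jmp, and reproduces the false negative from this slide, where the if/else chain copies x into y without any tainted data flow.

```python
"""Added example (not TaintCheck's code): a toy interpreter with one taint bit
per register, showing TaintSeed / TaintTracker / TaintAssert and the
control-flow false negative from the slide. The instruction set is invented."""
TAINTED_SOURCES = {"recv"}          # assumption: only socket input is untrusted

class TaintVM:
    def __init__(self):
        self.val, self.taint, self.alerts = {}, {}, []

    def run(self, program):
        for op, *args in program:
            if op == "load":                    # load dst, source, value   (TaintSeed)
                dst, src, v = args
                self.val[dst], self.taint[dst] = v, src in TAINTED_SOURCES
            elif op == "mov":                   # mov dst, a                (TaintTracker)
                dst, a = args
                self.val[dst], self.taint[dst] = self.val[a], self.taint[a]
            elif op == "add":                   # add dst, a, b             (TaintTracker)
                dst, a, b = args
                self.val[dst] = self.val[a] + self.val[b]
                self.taint[dst] = self.taint[a] or self.taint[b]
            elif op == "seteq":                 # seteq dst, a, k: if a == k then dst = k
                dst, a, k = args                # a constant store clears taint, although
                if self.val[a] == k:            # dst now depends on a through control flow
                    self.val[dst], self.taint[dst] = k, False
            elif op == "jmp":                   # jmp target                (TaintAssert)
                (t,) = args
                if self.taint.get(t, False):
                    self.alerts.append(f"tainted jump target in {t} = {self.val[t]:#x}")
            else:
                raise ValueError(f"unknown op {op}")
        return self.alerts

def detected_case():
    """Untrusted input flows straight into a jump target: TaintAssert fires."""
    vm = TaintVM()
    return vm.run([("load", "x", "recv", 0x4000), ("mov", "ret", "x"), ("jmp", "ret")])

def missed_case():
    """The if/else chain from the slide: y ends up equal to x, yet no taint
    reaches y, so the tainted jump through y goes unreported (false negative)."""
    vm = TaintVM()
    alerts = vm.run([("load", "x", "recv", 2),
                     ("seteq", "y", "x", 1), ("seteq", "y", "x", 2),
                     ("jmp", "y")])
    return alerts, vm.val["y"] == vm.val["x"]
```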
Performance
• CPU-bound: bzip2
• Short-lived: cfingerd
Performance (cont.)
• Common case: Apache
Attack Detector
• Performance overhead
• Using TaintCheck with
  – sampling
  – anomaly detection
Automatic Signature Generation
• Identifying the value used to overwrite a function pointer or return address