Packet Vaccine: Black-box Exploit Detection and Signature Generation

Dr. XiaoFeng Wang Spring 2006

Packet Vaccine: Black-box Exploit Detection and Signature Generation

XiaoFeng Wang, Zhuowei LiJun Xu, Mike ReiterChongkyung Kil and Jong Youl Choi


Automated Exploit Defense


Expectations for Automated Defense?

A perfect fix to vulnerable software?

A reasonably secure and fast-generated fix seems more realistic


Automatic Exploit Defense: the State of Art

Source code instrument Static analysis of source code

Monitor an application’s execution to the break point Static analysis of binary code


Vaccine

Vaccine: a weakened viruses or bacteria for stimulating antibody production

How about a black-box “packet vaccine” ?


IDEAS

1. scramble anomalous payload

2. exception and analysis

3. Injection of vaccine variances


Properties

Fast Exploit Detection

Black-box Signature GenerationWork on obfuscated code

Little or no modification to the protected system


Design

1. Vaccine Generation2. Exploit Detection

3. Vulnerability Analysis

4. Signature Generation


Vaccine Generation

How to generate a weakened exploit?

Our approach1. Identify an address-like byte token on a packet

2. Randomize it


Address-like Tokens

Use address range stack: 0xc0000000 heap: 0x08048000 entries of some libc functions

Where to get them?Linux: /proc/pid/maps Windows: debugging tools/memory monitoring tools


Example

Byte sequence `7801cbd3' falls in the address range of “msvcrt.dll”

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n

Orignal Code Red:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%ua001%u9090%u6858%ucbd3%u0401%u9090%u6858%ucbd3%u8c01%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n

Vaccine for Code Red:


Exploit Detection and Vuln. Diagnosis

Detection: Exception happens

DiagnosisPickup the contents from CR2 and EIPMatch them to the scrambled byte sequencesLocate the corrupted pointer


Signature Generation (1)

App-independent Signatures Byte sequences

Byte-based Vaccine Injection (BVI)Modify one byte and the jump addressSend to the applicationnot crash important byte


Signature Generation (2)

Application-level Signatures field length (buffer overrun) special symbols (e.g, “%n” for formate string)

App-based Vaccine Injection (AVI) the minimal field length crash remove special tokens no crash


Performance

BVI is parallelizable for multi-process application

AVI can be enhanced by binary search


Implementation

Intercept application-level dataflow to detect suspicious tokens

Scramble them to generate vaccines

Signature generation (RedHat Linux 7.3)Verifier: implemented using ptraceProber: local/remoteProber and verifier: a persistent connection Verifier notifies Prober of exceptions


Experiment: Vaccine Effectiveness


Experiment: Signature Generation


Signature Quality: BIND

Comparison between our signature and MEP (oakland 06)


Signature Quality: ATP http

MEP get “GET” and “HEAD”But specific tokens ‘/’ and ‘//’ and longer field length (812)

AVI:Only “GET”But more precise field length (703)

The real buffer size is 680


False positives


Application: Protecting Internet Servers

Packet Vaccine

Signatures

BVI/AVI

Vaccines

Suspicious

T T

Server Farm

T

Packet Filter

Application-based signatures

Protocol Parser

Known protocol specifications, e.g.

RFC of http

Service Proxy

A high-performance router can be applied here, e.g. IXP1200

Exp

loits

Dropped

Detector

e.g., using suspicious return addressess or

existing NADs

Normal

Service Requests


Server Workload

0: Apache, S1: Proxy+Vaccine-same-Apache S0: Proxy-same-Apache, D1: Proxy+Vaccine-diff-Apache, D0: Proxy-diff-Apache

Workload Capacity of Apache Server

812.97 804.63

1043.09 1016.07

1435.56

0

500

1000

1500

D0 D1 S0 S1 0

Req

ue

sts

per

sec

on

d

1043.09-1016.07=27.02

812.97-804.63=8.34


Local Client Delay

The average client-delay (by local clients)

0.00

0.50

1.00

1.50

2.00

0 10 20 30 40 50 60 70 80 90 100False Alarm Rate (%)

Clie

nt

De

lay

(m

s)

Apache with Packet Vaccine

Apache without Packet Vaccine


Remote Client Delay

The average client-delay (by remote clients)

0

20

40

60

80

0 10 20 30 40 50 60 70 80 90 100

False Alarm Rate(%)

Clie

nt

Del

ay (

ms)

Apache without Packet Vaccine

Apache with Packet Vaccine


Other Applications

Vulnerability Scanner

A lightweight replacement for Grey-box approaches

Proactive discovery and fix of vulnerabilities


Limitations

False negatives in exploit detection

Encrypted payload and checksums

Signature limitations in representation


Future Work

Generation of more accurate signatures

Proactive detection of software vulnerabilities

Documents

Packet Vaccine: Black-box Exploit Detection and Signature Generation