Detecting past and present intrusions through vulnerability-specific predicates
Ashlesha Joshi, Sam King, George Dunlap, and Peter Chen
University of Michigan
Motivation
• Software contains bugs, including flaws that may be exploited by an attacker
• Some time passes before vendor becomes aware of bug
• Software vendors try to release patches quickly
[Timeline: vulnerability introduced → vulnerability discovered → patch released]
Motivation
• Users don’t always apply patches quickly
  – Concerns about unstable patches
  – Unacceptable downtime
• Can I somehow protect my system before I install the patch?
[Timeline: vulnerability introduced → vulnerability discovered → patch released → patch applied]
Motivation
• Was this vulnerability triggered on my machine in the past?
[Timeline: vulnerability introduced → patch released → patch applied]
Predicates
• Patch writer knows exactly what conditions during program execution indicate triggering of vulnerability
• Use this knowledge to write exploit-generic, vulnerability-specific predicates that check these conditions
  – No false positives or false negatives
An example
char *str = some_string;
int length = strlen(str);
char buf[BUFSIZE];
strcpy(buf, str); // D’oh!

Predicate: (length >= BUFSIZE)
Approach
[Timeline: vulnerability introduced → “past” → patch released → “present” → patch applied]
“past”: Using replay, detect if vulnerability was triggered in past
“present”: Monitor ongoing execution to detect and respond to attempts to trigger vulnerability
Goals
The system must…
1. Not perturb the target software
2. Work for both OS and application-level vulnerabilities
3. Allow predicates to be installed dynamically
4. Allow predicates to be written easily
5. Have low overhead
Challenge #1: Where do predicates execute?
[Figure: software stack (hardware, operating system, application) with the predicate engine shown at three candidate levels: alongside the application, inside the OS, and between the hardware and the OS]
IntroVirt structure
[Figure: hardware → host OS → VMM → guest OS → applications; the predicate engine sits in the VMM, takes predicates as input, reads guest state and controls guest execution, and reports intrusions detected]
Challenge #2: Semantic gap
Problem: VMM exposes guest state at the wrong level of abstraction
  – It gives us registers, memory locations, disk blocks, …
  – We want program variables, files, …

uid = getuid();
// forget to check group membership
perform privileged action

Predicate
  – Perform missing authentication, e.g., read /etc/group
Bridging the semantic gap
• How could the programmer write this predicate?
  – Determine memory location where uid is stored; if page not resident, read from disk; read value of uid; traverse guest OS file system structures to see if /etc/group is in the file cache; if so, read it from memory; if not, traverse FS structures to see which disk blocks contain it, then read those blocks from disk; …
  – i.e., emulate guest functionality
• Our solution: call guest code
  – Leverages existing guest code that does what we want
  – Here, we cause the guest itself to read the file and check group membership
Challenge #3: Avoiding perturbations to target state
• Calling guest functions perturbs target
• Solution: use checkpoint and restore
  – Take a checkpoint before changing guest state
  – Restore to checkpoint after predicate execution
• Also protects from (buggy) predicates that modify guest state incorrectly
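The checkpoint-and-restore discipline from this slide, as an added example that is not code from the paper or from IntroVirt. The "guest" below is a struct standing in for guest registers and memory, guest_check_group() stands in for guest code the predicate calls (the way IntroVirt has the guest itself read /etc/group), and it deliberately has side effects. The engine snapshots the guest before the call and restores it afterwards, keeping the predicate's answer while undoing the perturbation; a buggy predicate that clobbers guest memory is run through the same path to show the safety property. All struct fields, register assignments and function names are hypothetical.

```c
/* Added example (not from the paper): checkpoint/restore around a predicate
 * that calls into guest code. Names and layout are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM 64
#define MAX_MEMBERS 4

struct guest {
    uint32_t regs[8];                    /* stand-in for CPU registers */
    uint8_t  mem[GUEST_MEM];             /* stand-in for guest memory */
    uint32_t group_members[MAX_MEMBERS]; /* stand-in for a parsed /etc/group entry */
    uint32_t syscalls_made;              /* how many times guest code ran */
};

/* "Guest code": answers whether uid is in the group, but, like real guest
 * code, also mutates guest state (registers, a counter, a scratch buffer). */
int guest_check_group(struct guest *g, uint32_t uid)
{
    g->syscalls_made++;
    g->regs[0] = uid;                    /* return-value register */
    memset(g->mem, 0xAA, 8);             /* scratch buffer used by the lookup */
    for (int i = 0; i < MAX_MEMBERS; i++)
        if (g->group_members[i] == uid)
            return 1;
    return 0;
}

typedef int (*predicate_fn)(struct guest *g);

/* Predicate for the slide-11 bug (privileged action without a group check):
 * perform the missing check by calling guest code. Fires (returns 1) when the
 * acting uid is NOT a member. Assumes the guest keeps uid in regs[1] here. */
int missing_group_check_predicate(struct guest *g)
{
    uint32_t uid = g->regs[1];
    return !guest_check_group(g, uid);
}

/* A deliberately buggy predicate that corrupts guest state. */
int buggy_predicate(struct guest *g)
{
    memset(g->mem, 0xFF, GUEST_MEM);
    g->regs[7] = 0xDEADBEEF;
    return 1;
}

/* Engine path from slide 13: checkpoint, run the predicate, restore.
 * *perturbed reports whether guest state differs from the checkpoint
 * afterwards; with this discipline it is always 0. */
int run_predicate_checkpointed(struct guest *g, predicate_fn p, int *perturbed)
{
    struct guest checkpoint = *g;        /* checkpoint: full copy of guest state */
    int fired = p(g);                    /* predicate may call guest code and mutate it */
    *g = checkpoint;                     /* restore */
    *perturbed = memcmp(g, &checkpoint, sizeof *g) != 0;
    return fired;
}

/* The same predicate run without a checkpoint, for contrast. */
int run_predicate_unprotected(struct guest *g, predicate_fn p, int *perturbed)
{
    struct guest before = *g;
    int fired = p(g);
    *perturbed = memcmp(g, &before, sizeof *g) != 0;
    return fired;
}

/* Constructed guest state: acting_uid is about to act; only uids 0 and 27 are members. */
struct guest make_sample_guest(uint32_t acting_uid)
{
    struct guest g;
    memset(&g, 0, sizeof g);
    g.regs[1] = acting_uid;
    g.group_members[0] = 0;
    g.group_members[1] = 27;
    return g;
}

int main(void)
{
    int perturbed;
    struct guest g = make_sample_guest(1000);
    int fired = run_predicate_checkpointed(&g, missing_group_check_predicate, &perturbed);
    printf("uid 1000: fired=%d perturbed=%d guest calls left behind=%u\n", fired, perturbed, g.syscalls_made);
    g = make_sample_guest(27);
    fired = run_predicate_checkpointed(&g, missing_group_check_predicate, &perturbed);
    printf("uid 27:   fired=%d perturbed=%d\n", fired, perturbed);
    g = make_sample_guest(1000);
    run_predicate_unprotected(&g, buggy_predicate, &perturbed);
    printf("buggy predicate without checkpoint: perturbed=%d\n", perturbed);
    return 0;
}
```

The struct copy is the whole "checkpoint" here; the real engine has to snapshot guest registers and any memory the called guest code may touch, which is why the slide's 5 ms checkpoint/restore cost on slide 21 is the price of this property.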
Challenge #4: Preemptions between the predicate and the bug

1 if (access(file, W_OK)) {
2     unlink(file);
3 }

• Check in line 1 should be atomic with use in line 2
Predicate: (!access(file, W_OK))
[Animation: relink(file) occurs between the check in line 1 and the use in line 2]
Predicate refresh
• Detect and respond to race
  – “Predicate refresh”
  – Observation: in uniprocessors, a scheduling event must occur before any other process can run
  – Re-execute predicate on scheduling events to detect relevant changes in state
Predicate engine functionality
• Translate symbolic information from guest
  – Parse debugging information
• Allow predicates to control guest execution
  – Breakpoints
• Read guest state
• Call guest functions
  – Manipulate guest stack and registers
• Checkpoint and restore
• Guarantee safety
Predicates for applications
• Need additional support for application predicates
  – Processes are created and destroyed
  – Shared libraries can be mapped in different locations of application address space
  – Memory pages are not always resident
• Use kernel predicates in fork, exec, exit, mmap, try_to_swap_out
Predicate for CAN-2003-0961
Actual patch:
if ((addr + len) > TASK_SIZE || (addr + len) < addr)
    return -EINVAL;

Predicate:
registerBreak("mmap.c:1044:begin", brkEventHandler);

void brkEventHandler() {
    unsigned long addr = readVar("addr");
    unsigned long len = readVar("len");
    if ((addr + len) > TASK_SIZE || (addr + len) < addr) {
        cout << "brk bug triggered" << endl;
    }
}
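The two predicate conditions shown on slides 6 and 18 written out as ordinary C, as an added example (not code from the paper or IntroVirt). It shows the property the slides claim: the predicate is the patch's own condition evaluated at the point where the patch would run, so it fires on any input that triggers the bug and on nothing else. The strcpy predicate is checked against the actual overflow condition (strlen + 1 bytes written) over a set of constructed inputs; the brk predicate is exercised with the wrap-around case the patch guards against. TASK_SIZE is assumed here to be the 3 GB user/kernel split of 32-bit x86 Linux; BUFSIZE and all sample values are constructed.

```c
/* Added example (not from the paper): vulnerability-specific predicates as
 * plain C functions returning 1 when the triggering condition holds.
 * TASK_SIZE is an assumed value; the kernel's constant is platform-specific. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE   16                /* constructed size of the slide-6 fixed buffer */
#define TASK_SIZE 0xC0000000UL      /* assumed: 32-bit x86 user address-space limit */

/* Slide 6: strcpy(buf, str) overflows a BUFSIZE-byte buffer exactly when the
 * string plus its NUL does not fit, i.e. strlen(str) >= BUFSIZE. The check is
 * exploit-generic: the bytes' contents are irrelevant, only their count. */
int strcpy_overflow_predicate(const char *str)
{
    size_t length = strlen(str);
    return length >= BUFSIZE;
}

/* Slide 18 / CAN-2003-0961: the brk() length check from the patch. It rejects a
 * request whose end lies above TASK_SIZE or whose addr + len wraps around. */
int brk_predicate(unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;  /* unsigned wrap-around is well defined in C */
    return end > TASK_SIZE || end < addr;
}

/* Ground truth for the strcpy case: the copy writes strlen + 1 bytes. */
int strcpy_actually_overflows(const char *str)
{
    return strlen(str) + 1 > BUFSIZE;
}

/* Number of inputs (of n) on which the predicate and the ground truth disagree;
 * 0 means no false positives and no false negatives on that input set. */
int count_predicate_mismatches(const char *const *inputs, int n)
{
    int mismatches = 0;
    for (int i = 0; i < n; i++)
        if (strcpy_overflow_predicate(inputs[i]) != strcpy_actually_overflows(inputs[i]))
            mismatches++;
    return mismatches;
}

int main(void)
{
    /* Constructed inputs: well under, just under, exactly at, and over the limit. */
    const char *const samples[] = {
        "",
        "short",
        "123456789012345",    /* 15 chars: fits together with its NUL */
        "1234567890123456",   /* 16 chars: needs 17 bytes, overflows */
        "this string is comfortably longer than the buffer",
    };
    int n = (int)(sizeof samples / sizeof samples[0]);
    for (int i = 0; i < n; i++)
        printf("len=%2zu predicate=%d\n", strlen(samples[i]), strcpy_overflow_predicate(samples[i]));
    printf("mismatches vs ground truth: %d\n", count_predicate_mismatches(samples, n));

    printf("brk(addr=0x%lx, len=0x%lx) -> %d\n", 0x08000000UL, 0x1000UL,
           brk_predicate(0x08000000UL, 0x1000UL));
    printf("brk(addr=0x%lx, len=0x%lx) -> %d\n", TASK_SIZE - 0x1000, 0x2000UL,
           brk_predicate(TASK_SIZE - 0x1000, 0x2000UL));
    printf("brk(addr=0x%lx, len=0x%lx) -> %d\n", ULONG_MAX - 10, 20UL,
           brk_predicate(ULONG_MAX - 10, 20UL));
    return 0;
}
```

In the real system the predicate body runs inside the predicate engine at a breakpoint (the registerBreak/readVar calls above), so the values of addr and len come from guest state rather than from function arguments; the condition itself is the same line as the patch.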
“find” race condition
• Run as root
• Delete all files in /tmp that haven’t been accessed in past 3 days (“old files”)
• Problem: file pointed to by filename may change between time of identification and time of deletion

find /tmp -atime +3 -exec rm -f -- {} \;
  “identify old file”: find /tmp -atime +3
  “delete old file”: -exec rm -f -- {} \;
“find” predicate
find /tmp -atime +3 -exec rm -f -- {} \;
  “identify old file” (find /tmp -atime +3): save inode number of file
  “delete old file” (-exec rm -f -- {} \;):
    1. Get inode # of file
    2. Compare with saved inode #
    3. Enable predicate refresh
Predicate refresh: ensure the inode # of the file stays the same
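The inode-stability check behind the "find" predicate above, and the race window from slide 14 it closes, as an added example that is not code from the paper or IntroVirt. identify_old_file() plays the "identify" step and records the inode number the pathname resolves to; inode_unchanged() is the predicate evaluated at the "delete" step and, under predicate refresh, on every scheduling event in between. The demo builds a temporary directory, optionally makes the pathname refer to a different inode between the two steps (standing in for the race the slide illustrates), and reports whether the predicate noticed. The directory name, file names and helper names are constructed for this example.

```c
/* Added example (not from the paper): the inode check of the "find" predicate
 * run against a real filesystem. Paths and helper names are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for mkdtemp on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Identify old file": remember which inode the pathname currently names. 0 on success. */
int identify_old_file(const char *path, ino_t *saved_ino)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    *saved_ino = st.st_ino;
    return 0;
}

/* The predicate: does the pathname still name the inode recorded at identification?
 * 1 = unchanged (the delete acts on the file that was identified);
 * 0 = the name now points elsewhere or is gone, so the identification is stale. */
int inode_unchanged(const char *path, ino_t saved_ino)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return st.st_ino == saved_ino;
}

static int create_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Walk through identify -> (optional change of the name's target) -> predicate.
 * Returns 1 if the predicate reports a change, 0 if it reports the same inode,
 * -1 if the temporary directory could not be set up. */
int demo_race(int change_target_between_steps)
{
    char dir[] = "/tmp/introvirt_demo_XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], other[256];
    snprintf(victim, sizeof victim, "%s/old.txt", dir);
    snprintf(other, sizeof other, "%s/other.txt", dir);

    int result = -1;
    ino_t saved = 0;
    if (create_file(victim) == 0 && create_file(other) == 0 &&
        identify_old_file(victim, &saved) == 0) {
        if (change_target_between_steps) {
            /* Between "identify" and "delete" the directory entry old.txt is
             * replaced, so the same pathname now resolves to another inode. */
            rename(other, victim);
        }
        result = inode_unchanged(victim, saved) ? 0 : 1;
    }

    /* Clean up the scratch directory. */
    unlink(victim);
    unlink(other);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("no change between steps:   predicate reports change = %d\n", demo_race(0));
    printf("target changed in between: predicate reports change = %d\n", demo_race(1));
    return 0;
}
```

On a uniprocessor the engine only needs to re-run inode_unchanged() at scheduling events (predicate refresh), because nothing else can alter the directory entry without a context switch occurring first; the demo collapses that to a single check at the delete step.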
Experience
• Wrote predicates for 20 real vulnerabilities (Linux kernel, bind, emacs, gv, imapd, OpenSSL, php, smbd, squid, wu-ftpd, xpdf)
  – Easy to write once vulnerability is understood
  – Length and complexity comparable to patch
  – Most are simple, e.g., just read a few variables
• Overhead for most predicates is less than 10%
  – Many predicates are on infrequently executed code paths
  – Frequently executed predicates are simple and fast
  – Checkpoint/restore adds 5 ms
Usage
• Vendors distribute predicates along with patches
• Users can install and run in past and present
• For past attacks
  – Alert user; take corrective measures
• For present attacks, lots of possibilities
  – Alert, kill process, halt machine, drop offending connection, imitate patch, install patch, …
  – For anything other than “alert”, you must trust the predicate
Limitations and future work
• Predicates change timing
• Software breakpoints
• Current implementation only works on native code
• Only works for uniprocessors
  – ReVirt
  – Predicate refresh
• Predicates must be written by hand
Related work
• VM introspection [Rosenblum97]
• VM introspection for intrusion detection [Garfinkel03]
• Shield [Wang04]
• Vigilante [Costa05]
Conclusions
• Vulnerability-specific predicates detect triggering of software vulnerabilities
• IntroVirt predicate engine
  – Simple to write general-purpose predicates
  – No perturbations in state
• Alert users about past attacks
• Detect and respond to attacks in the present