MIT-6-determina-vps.ppt

  • Published analyst reports are consistent: more vulnerabilities, and attack motives changing from fame to fortune. The Symantec Internet Security Threat Report marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud.
  • Another specific instance. This illustrates even more clearly that relying on patching to secure systems is a losing battle, because in this case no patch was available until 30 days after the exploits were first released. There are lots of ways to get hurt, costing millions of dollars while waiting for a patch and for the patch to be deployed. Recent example: the critical IE vulnerability in late March. Determina issued a stand-alone fix for download, for free, to highlight our capabilities. VPS was the only solution that protected the IE vulnerability. VPS customers were protected without taking any additional actions. No other solution did this! Over 90% of security exploits are carried out through vulnerabilities for which there are known patches (Gartner).
  • What is the basis of the threat? Vulnerabilities are the root cause: in the OS, server apps, and desktop apps. Look at the stats and share these with your customers. How do we protect vulnerabilities against these attacks and exploits?
  • Table legend. Days Until Mass Exploit: "---" means no mass exploit. 0-Day?: "---" means MS announced the vulnerability with the patch. Some examples of recent vulnerabilities illustrate the protections provided by MF and LS, as well as the threat and window of attack without the protection.
  • What is a customer looking for in a Host IPS/endpoint security solution? Stress here that it “just works.” Many solutions out there don’t live up to their claims or simply don’t work properly (crashes, conflicts, etc.). Stress here that while Determina is a young company, VPS is based on mature, proven technology going back over 8 years in development.
  • 3:16 Ask problems with False positives
  • 3:23 Ask Should we give up? Ask about Crypto fool-proof?

    1. 1. Determina’s Vulnerability Protection Suite Saman Amarasinghe CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL
    2. 2. Corporate Overview
        • Founded Early 2003
            • Core technology developed at MIT over 8 years
            • Venture backed
            • Headquarters in Redwood City, CA
            • CTO & founding engineering team from MIT
    3. 3. Overview
        • Corporate Overview
        • Vulnerability Protection Suite
        • Managed Program Execution Engine
        • Memory Firewall
        • LiveShield
        • Evaluation Criteria
        • Research Plan
    5. 5. Market Trends
        • Attacks and vulnerabilities still increasing
            • Security incidents have nearly doubled each year (CERT)
            • Endpoint security often last line of security to be addressed.
        • SYMC Threat Report
            • Trend towards directed attacks
            • Threat landscape dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks
            • Current threats increasingly motivated by profit
        • Increasing vulnerabilities, more directed attacks
    6. 6. Recent Example: WMF Vulnerability
        • Timeline
            • Day 0: December 1: Vulnerability Discovered [1] and Exploit Code Being Sold for $4000 Shortly Afterward
            • Day 14: December 14: Sites first post WMF Exploits
            • Day 27: December 27: Initial Disclosure of Vulnerability
            • Day 28: December 28: MS Announces Awareness… No Patch for Issue
            • Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29
            • Day 31: December 31: Instant messaging, Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov
            • Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site
            • Day 35: January 5th: Microsoft Releases Patch
        • Vulnerable w/no Official Patch: 35 Days
        • Average exploit window: 25 days* before patches deployed
        • Total exploit window for average organization: 60 days
        • Determina 0-day protection active before vulnerability is known
        • Diagram labels: Zero-days; NO Patch Available; Vulnerability Made Public; Patch issued by MS; Patch fully deployed
        • * Wipro, Ltd 2005, “The Total Cost of Security Patch Management”
        • [1] Computerworld.com, “Russian hackers sold WMF exploit, analyst says”
    7. 7. Vulnerability Protection Suite
        • What is VPS
            • Enterprise Host IPS security solution for Fortune 1000
            • Patented Technology
            • “Vulnerability Protection” focus vs. Attack focus
            • Stops both known and unknown (zero-day) attacks
            • A zero complexity / zero maintenance solution
                • No attack signatures / no post attack cleanup
                • No policies to maintain
                • No behavior to model
                • No false positives
        • Application Communities
            • The core components of VPS (DynamoRIO, Memory Firewall and LiveShield) are core building blocks
    8. 8. Vulnerability Protection Suite
        • What is VPS
            • Enterprise Host IPS security solution for Fortune 1000
            • Stops both known and unknown (zero-day) attacks
            • A zero complexity / zero maintenance solution
                • No attack signatures / no post attack cleanup
                • No policies to maintain
                • No behavior to model
                • No false positives
        • Diagram labels: Managed Program Execution Engine; Memory Firewall; LiveShield
    9. 9. Software Vulnerabilities: The “Root Cause” of Attacks
        • 4,000 new software vulnerabilities are discovered each year (Symantec)
        • 422 new vulnerabilities in Q2 ‘05, a 20% increase YoY (SANS)
        • Microsoft issued 53 security bulletins in 2005. (Microsoft)
        • Directed attackers (hackers) are increasingly targeting enterprise information for profit
            • $30M Total losses in 2005 due to theft of proprietary data - a 270% increase YoY. (CSI/FBI)
        • Mass worm attacks have caused billions in damage
            • Zero-Day costs - SQL Slammer costs $950M to $1.2 billion in first five days alone (Cnet)
        • 100% of Microsoft critical vulnerabilities are memory-related
    10. 10. Zero-Day Endpoint Protection Without Tuning or Maintenance
        • Memory Firewall protects without updates
        • LiveShield shields released within days of vulnerability, without waiting for patches, exploit behavior or attack signatures

        0-Day Vulnerability | Date | 0-Day? (days before patch) | Days Until Mass Exploit | Protection marks (Memory Firewall / LiveShield columns)
        Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF) | 27-Dec-2005 | Y (9 days) | 0 | ✓
        IE HTTPS Proxy Basic Authentication Information Leak | 13-Dec-2005 | -- | -- | ✓
        Remote Code Execution Vulnerability in MS IE | 21-Nov-2005 | Y (23 days) | 8 | ✓
        Memory Allocation Denial of Service via RPC | 16-Nov-2005 | Y (no patch) | -- | ✓
        Windows Metafile Vulnerability | 08-Nov-2005 | -- | -- | ✓ ✓
        COM Object Instantiation Memory Corruption Vulnerability | 13-Dec-2005 | -- | -- | ✓

    11. 11. VPS Advantages
        • Ensure non-stop availability
            • Must be able to deploy and maintain without disrupting business operations
        • Accessibility
            • Must be easy, simple to manage
        • Guarantee reliability for critical servers and applications
            • “It just works!”
        • Scalability
            • Be able to support thousands of machines
        • Flexibility
            • Integration with a variety of management solutions through support of standard protocols
    13. 13. Managed Program Execution Engine Derek Bruening
    15. 15. Attack Lifecycle
        • Enter
            • Monitoring is simple
                • Port monitoring or system call monitoring
            • Don’t know good guy from bad guy
                • only known criminals can be identified
            • Even known bad guys are hard to detect
                • encrypted channels
        • Compromise
            • Monitoring can be done
                • System call monitoring
            • Hard to distinguish between actions of a normal program vs. a compromised program
                • Leads to false positives
        • Hijack
            • “Catch in the act of criminal behavior”
            • All programs follow strict conventions
                • ABI (Application Binary Interface)
                • The Calling Convention
            • Currently no enforcement
            • All attacks violate some of these conventions
        • Diagram labels: NETWORK; KERNEL; APPLICATIONS; ENTER; COMPROMISE; HIJACK; Make payment; Change prefs; Read statement; Write Record; Update Registry; Open port
    16. 16. Stop before Hijack
        • Enforcing conventions
            • Systematically catch an entire class of attacks
            • No false positives
            • Catch them before they do ANY bad activity → no attack code is ever run
        • Conventional Wisdom: Impossible to do without a large performance penalty
            • Need to be inside the application
            • Need to monitor activity at a very fine grain, one instruction at a time
            • Overhead will be overwhelming
        • The Memory Firewall lets you do just that!
            • Able to amortize the cost of enforcement, eliminating the overhead
        • Hijack
            • “Catch in the act of criminal behavior”
            • All programs follow strict conventions
                • ABI (Application Binary Interface)
                • The Calling Convention
            • Currently no enforcement
            • All attacks violate some of these conventions
        • Diagram labels: Processor Execution Environment; ABI; Restricted Execution Environment
    17. 17. How Does Program Shepherding Work?
        • Restricted Code Origins: Did this code come from a code page?
        • Restricted Control Transfer: Is it legal to go from here to there?
        • Program Counter: executes the program instruction by instruction
        • Never let go of the Program Counter
        • Diagram labels: Program; Run-time System; Code Cache; jmp; call; br; ret
    18. 18. Technique 1: Restricted Code Origins
        • As code is copied to the code cache, check where it’s coming from
        • Check the security policy only once
        • Diagram labels: A; B; D; E; Code Cache; Unmodified code pages; Modified pages
    19. 19. Technique 1: Restricted Code Origins
        • Catches all the injected code attacks
            • Most of the popular attacks are of this type
        • What is left?
        • Malicious reuse of existing code
            • Change addresses used by return and indirect jump and indirect branch instructions
            • Much more difficult
    20. 20. An Example: Chained Call Attack
        • Stack (diagram labels): Local Variables: URL; Local Variables: tmp; Return Address; Argument: h; Local Variables: …; Return Address; Arguments: …
        • Input: http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101...
        • Overwritten stack (diagram labels): URL; 0x7F8B0; Fake arguments; 0x8A234; Fake arguments
        • Libraries (diagram labels): setuid() …; unlink() …; 0x7F8B0; 0x8A234
        • Code:

            handle_URL(handle * h) {
                char url[64];
                …
                char * tmp = geturl(h);
                strcpy(url, tmp);    /* unchecked copy into the 64-byte buffer */
                …
            }

    21. 21. Technique 2: Restricted Control Transfers
        • Restrict based on source address, destination address, and/or transfer type
        • Diagram labels: BASIC BLOCK CACHE; TRACE CACHE; context switch; indirect branch lookup; trace branch taken?; non-control-flow instructions
    22. 22. Technique 2: Restricted Control Transfers
        • Inter-Segment Indirect Calls and Jumps
            • Only to known function entry points
            • Only if the function is exported by the destination segment
            • Only if the function is imported by the source segment
        • Intra-Segment Jumps
            • Only within a known function or to a known function entry point
        • Intra-Segment Indirect Calls
            • Only to known function entry points
    23. 23. Technique 2: Restricted Control Transfers
        • Returns
            • Only to after a call instruction
            • If a direct call, called function should be the same as the function returning from
    24. 24. Technique 3: Un-circumventable Sandboxing
        • Typical problem with sandboxing:
            • If attacker gains control, can bypass checks
        • MPEE-inserted sandboxing is un-circumventable
            • MPEE enforces unique entry points
    25. 25. Protecting MPEE Itself
        • MPEE runs in the application’s address space
        • Must not allow application to manipulate MPEE data or code cache
        • How?
            • Protect MPEE data structures and the code cache
            • Sandbox system calls that can change protection and thread behavior
    26. 26. Memory protection

        Page type        | Application Privileges | MPEE Privileges
        Application code | R                      | R
        Application data | RW                     | RW
        Code cache       | R                      | RW
        MPEE data        | R                      | RW
        MPEE code        | R                      | R

    27. 27. Memory protection

        Page type        | Application Privileges | MPEE Privileges
        Application code | R                      | R
        Application data | RW                     | RW
        Code cache       | RE                     | RW
        MPEE data        | R                      | RW
        MPEE code        | R                      | RE

    29. 29. What is a Vulnerability?
        • Anatomy of a Vulnerability
            • A corner case that should never happen in normal operations
            • The programmer forgot to check for that corner case
            • Vulnerability is the ability to invoke that corner case by an exploit to do something that is not allowed in normal operation.
        • In most vulnerabilities:
            • A simple check (a few assembly instructions) identifies the corner case
                • Check if value is out of range
                • Check a string for certain patterns
            • The check never passes in normal operations
            • When an exploit is caught by the check, simple remediation exists
                • Return an error code from the function
                • Put the value within range
                • Truncate the string
    30. 30. LiveShield
        • Reactive elimination of vulnerabilities
        • Triggered by:
            • the availability of a proof-of-concept exploit against a vulnerability
            • the availability of a patch release fixing a vulnerability
            • the availability of an attack taking advantage of a vulnerability
            • when the remediation for a memory-based vulnerability (or attack) destabilizes the system
    31. 31. LiveShield
        • Inject two very small pieces of code into a running program
            • Detector
                • Check when the corner case is invoked
                • Guaranteed no impact on the program (cannot change program state or crash the program)
            • Remediator
                • Take remediation action once an exploit is detected
                • Will minimally change the program behavior, but it is to stop an attack.
    32. 32. LiveShield
        • LiveShield improves the availability of systems
            • Minimizes the disruption of a working system
            • Faster deployment cycle than a typical patch
            • Surgical fix for the root cause of the problem
            • In conjunction with the Memory Firewall, eliminates most vulnerabilities
            • Reduces the patch frequency and need for emergency patching
    33. 33. Different Levels of Updates
        • Power of a Patch, Operates like a DAT
        • Update types compared (table rows): Major upgrade; Dot upgrade; Patch update; DAT file update; LiveShield (Detect, Protect)
        • Criteria (table columns): No need to upgrade hardware or other programs; No need to reboot or restart app; Will not change current behavior; Manageable at a fine granularity; Easy to undo; Administration can be fully automated; Typical time from release to deployment
        • Typical times listed: Minutes; Within a day; Hours; Weeks to Months; Months; Months to never
    34. 34. Using MPEE infrastructure as the LiveShield Framework
        • Invisible injection
            • Don’t need to put trampolines in the visible address space
                • Issues with atomicity, instruction alignment etc.
            • Basic Block/Trace building naturally leads to a direct implementation
        • Fully isolated execution especially for the detect mode
            • MPEE provides an environment isolated from the application
            • Detect mode can give strong promises on not impacting the normal program behavior
        • Existing central management framework
            • Easy to manage dynamic updates and changes of status
            • Can store the shields without impacting application
            • Can do I/O without impacting the application
    35. 35. LiveShield Properties
        • Dynamic
        • Customer Visible
        • Individually Manageable/Undoable
        • Live Testing Capable
        • Targeted
        • Micro-Sized
        • Control-flow Triggered Execution
    36. 36. Detector Requirements
        • Checks if the corner case gets invoked
            • If so, indicates that to the LiveShield runtime system
                • In the detect mode: will report that fact
                • In the protect mode: call the remediator
        • Guarantee that the detector will not impact the program
            • Cannot change normal program state
                • Cannot modify any program visible memory or program registers
                • Cannot acquire program visible resources
                • Cannot modify the control-flow of the program
                • Cannot crash or hang the program
                    • Need to catch any exception condition
                    • Need to check for infinite loops
            • If a problem is encountered, exit the Shield
            • If the problem is recurring, disable the Shield
        • Implementation
            • Restricted ISA that can be validated and sandboxed at load time
    37. 37. Remediator Requirements
        • Ability to change the application to fix a vulnerability
            • Change any application visible memory location
            • Change control-flow of the program
                • Return from the current application function
                • Jump over a few application instructions after the trampoline
            • Take allowed program-level remediation action
                • Kill thread and throw exception
        • More expressiveness than the detector
            • Still will need some limitations…
    38. 38. LiveShield Development Operations Flow
        • Triggers (flow-chart boxes): POC Exploit Released; Patch Released; Attack Released
        • Analysis steps: Acquire the exploit; Trace the exploit activity; Diff the patched version against previous version; Acquire the attack; Trace the attack’s activity; Identify vulnerability
        • Shield development: Develop a Shield; Port it to multiple versions; Test the Shield; Release to customers
            • Best case is 24 hours, cannot take more than 7 days
        • Customer side: Receive LiveShield; Push the Shield in detect mode; No triggering in 24 hours (Y/N); Put into protect mode; Put in a full QA System in protect mode; No problems in 24 hours (Y/N); Report the problems to Determina
            • Minimal QA à la DAT update
    39. 39. LiveShield Flow
        • Determina Web site (via Internet)
            • Files available: MP-v3-011604.xml; const-v3base.dll; const-v3a.dll; const-v3b.dll; …; const-v3u.dll; const-v3v.dll
        • Controller @ Customer Site
            • xml file per host; Up-to-date dll cache; Mode information; Status information; Events
        • Controller - Node Manager Communication Interface
        • Node Manager
            • Per processor policy data structure with mode info; dll cache; Stats; Events
        • Core
            • Policy data structure with mode info; Loaded dll’s; Read-only memory; DLL load; eventlog
    41. 41. Evaluation Criteria
        • Accuracy
        • Maintainability
        • Scalability
        • Coverage
        • Proactivity
        • Uncircumventability
        • Containment
    42. 42. 1. Accuracy: The cure cannot be deadlier than the illness!
        • False Positives
            • More common than the attacks
            • In an IDS → a nuisance
            • In an IPS → Can destabilize the system
                • Applications aren’t resilient to squashing random system calls
    43. 43. 2. Maintainability: The cost of the solution should be less than the attack cleanup cost
        • What is a typical enterprise like?
            • How many machines, how many IT people?
            • Cost of operations…
        • How do you manage a large enterprise?
        • What impacts maintainability?
        • Shelfware vs. deployed software
    44. 44. 3. Scalability: Worms are equal opportunity attackers. Need to protect every box
        • Requirements to run enterprise-wide…
        • Critical bottlenecks
            • Deployment / maintenance
            • Performance
    45. 45. 4. Coverage: No partial band-aid solutions please!
        • Chart: % of vulnerabilities. Source: CVE, Microsoft Security Bulletins, 2003-2004
    46. 46. 5. Proactivity: Should be ready to protect when attacked!
        • Lifecycle (diagram labels): Application Released With a bug; Vulnerability announced; Patch released; Good guys Patch like crazy; Bad guys analyze patch & create attack; Attack Released
        • Chart: # of days from the Publication of the Vulnerability (availability of a patch) to Attack
            • Date labels: 06/01; 03/02; 04/02; 07/02; 07/02; 03/03; 07/03; 03/04; 04/04; 11/04
            • Attacks shown: Code Red; Digispid; Spida; Slammer; Slapper; WebDAV; Blaster; Witty; Sasser; Mydoom.ag
            • Values shown: 17; 2; 26; 46; 31; 185; 77; 34; two entries labelled “Previously Unknown Vulnerability”
    47. 47. Speed of Propagation The Witty Worm
    48. 48. 6. Uncircumventability: Don’t be an emperor with no clothes!
        • Phrack Article – “Smashing Stack for Fun and Profit”
        • Any fool-proof systems?
            • Complex systems are never fool-proof
            • Should we just give up?
        • Compare system security with crypto
            • Is crypto fool-proof?
            • How do you evaluate crypto?
        • Evaluating system security
            • 10/90 rule of thumb
            • Nothing is perfect, make it hard...
    49. 49. 7. Containment: What good is stopping an attack after it happens?
        • Where was the attack stopped?
            • At the gates vs. inner chamber
        • How far did the attack propagate?
            • Did malicious code get executed?
            • Did any machine get infected?
            • Did other machines get compromised?
    51. 51. VPS impact on the Project
        • Diagram labels: Managed Program Execution Engine; Memory Firewall; LiveShield; Client Interface; Injected code detection; Patch Generation and Deployment; Constraint Learning and Monitoring; Data Structure Consistency Checking; Application State Probing; Repair Generation, Evaluation and Filtering
    52. 52. Determina Stmt of Work
        • Client Interface for MPEE
        • Application State Probing
        • LiveShield Constraint Creation Framework
        • LiveShield Coordination Center
        • Hybrid System for Binary Analysis
        • Proactive Situational Awareness
        • Vulnerability Analysis
        • Integration, Testing and Deployment
    53. 53. Client Interface for MPEE
        • The basic framework to build the tools
            • Support the necessary APIs
            • Support on Windows services and server applications
        • Status
            • Was an active research topic at MIT
            • Currently dormant
            • Will bring it back to life, improve and extend for this project
        • Diagram labels: Managed Program Execution Engine; Memory Firewall; LiveShield; Client Interface
    54. 54. Application State Probing
        • Build probes to check internal state of the application
            • Probes can be client programs
            • Simpler probes can even be LiveShields
        • Framework to collect the probe information to the central mgmt console
        • Diagram labels: Managed Program Execution Engine; Memory Firewall; LiveShield; Client Interface; Application State Probing
    55. 55. LiveShield Constraint Creation Framework
        • Triggers (flow-chart boxes): POC Exploit Released; Patch Released; Attack Released
        • Analysis steps: Acquire the exploit; Trace the exploit activity; Diff the patched version against previous version; Acquire the attack; Trace the attack’s activity; Identify vulnerability
        • Shield development: Develop a Shield; Port it to multiple versions; Test the Shield; Release to customers
            • Best case is 24 hours, cannot take more than 7 days
        • Customer side: Receive LiveShield; Push the Shield in detect mode; No triggering in 24 hours (Y/N); Put into protect mode; Put in a full QA System in protect mode; No problems in 24 hours (Y/N); Report the problems to Determina
            • Minimal QA à la DAT update
    56. 56. LiveShield Constraint Creation Framework
        • Interface for
            • Creating constraints
            • Deploying them through the central management console
            • Gathering feedback and managing the deployment
        • Used for deploying automatically generated patches
        • Flow-chart boxes: Framework for Constraint Creation; Release to customers; Receive LiveShield; Push the Shield in detect mode; No triggering in 24 hours (Y/N); Put into protect mode; Put in a full QA System in protect mode; No problems in 24 hours (Y/N); Report the problems to Determina
            • Minimal QA à la DAT update
    57. 57. LiveShield Coordination Center
        • LiveShields can have problems
            • Minimal dev and QA (or no QA for auto developed)
            • Can adversely impact the application
        • Mitigate the risk by using the application community
            • Gradual deployment while monitoring
            • Find anomalies that are correlated with deployment
        • Flow-chart boxes: Receive LiveShield; Push the Shield in detect mode; No triggering in 24 hours (Y/N); Put into protect mode; Put in a full QA System in protect mode; No problems in 24 hours (Y/N); Report the problems to Determina
            • Minimal QA à la DAT update
    58. 58. Hybrid System for Binary Analysis
        • Managed Program Execution Engine – all analysis at runtime
            • Pros: Full visibility and simple workflow
            • Cons: Expensive analysis affects the performance
        • Hybrid system
            • Do some analysis at installation or first invocation
            • Pre-compute and memoize information when available
            • Reduce the runtime overhead
    59. 59. Proactive Situational Awareness
        • Attacks are mostly on known vulnerabilities
            • No prior knowledge on day-zero attacks
            • But… vulnerabilities are known
        • “Are your applications open to known vulnerabilities?”
        • Proactive Situational Awareness will
            • Gather info on known vulnerabilities and attacks
            • Gather current status of the applications
            • Identify what vulnerabilities are unprotected
            • Identify when an application deviates from the community
    60. 60. Vulnerability Analysis
        • Determina’s LiveShield Operations team
            • Troll for new vulnerabilities and attacks in the wild
            • Analyze any new vulnerabilities and attacks
            • Analyze Microsoft security updates
            • Pinpoint the exact vulnerability
            • Develop LiveShields to stop them
        • We have a large knowledge base
        • Develop scenarios using the state-of-the-black-art
    61. 61. Integrate, Testing, Deployment
        • Build a prototype version of the product that integrates successful AC components
            • Identify commercially-viable and ready components
            • Prototype product development
            • Integration
            • QA and test
        • Deployment
            • Interact with the Red Team
            • Get feedback
            • Iterate
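
The control-transfer rules on slides 22 and 23, applied to the overwritten return address from slide 20, can be modelled as a small policy check. This is an added example, not code from the deck or from Determina. The segment layout and all names are constructed; 0x7F8B0 and 0x8A234 are the two addresses in the slide-20 figure, and treating them as the entry points of setuid() and unlink() is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { XFER_INDIRECT_CALL, XFER_INDIRECT_JUMP, XFER_RETURN } xfer_t;
typedef struct { uintptr_t entry, end; bool exported; } func_t;   /* [entry, end) */
typedef struct { uintptr_t addr, direct_callee; } call_site_t;    /* callee 0 = indirect call */
typedef struct {
    uintptr_t base, limit;                       /* code segment [base, limit) */
    const func_t *funcs;      size_t nfuncs;     /* known functions */
    const uintptr_t *imports; size_t nimports;   /* entry points imported from other segments */
    const call_site_t *sites; size_t nsites;     /* addresses that directly follow a call */
} segment_t;

static const segment_t *seg_of(const segment_t *s, size_t n, uintptr_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= s[i].base && a < s[i].limit) return &s[i];
    return NULL;
}
static const func_t *func_at(const segment_t *s, uintptr_t a, bool entry_only) {
    for (size_t i = 0; i < s->nfuncs; i++) {
        const func_t *f = &s->funcs[i];
        if (entry_only ? a == f->entry : (a >= f->entry && a < f->end)) return f;
    }
    return NULL;
}
static bool imports(const segment_t *s, uintptr_t a) {
    for (size_t i = 0; i < s->nimports; i++)
        if (s->imports[i] == a) return true;
    return false;
}
static const call_site_t *site_at(const segment_t *s, uintptr_t a) {
    for (size_t i = 0; i < s->nsites; i++)
        if (s->sites[i].addr == a) return &s->sites[i];
    return NULL;
}

/* Decide one transfer from its source address, destination address and type. */
bool transfer_allowed(const segment_t *segs, size_t n, xfer_t type,
                      uintptr_t src, uintptr_t dst) {
    const segment_t *from = seg_of(segs, n, src), *to = seg_of(segs, n, dst);
    if (!from || !to) return false;              /* outside every known code segment */
    if (type == XFER_RETURN) {
        const call_site_t *cs = site_at(to, dst);
        if (!cs) return false;                   /* returns go only to after a call */
        if (cs->direct_callee == 0) return true; /* indirect call: callee not pinned */
        const func_t *f = func_at(from, src, false);
        return f && f->entry == cs->direct_callee;  /* direct call: same function returns */
    }
    const func_t *entry = func_at(to, dst, true);
    if (from != to)                              /* inter-segment call or jump */
        return entry && entry->exported && imports(from, dst);
    if (type == XFER_INDIRECT_CALL) return entry != NULL;
    if (entry) return true;                      /* intra-segment jump to an entry point */
    const func_t *sf = func_at(from, src, false), *df = func_at(to, dst, false);
    return sf && sf == df;                       /* or within one known function */
}

/* Constructed layout: an application segment and a library segment. */
static const func_t APP_FUNCS[] = {
    { 0x10000, 0x10100, false },                 /* main */
    { 0x10100, 0x10200, false },                 /* handle_URL */
};
static const uintptr_t APP_IMPORTS[] = { 0x8A234 };  /* the app imports unlink() only */
static const call_site_t APP_SITES[] = {
    { 0x10050, 0x10100 },                        /* in main, after a direct call to handle_URL */
    { 0x10150, 0 },                              /* in handle_URL, after an indirect call */
};
static const func_t LIB_FUNCS[] = {
    { 0x7F8B0, 0x7F900, true },                  /* setuid (assumed), exported */
    { 0x80000, 0x80040, false },                 /* internal helper, not exported */
    { 0x8A234, 0x8A280, true },                  /* unlink (assumed), exported */
};
static const segment_t SEGS[] = {
    { 0x10000, 0x20000, APP_FUNCS, 2, APP_IMPORTS, 1, APP_SITES, 2 },
    { 0x70000, 0x90000, LIB_FUNCS, 3, NULL, 0, NULL, 0 },
};
enum { NSEGS = 2 };

int main(void) {
    static const struct { const char *what; xfer_t t; uintptr_t src, dst; } cases[] = {
        { "return to call site in main",        XFER_RETURN,        0x101F0, 0x10050 },
        { "return into library entry",          XFER_RETURN,        0x101F0, 0x7F8B0 },
        { "indirect call to imported export",   XFER_INDIRECT_CALL, 0x10120, 0x8A234 },
        { "indirect call to unimported export", XFER_INDIRECT_CALL, 0x10120, 0x7F8B0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s %s\n", cases[i].what, transfer_allowed(SEGS, NSEGS,
               cases[i].t, cases[i].src, cases[i].dst) ? "allow" : "deny");
    return 0;
}
```

The return from handle_URL into a library entry point is denied because a function entry is not an address that follows a call, which is the first step of the chained call on slide 20.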
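
The detector and remediator split from slides 29, 31, 36 and 37 can be shown on the handle_URL copy from slide 20: a read-only, bounded check for the corner case, and a separate remediation step that runs only in protect mode. This is an added example, not Determina's implementation. The hook is an ordinary function call here rather than injected code, and every name other than handle_URL and its 64-byte url buffer is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF 64   /* size of url[] in the slide-20 handle_URL */

typedef enum { MODE_DETECT, MODE_PROTECT } shield_mode_t;
typedef enum { REMEDY_RETURN_ERROR, REMEDY_TRUNCATE } remedy_t;
typedef enum { ACT_CONTINUE, ACT_RETURN_ERROR } action_t;
typedef struct { shield_mode_t mode; remedy_t remedy; } shield_t;

static unsigned shield_hits;   /* what the detector reports to the shield runtime */
static size_t last_len;        /* length of the URL stored by the last run_case() */

/* Detector: read-only and bounded, so it cannot change state or loop forever.
 * True when no NUL appears in the first cap bytes (the string will not fit). */
static bool detect_overlong(const char *s, size_t cap) {
    for (size_t i = 0; i < cap; i++)
        if (s[i] == '\0') return false;
    return true;
}

/* Remediator: the only part allowed to change program state or control flow. */
static action_t remediate(remedy_t r, char *s, size_t cap) {
    if (r == REMEDY_RETURN_ERROR) return ACT_RETURN_ERROR;
    s[cap - 1] = '\0';         /* truncate the string so the copy fits */
    return ACT_CONTINUE;
}

/* Shield runtime at the hook: detect mode only reports, protect mode remediates. */
action_t shield_run(const shield_t *sh, char *s) {
    if (!sh || !detect_overlong(s, URL_BUF)) return ACT_CONTINUE;
    shield_hits++;
    return sh->mode == MODE_PROTECT ? remediate(sh->remedy, s, URL_BUF) : ACT_CONTINUE;
}

/* handle_URL with the hook placed before its unchecked copy; sh == NULL means
 * no shield is loaded. The copy itself is left exactly as the program had it. */
int handle_url(char *tmp, char out[URL_BUF], const shield_t *sh) {
    char url[URL_BUF];
    if (shield_run(sh, tmp) == ACT_RETURN_ERROR) return -1;
    strcpy(url, tmp);
    strcpy(out, url);
    return 0;
}

static const shield_t DETECT_ONLY = { MODE_DETECT,  REMEDY_TRUNCATE };
static const shield_t PROTECT_ERR = { MODE_PROTECT, REMEDY_RETURN_ERROR };
static const shield_t PROTECT_CUT = { MODE_PROTECT, REMEDY_TRUNCATE };

/* Constructed driver: passes a URL of n 'A' bytes through handle_url. */
int run_case(const shield_t *sh, size_t n) {
    char tmp[256], out[URL_BUF] = "";
    if (n >= sizeof tmp) return -2;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    shield_hits = 0;
    int rc = handle_url(tmp, out, sh);
    last_len = strlen(out);
    return rc;
}

/* Detect mode on an overlong input: one hit reported, input untouched, program
 * told to continue. The copy is not run here, because detect mode leaves the
 * original behaviour (including the overflow) in place. */
bool detect_mode_is_passive(size_t n) {
    char tmp[256], before[256];
    if (n >= sizeof tmp) return false;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    memcpy(before, tmp, n + 1);
    shield_hits = 0;
    action_t a = shield_run(&DETECT_ONLY, tmp);
    return a == ACT_CONTINUE && shield_hits == 1 && memcmp(before, tmp, n + 1) == 0;
}

int main(void) {
    printf("protect/error,    200 bytes: rc=%d\n", run_case(&PROTECT_ERR, 200));
    printf("protect/truncate, 200 bytes: rc=%d stored=%zu\n",
           run_case(&PROTECT_CUT, 200), last_len);
    printf("detect mode passive on 200 bytes: %d\n", detect_mode_is_passive(200));
    return 0;
}
```

Running a shield in detect mode first and switching to protect mode only after it has stayed quiet matches the customer-side rollout on slide 38.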