Determina’s Vulnerability Protection Suite Saman Amarasinghe CTO, Determina Inc.  Associate Professor, MIT EECS/CSAIL
Corporate Overview Founded Early 2003 Core technology developed at MIT over 8 years  Venture backed Headquarters in Redwood City, CA CTO & founding engineering team from MIT
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
Market Trends Attacks and vulnerabilities still increasing Security incidents have nearly  doubled each year (CERT) Endpoint security often last line of security to be addressed. SYMC Threat Report Trend towards directed attacks Threat landscape dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks Current threats increasingly motivated by profit Increasing vulnerabilities, more directed attacks
Recent Example: WMF Vulnerability NO Patch Available Patch fully deployed *Wipro, Ltd 2005, “The Total Cost of Security Patch Management” Day 14 : December 14:  Sites first post WMF Exploits Day 35 : January 5 th :   Microsoft Releases Patch Average exploit window: 25 days* before patches deployed Vulnerable w/no  Official Patch 35 Days Vulnerability Made Public Total exploit window for average organization: 60 days   Day 27: December 27:  Initial Disclosure of Vulnerability Day 28 : December 28:  MS Announces Awareness…No Patch for Issue Day 29: December 29:   50+ variants, 1000+ sites reported: Thursday 12/29  Day 31: December 31:   Instant messaging,Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov Day 33: January 3rd:   1,000,000+ WMF exploited downloads reported from just 1 site Day 0 : December 1:  Vulnerability Discovered 1  and Exploit Code Being Sold for $4000 Shortly Afterward 1 Computerworld.com, “Russian hackers sold WMF exploit, analyst says”  Patch issued  by MS Determina 0-day protection active before vulnerability is known Zero-days
Vulnerability Protection Suite What is VPS   Enterprise Host IPS security solution for Fortune 1000  Patented Technology  “ Vulnerability Protection” focus vs. Attack focus Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Application Communities The core of VPS (DyanmoRIO, Memory Firewall and LiveShield) are core building blocks
Vulnerability Protection Suite What is VPS   Enterprise Host IPS security solution for Fortune 1000  Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Managed Program  Execution Engine Memory Firewall LiveShield
Software Vulnerabilities:  The “Root Cause” of Attacks 4,000  new software vulnerabilities are discovered each year  (Symantec) 422  new vulnerabilities in Q2 ‘05, a 20% increase YoY  (SANS) Microsoft issued  53  security bulletins in 2005.  (Microsoft)   Directed attackers (hackers) are increasingly targeting enterprise information for profit $30M  Total losses in 2005 due to theft of proprietary data - a  270%  increase YoY.  (CSI/FBI) Mass worm attacks have caused billions in damage Zero-Day costs - SQL Slammer costs $950M to $1.2 billion in first five days alone  (Cnet) 100% of Microsoft critical vulnerabilities are memory-related
Zero-Day Endpoint Protection  Without Tuning or Maintenance Memory Firewall protects without updates LiveShield shields released within days of vulnerability, without waiting for patches, exploit behavior or attack signatures  0 Y (9 days) Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF) 27-Dec-2005  -- -- IE HTTPS Proxy Basic Authentication Information Leak 13-Dec-2005  8 Y (23 days) Remote Code Execution Vulnerability in MS IE 21-Nov-2005  -- Y (no patch) Memory Allocation Denial of Service via RPC 16-Nov-2005   -- -- Windows Metafile Vulnerability 08-Nov-2005 LiveShield Protection Memory Firewall Protection Days Until Mass Exploit 0-Day? (days before patch) 0-Day Vulnerability Date --  -- COM Object Instatiation Memory Corruption Vulnerability 13-Dec-2005
VPS Advantages Ensure non-stop availability  Must be able to deploy and maintain without disrupting business operations Accessibility Must be easy, simple to manage Guarantee reliability for critical servers and applications “ It just works!” Scalability Be able to support thousands of machines Flexibility Integration with a variety of management solutions through support of standard protocols
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
Managed Program Execution Engine Derek Bruening
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
Enter Monitoring is simple Port monitoring or system call monitoring  Don’t know good guy from bad guy  only known criminals can be identified  Even known bad guys are hard to detect  encrypted channels Compromise Monitoring can be done System call monitoring Hard to distinguish between actions of a normal program vs. a compromised program Leads to false positives Attack Lifecycle Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention  Currently no enforcement All attacks violate some of these conventions  NETWORK KERNEL Make payment Change prefs Read statement Write Record Update Registry Open port HIJACK COMPROMISE ENTER APPLICATIONS
Stop before Hijack Enforcing conventions  Systematically catch an entire class of attacks No false positives Catch them before they do ANY bad activity    no attack code is ever run Conventional Wisdom: Impossible to do without a large performance penalty Need to be inside the application Need to monitor activity at a very fine-grain – each instruction at a time Overhead will be overwhelming The Memory Firewall  lets you do just that! Able to amortize the cost of enforcement, eliminating the overhead Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention  Currently no enforcement All attacks violate some of these conventions  Processor Execution Environment ABI Restricted Execution Environment
How Program Shepherding Work? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Program Run-time  System Code Cache Program Counter: Executes the Program Instruction by Instruction Never Let go of the  Program Counter Restricted Code Origins: Is this code came from a code page? jmp  call br  ret call jmp  br
Technique 1:  Restricted Code Origins As code is copied to the code cache, check where it’s coming from Check the security policy only once A B D E Code Cache Unmodified code pages Modified pages
Technique 1:  Restricted Code Origins Catches all the injected code attacks Most of the popular attacks are of this type What is left? Malicious reuse of existing code Change addresses used by return and indirect jump and indirect branch instructions Much more difficult
An Example: Chained Call Attack Local Variables: URL Local Variables: tmp Return Address Argument: h Local Variables: … Return Address Arguments: … Stack http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101... URL: 0x7F8B0 Fake arguments handle_URL(handle * h) { char url[64]; … char * tmp =geturl(h) strcpy(url, tmp); … } Code 0x8A234 Fake arguments Libraries setuid() … unlink() … 0x7F8B0 0x8A234
Technique 2: Restricted Control Transfers context switch indirect branch lookup trace branch taken? BASIC BLOCK CACHE TRACE  CACHE non-control-flow instructions non-control-flow instructions Restrict based on source address, destination address, and/or transfer type
Technique 2: Restricted Control Transfers Inter-Segment Indirect Calls and Jumps Only to known function entry points Only if the function is exported by the destination segment Only if the function is imported by the source segment Intra-Segment Jumps Only within a known function or to a known function entry point Intra-Segment Indirect Calls Only to known function entry points
Technique 2: Restricted Control Transfers Returns  Only to after a call instruction If a direct call, called function should be the same as the function returning from
Technique 3:  Un-circumventable Sandboxing Typical problem with sandboxing: If attacker gains control, can bypass checks MPEE-inserted sandboxing is un-circumventable MPEE enforces  unique entry points
Protecting MPEE Itself MPEE runs in the application’s address space Must not allow application to manipulate MPEE data or code cache How? Protect MPEE data structures and the code cache Sandbox system calls that can change protection and thread behavior
Memory protection R R Application code RW RW Application data RW R  Code cache RW R MPEE data R  R MPEE code MPEE Privileges Application Privileges Page type
Memory protection R R Application code RW RW Application data RW RE  Code cache RW R MPEE data RE  R MPEE code MPEE Privileges Application Privileges Page type
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
What is a Vulnerability? Anatomy of a Vulnerability A corner case that should never happen in normal operations The programmer forgot to check for that corner case Vulnerability is the ability to invoke that corner case by an exploit to do something that is not allowed in normal operation.  In most vulnerabilities: A simple check (a few assembly instructions) identify the corner case Check if value is out of range Check a string for certain patterns The check never passes in normal operations When an exploit is caught by the check, simple remediation exist Return an error code from the function Put the value within range Truncate the string
LiveShield Reactive elimination of vulnerabilities  Triggered by: the availability of a proof-of-concept exploit against a vulnerability the availability of a patch release fixing a vulnerability  the availability of an attack taking advantage of a vulnerability when the remediation for a memory based vulnerability (or attack) destabilize the system
LiveShield Inject two very small pieces of code in to a running program Detector Check when the corner case is invoked  Guaranteed no impact on the program (cannot change program state or crash the program) Remediator  Take remediation action once an exploit is detected Will minimally change the program behavior, but it is to stop an attack.
LiveShield LiveShields improves the availability of systems minimizes the disruption of a working system Faster deployment cycle than a typical patch Surgical fix for the root cause of the problem In conjunction with the Memory Firewall, eliminates most vulnerabilities Reduce the patch frequency and need for emergency patching
Different Levels of Updates Power of a Patch, Operates like a DAT             Administration can be fully automated Minutes Within a day Hours Weeks to Months Months Months to never Typical time from  release to deployment       Easy to undo     Patch update     Detect     Protect LiveShield     DAT file update     Dot upgrade     Major upgrade  Manageable at a fine granularity Will not change current behavior No need to reboot or restart app No need to upgrade hardware or other programs
Using MPEE infrastructure as the LiveShield Framework Invisible injection Don’t need to put trampolines in the visible address space Issues with atomicity, instruction alignment etc. Basic Block/Trace building naturally leads to a direct implementation  Fully isolated execution especially for the detect mode MPEE provides an environment isolated from the application  Detect mode can give strong promises on not impacting the normal program behavior Existing central management framework Easy to manage dynamic updates and changes of status Can store the shields without impacting application Can do I/O without impacting the application
LiveShield Properties  Dynamic Customer Visible Individually Manageable/Undoable  Live Testing Capable Targeted Micro-Sized Control-flow Triggered Execution
Detector Requirements Checks if the corner case gets invoked If so, indicates that to the LiveShield runtime system In the detect mode: will report that fact  In the protect mode: call the remediator  Guarantee that the detector will not impact the the program Cannot change normal program state Cannot modify any program visible memory or program registers  Cannot acquire program visible resources Cannot modify the control-flow of the program Cannot crash or hang the program Need to catch any exception condition Need to check for infinite loops If a problem is encountered, exit the Shield If the problem is recurring, disable the Shield Implementation Restricted ISA that can be validated and sandboxed at load time
Remediator Requirements Ability to change the application to fix a vulnerability Change any application visible memory location Change control-flow of the program Return from the current application function Jump over a few application instructions after the trampoline  Take allowed program-level remediation action Kill thread and throw exception  More expressiveness than the detector Still will need some limitations…
LiveShield Development Operations Flow POC  Exploit  Released Acquire  the  exploit Identify  vulnerability Patch  Released Diff the patched version against previous version Attack Released Trace the  exploit  activity Acquire  the  attack Trace the  attack’s  activity Develop a Shield Port it to multiple  versions Test the  Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into  protect mode Put in a full QA System in protect mode No problems in 24  hours Report the  problems to Determina Y Y N N best case  is 24 hours,  Cannot take more than 7 days Minimal QA a. la. DAT  update
LiveShield Flow Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node  Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date  dll cache Mode information Status information Events Controller - Node Manager  Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded  dll ’ s Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node  Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date  dll cache Mode information Status information Events Controller - Node Manager  Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded  dll ’ s
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
Evaluation Criteria  Accuracy Maintainability Scalability Coverage Proactivity Uncircumventability Containment
1. Accuracy:   The cure cannot be deadlier than the illness! False Positives  More common than the attacks In an IDS    a nuisance  In an IPS    Can destabilize the system Applications aren’t resilient to squashing random system calls
2. Maintainability:   The cost of the solution should be less than the  attack cleanup cost What is a typical enterprise like? How many machines, how many IT people? Cost of operations… How do you manage a large enterprise? What impact maintainability? Shelfware vs. deployed software
3. Scalability:  Worms are equal opportunity attackers. Need to protect every box Requirements to run enterprise-wide… Critical bottlenecks Deployment / maintenance  Performance
4. Coverage:   No partial band-aid solutions please! % of vulnerabilities  Source: CVE, Microsoft Security Bulletins, 2003-2004
5. Proactivity:   Should be ready to protect when attacked!   Application  Released With a bug Vulnerability  announced Patch released Attack    Released Good guys Patch like crazy Bad guys analyze  patch & create attack 17 Previously Unknown Vulnerability 2 26 Previously Unknown Vulnerability 46 31 06/01 03/02 04/02 07/02 07/02 03/03 07/03 03/04 04/04 11/04 Code Red Digispid Spida Slammer Slapper WebDAV Blaster Witty Sasser Mydoom.ag 185 # of days from the Publication of the Vulnerability (availability of a patch) to Attack 77 34
Speed of Propagation The Witty Worm
6. Uncirumventability:  Don’t be an emperor with no clothes! Phrack Article – “Smashing Stack for Fun and Profit” Any fool-proof systems? Complex systems are never fool-proof Should we just give up? Compare system security with crypto Is crypto fool-proof? How do you evaluate crypto? Evaluating system security 10/90 rule of thumb Nothing is perfect, make it hard...
7. Containment:   What good of stopping an attack after it happens? Where was the attack stopped? At the gates vs. inner chamber  How far did the attack propagate Did malicious code got executed? Any machine got infected? Other machines got compromised?
Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria  Research Plan
VPS impact on the Project Managed Program Execution Engine Memory Firewall LiveShield Client Interface Injected code detection Patch Generation  and Deployment Constraint Leaning  and Monitoring Data Structure Consistency Checking Application State Probing Repair Generation,  Evaluation and Filtering
Determina Stmt of Work Client Interface for MPEE Application State Probing LiveShield Constraint Creation Framework LieShield Coordination Center Hybrid System for Binary Analysis Proactive Situational Awareness Vulnerability Analysis Integration, Testing and Deployment
Client Interface for MPEE The basic framework to build the tools Support the necessary API’s  Support on windows services and server applications Status Was an active research topic at MIT Currently dormant Will bring it back to life, improve and extend for this project Managed Program Execution Engine Memory Firewall LiveShield Client Interface
Application State Probing Build probes to check internal state of the application Probes can be client programs Simpler probes can be even liveshields Framework to collect the probe information to the central mgmt console Managed Program Execution Engine Memory Firewall LiveShield Client Interface Application State Probing
LiveShiled Constraint Creation Framework POC  Exploit  Released Acquire  the  exploit Identify  vulnerability Patch  Released Diff the patched version against previous version Attack Released Trace the  exploit  activity Acquire  the  attack Trace the  attack’s  activity Develop a Shield Port it to multiple  versions Test the  Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into  protect mode Put in a full QA System in protect mode No problems in 24  hours Report the  problems to Determina Y Y N N best case  is 24 hours,  Cannot take more than 7 days Minimal QA a. la. DAT  update
LiveShiled Constraint Creation Framework Interface for  Creating constraints  Deploying them through the central management console Gather feedback and manage the deployment Used for deploying automatically generted patches Framework for Constraint Creation Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into  protect mode Put in a full QA System in protect mode No problems in 24  hours Report the  problems to Determina Y Y N N Minimal QA a. la. DAT  update
LiveShiled Coordination Center Liveshields can have problems Minimal dev and QA (or no QA for auto developed) Can adversely impact the application Mitigate the risk by using the application community Gradual deployment while monitoring  Find anomalies that are correlated with deployment Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into  protect mode Put in a full QA System in protect mode No problems in 24  hours Report the  problems to Determina Y Y N N Minimal QA a. la. DAT  update
Hybrid System for Binary Analysis Manage Program Execution Engine  – all analysis at runtime Pros: Full visibility and simple workflow Cons: Expensive analysis affects the performance Hybrid system Do some analysis at installation or first invocation Pre-compute and memoize information when available Reduce the runtime overhead
Proactive Situational Awareness Attacks are mostly on known vulnerabilities No prior knowledge on day-zero attacks  But… vulnerabilities are known “ Are your applications open to known vulnerabilities?” Proactive Situational Awareness will Gather info on known vulnerabilities and attacks Gather current status of the applications Identify what vulnerabilities are unprotected Identify when an application deviate from the community
Vulnerability Analysis Determina’s LiveShield Operations team Troll for new vulnerabilities and attacks in the wild Analyze any new vulnerabilities and attacks Analyze Microsoft security updates Pinpoint the exact vulnerability  Develop LiveShields to stop them We have a large knowledge base Develop scenarios using the  state-of-the-black-art
Integrate, Testing, Deployment Build a prototype version of the product that integrate successful AC components Identify commercially-viable and ready components Prototype product development Integration  QA and test Deployment Interact with the Red Team Get feedback Iterate

MIT-6-determina-vps.ppt

  • 1.
    Determina’s Vulnerability ProtectionSuite Saman Amarasinghe CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL
  • 2.
    Corporate Overview FoundedEarly 2003 Core technology developed at MIT over 8 years Venture backed Headquarters in Redwood City, CA CTO & founding engineering team from MIT
  • 3.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 4.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 5.
    Market Trends Attacksand vulnerabilities still increasing Security incidents have nearly doubled each year (CERT) Endpoint security often last line of security to be addressed. SYMC Threat Report Trend towards directed attacks Threat landscape dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks Current threats increasingly motivated by profit Increasing vulnerabilities, more directed attacks
  • 6.
    Recent Example: WMFVulnerability NO Patch Available Patch fully deployed *Wipro, Ltd 2005, “The Total Cost of Security Patch Management” Day 14 : December 14: Sites first post WMF Exploits Day 35 : January 5 th : Microsoft Releases Patch Average exploit window: 25 days* before patches deployed Vulnerable w/no Official Patch 35 Days Vulnerability Made Public Total exploit window for average organization: 60 days Day 27: December 27: Initial Disclosure of Vulnerability Day 28 : December 28: MS Announces Awareness…No Patch for Issue Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29 Day 31: December 31: Instant messaging,Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site Day 0 : December 1: Vulnerability Discovered 1 and Exploit Code Being Sold for $4000 Shortly Afterward 1 Computerworld.com, “Russian hackers sold WMF exploit, analyst says” Patch issued by MS Determina 0-day protection active before vulnerability is known Zero-days
  • 7.
    Vulnerability Protection SuiteWhat is VPS Enterprise Host IPS security solution for Fortune 1000 Patented Technology “ Vulnerability Protection” focus vs. Attack focus Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Application Communities The core of VPS (DyanmoRIO, Memory Firewall and LiveShield) are core building blocks
  • 8.
    Vulnerability Protection SuiteWhat is VPS Enterprise Host IPS security solution for Fortune 1000 Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Managed Program Execution Engine Memory Firewall LiveShield
  • 9.
    Software Vulnerabilities: The “Root Cause” of Attacks 4,000 new software vulnerabilities are discovered each year (Symantec) 422 new vulnerabilities in Q2 ‘05, a 20% increase YoY (SANS) Microsoft issued 53 security bulletins in 2005. (Microsoft) Directed attackers (hackers) are increasingly targeting enterprise information for profit $30M Total losses in 2005 due to theft of proprietary data - a 270% increase YoY. (CSI/FBI) Mass worm attacks have caused billions in damage Zero-Day costs - SQL Slammer costs $950M to $1.2 billion in first five days alone (Cnet) 100% of Microsoft critical vulnerabilities are memory-related
  • 10.
    Zero-Day Endpoint Protection Without Tuning or Maintenance Memory Firewall protects without updates LiveShield shields released within days of vulnerability, without waiting for patches, exploit behavior or attack signatures  0 Y (9 days) Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF) 27-Dec-2005  -- -- IE HTTPS Proxy Basic Authentication Information Leak 13-Dec-2005  8 Y (23 days) Remote Code Execution Vulnerability in MS IE 21-Nov-2005  -- Y (no patch) Memory Allocation Denial of Service via RPC 16-Nov-2005   -- -- Windows Metafile Vulnerability 08-Nov-2005 LiveShield Protection Memory Firewall Protection Days Until Mass Exploit 0-Day? (days before patch) 0-Day Vulnerability Date --  -- COM Object Instatiation Memory Corruption Vulnerability 13-Dec-2005
  • 11.
    VPS Advantages Ensurenon-stop availability Must be able to deploy and maintain without disrupting business operations Accessibility Must be easy, simple to manage Guarantee reliability for critical servers and applications “ It just works!” Scalability Be able to support thousands of machines Flexibility Integration with a variety of management solutions through support of standard protocols
  • 12.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 13.
    Managed Program ExecutionEngine Derek Bruening
  • 14.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 15.
    Enter Monitoring issimple Port monitoring or system call monitoring Don’t know good guy from bad guy only known criminals can be identified Even known bad guys are hard to detect encrypted channels Compromise Monitoring can be done System call monitoring Hard to distinguish between actions of a normal program vs. a compromised program Leads to false positives Attack Lifecycle Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention Currently no enforcement All attacks violate some of these conventions NETWORK KERNEL Make payment Change prefs Read statement Write Record Update Registry Open port HIJACK COMPROMISE ENTER APPLICATIONS
  • 16.
    Stop before HijackEnforcing conventions Systematically catch an entire class of attacks No false positives Catch them before they do ANY bad activity  no attack code is ever run Conventional Wisdom: Impossible to do without a large performance penalty Need to be inside the application Need to monitor activity at a very fine-grain – each instruction at a time Overhead will be overwhelming The Memory Firewall lets you do just that! Able to amortize the cost of enforcement, eliminating the overhead Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention Currently no enforcement All attacks violate some of these conventions Processor Execution Environment ABI Restricted Execution Environment
  • 17.
    How Program ShepherdingWork? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Program Run-time System Code Cache Program Counter: Executes the Program Instruction by Instruction Never Let go of the Program Counter Restricted Code Origins: Is this code came from a code page? jmp call br ret call jmp br
  • 18.
    Technique 1: Restricted Code Origins As code is copied to the code cache, check where it’s coming from Check the security policy only once A B D E Code Cache Unmodified code pages Modified pages
  • 19.
    Technique 1: Restricted Code Origins Catches all the injected code attacks Most of the popular attacks are of this type What is left? Malicious reuse of existing code Change addresses used by return and indirect jump and indirect branch instructions Much more difficult
  • 20.
    An Example: ChainedCall Attack Local Variables: URL Local Variables: tmp Return Address Argument: h Local Variables: … Return Address Arguments: … Stack http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101... URL: 0x7F8B0 Fake arguments handle_URL(handle * h) { char url[64]; … char * tmp =geturl(h) strcpy(url, tmp); … } Code 0x8A234 Fake arguments Libraries setuid() … unlink() … 0x7F8B0 0x8A234
  • 21.
    Technique 2: RestrictedControl Transfers context switch indirect branch lookup trace branch taken? BASIC BLOCK CACHE TRACE CACHE non-control-flow instructions non-control-flow instructions Restrict based on source address, destination address, and/or transfer type
  • 22.
    Technique 2: RestrictedControl Transfers Inter-Segment Indirect Calls and Jumps Only to known function entry points Only if the function is exported by the destination segment Only if the function is imported by the source segment Intra-Segment Jumps Only within a known function or to a known function entry point Intra-Segment Indirect Calls Only to known function entry points
  • 23.
    Technique 2: RestrictedControl Transfers Returns Only to after a call instruction If a direct call, called function should be the same as the function returning from
  • 24.
    Technique 3: Un-circumventable Sandboxing Typical problem with sandboxing: If attacker gains control, can bypass checks MPEE-inserted sandboxing is un-circumventable MPEE enforces unique entry points
  • 25.
    Protecting MPEE ItselfMPEE runs in the application’s address space Must not allow application to manipulate MPEE data or code cache How? Protect MPEE data structures and the code cache Sandbox system calls that can change protection and thread behavior
  • 26.
    Memory protection RR Application code RW RW Application data RW R Code cache RW R MPEE data R R MPEE code MPEE Privileges Application Privileges Page type
  • 27.
    Memory protection RR Application code RW RW Application data RW RE Code cache RW R MPEE data RE R MPEE code MPEE Privileges Application Privileges Page type
  • 28.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 29.
    What is aVulnerability? Anatomy of a Vulnerability A corner case that should never happen in normal operations The programmer forgot to check for that corner case Vulnerability is the ability to invoke that corner case by an exploit to do something that is not allowed in normal operation. In most vulnerabilities: A simple check (a few assembly instructions) identify the corner case Check if value is out of range Check a string for certain patterns The check never passes in normal operations When an exploit is caught by the check, simple remediation exist Return an error code from the function Put the value within range Truncate the string
  • 30.
    LiveShield Reactive eliminationof vulnerabilities Triggered by: the availability of a proof-of-concept exploit against a vulnerability the availability of a patch release fixing a vulnerability the availability of an attack taking advantage of a vulnerability when the remediation for a memory based vulnerability (or attack) destabilize the system
  • 31.
    LiveShield Inject twovery small pieces of code in to a running program Detector Check when the corner case is invoked Guaranteed no impact on the program (cannot change program state or crash the program) Remediator Take remediation action once an exploit is detected Will minimally change the program behavior, but it is to stop an attack.
  • 32.
    LiveShield LiveShields improvesthe availability of systems minimizes the disruption of a working system Faster deployment cycle than a typical patch Surgical fix for the root cause of the problem In conjunction with the Memory Firewall, eliminates most vulnerabilities Reduce the patch frequency and need for emergency patching
  • 33.
    Different Levels ofUpdates Power of a Patch, Operates like a DAT         Administration can be fully automated Minutes Within a day Hours Weeks to Months Months Months to never Typical time from release to deployment       Easy to undo     Patch update     Detect     Protect LiveShield     DAT file update     Dot upgrade     Major upgrade Manageable at a fine granularity Will not change current behavior No need to reboot or restart app No need to upgrade hardware or other programs
  • 34.
    Using MPEE infrastructureas the LiveShield Framework Invisible injection Don’t need to put trampolines in the visible address space Issues with atomicity, instruction alignment etc. Basic Block/Trace building naturally leads to a direct implementation Fully isolated execution especially for the detect mode MPEE provides an environment isolated from the application Detect mode can give strong promises on not impacting the normal program behavior Existing central management framework Easy to manage dynamic updates and changes of status Can store the shields without impacting application Can do I/O without impacting the application
  • 35.
    LiveShield Properties Dynamic Customer Visible Individually Manageable/Undoable Live Testing Capable Targeted Micro-Sized Control-flow Triggered Execution
  • 36.
    Detector Requirements Checksif the corner case gets invoked If so, indicates that to the LiveShield runtime system In the detect mode: will report that fact In the protect mode: call the remediator Guarantee that the detector will not impact the the program Cannot change normal program state Cannot modify any program visible memory or program registers Cannot acquire program visible resources Cannot modify the control-flow of the program Cannot crash or hang the program Need to catch any exception condition Need to check for infinite loops If a problem is encountered, exit the Shield If the problem is recurring, disable the Shield Implementation Restricted ISA that can be validated and sandboxed at load time
  • 37.
    Remediator Requirements Abilityto change the application to fix a vulnerability Change any application visible memory location Change control-flow of the program Return from the current application function Jump over a few application instructions after the trampoline Take allowed program-level remediation action Kill thread and throw exception More expressiveness than the detector Still will need some limitations…
  • 38.
    LiveShield Development OperationsFlow POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update
  • 39.
    LiveShield Flow Read- only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s
  • 40.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 41.
    Evaluation Criteria Accuracy Maintainability Scalability Coverage Proactivity Uncircumventability Containment
  • 42.
    1. Accuracy: The cure cannot be deadlier than the illness! False Positives More common than the attacks In an IDS  a nuisance In an IPS  Can destabilize the system Applications aren’t resilient to squashing random system calls
  • 43.
    2. Maintainability: The cost of the solution should be less than the attack cleanup cost What is a typical enterprise like? How many machines, how many IT people? Cost of operations… How do you manage a large enterprise? What impact maintainability? Shelfware vs. deployed software
  • 44.
    3. Scalability: Worms are equal opportunity attackers. Need to protect every box Requirements to run enterprise-wide… Critical bottlenecks Deployment / maintenance Performance
  • 45.
    4. Coverage: No partial band-aid solutions please! % of vulnerabilities Source: CVE, Microsoft Security Bulletins, 2003-2004
  • 46.
    5. Proactivity: Should be ready to protect when attacked! Application Released With a bug Vulnerability announced Patch released Attack Released Good guys Patch like crazy Bad guys analyze patch & create attack 17 Previously Unknown Vulnerability 2 26 Previously Unknown Vulnerability 46 31 06/01 03/02 04/02 07/02 07/02 03/03 07/03 03/04 04/04 11/04 Code Red Digispid Spida Slammer Slapper WebDAV Blaster Witty Sasser Mydoom.ag 185 # of days from the Publication of the Vulnerability (availability of a patch) to Attack 77 34
  • 47.
    Speed of PropagationThe Witty Worm
  • 48.
    6. Uncirumventability: Don’t be an emperor with no clothes! Phrack Article – “Smashing Stack for Fun and Profit” Any fool-proof systems? Complex systems are never fool-proof Should we just give up? Compare system security with crypto Is crypto fool-proof? How do you evaluate crypto? Evaluating system security 10/90 rule of thumb Nothing is perfect, make it hard...
  • 49.
    7. Containment: What good of stopping an attack after it happens? Where was the attack stopped? At the gates vs. inner chamber How far did the attack propagate Did malicious code got executed? Any machine got infected? Other machines got compromised?
  • 50.
    Overview Corporate OverviewVulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
  • 51.
    VPS impact onthe Project Managed Program Execution Engine Memory Firewall LiveShield Client Interface Injected code detection Patch Generation and Deployment Constraint Leaning and Monitoring Data Structure Consistency Checking Application State Probing Repair Generation, Evaluation and Filtering
  • 52.
    Determina Stmt ofWork Client Interface for MPEE Application State Probing LiveShield Constraint Creation Framework LieShield Coordination Center Hybrid System for Binary Analysis Proactive Situational Awareness Vulnerability Analysis Integration, Testing and Deployment
  • 53.
    Client Interface forMPEE The basic framework to build the tools Support the necessary API’s Support on windows services and server applications Status Was an active research topic at MIT Currently dormant Will bring it back to life, improve and extend for this project Managed Program Execution Engine Memory Firewall LiveShield Client Interface
  • 54.
    Application State ProbingBuild probes to check internal state of the application Probes can be client programs Simpler probes can be even liveshields Framework to collect the probe information to the central mgmt console Managed Program Execution Engine Memory Firewall LiveShield Client Interface Application State Probing
  • 55.
    LiveShiled Constraint CreationFramework POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update
  • 56.
    LiveShiled Constraint CreationFramework Interface for Creating constraints Deploying them through the central management console Gather feedback and manage the deployment Used for deploying automatically generted patches Framework for Constraint Creation Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N Minimal QA a. la. DAT update
  • 57.
    LiveShiled Coordination CenterLiveshields can have problems Minimal dev and QA (or no QA for auto developed) Can adversely impact the application Mitigate the risk by using the application community Gradual deployment while monitoring Find anomalies that are correlated with deployment Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N Minimal QA a. la. DAT update
  • 58.
    Hybrid System forBinary Analysis Manage Program Execution Engine – all analysis at runtime Pros: Full visibility and simple workflow Cons: Expensive analysis affects the performance Hybrid system Do some analysis at installation or first invocation Pre-compute and memoize information when available Reduce the runtime overhead
  • 59.
    Proactive Situational AwarenessAttacks are mostly on known vulnerabilities No prior knowledge on day-zero attacks But… vulnerabilities are known “ Are your applications open to known vulnerabilities?” Proactive Situational Awareness will Gather info on known vulnerabilities and attacks Gather current status of the applications Identify what vulnerabilities are unprotected Identify when an application deviate from the community
  • 60.
    Vulnerability Analysis Determina’sLiveShield Operations team Troll for new vulnerabilities and attacks in the wild Analyze any new vulnerabilities and attacks Analyze Microsoft security updates Pinpoint the exact vulnerability Develop LiveShields to stop them We have a large knowledge base Develop scenarios using the state-of-the-black-art
  • 61.
    Integrate, Testing, DeploymentBuild a prototype version of the product that integrate successful AC components Identify commercially-viable and ready components Prototype product development Integration QA and test Deployment Interact with the Red Team Get feedback Iterate

Editor's Notes

  • #6 Published analyst reports consistent – more vulnerabilities, attack motives changing from fame to fortune. Symantec Internet Security Threat Report marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud
  • #7 Another specific instance. This is even more illustrative that using patching for securing systems is a losing battle because in this case there was no patch available until 30 days after the exploits were 1 st released. Lots of ways to get hurt, costing millions of dollars waiting for a patch and for the patch to be deployed. Recent example – the critical IE vulnerability in late March. Determina issued a stand-alone fix for download, for free, to highlight our capabilities. VPS was the only solution that protected the IE vulnerability. VPS customers were protected without taking any additional actions. No other solution did this! Over 90% of security exploits are carried out through vulnerabilities for which there are known patches (Gartner)
  • #10 What is the basis of the threat? Vulnerabilities are the root cause. In OS, server apps, desktop apps. Look at the stats, share these with your customers. How to protect vulnerabilities against these attacks and exploits?
  • #11 Days Until Mass Exploit: --- Means no mass exploit 0-Day?: --- means MS announced the vulnerability with the patch Some examples of recent vulnerabilities to illustrate the protections provided by MF and LS, as well as the threat and window of attacks without the protection.
  • #12 What is a customer looking for in a Host IPS/endpoint security solution? Stress here that it “just works.” Many solutions out there don’t live up to their claims or simply don’t work properly (crashes, conflicts, etc.). Stress here that while Determina is a young company, VPS is based on mature, proven technology going back over 8 years in development.
  • #16 2:48
  • #17 2:48
  • #18 2:50
  • #19 3:00
  • #21 3:03
  • #22 3:06
  • #25 3:09
  • #26 3:12
  • #42 3:15
  • #43 3:16 Ask problems with False positives
  • #44 3:17
  • #45 3:18
  • #46 3:20
  • #48 3:22
  • #49 3:23 Ask Should we give up? Ask about Crypto fool-proof?
  • #50 3:24