The document summarizes Determina's Vulnerability Protection Suite, which uses patented technology to stop both known and unknown (zero-day) attacks without needing updates, signatures, or behavior modeling. It focuses on vulnerability prevention rather than attack detection. The core technologies include the Managed Program Execution Engine, Memory Firewall, and LiveShield, which provide zero-day endpoint protection.

1. Determina’s Vulnerability Protection Suite Saman Amarasinghe CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL

2. Corporate Overview Founded Early 2003 Core technology developed at MIT over 8 years Venture backed Headquarters in Redwood City, CA CTO & founding engineering team from MIT

3. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

4. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

5. Market Trends Attacks and vulnerabilities still increasing Security incidents have nearly doubled each year (CERT) Endpoint security often last line of security to be addressed. SYMC Threat Report Trend towards directed attacks Threat landscape dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks Current threats increasingly motivated by profit Increasing vulnerabilities, more directed attacks

6. Recent Example: WMF Vulnerability NO Patch Available Patch fully deployed *Wipro, Ltd 2005, “The Total Cost of Security Patch Management” Day 14 : December 14: Sites first post WMF Exploits Day 35 : January 5 th : Microsoft Releases Patch Average exploit window: 25 days* before patches deployed Vulnerable w/no Official Patch 35 Days Vulnerability Made Public Total exploit window for average organization: 60 days Day 27: December 27: Initial Disclosure of Vulnerability Day 28 : December 28: MS Announces Awareness…No Patch for Issue Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29 Day 31: December 31: Instant messaging,Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site Day 0 : December 1: Vulnerability Discovered 1 and Exploit Code Being Sold for $4000 Shortly Afterward 1 Computerworld.com, “Russian hackers sold WMF exploit, analyst says” Patch issued by MS Determina 0-day protection active before vulnerability is known Zero-days

7. Vulnerability Protection Suite What is VPS Enterprise Host IPS security solution for Fortune 1000 Patented Technology “ Vulnerability Protection” focus vs. Attack focus Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Application Communities The core of VPS (DyanmoRIO, Memory Firewall and LiveShield) are core building blocks

8. Vulnerability Protection Suite What is VPS Enterprise Host IPS security solution for Fortune 1000 Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives Managed Program Execution Engine Memory Firewall LiveShield

9. Software Vulnerabilities: The “Root Cause” of Attacks 4,000 new software vulnerabilities are discovered each year (Symantec) 422 new vulnerabilities in Q2 ‘05, a 20% increase YoY (SANS) Microsoft issued 53 security bulletins in 2005. (Microsoft) Directed attackers (hackers) are increasingly targeting enterprise information for profit $30M Total losses in 2005 due to theft of proprietary data - a 270% increase YoY. (CSI/FBI) Mass worm attacks have caused billions in damage Zero-Day costs - SQL Slammer costs $950M to $1.2 billion in first five days alone (Cnet) 100% of Microsoft critical vulnerabilities are memory-related

10. Zero-Day Endpoint Protection Without Tuning or Maintenance Memory Firewall protects without updates LiveShield shields released within days of vulnerability, without waiting for patches, exploit behavior or attack signatures  0 Y (9 days) Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF) 27-Dec-2005  -- -- IE HTTPS Proxy Basic Authentication Information Leak 13-Dec-2005  8 Y (23 days) Remote Code Execution Vulnerability in MS IE 21-Nov-2005  -- Y (no patch) Memory Allocation Denial of Service via RPC 16-Nov-2005   -- -- Windows Metafile Vulnerability 08-Nov-2005 LiveShield Protection Memory Firewall Protection Days Until Mass Exploit 0-Day? (days before patch) 0-Day Vulnerability Date --  -- COM Object Instatiation Memory Corruption Vulnerability 13-Dec-2005

11. VPS Advantages Ensure non-stop availability Must be able to deploy and maintain without disrupting business operations Accessibility Must be easy, simple to manage Guarantee reliability for critical servers and applications “ It just works!” Scalability Be able to support thousands of machines Flexibility Integration with a variety of management solutions through support of standard protocols

12. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

13. Managed Program Execution Engine Derek Bruening

14. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

15. Enter Monitoring is simple Port monitoring or system call monitoring Don’t know good guy from bad guy only known criminals can be identified Even known bad guys are hard to detect encrypted channels Compromise Monitoring can be done System call monitoring Hard to distinguish between actions of a normal program vs. a compromised program Leads to false positives Attack Lifecycle Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention Currently no enforcement All attacks violate some of these conventions NETWORK KERNEL Make payment Change prefs Read statement Write Record Update Registry Open port HIJACK COMPROMISE ENTER APPLICATIONS

16. Stop before Hijack Enforcing conventions Systematically catch an entire class of attacks No false positives Catch them before they do ANY bad activity  no attack code is ever run Conventional Wisdom: Impossible to do without a large performance penalty Need to be inside the application Need to monitor activity at a very fine-grain – each instruction at a time Overhead will be overwhelming The Memory Firewall lets you do just that! Able to amortize the cost of enforcement, eliminating the overhead Hijack “ Catch in the act of criminal behavior” All programs follow strict conventions ABI (Application Binary Interface) The Calling Convention Currently no enforcement All attacks violate some of these conventions Processor Execution Environment ABI Restricted Execution Environment

17. How Program Shepherding Work? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Program Run-time System Code Cache Program Counter: Executes the Program Instruction by Instruction Never Let go of the Program Counter Restricted Code Origins: Is this code came from a code page? jmp call br ret call jmp br

18. Technique 1: Restricted Code Origins As code is copied to the code cache, check where it’s coming from Check the security policy only once A B D E Code Cache Unmodified code pages Modified pages

19. Technique 1: Restricted Code Origins Catches all the injected code attacks Most of the popular attacks are of this type What is left? Malicious reuse of existing code Change addresses used by return and indirect jump and indirect branch instructions Much more difficult

20. An Example: Chained Call Attack Local Variables: URL Local Variables: tmp Return Address Argument: h Local Variables: … Return Address Arguments: … Stack http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101... URL: 0x7F8B0 Fake arguments handle_URL(handle * h) { char url[64]; … char * tmp =geturl(h) strcpy(url, tmp); … } Code 0x8A234 Fake arguments Libraries setuid() … unlink() … 0x7F8B0 0x8A234

21. Technique 2: Restricted Control Transfers context switch indirect branch lookup trace branch taken? BASIC BLOCK CACHE TRACE CACHE non-control-flow instructions non-control-flow instructions Restrict based on source address, destination address, and/or transfer type

22. Technique 2: Restricted Control Transfers Inter-Segment Indirect Calls and Jumps Only to known function entry points Only if the function is exported by the destination segment Only if the function is imported by the source segment Intra-Segment Jumps Only within a known function or to a known function entry point Intra-Segment Indirect Calls Only to known function entry points

23. Technique 2: Restricted Control Transfers Returns Only to after a call instruction If a direct call, called function should be the same as the function returning from

24. Technique 3: Un-circumventable Sandboxing Typical problem with sandboxing: If attacker gains control, can bypass checks MPEE-inserted sandboxing is un-circumventable MPEE enforces unique entry points

25. Protecting MPEE Itself MPEE runs in the application’s address space Must not allow application to manipulate MPEE data or code cache How? Protect MPEE data structures and the code cache Sandbox system calls that can change protection and thread behavior

26. Memory protection R R Application code RW RW Application data RW R Code cache RW R MPEE data R R MPEE code MPEE Privileges Application Privileges Page type

27. Memory protection R R Application code RW RW Application data RW RE Code cache RW R MPEE data RE R MPEE code MPEE Privileges Application Privileges Page type

28. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

29. What is a Vulnerability? Anatomy of a Vulnerability A corner case that should never happen in normal operations The programmer forgot to check for that corner case Vulnerability is the ability to invoke that corner case by an exploit to do something that is not allowed in normal operation. In most vulnerabilities: A simple check (a few assembly instructions) identify the corner case Check if value is out of range Check a string for certain patterns The check never passes in normal operations When an exploit is caught by the check, simple remediation exist Return an error code from the function Put the value within range Truncate the string

30. LiveShield Reactive elimination of vulnerabilities Triggered by: the availability of a proof-of-concept exploit against a vulnerability the availability of a patch release fixing a vulnerability the availability of an attack taking advantage of a vulnerability when the remediation for a memory based vulnerability (or attack) destabilize the system

31. LiveShield Inject two very small pieces of code in to a running program Detector Check when the corner case is invoked Guaranteed no impact on the program (cannot change program state or crash the program) Remediator Take remediation action once an exploit is detected Will minimally change the program behavior, but it is to stop an attack.

32. LiveShield LiveShields improves the availability of systems minimizes the disruption of a working system Faster deployment cycle than a typical patch Surgical fix for the root cause of the problem In conjunction with the Memory Firewall, eliminates most vulnerabilities Reduce the patch frequency and need for emergency patching

33. Different Levels of Updates Power of a Patch, Operates like a DAT         Administration can be fully automated Minutes Within a day Hours Weeks to Months Months Months to never Typical time from release to deployment       Easy to undo     Patch update     Detect     Protect LiveShield     DAT file update     Dot upgrade     Major upgrade Manageable at a fine granularity Will not change current behavior No need to reboot or restart app No need to upgrade hardware or other programs

34. Using MPEE infrastructure as the LiveShield Framework Invisible injection Don’t need to put trampolines in the visible address space Issues with atomicity, instruction alignment etc. Basic Block/Trace building naturally leads to a direct implementation Fully isolated execution especially for the detect mode MPEE provides an environment isolated from the application Detect mode can give strong promises on not impacting the normal program behavior Existing central management framework Easy to manage dynamic updates and changes of status Can store the shields without impacting application Can do I/O without impacting the application

35. LiveShield Properties Dynamic Customer Visible Individually Manageable/Undoable Live Testing Capable Targeted Micro-Sized Control-flow Triggered Execution

36. Detector Requirements Checks if the corner case gets invoked If so, indicates that to the LiveShield runtime system In the detect mode: will report that fact In the protect mode: call the remediator Guarantee that the detector will not impact the the program Cannot change normal program state Cannot modify any program visible memory or program registers Cannot acquire program visible resources Cannot modify the control-flow of the program Cannot crash or hang the program Need to catch any exception condition Need to check for infinite loops If a problem is encountered, exit the Shield If the problem is recurring, disable the Shield Implementation Restricted ISA that can be validated and sandboxed at load time

37. Remediator Requirements Ability to change the application to fix a vulnerability Change any application visible memory location Change control-flow of the program Return from the current application function Jump over a few application instructions after the trampoline Take allowed program-level remediation action Kill thread and throw exception More expressiveness than the detector Still will need some limitations…

38. LiveShield Development Operations Flow POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update

39. LiveShield Flow Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s

40. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

41. Evaluation Criteria Accuracy Maintainability Scalability Coverage Proactivity Uncircumventability Containment

42. 1. Accuracy: The cure cannot be deadlier than the illness! False Positives More common than the attacks In an IDS  a nuisance In an IPS  Can destabilize the system Applications aren’t resilient to squashing random system calls

43. 2. Maintainability: The cost of the solution should be less than the attack cleanup cost What is a typical enterprise like? How many machines, how many IT people? Cost of operations… How do you manage a large enterprise? What impact maintainability? Shelfware vs. deployed software

44. 3. Scalability: Worms are equal opportunity attackers. Need to protect every box Requirements to run enterprise-wide… Critical bottlenecks Deployment / maintenance Performance

45. 4. Coverage: No partial band-aid solutions please! % of vulnerabilities Source: CVE, Microsoft Security Bulletins, 2003-2004

46. 5. Proactivity: Should be ready to protect when attacked! Application Released With a bug Vulnerability announced Patch released Attack Released Good guys Patch like crazy Bad guys analyze patch & create attack 17 Previously Unknown Vulnerability 2 26 Previously Unknown Vulnerability 46 31 06/01 03/02 04/02 07/02 07/02 03/03 07/03 03/04 04/04 11/04 Code Red Digispid Spida Slammer Slapper WebDAV Blaster Witty Sasser Mydoom.ag 185 # of days from the Publication of the Vulnerability (availability of a patch) to Attack 77 34

47. Speed of Propagation The Witty Worm

48. 6. Uncirumventability: Don’t be an emperor with no clothes! Phrack Article – “Smashing Stack for Fun and Profit” Any fool-proof systems? Complex systems are never fool-proof Should we just give up? Compare system security with crypto Is crypto fool-proof? How do you evaluate crypto? Evaluating system security 10/90 rule of thumb Nothing is perfect, make it hard...

49. 7. Containment: What good of stopping an attack after it happens? Where was the attack stopped? At the gates vs. inner chamber How far did the attack propagate Did malicious code got executed? Any machine got infected? Other machines got compromised?

50. Overview Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan

51. VPS impact on the Project Managed Program Execution Engine Memory Firewall LiveShield Client Interface Injected code detection Patch Generation and Deployment Constraint Leaning and Monitoring Data Structure Consistency Checking Application State Probing Repair Generation, Evaluation and Filtering

52. Determina Stmt of Work Client Interface for MPEE Application State Probing LiveShield Constraint Creation Framework LieShield Coordination Center Hybrid System for Binary Analysis Proactive Situational Awareness Vulnerability Analysis Integration, Testing and Deployment

53. Client Interface for MPEE The basic framework to build the tools Support the necessary API’s Support on windows services and server applications Status Was an active research topic at MIT Currently dormant Will bring it back to life, improve and extend for this project Managed Program Execution Engine Memory Firewall LiveShield Client Interface

54. Application State Probing Build probes to check internal state of the application Probes can be client programs Simpler probes can be even liveshields Framework to collect the probe information to the central mgmt console Managed Program Execution Engine Memory Firewall LiveShield Client Interface Application State Probing

55. LiveShiled Constraint Creation Framework POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update

56. LiveShiled Constraint Creation Framework Interface for Creating constraints Deploying them through the central management console Gather feedback and manage the deployment Used for deploying automatically generted patches Framework for Constraint Creation Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N Minimal QA a. la. DAT update

57. LiveShiled Coordination Center Liveshields can have problems Minimal dev and QA (or no QA for auto developed) Can adversely impact the application Mitigate the risk by using the application community Gradual deployment while monitoring Find anomalies that are correlated with deployment Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N Minimal QA a. la. DAT update

58. Hybrid System for Binary Analysis Manage Program Execution Engine – all analysis at runtime Pros: Full visibility and simple workflow Cons: Expensive analysis affects the performance Hybrid system Do some analysis at installation or first invocation Pre-compute and memoize information when available Reduce the runtime overhead

59. Proactive Situational Awareness Attacks are mostly on known vulnerabilities No prior knowledge on day-zero attacks But… vulnerabilities are known “ Are your applications open to known vulnerabilities?” Proactive Situational Awareness will Gather info on known vulnerabilities and attacks Gather current status of the applications Identify what vulnerabilities are unprotected Identify when an application deviate from the community

60. Vulnerability Analysis Determina’s LiveShield Operations team Troll for new vulnerabilities and attacks in the wild Analyze any new vulnerabilities and attacks Analyze Microsoft security updates Pinpoint the exact vulnerability Develop LiveShields to stop them We have a large knowledge base Develop scenarios using the state-of-the-black-art

61. Integrate, Testing, Deployment Build a prototype version of the product that integrate successful AC components Identify commercially-viable and ready components Prototype product development Integration QA and test Deployment Interact with the Red Team Get feedback Iterate