Post on 13-Jan-2016
High-Speed Matching of Vulnerability Signatures
Nabil Schear *
David R. Albrecht †
Nikita Borisov †
University of Illinois at Urbana-Champaign
* Department of Computer Science
† Department of Electrical and Computer Engineering
{nschear2, dalbrech, nikita}@illinois.edu
16 September 2008
Exploit vs. Vulnerability Signatures
• Exploit Signatures – match a specific example of an exploit
  + fast to match
  - imprecise, false positives
• Vulnerability Signatures – match the condition under which the program is vulnerable
  + exploit generic, very precise
  - expensive
Example – CUPS/IPP
[Figure: an HTTP/1.1 200 OK response with Content-Type: ipp and Transfer-Encoding: chunked carrying an IPP message: IPP header, a sequence of attributes, extra data. Each attribute is laid out as tag, name_len, name, value_len, value.]
Buffer overflow: uint16 name_len used to copy name into 8KB buffer without checks
Exploit Signature (shell code stored in name field):
    alert tcp any any -> any 631 (content: "|EB 10 5B 4B 33 C9 66 B9 96 03…|")
Example – CUPS/IPP
[Figure: the same response, now delivered as two HTTP chunks (Chunk 1, Chunk 2); the attribute's name field straddles the chunk boundary, so the shell code bytes are split.]
• Now split shell code across two HTTP chunks
Example – CUPS/IPP
[Figure: the attribute layout tag, name_len, name, value_len, value, with the vulnerability check applied to name_len.]
Vulnerability Signature:
    if (name_len > 8192) Exception!
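As an added illustration (example code written for this page, not the authors' VESPA or CUPS code), the Python below builds a constructed IPP message, sends it as two HTTP chunks, and compares the two signature styles from the slides: the exploit-style byte pattern searched over raw wire bytes misses when the chunk boundary falls inside it, while the vulnerability signature, applied to name_len after reassembly, fires either way. The header bytes, the PATTERN stand-in and the simplified IPP layout are assumptions made for the example.

```python
import struct
# Constructed sample data (not from the paper): a minimal IPP message carried
# with HTTP chunked transfer encoding, as in the CUPS/IPP slides.
VULN_LIMIT = 8192                      # CUPS copied the name into an 8 KB buffer
HEADER = b"\x01\x01\x00\x00\x00\x00\x00\x01"   # version, status, request-id
PATTERN = b"CONSTRUCTED-EXPLOIT-BYTES"  # stand-in for an exploit signature's content

def build_message(name_len: int) -> bytes:
    """Header, group tag, one attribute (tag, name_len, name, value_len, value), end tag."""
    name = PATTERN + b"A" * (name_len - len(PATTERN))
    return (HEADER + b"\x01\x42" + struct.pack(">H", len(name)) + name
            + struct.pack(">H", 5) + b"value" + b"\x03")

def chunked(payload: bytes, split: int) -> bytes:
    """Send payload as two HTTP/1.1 chunks, cut at offset `split`."""
    a, b = payload[:split], payload[split:]
    return b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (len(a), a, len(b), b)

def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, data, CRLF, ..., zero-size chunk."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2

def oversized_name_lens(msg: bytes) -> list:
    """Traversal reading only tags and lengths; name/value bytes are skipped (binpac &transient)."""
    hits, pos = [], len(HEADER)
    while pos < len(msg):
        tag = msg[pos]; pos += 1
        if tag == 0x03:                    # end-of-attributes-tag
            break
        if tag < 0x10:                     # attribute-group delimiter: no fields
            continue
        name_len = struct.unpack_from(">H", msg, pos)[0]; pos += 2
        if name_len > VULN_LIMIT:          # the vulnerability predicate
            hits.append(name_len)
            break
        pos += name_len                    # skip name
        pos += 2 + struct.unpack_from(">H", msg, pos)[0]   # skip value_len, value
    return hits

def exploit_sig_matches(wire: bytes) -> bool:  # byte pattern over raw wire bytes
    return PATTERN in wire
def vuln_sig_matches(wire: bytes) -> bool:     # reassemble, then name_len > 8192
    return bool(oversized_name_lens(dechunk(wire)))
```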
Motivation: Matching Performance
Throughput (Mbits/s) of vulnerability matchers
Protocol    binpac   hand-coded
CUPS/HTTP    5,414       20,340
DNS             71        2,647
IPP            809        7,601
WMF            610       14,013
• Hand-coded 3x to 37x faster!
• Many vulnerabilities do not require full protocol parsing
Introducing VESPA
• A vulnerability signature and protocol parsing architecture
• Focus on performance
  – Hardware acceleration friendly design
• Future work: offload to FPGA, network processor
  – Target use in NIC or switch
    • 1 Gbps+
    • Low latency
Outline
• Parsing Architecture Design
  – Text Protocols
  – Binary Protocols
• Vulnerability Specification Language
• Performance Evaluation
• Related Work
• Conclusions
VESPA Design
• Couple protocol and vulnerability specifications
  – maximum parser optimization
• Design Principles
  – Fast matching primitives
  – Explicit state management
  – Avoid parsing irrelevant message parts
• Basic Idea: construct matching specs based on primitives and marry them to state control functions
Protocol State
• Core State
  – Example: HTTP Content-Length header
  – Defines the structure and semantics of the message
  – Always parse
• Application State
  – Example: HTTP Accept-Charset header
  – Only relevant to the application
  – Skip by default
Text Protocols
• Often use explicit field labeling
  – e.g., RCPT TO: <nschear2@illinois.edu>
• Multi-string matching primitive to flatten irrelevant protocol structure
  – e.g., search for "HTTP/1.", "Content-Length:", "Transfer-Encoding:", "POST", and "\r\n\r\n" simultaneously
• Use control logic to drive the matching primitive
Binary Protocols
• Field meaning based on position in message
• Binary traversal primitive
  – Parses only core fields
  – No full in-memory representation
  – Parses vulnerability-relevant fields when desired
  – Implemented with the binpac language
VESPA Language
• Stores each variable as a member of a generated C++ class
• Extraction function within %{…}%

    bool is_post = str_matcher "POST" handler handle_post() %{ is_post = true; }%
    handle_post() %{ if(is_post) deploy(content_length); }%

  (annotated on the slide as the string matcher primitive spec and the handler spec)
• Embedded C++ code
• deploy(var) function to control match state
• Check vulnerability predicates here
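An added example (written for this page, not VESPA code) of the text-protocol idea on this and the Text Protocols slide: one pass that searches for the five core-state labels at once (a regex alternation stands in for the multi-string primitive), sets is_post, deploys the Content-Length predicate at the end of the headers, and never parses application headers such as Accept-Charset. The requests and the negative Content-Length check (the integer-overflow case listed under Tested Vulnerabilities) are constructed for illustration.

```python
import re

# The five labels VESPA searches for simultaneously in HTTP core state (from
# the slide); every other header is application state and is never parsed.
CORE = re.compile(rb"HTTP/1\.|Content-Length:|Transfer-Encoding:|POST|\r\n\r\n")

def deploy(state: dict) -> None:
    """Counterpart of the slide's deploy(var): evaluate the vulnerability
    predicates once the core fields are known. A negative Content-Length
    (the integer-overflow case under Tested Vulnerabilities) is matched here."""
    cl = state["content_length"]
    if state["is_post"] and cl is not None and cl < 0:
        state["alerts"].append("negative Content-Length %d" % cl)

def header_value(data: bytes, start: int) -> bytes:
    """Bytes from just after a matched label to the end of that header line."""
    return data[start:data.index(b"\r\n", start)].strip()

def scan_http_core(data: bytes) -> dict:
    """One pass over the request; only matched labels drive the state machine."""
    state = {"is_post": False, "http1": False, "content_length": None,
             "chunked": False, "alerts": []}
    for m in CORE.finditer(data):
        label = m.group()
        if label == b"POST" and m.start() == 0:        # request line
            state["is_post"] = True
        elif label == b"HTTP/1.":
            state["http1"] = True
        elif label == b"Content-Length:":
            state["content_length"] = int(header_value(data, m.end()))
        elif label == b"Transfer-Encoding:":
            state["chunked"] = b"chunked" in header_value(data, m.end()).lower()
        elif label == b"\r\n\r\n":                     # end of headers
            deploy(state)
            break
    return state

# Constructed requests (not from the paper). Accept-Charset is application
# state: the matcher never touches it.
REQ_BAD = (b"POST /printers/lp HTTP/1.1\r\nHost: cups.example\r\n"
           b"Accept-Charset: utf-8\r\nContent-Type: application/ipp\r\n"
           b"Content-Length: -1\r\n\r\n")
REQ_OK = (b"POST /printers/lp HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
          b"Content-Type: application/ipp\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
```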
Binary Protocols
VESPA:

    uint16 name_len = bin_matcher IPP.binpac:IPP_Attr_Data.name_len handler handle_name() default;
    handle_name() %{
        if(name_len > 8192) // throw exception
    }%

• VESPA controls:
  – vulnerability state
  – predicate evaluation
• binpac controls protocol binary traversal
binpac IPP specification:

    type IPP_Attr_Data = record {
        name_len:  uint16;
        name:      bytestring &length = name_len &transient;
        value_len: uint16;
        value:     bytestring &length = value_len &transient;
    };
Modifying binpac for Binary Traversal
• Optimized binpac dynamic memory usage
  – Pre-allocate one of each object that could be parsed in one object
  – Remove STL vector storage for all array elements
• Use &pointer attribute to specify objects that must be dynamically created
  – e.g., DNS name pointers…
Evaluation
• Focus on vulnerabilities difficult to match with exploit signatures
• Tested raw vulnerability signature matcher/parser performance
  – Network reassembly and reporting stages studied elsewhere
• Test System
  – 2.6 GHz AMD Athlon64
  – 4GB RAM
  – Ubuntu Linux 2.6.22-x86-64
Tested Vulnerabilities
• HTTP/IPP
  – Negative Content-Length causes integer overflow
  – uint16 name_len used to store size of 8KB buffer
• DNS
  – Pointer cycle can cause denial of service
• WMF
  – Vulnerable feature: allows arbitrary abort procedure to execute malicious code
Memory Micro-benchmarks
Bytes allocated per message
Protocol   binpac   traversal
DNS        15,812       2,296
IPP         1,360         432
WMF         3,824         312

Calls to new/malloc per message
Protocol   binpac   traversal
DNS           539          14
IPP            33           6
WMF            94           6

• 6x to 40x reduction in number of calls to new
• IPP and WMF call new 6x for any file
• DNS proportional to number of DNS pointers
String Primitive Micro-benchmarks
• Multi-string matching dominates text performance
• VESPA approximates the performance of pattern-based IDS for simple signatures
Parser Performance
• VESPA outperforms binpac by 3 to 5 times
• VESPA DNS considerably faster than binpac
  – Recall, hand-coded 9x faster than VESPA (2.6 Gbits/s)
  – Room for improvement in binary traversal
Related Work
• Pattern Matching
  – Wu-Manber, Aho-Corasick, flex, pcre, XFA, Protomatching
• Vulnerability Signatures
  – Shield, GAPA, binpac, NetShield, Prospector
• IDS/IPS
  – Snort, Bro, SafeCard
Conclusions
• Key Insight: vulnerability signatures often do not require full protocol parsing
  – Specialize the protocol parser to signature matching
• Developed VESPA language and architecture
  – 3-5 times faster than binpac
  – Performance tied to speed of primitives
    • Able to hardware accelerate multi-string matching
    • Improved performance of binary traversal
• Vulnerability signatures can be matched at 1 Gbps+
  – Suitable for server NICs, switches, inline IPS
Thank you!
Questions?