Determina’s Vulnerability Protection Suite Saman Amarasinghe CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL


Corporate Overview

- Founded early 2003
- Core technology developed at MIT over 8 years
- Venture backed
- Headquarters in Redwood City, CA
- CTO & founding engineering team from MIT

Overview

- Corporate Overview
- Vulnerability Protection Suite
  - Managed Program Execution Engine
  - Memory Firewall
  - LiveShield
- Evaluation Criteria
- Research Plan


Market Trends

- Attacks and vulnerabilities still increasing
  - Security incidents have nearly doubled each year (CERT)
  - Endpoint security often last line of security to be addressed.
- SYMC Threat Report
  - Trend towards directed attacks
  - Threat landscape dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks
  - Current threats increasingly motivated by profit

Increasing vulnerabilities, more directed attacks

Recent Example: WMF Vulnerability

Timeline:

- Day 0: December 1: Vulnerability discovered [1] and exploit code being sold for $4000 shortly afterward
- Day 14: December 14: Sites first post WMF exploits
- Day 27: December 27: Initial disclosure of vulnerability
- Day 28: December 28: MS announces awareness… no patch for issue
- Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29
- Day 31: December 31: Instant messaging, Trojan horses & botnets begin exploiting WMF, and unofficial patch released by Ilfak Guilfanov
- Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site
- Day 35: January 5th: Microsoft releases patch

Timeline labels:

- Zero-days
- NO patch available
- Vulnerability made public
- Vulnerable w/ no official patch: 35 days
- Patch issued by MS
- Average exploit window: 25 days* before patches deployed
- Patch fully deployed
- Total exploit window for average organization: 60 days
- Determina 0-day protection active before vulnerability is known

* Wipro, Ltd 2005, “The Total Cost of Security Patch Management”

[1] Computerworld.com, “Russian hackers sold WMF exploit, analyst says”

Vulnerability Protection Suite: What is VPS

- Enterprise Host IPS security solution for Fortune 1000
- Stops both known and unknown (zero-day) attacks
- A zero complexity / zero maintenance solution
  - No attack signatures / no post attack cleanup
  - No policies to maintain
  - No behavior to model
  - No false positives

[Diagram labels: Managed Program Execution Engine; Memory Firewall; LiveShield]

Zero-Day Endpoint Protection Without Tuning or Maintenance

- Memory Firewall protects without updates
- LiveShield shields released within days of vulnerability, without waiting for patches, exploit behavior or attack signatures

| Date | 0-Day Vulnerability | 0-Day? (days before patch) | Days Until Mass Exploit |
|---|---|---|---|
| 08-Nov-2005 | Windows Metafile Vulnerability | -- | -- |
| 16-Nov-2005 | Memory Allocation Denial of Service via RPC | Y (no patch) | -- |
| 21-Nov-2005 | Remote Code Execution Vulnerability in MS IE | Y (23 days) | 8 |
| 13-Dec-2005 | COM Object Instantiation Memory Corruption Vulnerability | -- | -- |
| 13-Dec-2005 | IE HTTPS Proxy Basic Authentication Information Leak | -- | -- |
| 27-Dec-2005 | Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF) | Y (9 days) | 0 |

(The slide's two further columns, Memory Firewall Protection and LiveShield Protection, carried per-row marks that are not present in this transcript.)

VPS Advantages

- Ensure non-stop availability: Must be able to deploy and maintain without disrupting business operations
- Accessibility: Must be easy, simple to manage
- Guarantee reliability for critical servers and applications: “It just works!”
- Scalability: Be able to support thousands of machines
- Flexibility: Integration with a variety of management solutions through support of standard protocols


Managed Program Execution Engine

Derek Bruening


Attack Lifecycle

- Enter: Monitoring is simple
  - Port monitoring or system call monitoring
  - Don’t know good guy from bad guy: only known criminals can be identified
  - Even known bad guys are hard to detect: encrypted channels
- Compromise: Monitoring can be done
  - System call monitoring
  - Hard to distinguish between actions of a normal program vs. a compromised program
  - Leads to false positives
- Hijack: “Catch in the act of criminal behavior”
  - All programs follow strict conventions
    - ABI (Application Binary Interface)
    - The Calling Convention
  - Currently no enforcement
  - All attacks violate some of these conventions

[Diagram labels: NETWORK; APPLICATIONS (Make payment, Change prefs, Read statement); KERNEL (Write Record, Update Registry, Open port); attack stages ENTER, HIJACK, COMPROMISE]

Stop before Hijack

- Enforcing conventions
  - Systematically catch an entire class of attacks
  - No false positives
  - Catch them before they do ANY bad activity: no attack code is ever run
- Conventional Wisdom: Impossible to do without a large performance penalty
  - Need to be inside the application
  - Need to monitor activity at a very fine-grain – each instruction at a time
  - Overhead will be overwhelming
- The Memory Firewall lets you do just that!
  - Able to amortize the cost of enforcement, eliminating the overhead


[Diagram labels: Processor Execution Environment; ABI]

- Restricted Control Transfer: Is it legal to go from here to there?
- Restricted Code Origins: Did this code come from a code page?

How Does Program Shepherding Work?

[Diagram labels: Program (jmp, call, br, ret); Run-time System; Code Cache (call, jmp, br)]

- Program Counter: Executes the program instruction by instruction
- Never let go of the program counter
- Restricted Code Origins: Did this code come from a code page?
- Restricted Control Transfer: Is it legal to go from here to there?
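The two checks and the code cache described above, sketched as an added example on a toy machine (this is not Determina's or the program shepherding authors' code; the opcodes, memory layout and all names are made up for illustration). It assumes one concrete transfer policy, that a return may only land on an address that follows a call, and it vets each target's origin once and caches the verdict so repeated transfers skip the full check.

```c
#include <string.h>
/* Toy machine: cells 0..15 are the read-only code page, 16..31 writable data/stack. */
enum { CODE_END = 16, MEM = 32 };
enum { HALT, CALL, RET, STORE };      /* each opcode is followed by one operand cell */
enum { OK = 0, BAD_ORIGIN = -1, BAD_TRANSFER = -2 };
/* cached: code cache of vetted targets; ret_site: addresses that directly follow a CALL */
static struct { int mem[MEM]; unsigned char cached[MEM], ret_site[MEM]; } m;
int origin_checks;                    /* how often the full origin check ran */

/* Restricted code origins: vet a target once, then reuse the cached verdict. */
static int vet(int target) {
    if (target < 0 || target >= MEM) return BAD_ORIGIN;
    if (m.cached[target]) return OK;
    origin_checks++;
    if (target >= CODE_END) return BAD_ORIGIN;    /* data page is never executed */
    m.cached[target] = 1;
    return OK;
}

/* The shepherd never lets go of the program counter: every transfer passes here. */
int shepherd(const int image[CODE_END]) {
    int pc = 0, sp = MEM;
    memset(&m, 0, sizeof m);
    origin_checks = 0;
    memcpy(m.mem, image, CODE_END * sizeof *image);
    for (int steps = 0; steps < 1000; steps++) {
        if (pc + 1 >= CODE_END) return BAD_ORIGIN;        /* ran off the code page */
        int op = m.mem[pc], arg = m.mem[pc + 1];
        if (op == HALT) return OK;
        if (op == STORE) {            /* models a bug clobbering the saved return address */
            if (sp < MEM) m.mem[sp] = arg;
            pc += 2;
        } else if (op == CALL) {
            if (vet(arg) != OK) return BAD_ORIGIN;
            if (sp <= CODE_END) return BAD_TRANSFER;      /* stack exhausted */
            m.ret_site[pc + 2] = 1;
            m.mem[--sp] = pc + 2;
            pc = arg;
        } else if (op == RET && sp < MEM) {
            int target = m.mem[sp++];
            if (vet(target) != OK) return BAD_ORIGIN;
            if (!m.ret_site[target]) return BAD_TRANSFER; /* restricted control transfer */
            pc = target;
        } else return BAD_TRANSFER;   /* unknown opcode or empty stack */
    }
    return BAD_TRANSFER;              /* step budget exceeded */
}

/* Constructed sample programs; unused cells are 0 (HALT). */
const int benign[CODE_END]   = { CALL, 6, CALL, 6, HALT, 0, RET, 0 };
const int injected[CODE_END] = { CALL, 4, HALT, 0, STORE, 20, RET, 0 };         /* returns into data */
const int reused[CODE_END]   = { CALL, 4, HALT, 0, STORE, 8, RET, 0, HALT, 0 }; /* returns mid-code */
int main(void) {   /* exit status 0 when all three verdicts are as expected */
    return !(shepherd(benign) == OK && shepherd(injected) == BAD_ORIGIN && shepherd(reused) == BAD_TRANSFER);
}
```

In the benign run the second call to the same target is served from the cache, which is where the cost of enforcement is amortized.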


What is a Vulnerability? Anatomy of a Vulnerability

- A corner case that should never happen in normal operations
- The programmer forgot to check for that corner case
- Vulnerability is the ability to invoke that corner case by an exploit to do something that is not allowed in normal operation.

In most vulnerabilities:

- A simple check (a few assembly instructions) identifies the corner case
  - Check if value is out of range
  - Check a string for certain patterns
- The check never passes in normal operations
- When an exploit is caught by the check, simple remediation exists
  - Return an error code from the function
  - Put the value within range
  - Truncate the string

LiveShield

Reactive elimination of vulnerabilities. Triggered by:

- the availability of a proof-of-concept exploit against a vulnerability
- the availability of a patch release fixing a vulnerability
- the availability of an attack taking advantage of a vulnerability
- when the remediation for a memory based vulnerability (or attack) destabilizes the system

LiveShield

Inject two very small pieces of code into a running program:

- Detector
  - Check when the corner case is invoked
  - Guaranteed no impact on the program (cannot change program state or crash the program)
- Remediator
  - Take remediation action once an exploit is detected
  - Will minimally change the program behavior, but only to stop an attack.

LiveShield

- LiveShields improve the availability of systems
  - Minimizes the disruption of a working system
  - Faster deployment cycle than a typical patch
  - Surgical fix for the root cause of the problem
- In conjunction with the Memory Firewall, eliminates most vulnerabilities
  - Reduces the patch frequency and need for emergency patching

Using MPEE infrastructure as the LiveShield Framework

- Invisible injection
  - Don’t need to put trampolines in the visible address space
    - Issues with atomicity, instruction alignment etc.
  - Basic Block/Trace building naturally leads to a direct implementation
- Fully isolated execution, especially for the detect mode
  - MPEE provides an environment isolated from the application
  - Detect mode can give strong promises on not impacting the normal program behavior
- Existing central management framework
  - Easy to manage dynamic updates and changes of status
  - Can store the shields without impacting application
  - Can do I/O without impacting the application

LiveShield Properties

Dynamic

Customer Visible

Individually Manageable/Undoable

Live Testing Capable

Targeted

Micro-Sized

Control-flow Triggered Execution

LiveShield Development Operations Flow

[Flowchart, boxes grouped as they appear on the slide]

- Triggers
  - POC Exploit Released: Acquire the exploit; Trace the exploit activity
  - Patch Released: Diff the patched version against previous version
  - Attack Released: Acquire the attack; Trace the attack’s activity
- Identify vulnerability
- Develop a Shield
- Port it to multiple versions
- Test the Shield
- Release to customers (best case is 24 hours, cannot take more than 7 days)
- Receive LiveShield
- Minimal QA, a la DAT update
  - Push the Shield in detect mode
  - No triggering in 24 hours? (Y / N)
  - Put into protect mode
- Put in a full QA system in protect mode
  - No problems in 24 hours? (Y / N)
- Report the problems to Determina
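The detector/remediator split and the detect-then-protect rollout from the slides above, as an added example (not Determina's code). The legacy routine, record layout, inputs and all names are constructed, and the promotion rule reads the flowchart as "promote only if the detector never fired during the detect-mode trial".

```c
#include <string.h>
enum { NAME_LEN = 8, REC = 16 };      /* record: 8-byte name field, then 8-byte role field */
enum mode { DETECT, PROTECT };
struct shield { enum mode mode; unsigned hits; };   /* hits are what gets reported */

/* Legacy routine with its bug left in: the copy is bounded by the record size,
   not the name field, so a long name spills into the role field. */
static void set_name(char rec[REC], const char *name, size_t n) {
    if (n > REC) n = REC;
    memcpy(rec, name, n);
}

/* Detector: a range check for the corner case. It only reads its argument. */
static int detect(size_t n) { return n > NAME_LEN; }
/* Remediator: put the value within range, which truncates the string. */
static size_t remediate(size_t n) { return n > NAME_LEN ? NAME_LEN : n; }

/* Both pieces run at the entry of set_name; the routine itself is untouched. */
int shielded_set_name(struct shield *s, char rec[REC], const char *name, size_t n) {
    int hit = detect(n);
    if (hit) {
        s->hits++;
        if (s->mode == PROTECT) n = remediate(n);
    }
    set_name(rec, name, n);
    return hit;
}

/* Returns 1 if the role field still reads "user" after storing name. */
int role_intact(enum mode mode, const char *name) {
    struct shield s = { mode, 0 };
    char rec[REC] = { 0 };
    memcpy(rec + NAME_LEN, "user", 5);
    shielded_set_name(&s, rec, name, strlen(name));
    return memcmp(rec + NAME_LEN, "user", 5) == 0;
}

/* Rollout step: run in detect mode over normal traffic and promote to protect
   mode only if the detector never fired; otherwise stay in detect and report. */
enum mode trial(const char *const *traffic, size_t count) {
    struct shield s = { DETECT, 0 };
    char rec[REC] = { 0 };
    for (size_t i = 0; i < count; i++)
        shielded_set_name(&s, rec, traffic[i], strlen(traffic[i]));
    return s.hits == 0 ? PROTECT : DETECT;
}

/* Constructed inputs. */
const char *const normal_traffic[] = { "bob", "alice", "carol" };
const char *const oversized = "AAAAAAAAadmin";   /* 13 bytes: 5 land in the role field */
int main(void) {   /* exit status 0 when the shield behaves as described */
    return !(role_intact(PROTECT, oversized) && !role_intact(DETECT, oversized)
             && trial(normal_traffic, 3) == PROTECT);
}
```

Detect mode counts the hit but leaves the program's behaviour unchanged, which is why a shield that fires on normal traffic can be caught as a false positive before it is allowed to remediate.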

LiveShield Flow

[Diagram labels]

- Determina Web site
  - Files available: MP-v3-011604.xml, const-v3base.dll, const-v3a.dll, const-v3b.dll, …, const-v3u.dll, const-v3v.dll
- Internet
- Controller @ Customer Site
  - xml file per host
  - Up-to-date dll cache
  - Mode information
  - Status information
  - Events
- Controller-Node Manager Communication Interface
- Node Manager
  - Per processor policy data structure with mode info
  - dll cache
  - Stats
  - Events
- Core
  - Policy data structure with mode info
  - Loaded dll’s
- Read-only memory (twice)
- DLL load
- eventlog


Evaluation Criteria

1. Accuracy

2. Maintainability

3. Scalability

4. Coverage

5. Proactivity

6. Uncircumventability

7. Containment

1. Accuracy: The cure cannot be deadlier than the illness!

- False Positives
  - More common than the attacks
  - In an IDS: a nuisance
  - In an IPS: can destabilize the system
- Applications aren’t resilient to squashing random system calls

2. Maintainability: The cost of the solution should be less than the attack cleanup cost

What is a typical enterprise like? How many machines, how many IT people? Cost of operations…

How do you manage a large enterprise?

What impacts maintainability?

Shelfware vs. deployed software

3. Scalability: Worms are equal opportunity attackers. Need to protect every box

Requirements to run enterprise-wide…

Critical bottlenecks

- Deployment / maintenance
- Performance

4. Coverage: No partial band-aid solutions please!

[Chart: % of vulnerabilities. Source: CVE, Microsoft Security Bulletins, 2003-2004]

5. Proactivity: Should be ready to protect when attacked!

[Timeline: Application released with a bug; Vulnerability announced; Patch released; Attack released]

- Good guys patch like crazy
- Bad guys analyze patch & create attack

[Chart: # of days from the publication of the vulnerability (availability of a patch) to attack. Worms shown: Code Red, Digispid, Spida, Slammer, Slapper, WebDAV, Blaster, Witty, Sasser, Mydoom.ag. Date labels: 06/01, 03/02, 04/02, 07/02, 07/02, 03/03, 07/03, 03/04, 04/04, 11/04. Two entries are marked “Previously Unknown Vulnerability”.]

6. Uncircumventability: Don’t be an emperor with no clothes!

- Phrack Article – “Smashing Stack for Fun and Profit”
- Any fool-proof systems?
  - Complex systems are never fool-proof
  - Should we just give up?
- Compare system security with crypto
  - Is crypto fool-proof?
  - How do you evaluate crypto?
- Evaluating system security
  - 10/90 rule of thumb
  - Nothing is perfect, make it hard...

7. Containment: What good is stopping an attack after it happens?

- Where was the attack stopped?
  - At the gates vs. inner chamber
- How far did the attack propagate?
  - Did malicious code get executed?
  - Did any machine get infected?
  - Did other machines get compromised?


VPS impact on the Project

[Diagram labels]

- Managed Program Execution Engine
- Memory Firewall
- LiveShield
- Client Interface
- Injected code detection
- Patch Generation and Deployment
- Constraint Learning and Monitoring
- Data Structure Consistency Checking
- Application State Probing
- Repair Generation, Evaluation and Filtering

Determina Stmt of Work

- Client Interface for MPEE
- Application State Probing
- LiveShield Constraint Creation Framework
- LiveShield Coordination Center
- Hybrid System for Binary Analysis
- Proactive Situational Awareness
- Vulnerability Analysis
- Integration, Testing and Deployment

Client Interface for MPEE

- The basic framework to build the tools
  - Support the necessary API’s
  - Support on Windows services and server applications
- Status
  - Was an active research topic at MIT
  - Currently dormant
  - Will bring it back to life, improve and extend for this project


Application State Probing

- Build probes to check internal state of the application
  - Probes can be client programs
  - Simpler probes can even be LiveShields
- Framework to collect the probe information to the central mgmt console


LiveShield Constraint Creation Framework

- Interface for
  - Creating constraints
  - Deploying them through the central management console
  - Gathering feedback and managing the deployment
- Used for deploying automatically generated patches

[Diagram: the customer-side portion of the LiveShield flow, from “Release to customers” through “Report the problems to Determina”, labelled “Framework for Constraint Creation”]

LiveShield Coordination Center

- LiveShields can have problems
  - Minimal dev and QA (or no QA for auto developed)
  - Can adversely impact the application
- Mitigate the risk by using the application community
  - Gradual deployment while monitoring
  - Find anomalies that are correlated with deployment


Hybrid System for Binary Analysis

- Managed Program Execution Engine – all analysis at runtime
  - Pros: Full visibility and simple workflow
  - Cons: Expensive analysis affects the performance
- Hybrid system
  - Do some analysis at installation or first invocation
  - Pre-compute and memoize information when available
  - Reduce the runtime overhead

Proactive Situational Awareness

- Attacks are mostly on known vulnerabilities
  - No prior knowledge on day-zero attacks
  - But… vulnerabilities are known
- “Are your applications open to known vulnerabilities?”
- Proactive Situational Awareness will
  - Gather info on known vulnerabilities and attacks
  - Gather current status of the applications
  - Identify what vulnerabilities are unprotected
  - Identify when an application deviates from the community

Vulnerability Analysis

- Determina’s LiveShield Operations team
  - Troll for new vulnerabilities and attacks in the wild
  - Analyze any new vulnerabilities and attacks
  - Analyze Microsoft security updates
  - Pinpoint the exact vulnerability
  - Develop LiveShields to stop them
- We have a large knowledge base
  - Develop scenarios using the state-of-the-black-art

Integrate, Testing, Deployment

- Build a prototype version of the product that integrates successful AC components
  - Identify commercially-viable and ready components
  - Prototype product development
  - Integration QA and test
- Deployment
  - Interact with the Red Team
  - Get feedback
  - Iterate