Slide 1 - Pennsylvania State University
Sencun Zhu
Assistant Professor
CSE and IST, PSU
Research Interest: security, networking
Recent Professional Activities
Program Co-Chair: ACM SASN’06
TPC member: ACM CCS’07, IEEE Infocom’07, ICICS’06
Treasurer: ACM CCS’07
Current Support
Army Research Office (ARO), NSF CyberTrust
Current Projects
Security and reliability for sensor networks
Key management framework that supports in-network processing as well as localizes the impact of node compromises
Secure sensor data aggregation
Security and privacy for data-centric sensor networks
Source location anonymity
Applications of sensor networks to public safety
Security for ad hoc networks
Network access control for combating resource consumption attacks
Traceback of compromised nodes in mobile ad hoc networks
Security for Peer-to-Peer Networks
Efficient key management and DDoS attack prevention
Detection and identification of malicious nodes
Worm containment
Code Security
Containing email worm
Blocking buffer overflow attacks by static code analysis
SigFree: A Signature-free Buffer Overflow Attack Blocker
with Xinran Wang, Chi-Chun Pan, Peng Liu
A related paper appeared in Usenix Security 2006
Motivation
Buffer overflow attacks typically contain executables, whereas legitimate client requests never contain executables in most Internet services, e.g., Web Servers, Microsoft SQL Servers, BIND, SNMP, and other remote access services.
SigFree blocks attacks by detecting the presence of code.
Code or Data?
Instruction Sequence Distiller (ISD): distills instruction sequences from the requests by disassembly; however, instruction sequences may be distilled from any binary string.
Instruction Sequence Analyzer (ISA): uses a data flow analysis method called code abstraction to check whether an instruction sequence is really a segment of a program.
Exploiting Data Flow Anomaly
Observation: a random instruction sequence is normally full of data flow anomalies, whereas a real program has few or no data flow anomalies. However, due to possible obfuscation, the number of data flow anomalies cannot be directly used to distinguish a program from a random instruction sequence.
Code Abstraction: based on data flow anomalies, some instructions are “useless”, whereas in a real program at least one execution path has a certain number of “useful” instructions; remove those useless instructions.
Criteria: if the number of useful instructions after code abstraction exceeds a threshold, the instruction sequence is a segment of a program.
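The ISD/ISA pipeline and the code-abstraction criterion above, as an added worked example written for this page (it is not SigFree's implementation). It assumes hand-written (mnemonic, registers written, registers read) tuples standing in for the distiller's disassembly output, a simplified two-rule anomaly set (define-define and undefine-reference) in place of the paper's full rules, and that esp and ebp are valid on entry to any fragment; the two input sequences are constructed, not captured traffic.

```python
"""Toy model of SigFree's ISA step: code abstraction by data-flow anomalies.

Added example, not SigFree's code. Instructions are hand-written
(mnemonic, registers-written, registers-read) tuples standing in for the
output of the Instruction Sequence Distiller; no real disassembly is done.
"""
from collections import namedtuple

Insn = namedtuple("Insn", "text defs uses")

# Assumption: the stack and frame pointers are valid on entry to any code
# fragment, so reading them is not an undefine-reference anomaly.
INITIALLY_DEFINED = frozenset({"esp", "ebp"})


def abstract(seq, initially_defined=INITIALLY_DEFINED):
    """Return (useful_indices, useless_indices) for a straight-line sequence.

    Simplified rules (an assumption of this example, not the paper's full
    rule set):
      DD  a register written by instruction i and overwritten before any
          read makes i useless (its result is dead);
      UR  an instruction that reads a register no earlier instruction has
          written (and which is not defined on entry) is useless.
    Writes never read before the sequence ends are kept: the fragment may
    be a function returning a value in that register.
    """
    defined = set(initially_defined)
    pending = {}          # reg -> index of its latest write not yet read
    useless = set()
    for i, insn in enumerate(seq):
        for reg in insn.uses:
            if reg not in defined:
                useless.add(i)             # UR anomaly
            else:
                pending.pop(reg, None)     # the earlier write is consumed
        for reg in insn.defs:
            if reg in pending:
                useless.add(pending[reg])  # DD anomaly: earlier write is dead
            pending[reg] = i
            defined.add(reg)
    useful = [i for i in range(len(seq)) if i not in useless]
    return useful, sorted(useless)


def count_useful(seq):
    """Number of instructions that survive code abstraction."""
    return len(abstract(seq)[0])


def looks_like_code(seq, threshold=15):
    """SigFree criterion: more useful instructions than the threshold
    (the slides pick a value between 15 and 17) means the request is code."""
    return count_useful(seq) > threshold


# Constructed sample: a plausible compiled loop summing 8 dwords at [esp+4].
PROGRAM_LIKE = [
    Insn("mov ecx, 8",       ("ecx",), ()),
    Insn("mov esi, [esp+4]", ("esi",), ("esp",)),
    Insn("xor eax, eax",     ("eax",), ()),             # zeroing idiom: pure write
    Insn("add eax, [esi]",   ("eax",), ("eax", "esi")),
    Insn("add esi, 4",       ("esi",), ("esi",)),
    Insn("dec ecx",          ("ecx",), ("ecx",)),
    Insn("jnz -0x9",         (),       ("ecx",)),       # branch on the count (flags not modelled)
    Insn("ret",              (),       ("esp",)),
]

# Constructed sample: what the distiller typically gets from non-code bytes
# (a compressed image chunk, say): operands are effectively random, so reads
# hit registers nothing wrote and writes get clobbered before any read.
RANDOM_LIKE = [
    Insn("add edx, ebx", ("edx",), ("edx", "ebx")),  # UR: edx, ebx never written
    Insn("mov eax, 5",   ("eax",), ()),              # DD: eax overwritten by next insn
    Insn("mov eax, ecx", ("eax",), ("ecx",)),        # UR: ecx
    Insn("sub ebx, 1",   ("ebx",), ("ebx",)),        # UR: ebx
    Insn("mov ecx, 3",   ("ecx",), ()),              # DD: clobbered two insns later
    Insn("push edi",     ("esp",), ("edi", "esp")),  # UR: edi
    Insn("mov ecx, 7",   ("ecx",), ()),
    Insn("inc esi",      ("esi",), ("esi",)),        # UR: esi
]

if __name__ == "__main__":
    for name, seq in (("program-like", PROGRAM_LIKE), ("random-like", RANDOM_LIKE)):
        useful, useless = abstract(seq)
        print(f"{name}: {len(useful)} useful of {len(seq)}; useless = {useless}")
```

The program-like fragment keeps all 8 instructions, while the random-like one keeps a single instruction; both are far below the slides' threshold because they are short, which is also why a real deployment applies the count to the whole distilled sequence rather than to a handful of instructions. Obfuscated code that deliberately plants anomalies is the reason the criterion counts surviving useful instructions rather than anomalies themselves.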
Evaluation – Inputs
50 attack messages generated by the Metasploit Toolkit
Worm Slammer
Code Red and one of its variations
1500 binary normal requests
encrypted data, audio, jpeg, png, gif, flash
Evaluation Results
[Figure: two bar charts of requests against the number of useful instructions. One plots the number of normal requests (y-axis 0 to 1000) for 0 to 14 useful instructions; the other plots the number of attacks (y-axis 0 to 12) for 19 to 517 useful instructions.]
• normal requests contain less than 15 useful instructions
• attack requests contain more than 18
We can set the threshold to a value between 15 and 17.
Detection of Polymorphic Shellcode
ADMmutate
• encrypted shellcode
• replace NOP with one-byte instruction
• 100 samples
CLET
• decipher routine varies each time
• replace NOP with 2~3 byte instruction
• 100 samples
[Figure: scatter plot of useful instructions (y-axis, 10 to 40) for each polymorphic shellcode sample (x-axis, 0 to 100), with separate series for ADMmutate and CLET.]
Observations:
• ADMmutate: #useful instructions: 17~39
• CLET: #useful instructions: 18~25
Impact of SigFree Processing on the Normal Web Requests