Slide 1 - Pennsylvania State University


Sencun Zhu
Assistant Professor
CSE and IST, PSU
Research interest: security, networking

Recent professional activities:
- Program Co-Chair: ACM SASN'06
- TPC member: ACM CCS'07, IEEE Infocom'07, ICICS'06
- Treasurer: ACM CCS'07

Current support: Army Research Office (ARO), NSF CyberTrust
Current Projects
- Security and reliability for sensor networks
  - Key management framework that supports in-network processing as well as localizes the impact of node compromises
  - Secure sensor data aggregation
- Security and privacy for data-centric sensor networks
  - Source location anonymity
  - Applications of sensor networks to public safety
- Security for ad hoc networks
  - Network access control for combating resource consumption attacks
  - Traceback of compromised nodes in mobile ad hoc networks
- Security for Peer-to-Peer Networks
  - Efficient key management and DDoS attack prevention
  - Detection and identification of malicious nodes
  - Worm containment
- Code Security
  - Containing email worms
  - Blocking buffer overflow attacks by static code analysis
SigFree: A Signature-free Buffer
Overflow Attack Blocker
with Xinran Wang, Chi-Chun Pan, Peng Liu
A related paper appeared in Usenix Security 2006
Motivation
- Buffer overflow attacks typically contain executables, whereas legitimate client requests never contain executables in most Internet services
  - E.g., Web Servers, Microsoft SQL Servers, BIND, SNMP, and other remote access services
- SigFree blocks attacks by detecting the presence of code
Code or Data?
- Instruction Sequence Distiller (ISD)
  - distills instruction sequences from the requests by disassembly
  - however, instruction sequences may be distilled from any binary string
- Instruction Sequence Analyzer (ISA)
  - uses a data flow analysis method called code abstraction to check whether an instruction sequence is really a segment of a program
Exploiting Data Flow Anomaly
- Observation
  - a random instruction sequence is normally full of data flow anomalies, whereas a real program has few or no data flow anomalies
  - however, due to possible obfuscation, the number of data flow anomalies cannot be directly used to distinguish a program from a random instruction sequence
- Code Abstraction
  - based on data flow anomalies, some instructions are "useless", whereas in a real program at least one execution path has a certain number of "useful" instructions
  - remove those useless instructions
- Criteria
  - if the number of useful instructions after code abstraction exceeds a threshold, the instruction sequence is a segment of a program
Evaluation - Inputs
- 50 attack messages generated by the Metasploit Toolkit
- Worm Slammer
- Code Red and one of its variations
- 1500 binary normal requests
  - encrypted data
  - audio
  - jpeg, png, gif
  - flash
Evaluation Results
[Figure: histograms of the number of useful instructions per message. Left panel: number of normal requests vs. number of useful instructions (all normal requests fall between 0 and 14). Right panel: number of attacks vs. number of useful instructions (attack messages fall between 19 and 517).]
- normal requests contain fewer than 15 useful instructions
- attack requests contain more than 18
- We can set the threshold to a value between 15 and 17
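As an added illustration (this is not the authors' SigFree implementation, and it uses a simplified anomaly rule set rather than the paper's exact definitions), the block below applies the code-abstraction idea from the "Exploiting Data Flow Anomaly" slide and the threshold from this slide to two constructed instruction sequences. Assumptions: an instruction is modelled as (mnemonic, registers written, registers read), a hypothetical set of side-effect mnemonics is never pruned, and the threshold is 15.

```python
# Mnemonics whose effect is not captured by register defs/uses: never pruned (assumed set).
SIDE_EFFECT_OPS = {"push", "pop", "call", "ret", "jmp", "jcc", "int", "store"}

def I(op, defs=(), uses=()):
    """Instruction as (mnemonic, registers written, registers read)."""
    return (op, frozenset(defs), frozenset(uses))

def useful_instructions(seq):
    """Indices that survive abstraction. Pruned as useless: an instruction reading a register
    nothing earlier defined (undefine-use), or writing only registers that are overwritten or
    never read later (define-define / define-undefine). Iterates to a fixpoint, since pruning
    one instruction can expose new anomalies in its neighbours."""
    useless = set()
    while True:
        before = len(useless)
        defined = set()
        for i, (op, defs, uses) in enumerate(seq):             # forward pass: undefine-use
            if i in useless:
                continue
            if uses - defined and op not in SIDE_EFFECT_OPS:
                useless.add(i)
            else:
                defined |= defs
        live = set()
        for i in range(len(seq) - 1, -1, -1):                  # backward pass: dead definitions
            op, defs, uses = seq[i]
            if i in useless:
                continue
            if defs and not (defs & live) and op not in SIDE_EFFECT_OPS:
                useless.add(i)
            else:
                live = (live - defs) | uses
        if len(useless) == before:
            return [i for i in range(len(seq)) if i not in useless]

def looks_like_code(seq, threshold=15):
    """The slide's criterion: more useful instructions than the threshold means code."""
    return len(useful_instructions(seq)) > threshold

# Constructed sample 1: a coherent routine (hashes a buffer); every definition is read later.
PROGRAM_SEQ = [
    I("push", ["esp"], ["ebp", "esp"]), I("mov", ["ebp"], ["esp"]), I("xor", ["eax"]),
    I("xor", ["ecx"]), I("mov", ["esi"], ["ebp"]), I("mov", ["edi"], ["ebp"]),
    I("movzx", ["edx"], ["esi", "ecx"]), I("rol", ["eax"], ["eax"]), I("xor", ["eax"], ["eax", "edx"]),
    I("inc", ["ecx"], ["ecx"]), I("cmp", ["flags"], ["ecx", "edi"]), I("jcc", uses=["flags"]),
    I("mov", ["ebx"], ["ebp"]), I("store", uses=["ebx", "eax"]), I("mov", ["esp"], ["ebp"]),
    I("pop", ["ebp", "esp"], ["esp"]), I("ret", uses=["esp"]),
]
# Constructed sample 2: the kind of sequence that disassembling arbitrary bytes tends to yield.
RANDOM_SEQ = [
    I("add", ["ecx"], ["ecx", "edx"]), I("mov", ["eax"], ["ebx"]), I("xor", ["edx"]), I("mov", ["esi"]),
    I("sub", ["edi"], ["edi", "esi"]), I("mov", ["edx"]), I("push", ["esp"], ["edx", "esp"]), I("mov", ["ebx"]),
    I("mov", ["ebx"]), I("inc", ["esi"], ["esi"]), I("dec", ["ecx"], ["ecx"]), I("xor", ["eax"]),
]
```

On these inputs the routine keeps all 17 instructions, while the random sequence keeps only the two that feed the push, so only the first crosses the threshold.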
Detection of Polymorphic Shellcode
[Figure: number of useful instructions (y axis, 10 to 40) for each polymorphic shellcode sample (x axis, 0 to 100), one series for ADMmutate and one for CLET.]
- ADMmutate
  - encrypted shellcode
  - replace NOP with one-byte instruction
  - 100 samples
- CLET
  - decipher routine varies each time
  - replace NOP with 2~3 byte instruction
  - 100 samples
Observations:
- ADMmutate: #useful instructions: 17~39
- CLET: #useful instructions: 18~25
Impact of SigFree Processing on The Normal Web Requests