determina’s vulnerability protection suite saman amarasinghe cto, determina inc. associate...
TRANSCRIPT
Determina’s Vulnerability
Protection SuiteSaman Amarasinghe
CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL
Corporate Overview
Founded Early 2003 Core technology developed at MIT over 8 years Venture backed Headquarters in Redwood City, CA CTO & founding engineering team from MIT
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
Market Trends Attacks and vulnerabilities still increasing
Security incidents have nearly doubled each year (CERT)
Endpoint security often last line of security
to be addressed.
SYMC Threat Report Trend towards directed attacks Threat landscape dominated by emerging threats such as bot
networks, customizable modular malicious code, and targeted attacks Current threats increasingly motivated by profit
Increasing vulnerabilities, more directed attacks
Recent Example: WMF VulnerabilityNO Patch Available
Patch fully deployed
*Wipro, Ltd 2005, “The Total Cost of Security Patch Management”
Day 14: December 14: Sites first post WMF Exploits
Day 35: January 5th: Microsoft Releases Patch
Average exploit window: 25 days*before patches deployed
Vulnerable w/no Official Patch
35 Days
VulnerabilityMade Public
Total exploit window for average organization: 60 days
Day 27: December 27: Initial Disclosure of Vulnerability
Day 28: December 28: MS Announces Awareness…No Patch for Issue
Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29
Day 31: December 31: Instant messaging,Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov
Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site
Day 0: December 1: Vulnerability Discovered1 and Exploit Code Being Sold for $4000 Shortly Afterward
1Computerworld.com, “Russian hackers sold WMF exploit, analyst says”
Patch issued by MS
Zero-days
Determina 0-day protection active
before vulnerability is known
Vulnerability Protection Suite What is VPS
Enterprise Host IPS security solution for Fortune 1000 Stops both known and unknown (zero-day) attacks A zero complexity / zero maintenance solution
No attack signatures / no post attack cleanup No policies to maintain No behavior to model No false positives
Managed Program Execution Engine
Memory Firewall LiveShield
Zero-Day Endpoint Protection Without Tuning or Maintenance
Memory Firewall protects without updates LiveShield shields released within days of vulnerability, without waiting for
patches, exploit behavior or attack signatures
Date 0-Day Vulnerability0-Day?
(days before patch)
Days Until Mass
Exploit
Memory Firewall
Protection
LiveShield Protection
08-Nov-2005 Windows Metafile Vulnerability -- -- 16-Nov-2005
Memory Allocation Denial of Service via RPC
Y(no patch)
-- 21-Nov-2005
Remote Code Execution Vulnerability in MS IE
Y(23 days)
8 13-Dec-2005
COM Object Instatiation Memory Corruption Vulnerability -- --
13-Dec-2005IE HTTPS Proxy Basic Authentication Information Leak -- --
27-Dec-2005Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (WMF)
Y(9 days)
0
VPS Advantages Ensure non-stop availability
Must be able to deploy and maintain without disrupting business operations
Accessibility Must be easy, simple to manage
Guarantee reliability for critical servers and applications
“It just works!”
Scalability Be able to support thousands of
machines
Flexibility Integration with a variety of
management solutions through support of standard protocols
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
Enter Monitoring is simple
Port monitoring or system call monitoring Don’t know good guy from bad guy
only known criminals can be identified Even known bad guys are hard to detect
encrypted channels
Compromise Monitoring can be done
System call monitoring Hard to distinguish between actions of a normal
program vs. a compromised program Leads to false positives
Attack Lifecycle
Hijack “Catch in the act of criminal behavior” All programs follow strict conventions
ABI (Application Binary Interface) The Calling Convention
Currently no enforcement All attacks violate some of these conventions
NETWORK
KERNEL
Make paymentChange prefsRead statement
Write Record Update Registry
Open port
HIJA
CK
HIJA
CK
CO
MP
RO
MIS
E C
OM
PR
OM
ISE
EN
TE
RE
NT
ER
APPLICATIONS
Stop before Hijack
Enforcing conventions Systematically catch an entire class of attacks No false positives Catch them before they do ANY bad activity no attack code is ever run
Conventional Wisdom: Impossible to do without a large performance penalty Need to be inside the application Need to monitor activity at a very fine-grain – each instruction at a time Overhead will be overwhelming
The Memory Firewall lets you do just that! Able to amortize the cost of enforcement, eliminating the overhead
Hijack “Catch in the act of criminal behavior” All programs follow strict conventions
ABI (Application Binary Interface) The Calling Convention
Currently no enforcement All attacks violate some of these conventions
Processor Execution Environment
ABI
Restricted Control Transfer:Restricted Control Transfer:Is it legal to go from here to there?Is it legal to go from here to there?
Restricted Code Origins:Restricted Code Origins:Is this code came from a code page?Is this code came from a code page?
Restricted Control Transfer:Restricted Control Transfer:Is it legal to go from here to there?Is it legal to go from here to there?
Restricted Code Origins:Restricted Code Origins:Is this code came from a code page?Is this code came from a code page?
jmp
How Program Shepherding Work?
ProgramProgram
call
br
ret
Run-time Run-time SystemSystem
CodeCodeCacheCache
call
jmp
br
Program Counter: Program Counter: Executes the Executes the
Program Program Instruction by Instruction by
InstructionInstruction
Never Let go of the Never Let go of the Program CounterProgram Counter
Restricted Code Origins:Restricted Code Origins:Is this code came from a code page?Is this code came from a code page?
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
What is a Vulnerability? Anatomy of a Vulnerability
A corner case that should never happen in normal operations The programmer forgot to check for that corner case Vulnerability is the ability to invoke that corner case by an exploit to do
something that is not allowed in normal operation.
In most vulnerabilities: A simple check (a few assembly instructions) identify the corner case
Check if value is out of range Check a string for certain patterns
The check never passes in normal operations When an exploit is caught by the check, simple remediation exist
Return an error code from the function Put the value within range Truncate the string
LiveShield
Reactive elimination of vulnerabilities Triggered by:
the availability of a proof-of-concept exploit against a vulnerability
the availability of a patch release fixing a vulnerability the availability of an attack taking advantage of a vulnerability when the remediation for a memory based vulnerability (or
attack) destabilize the system
LiveShield
Inject two very small pieces of code in to a running program Detector
Check when the corner case is invoked Guaranteed no impact on the program (cannot change program
state or crash the program) Remediator
Take remediation action once an exploit is detected Will minimally change the program behavior, but it is to stop an
attack.
LiveShield
LiveShields improves the availability of systems minimizes the disruption of a working system Faster deployment cycle than a typical patch Surgical fix for the root cause of the problem In conjunction with the Memory Firewall, eliminates most
vulnerabilities Reduce the patch frequency and need for emergency patching
Using MPEE infrastructure as the LiveShield Framework
Invisible injection Don’t need to put trampolines in the visible address space
Issues with atomicity, instruction alignment etc. Basic Block/Trace building naturally leads to a direct implementation
Fully isolated execution especially for the detect mode MPEE provides an environment isolated from the application Detect mode can give strong promises on not impacting the normal
program behavior
Existing central management framework Easy to manage dynamic updates and changes of status Can store the shields without impacting application Can do I/O without impacting the application
LiveShield Properties
Dynamic
Customer Visible
Individually Manageable/Undoable
Live Testing Capable
Targeted
Micro-Sized
Control-flow Triggered Execution
LiveShield Development Operations FlowPOC
Exploit Released
Acquire the
exploit
Identify vulnerability
Patch Released
Diff the patchedversion against
previous version
AttackReleased
Trace the exploit activity
Acquire the
attack
Trace the attack’s activity
Develop aShield
Port it tomultiple versions
Test the Shield
Releaseto customers
ReceiveLiveShield
Push theShield in
detect mode
No triggerin
gin 24 hours
Put into protect mode
Put in a full QASystem in protect
mode
No problems
in 24 hours
Report the problems
to Determina
Y
Y N
N
best case is 24 hours, Cannot take more than 7 days
Minimal QAa. la. DAT
update
LiveShield Flow
Read-onlymemory
Read-onlymemory
DLL load
eventlog
DeterminaWeb site
Controller @Customer Site
Node Manager Core
Files availableMP-v3-011604.xml
const-v3base.dllconst-v3a.dllconst-v3b.dll….const-v3u.dllconst-v3v.dll
Inte
rnet
xml file per host
Up-to-date dll cache
Mode information
Status information
EventsCon
trol
ler-
Nod
e M
anag
er
Com
mun
icat
ion
Inte
rfac
e
Per processorpolicy data structurewith mode info
dll cache
Stats
Events
Policy data structurewith mode info
Loaded dll’s
Read-onlymemory
Read-onlymemory
DLL load
eventlog
DeterminaWeb site
Controller @Customer Site
Node Manager Core
Files availableMP-v3-011604.xml
const-v3base.dllconst-v3a.dllconst-v3b.dll….const-v3u.dllconst-v3v.dll
Inte
rnet
xml file per host
Up-to-date dll cache
Mode information
Status information
EventsCon
trol
ler-
Nod
e M
anag
er
Com
mun
icat
ion
Inte
rfac
e
Per processorpolicy data structurewith mode info
dll cache
Stats
Events
Policy data structurewith mode info
Loaded dll’s
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
Evaluation Criteria
1. Accuracy
2. Maintainability
3. Scalability
4. Coverage
5. Proactivity
6. Uncircumventability
7. Containment
1. Accuracy: The cure cannot be deadlier than the illness!
False Positives More common than the attacks In an IDS a nuisance In an IPS Can destabilize the system
Applications aren’t resilient to squashing random system calls
2. Maintainability: The cost of the solution should be less than the attack cleanup cost
What is a typical enterprise like? How many machines, how many IT people? Cost of operations…
How do you manage a large enterprise?
What impact maintainability?
Shelfware vs. deployed software
3. Scalability: Worms are equal opportunity attackers. Need to protect every box
Requirements to run enterprise-wide…
Critical bottlenecks Deployment / maintenance Performance
4. Coverage: No partial band-aid solutions please!
% o
f vu
lner
abili
ties
Source: CVE, Microsoft Security Bulletins, 2003-2004
5. Proactivity: Should be ready to protect when attacked!
Application Released
With a bug
Vulnerability announced
Patch released
Attack Released
Good guys Patch like crazy
Bad guys analyze patch & create attack
17
PreviouslyUnknown
Vulnerability
2
26
PreviouslyUnknown
Vulnerability
4631
06/01 03/02 04/02 07/02 07/02 03/03 07/03 03/04 04/04 11/04Code Red
DigispidSpida
SlammerSlapper
WebDAVBlaster
WittySasser
Mydoom.ag
185
# of days from the Publication of the Vulnerability (availability of a patch) to Attack
7734
6. Uncirumventability: Don’t be an emperor with no clothes!
Phrack Article – “Smashing Stack for Fun and Profit” Any fool-proof systems?
Complex systems are never fool-proof Should we just give up?
Compare system security with crypto Is crypto fool-proof? How do you evaluate crypto?
Evaluating system security 10/90 rule of thumb Nothing is perfect, make it hard...
7. Containment: What good of stopping an attack after it happens?
Where was the attack stopped? At the gates vs. inner chamber
How far did the attack propagate Did malicious code got executed? Any machine got infected? Other machines got compromised?
Overview
Corporate Overview Vulnerability Protection Suite Managed Program Execution Engine Memory Firewall LiveShield Evaluation Criteria Research Plan
VPS impact on the Project
Managed Program Execution Engine
Memory Firewall LiveShield Client Interface
Injected code detectionPatch Generation and Deployment
Constraint Leaning and Monitoring
Data StructureConsistency Checking
Application StateProbing
Repair Generation, Evaluation and Filtering
Determina Stmt of Work
Client Interface for MPEE Application State Probing LiveShield Constraint Creation Framework LieShield Coordination Center Hybrid System for Binary Analysis Proactive Situational Awareness Vulnerability Analysis Integration, Testing and Deployment
Client Interface for MPEE The basic framework to build the tools
Support the necessary API’s Support on windows services and server
applications Status
Was an active research topic at MIT Currently dormant Will bring it back to life, improve and extend for
this project
Managed Program Execution Engine
Memory Firewall LiveShield Client Interface
Application State Probing
Build probes to check internal state of the application Probes can be client programs Simpler probes can be even liveshields
Framework to collect the probe information to the central mgmt console
Managed Program Execution Engine
Memory Firewall LiveShield Client Interface
Application StateProbing
LiveShiled Constraint Creation FrameworkPOC
Exploit Released
Acquire the
exploit
Identify vulnerability
Patch Released
Diff the patchedversion against
previous version
AttackReleased
Trace the exploit activity
Acquire the
attack
Trace the attack’s activity
Develop aShield
Port it tomultiple versions
Test the Shield
Releaseto customers
ReceiveLiveShield
Push theShield in
detect mode
No triggerin
gin 24 hours
Put into protect mode
Put in a full QASystem in protect
mode
No problems
in 24 hours
Report the problems
to Determina
Y
Y N
N
best case is 24 hours, Cannot take more than 7 days
Minimal QAa. la. DAT
update
LiveShiled Constraint Creation Framework Interface for
Creating constraints Deploying them through the central
management console Gather feedback and manage the deployment
Used for deploying automatically generted patches
Framework for ConstraintCreation
Releaseto customers
ReceiveLiveShield
Push theShield in
detect mode
No triggerin
gin 24 hours
Put into protect mode
Put in a full QASystem in protect
mode
No problems
in 24 hours
Report the problems
to Determina
Y
Y N
N
Minimal QAa. la. DAT
update
LiveShiled Coordination Center Liveshields can have problems
Minimal dev and QA (or no QA for auto developed) Can adversely impact the application
Mitigate the risk by using the application community Gradual deployment while monitoring Find anomalies that are correlated with deployment
ReceiveLiveShield
Push theShield in
detect mode
No triggerin
gin 24 hours
Put into protect mode
Put in a full QASystem in protect
mode
No problems
in 24 hours
Report the problems
to Determina
Y
Y N
N
Minimal QAa. la. DAT
update
Hybrid System for Binary Analysis
Manage Program Execution Engine – all analysis at runtime Pros: Full visibility and simple workflow Cons: Expensive analysis affects the performance
Hybrid system Do some analysis at installation or first invocation Pre-compute and memoize information when
available Reduce the runtime overhead
Proactive Situational Awareness
Attacks are mostly on known vulnerabilities No prior knowledge on day-zero attacks But… vulnerabilities are known
“Are your applications open to known vulnerabilities?”
Proactive Situational Awareness will Gather info on known vulnerabilities and attacks Gather current status of the applications Identify what vulnerabilities are unprotected Identify when an application deviate from the community
Vulnerability Analysis
Determina’s LiveShield Operations team Troll for new vulnerabilities and attacks in the wild Analyze any new vulnerabilities and attacks Analyze Microsoft security updates Pinpoint the exact vulnerability Develop LiveShields to stop them
We have a large knowledge base Develop scenarios using the
state-of-the-black-art