network attack injection
DESCRIPTION
PhD Defense Presentation: 15 min Thesis Title: Network Attack Injection Author: Joao AntunesTRANSCRIPT
NETWORK ATTACK INJECTION
PhD Candidate: João Antunes Supervisor : Nuno Ferreira Neves
1
Ph.D. Defense Presentation Lisbon, November 2nd, 2012
Monday, November 12, 12
VULNERABILITIES
2
Monday, November 12, 12
TESTING
3
Monday, November 12, 12
TESTING
3
Fault Injection
Manual Testing
Model Checking
Static AnalysisRobustness Testing
Fuzzing
Vulnerability Scanners
Buffer overflow detection and protection
Monday, November 12, 12
THESIS PROPOSAL
Automated and systematic vulnerability discovery approach:
• automatic generation of test cases• systematic injection and monitoring of target server• provides analysis of results
4
Monday, November 12, 12
Network Attack Injection Framework
NETWORK ATTACKINJECTION FRAMEWORK
5
Protocol Specification
Attack Generation
Attack Injection
MonitoringAttack Analysis
Monday, November 12, 12
PROTOCOL SPECIFICATIONManual specification
Protocol reverse engineering
6
S0 S1-/2.+ S2USER .+/3.+PASS .+/5.+
S3PASS .+/2.+
CDUP/2.+, LIST.*/2.+, MKD .+/2.+,RMD .+/2.+, RETR .+/2.+, STOR .+/2.+,
SYST/2.+, TYPE .+/2.+S4
RNFR .+/2.+
S5QUIT/2.+
RNTO .+/2.+, RNTO .+/5.+
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
Monday, November 12, 12
ATTACK GENERATION
Test case generation algorithms• delimiter, syntax, value
Recycling of existing test cases• inferred protocol spec. is used to apply test cases from
other protocols
7
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
Monday, November 12, 12
Input
Output
INJECTION & MONITORING8
Server Application
Monitor
OperatingSystem
Injector
Monitoring data
Test Cases
Protocol Specification
Attack Generation
Attack Injection Monitoring
Attack Analysis
Monday, November 12, 12
Injector• single injection campaign w/ restart• single injection campaign w/o restart• repeated injection campaign w/ restart
Monitor• external monitor• generic internal monitor• specialized internal monitor
INJECTION & MONITORING9
Protocol Specification
Attack Generation
Attack Injection Monitoring
Attack Analysis
Monday, November 12, 12
ATTACK ANALYSIS
Fault pattern detection
Resource usage profile
Behavioral profile
10
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
Monday, November 12, 12
ATTACK ANALYSISFault pattern detection
11
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
[0]SIGN(5)[0]SIGN(5)[0]SYSC(102)[0]SYSC(102)[1]SIGN(19)[1]SYSC(190)[1]SYSC(190)[1]SIGN(17)[1]SYSC(221)[1]SYSC(197)[1]SYSC(192)[1]SYSC(140)[1]SYSC(6)[1]SYSC(4)[1]SYSC(91)[1]SYSC(175)[1]SYSC(114)[1]SYSC(114)[1]SIGN(11)
SIGSEGV
Atta
ck g
ener
atio
n In
ject
ion
cam
paig
n
Attack Injector
Protocol Specification Attack Generator
Target System and Monitor
Protocol spec.
Attack Injection Results
Attacks
App
licat
ions
O.S
.
Res
ourc
es
Mon
itor
Network Server
response attack injection sy
nc execution
data
Test Definition
Attack Generator
GUI Protocol Specification
Packet Injector
Response and Execution Data
Collector
Attack Processor
Attack #131
AJECT
Monday, November 12, 12
ATTACK ANALYSISResource usage profile
12
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
0 200 400 600 800 1000150
160
170
180
190
200
210MaraDNS (other attacks) MaraDNS (attack #3002)
Mem
ory
page
s
Repeated injection
Atta
ck g
ener
atio
n In
ject
ion
cam
paig
n
Attack Injector
Protocol Specification Attack Generator
Target System and Monitor
Protocol spec.
Attacks (exploratory phase)
App
licat
ions
O.S
.
Res
ourc
es
Cus
tom
M
onito
r
Network Server
response attack injection sy
nc execution
data
Test Definition
Attack Generator
GUI Protocol Specification
Packet Injector
Response and Execution Data
Collector
Attack Processor
Attack Projector
Attack Projection
Attack Selection
Selected Attacks (exploitive phase)
Projection Results (exploratory phase)
High-Accuracy Projection Results (exploitive phase)
PREDATOR
Monday, November 12, 12
ATTACK ANALYSISBehavioral profile
13
Protocol Specification
Attack Generation
Attack Injection Monitoring Attack
Analysis
m15m2m3
m4
m5 m6 m7m8 m9 m10m11 m12 m13
m14m16
S0 S1-/2.+/ S2USER .+/3.+/ PASS .+/5.+/
S3PASS .+/2.+/
CDUP/2.+/ , LIST.*/2.+/ , MKD .+/2.+/ ,RMD .+/2.+/ , RETR .+/2.+/ , STOR .+/2.+/ ,
SYST/2.+/ , TYPE .+/2.+/ S4
RNFR .+/2.+/
S5QUIT/2.+/
RNTO .+/2.+/ , RNTO .+/5.+/ m1
Input:USER <parameter>
Output:begins with reply code 3
Monitoring:# Processes: 1Signals: 5, 19Syscalls: read, stat64, brk, write, ...Memory: 250 pagesDisk: 0 bytes
Atta
ck g
ener
atio
n In
ject
ion
cam
paig
n
Attack Injector
Protocol Specification Attack Generator
Target System and Monitor
Protocol spec.
App
licat
ions
O.S
.
Res
ourc
es
Mon
itor
Network Server
response attack injection sy
nc execution
data
Test Definition
Attack Generator
GUI Protocol Specification
Packet Injector
Response and Execution Data
Collector
Attack Processor
Behavioral Profile
Behavioral Profile Constr./Checker
Behavioral Profile
Attack Injection Results
Benign Test Cases
Attacks
(learning phase)
(learning phase)
(testing phase)
(testing phase)
(testing phase)
REVEAL
Monday, November 12, 12
CONCLUSIONS
14
Monday, November 12, 12
Network Attack Injection Framework
CONCLUSIONS15
Protocol Specification
Attack Generation
Attack Injection
MonitoringAttack Analysis
Different solutions, different requirements ReverX
Test case generation algorithmsRecycling existing test cases
Several injection approaches
Different monitorsFault pattern detectionResource usage profileBehavioral profile
Automatic and systematic way
Detect fatal and subtle faults
Complete solutions, complementing solutions
Monday, November 12, 12
PhD Candidate: João Antunes Supervisor : Nuno Ferreira Neves
Selected publications:• Recycling Test Cases to Detect Security Vulnerabilities,João Antunes and Nuno Neves, in Proceedings of the
International Symposium on Software Reliability Engineering (ISSRE), Dallas, USA, November 2012.• Using Behavioral Profiles to Detect Software Flaws in Network Servers, João Antunes and Nuno Neves, in
Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), Hiroshima, Japan, November 2011.
• Reverse Engineering of Protocols from Network Traces, João Antunes, Nuno Neves, and Paulo Verissimo, in Proceedings of the Working Conference on Reverse Engineering (WCRE), Lero, Limerick, Ireland, October 2011.
• Vulnerability Removal with Attack Injection, João Antunes, Nuno Neves, Miguel Correia, Paulo Verissimo, and Rui Neves, in IEEE Transactions on Software Engineering, Special issue on Evaluation and Improvement of Software Dependability, May-June 2010.
• Detection and Prediction of Resource-Exhaustion Vulnerabilities, João Antunes, Nuno Ferreira Neves, Paulo Veríssimo, in Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), Seattle, USA, November 2008.
NETWORK ATTACK INJECTION
16
Ph.D. Defense Presentation Lisbon, November 2nd, 2012
Thank you!
Monday, November 12, 12