Post on 19-Dec-2015
Topics in Information Security, Prof. Avishai Wool
Ohad Ben-Cohen ohadbc at eng.tau.ac.il
Intrusion Detection via Static Analysis
Based on [the source paper is shown only as an image on the slide]
What's Wrong?

    void sayhi(char *param)
    {
        char buf[96];
        printf("what's u'r name?");
        gets(buf);                 /* no length limit: anything longer than 96 bytes overruns buf */
        printf("hi %s!\n", buf);
    }
Buffer Overflow

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

bad.

    /* evil code */
    execve("/bin/sh");

An over-long name overwrites the stack beyond buf, so instead of reaching exit(0) the function returns into the injected code, which calls execve("/bin/sh").
Intrusion Detection?

• Model of Behaviour
• Rule Based or Observations
• Monitor and Alarm!
• AI / Statistical
• Statistical → False Positives
• HIDS by System Calls (k=1)
Example 1

    char buf[96];
    printf("what's u'r name?");
    gets(buf);
    printf("hi %s!\n", buf);
    exit(0);

OK! (the program's normal runs never call execve(), so the injected execve("/bin/sh") is a system call the model has not seen and the overflow is detected)
Example 2

    fd = open("/etc/passwd");
    if (time() < YEAR2009)
        read(fd, buf, 50);
    else
        write(fd, "new-user");
    close(fd);

False Positive (a model learned from runs before 2009 has only ever seen the read() branch, so the legitimate write() after 2009 raises an alarm)
Example 3

    char buf[50];
    if (!fork())
        execve("stam_job");
    gets(buf);
    printf("got %s\n", buf);
    exit(0);

False Negative (execve() is part of this program's legitimate behaviour, so an overflow of buf that ends in execve() looks normal to the model)
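As an added illustration (not from the slides), a toy observation-based HIDS of the kind the three examples are aimed at: the normal model is the set of consecutive system-call pairs seen in training runs, which is how k=1 is read here, and three constructed traces replay Examples 1 to 3 to show the detection, the false positive and the false negative.

```python
def train(traces):
    """Normal model: every (previous, next) system-call pair seen in training runs."""
    model = set()
    for trace in traces:
        model.update(zip(["<start>"] + trace, trace))
    return model

def monitor(model, trace):
    """Replay a trace; return the first pair not in the model (the alarm), or None."""
    for pair in zip(["<start>"] + trace, trace):
        if pair not in model:
            return pair
    return None

# Constructed traces (gets() shows up as read, printf() as write, as seen by a monitor).
# Example 1 (sayhi): normal runs prompt, read the name and print it. An overflow that
# runs execve("/bin/sh") creates a pair never seen in training -> alarm (correct).
SAYHI_NORMAL = [["write", "read", "write", "exit"]]
SAYHI_ATTACK = ["write", "read", "execve"]

# Example 2 (/etc/passwd): every training run happened before 2009, so only the read()
# branch was observed; the legitimate write() branch is flagged -> false positive.
PASSWD_NORMAL = [["open", "read", "close"]]
PASSWD_AFTER_2009 = ["open", "write", "close"]

# Example 3 (fork + execve of stam_job): the child's execve() is normal behaviour and was
# observed right after the parent's read(), so an overflow of buf that calls execve()
# after gets() produces only known pairs -> false negative.
JOB_NORMAL = [["fork", "read", "execve", "write", "exit"]]
JOB_ATTACK = ["fork", "read", "execve"]

if __name__ == "__main__":
    for name, normal, run in [("sayhi", SAYHI_NORMAL, SAYHI_ATTACK),
                              ("passwd", PASSWD_NORMAL, PASSWD_AFTER_2009),
                              ("stam_job", JOB_NORMAL, JOB_ATTACK)]:
        print(name, "alarm on" if monitor(train(normal), run) else "no alarm",
              monitor(train(normal), run))
```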
Solution (four of them, not exactly)

    i = read(fd, buf, 50);
    if (i == 50) {
        write(fd, buf, 50);
    }
    close(fd);

Syscall graph: read → write → close, plus the edge read → close for the case i != 50.

1. Build a syscall Graph (NDFA)
2. Monitor syscalls
3. Kill if diverges
Result

• Need source code
• Static, not Statistical → 0 false positives!
• may have false negatives
• Large branching factor… Tough computations
Functions

    i = read(fd, buf, 50);
    func();
    write(fd, buf, 50);
    func();
    close(fd);

    func():
        gettimeofday();
        settimeofday();

Syscall graph: read → gettimeofday → settimeofday → write → gettimeofday → settimeofday → close, where func() is a single shared subgraph (gettimeofday → settimeofday) entered from both call sites.

Impossible Paths!

Because func() is one shared subgraph in the NDFA, after settimeofday the model allows a return to either call site: the sequence read → gettimeofday → settimeofday → close is accepted although no execution of the program produces it (write is skipped).

context free grammar / stack

The precise model treats the program as a context free grammar (a pushdown automaton): entering func() pushes the call site on a stack and returning pops it, so a return can only go back to where the call came from, and the impossible path above is rejected.
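To make the difference concrete, an added example (not from the slides or the paper's tooling) simulates both models on the func() program with a hand-built graph: "call" and "ret" edges cost no system call, the NDFA model forgets the call site on return, and the precise model keeps a stack of return states like the context-free-grammar model. The impossible path is accepted by the first and rejected by the second, while the overflow trace from Example 1 is rejected by both.

```python
# Graph of the slide's program, hand-built for this example (not the paper's tooling):
#   read(); func(); write(); func(); close();   func(): gettimeofday(); settimeofday();
# Edge = (source, label, target); label is a syscall name, ("call", return_state) or "ret".
EDGES = [
    ("m0", "read", "m1"),
    ("m1", ("call", "m2"), "f0"),   # first call to func(), should return to m2
    ("f0", "gettimeofday", "f1"),
    ("f1", "settimeofday", "f2"),
    ("f2", "ret", None),
    ("m2", "write", "m3"),
    ("m3", ("call", "m4"), "f0"),   # second call to func(), should return to m4
    ("m4", "close", "m5"),
]
RETURN_SITES = ("m2", "m4")          # the NDFA model lets a return go to any of these

def _silent_closure(configs, precise):
    """Follow call/ret edges (no syscall) until nothing new is reached. A configuration
    is (state, stack); the stack of return states is only kept when precise=True."""
    todo, seen = list(configs), set(configs)
    while todo:
        state, stack = todo.pop()
        for src, label, dst in EDGES:
            if src != state:
                continue
            nxt = []                            # syscall edges are consumed in accepts()
            if label == "ret" and precise:      # pop the return state recorded at the call
                nxt = [(stack[-1], stack[:-1])] if stack else []
            elif label == "ret":                # NDFA: the call site was forgotten
                nxt = [(site, stack) for site in RETURN_SITES]
            elif isinstance(label, tuple):      # ("call", return_state)
                nxt = [(dst, stack + (label[1],) if precise else stack)]
            for cfg in nxt:
                if cfg not in seen:
                    seen.add(cfg)
                    todo.append(cfg)
    return seen

def accepts(trace, precise):
    """Monitor a syscall trace against the model; False means: diverged, kill it."""
    configs = _silent_closure({("m0", ())}, precise)
    for sc in trace:
        stepped = {(dst, stack) for state, stack in configs
                   for src, label, dst in EDGES if src == state and label == sc}
        if not stepped:
            return False
        configs = _silent_closure(stepped, precise)
    return True

NORMAL = ["read", "gettimeofday", "settimeofday", "write", "gettimeofday", "settimeofday", "close"]
IMPOSSIBLE = ["read", "gettimeofday", "settimeofday", "close"]   # skips write(): no real run does this
OVERFLOW = ["read", "execve"]                                     # injected shell from Example 1
```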
Real World Problems

• (*func)();
• Signals
• setjmp();
• libraries
• dynamic linking
• Threads, execve()s
Function Pointers

    i = read(fd, buf, 50);
    (*func)();
    close(fd);

Graph: read → { A(), B(), C() } → close. The static analysis cannot tell which function the pointer will target, so every candidate target is spliced in between read and close.
Signals

    signal(i, handlerA);
    signal(j, handlerB);
    signal(k, handlerC);
    i = read(fd, buf, 50);
    close(fd);

Graph: read → close, with handlerA(), handlerB(), handlerC() reachable from any point. A registered handler may run between any two system calls, so its graph has to be allowed everywhere; the second Signals slide shows the same read(); close() with only the handlers drawn, since once installed they can fire anywhere.
setjmp/longjmp

    setjmp(x);
    i = read(fd, buf, 50);
    setjmp(y);
    close(fd);
    longjmp(?);

Graph: read → close, with the saved points x-state and y-state. A longjmp() may resume at either saved point, so from wherever it is called control can jump back to before read() or to before close().
Experiments

• Graphs via gcc + manual fixes
• Used Java Framework (JIT)
• Heavy computational task
• Stop if Latencies > 1 hour
• Ignored common sys calls
• Analyze Parameters, too
Conclusions

• One Model Per App
• Small branchings → Precise
• Precise → no impossible paths
• Mimicry Attacks
• Precise Models too Expensive
• Java framework too slow
• Failed to run Precise Models

The End
HomeWork

    begin:
        fd = open("file");
        while (1) {
            i = read(fd, buf, 50);
            if (i) goto begin;
        }
        exit(0);

1. What is the correct callgraph?
   [options a), b), c) and d) were four callgraph diagrams over the nodes open, read, exit; the diagrams were not extracted]
HW – cont. (tip: all answers are short!)

2. What is IDA Pro?
3. What are the sketches that make the background of this presentation? Any idea how they were created?
4. Do you think Snort (see Elad's hw) has 0 false positives like the paper claims to achieve?
5. Bonus: which movie were the two swords in the background taken from?