Determinas Vulnerability Protection Suite

1
Determinas Vulnerability Protection Suite

• Saman Amarasinghe
• CTO, Determina Inc.
• Associate Professor, MIT EECS/CSAIL

2
Corporate Overview

• Founded Early 2003
• Core technology developed at MIT over 8 years
• Venture backed
• Headquarters in Redwood City, CA
• CTO founding engineering team from MIT

3
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

4
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

5
Market Trends

• Attacks and vulnerabilities still increasing
• Security incidents have nearly doubled each year
  (CERT)
• Endpoint security often last line of security
• to be addressed.
• SYMC Threat Report
• Trend towards directed attacks
• Threat landscape dominated by emerging threats
  such as bot networks, customizable modular
  malicious code, and targeted attacks
• Current threats increasingly motivated by profit

Increasing vulnerabilities, more directed attacks
6
Recent Example WMF VulnerabilityNO Patch
Available
Day 0 December 1 Vulnerability Discovered1 and
Exploit Code Being Sold for 4000 Shortly
Afterward
Day 14 December 14 Sites first post WMF Exploits
Day 27 December 27 Initial Disclosure of
Vulnerability
Day 28 December 28 MS Announces AwarenessNo
Patch for Issue
Day 29 December 29 50 variants, 1000 sites
reported Thursday 12/29
Day 31 December 31 Instant messaging,Trojan
horses botnets begin exploiting WMF and
Unofficial patch released by Ilfak Guilfanov
Day 33 January 3rd 1,000,000 WMF exploited
downloads reported from just 1 site
Day 35 January 5th Microsoft Releases Patch
Vulnerability Made Public
Patch issued by MS
Patch fully deployed
Average exploit window 25 days before patches
deployed
Vulnerable w/no Official Patch 35 Days
Determina 0-day protection active before
vulnerability is known
Total exploit window for average organization 60
days
Wipro, Ltd 2005, The Total Cost of Security
Patch Management
1Computerworld.com, Russian hackers sold WMF
exploit, analyst says
7
Vulnerability Protection Suite

• What is VPS
• Enterprise Host IPS security solution for Fortune
  1000
• Patented Technology
• Vulnerability Protection focus vs. Attack focus
• Stops both known and unknown (zero-day) attacks
• A zero complexity / zero maintenance solution
• No attack signatures / no post attack cleanup
• No policies to maintain
• No behavior to model
• No false positives
• Application Communities
• The core of VPS (DyanmoRIO, Memory Firewall and
  LiveShield) are core building blocks

8
Vulnerability Protection Suite

• What is VPS
• Enterprise Host IPS security solution for Fortune
  1000
• Stops both known and unknown (zero-day) attacks
• A zero complexity / zero maintenance solution
• No attack signatures / no post attack cleanup
• No policies to maintain
• No behavior to model
• No false positives

Memory Firewall
LiveShield
Managed Program Execution Engine
9
Software Vulnerabilities The Root Cause of
Attacks

• 4,000 new software vulnerabilities are discovered
  each year (Symantec)
• 422 new vulnerabilities in Q2 05, a 20 increase
  YoY (SANS)
• Microsoft issued 53 security bulletins in 2005.
  (Microsoft)
• Directed attackers (hackers) are increasingly
  targeting enterprise information for profit
• 30M Total losses in 2005 due to theft of
  proprietary data - a 270 increase YoY. (CSI/FBI)
• Mass worm attacks have caused billions in damage
• Zero-Day costs - SQL Slammer costs 950M to 1.2
  billion in first five days alone (Cnet)

100 of Microsoft critical vulnerabilities are
memory-related
10
Zero-Day Endpoint Protection Without Tuning or
Maintenance

• Memory Firewall protects without updates
• LiveShield shields released within days of
  vulnerability, without waiting for patches,
  exploit behavior or attack signatures

11
VPS Advantages

• Ensure non-stop availability
• Must be able to deploy and maintain without
  disrupting business operations
• Accessibility
• Must be easy, simple to manage
• Guarantee reliability for critical servers and
  applications
• It just works!
• Scalability
• Be able to support thousands of machines
• Flexibility
• Integration with a variety of management
  solutions through support of standard protocols

12
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

13
Managed Program Execution Engine

• Derek Bruening

14
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

15
Attack Lifecycle

• Enter
• Monitoring is simple
• Port monitoring or system call monitoring
• Dont know good guy from bad guy
• only known criminals can be identified
• Even known bad guys are hard to detect
• encrypted channels
• Compromise
• Monitoring can be done
• System call monitoring
• Hard to distinguish between actions of a normal
  program vs. a compromised program

Make payment
Change prefs
Read statement
ENTER
NETWORK
APPLICATIONS

• Hijack
• Catch in the act of criminal behavior
• All programs follow strict conventions
• ABI (Application Binary Interface)
• The Calling Convention
• Currently no enforcement
• All attacks violate some of these conventions

HIJACK
KERNEL
COMPROMISE
Write Record
Update Registry
Open port
16
Stop before Hijack
ABI

• Hijack
• Catch in the act of criminal behavior
• All programs follow strict conventions
• ABI (Application Binary Interface)
• The Calling Convention
• Currently no enforcement
• All attacks violate some of these conventions

• Enforcing conventions
• Systematically catch an entire class of attacks
• No false positives
• Catch them before they do ANY bad activity ? no
  attack code is ever run
• Conventional Wisdom Impossible to do without a
  large performance penalty
• Need to be inside the application
• Need to monitor activity at a very fine-grain
  each instruction at a time
• Overhead will be overwhelming
• The Memory Firewall lets you do just that!
• Able to amortize the cost of enforcement,
  eliminating the overhead

Processor Execution Environment
17
How Program Shepherding Work?
Program Counter Executes the Program Instruction
by Instruction
Run-time System
Never Let go of the Program Counter
Code Cache
Program
Restricted Control Transfer Is it legal to go
from here to there?
Restricted Code Origins Is this code came from a
code page?
Restricted Control Transfer Is it legal to go
from here to there?
Restricted Code Origins Is this code came from a
code page?
Restricted Code Origins Is this code came from a
code page?
18
Technique 1 Restricted Code Origins
Code Cache
Unmodified code pages
A
D
Modified pages
B
E

• As code is copied to the code cache, check where
  its coming from
• Check the security policy only once

19
Technique 1 Restricted Code Origins

• Catches all the injected code attacks
• Most of the popular attacks are of this type
• What is left?
• Malicious reuse of existing code
• Change addresses used by return and indirect jump
  and indirect branch instructions
• Much more difficult

20
An Example Chained Call Attack
Code
Stack
handle_URL(handle h) char url64 char
tmp geturl(h) strcpy(url, tmp)
Arguments
Fake arguments
Return Address
Local Variables
0x8A234
Fake arguments
Argument h
Return Address
0x7F8B0
Local Variables tmp
Local Variables URL
Libraries
setuid()
unlink()
0x7F8B0
0x8A234
URL
http//001110110110111011010001010110101101010110
10110110110110101011010101010110101011010101...
21
Technique 2Restricted Control Transfers
context switch
BASIC BLOCK CACHE
TRACE CACHE
trace branch taken?
indirect branch lookup
non-control-flow instructions
non-control-flow instructions
Restrict based on source address, destination
address, and/or transfer type
22
Technique 2Restricted Control Transfers

• Inter-Segment Indirect Calls and Jumps
• Only to known function entry points
• Only if the function is exported by the
  destination segment
• Only if the function is imported by the source
  segment
• Intra-Segment Jumps
• Only within a known function or to a known
  function entry point
• Intra-Segment Indirect Calls
• Only to known function entry points

23
Technique 2Restricted Control Transfers

• Returns
• Only to after a call instruction
• If a direct call, called function should be the
  same as the function returning from

24
Technique 3 Un-circumventable Sandboxing

• Typical problem with sandboxing
• If attacker gains control, can bypass checks
• MPEE-inserted sandboxing isun-circumventable
• MPEE enforces unique entry points

25
Protecting MPEE Itself

• MPEE runs in the applications address space
• Must not allow application to manipulate MPEE
  data or code cache
• How?
• Protect MPEE data structures and the code cache
• Sandbox system calls that can change protection
  and thread behavior

26
Memory protection
27
Memory protection
28
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

29
What is a Vulnerability?

• Anatomy of a Vulnerability
• A corner case that should never happen in normal
  operations
• The programmer forgot to check for that corner
  case
• Vulnerability is the ability to invoke that
  corner case by an exploit to do something that is
  not allowed in normal operation.
• In most vulnerabilities
• A simple check (a few assembly instructions)
  identify the corner case
• Check if value is out of range
• Check a string for certain patterns
• The check never passes in normal operations
• When an exploit is caught by the check, simple
  remediation exist
• Return an error code from the function
• Put the value within range
• Truncate the string

30
LiveShield

• Reactive elimination of vulnerabilities
• Triggered by
• the availability of a proof-of-concept exploit
  against a vulnerability
• the availability of a patch release fixing a
  vulnerability
• the availability of an attack taking advantage of
  a vulnerability
• when the remediation for a memory based
  vulnerability (or attack) destabilize the system

31
LiveShield

• Inject two very small pieces of code in to a
  running program
• Detector
• Check when the corner case is invoked
• Guaranteed no impact on the program (cannot
  change program state or crash the program)
• Remediator
• Take remediation action once an exploit is
  detected
• Will minimally change the program behavior, but
  it is to stop an attack.

32
LiveShield

• LiveShields improves the availability of systems
• minimizes the disruption of a working system
• Faster deployment cycle than a typical patch
• Surgical fix for the root cause of the problem
• In conjunction with the Memory Firewall,
  eliminates most vulnerabilities
• Reduce the patch frequency and need for emergency
  patching

33
Different Levels of Updates
Power of a Patch, Operates like a DAT
34
Using MPEE infrastructure as the LiveShield
Framework

• Invisible injection
• Dont need to put trampolines in the visible
  address space
• Issues with atomicity, instruction alignment etc.
• Basic Block/Trace building naturally leads to a
  direct implementation
• Fully isolated execution especially for the
  detect mode
• MPEE provides an environment isolated from the
  application
• Detect mode can give strong promises on not
  impacting the normal program behavior
• Existing central management framework
• Easy to manage dynamic updates and changes of
  status
• Can store the shields without impacting
  application
• Can do I/O without impacting the application

35
LiveShield Properties

• Dynamic
• Customer Visible
• Individually Manageable/Undoable
• Live Testing Capable
• Targeted
• Micro-Sized
• Control-flow Triggered Execution

36
Detector Requirements

• Checks if the corner case gets invoked
• If so, indicates that to the LiveShield runtime
  system
• In the detect mode will report that fact
• In the protect mode call the remediator
• Guarantee that the detector will not impact the
  the program
• Cannot change normal program state
• Cannot modify any program visible memory or
  program registers
• Cannot acquire program visible resources
• Cannot modify the control-flow of the program
• Cannot crash or hang the program
• Need to catch any exception condition
• Need to check for infinite loops
• If a problem is encountered, exit the Shield
• If the problem is recurring, disable the Shield
• Implementation
• Restricted ISA that can be validated and
  sandboxed at load time

37
Remediator Requirements

• Ability to change the application to fix a
  vulnerability
• Change any application visible memory location
• Change control-flow of the program
• Return from the current application function
• Jump over a few application instructions after
  the trampoline
• Take allowed program-level remediation action
• Kill thread and throw exception
• More expressiveness than the detector
• Still will need some limitations

38
LiveShield Development Operations Flow
POC Exploit Released
Acquire the exploit
Trace the exploit activity
Diff the patched version against previous version
Port it to multiple versions
Identify vulnerability
Patch Released
Develop a Shield
Test the Shield
Acquire the attack
Trace the attacks activity
Attack Released
Release to customers
best case is 24 hours, Cannot take more than 7
days
No triggering in 24 hours
Push the Shield in detect mode
Minimal QA a. la. DAT update
Receive LiveShield
Put into protect mode
Y
N
Y
No problems in 24 hours
Report the problems to Determina
Put in a full QA System in protect mode
N
39
LiveShield Flow
40
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

41
Evaluation Criteria

• Accuracy
• Maintainability
• Scalability
• Coverage
• Proactivity
• Uncircumventability
• Containment

42
1. Accuracy The cure cannot be deadlier than the
illness!

• False Positives
• More common than the attacks
• In an IDS ? a nuisance
• In an IPS ? Can destabilize the system
• Applications arent resilient to squashing random
  system calls

43
2. Maintainability The cost of the solution
should be less than the attack cleanup cost

• What is a typical enterprise like?
• How many machines, how many IT people?
• Cost of operations
• How do you manage a large enterprise?
• What impact maintainability?
• Shelfware vs. deployed software

44
3. Scalability Worms are equal opportunity
attackers. Need to protect every box

• Requirements to run enterprise-wide
• Critical bottlenecks
• Deployment / maintenance
• Performance

45
4. Coverage No partial band-aid solutions please!
46
5. Proactivity Should be ready to protect when
attacked!
47
Speed of PropagationThe Witty Worm
48
6. Uncirumventability Dont be an emperor with
no clothes!

• Phrack Article Smashing Stack for Fun and
  Profit
• Any fool-proof systems?
• Complex systems are never fool-proof
• Should we just give up?
• Compare system security with crypto
• Is crypto fool-proof?
• How do you evaluate crypto?
• Evaluating system security
• 10/90 rule of thumb
• Nothing is perfect, make it hard...

49
7. Containment What good of stopping an attack
after it happens?

• Where was the attack stopped?
• At the gates vs. inner chamber
• How far did the attack propagate
• Did malicious code got executed?
• Any machine got infected?
• Other machines got compromised?

50
Overview

• Corporate Overview
• Vulnerability Protection Suite
• Managed Program Execution Engine
• Memory Firewall
• LiveShield
• Evaluation Criteria
• Research Plan

51
VPS impact on the Project
52
Determina Stmt of Work

• Client Interface for MPEE
• Application State Probing
• LiveShield Constraint Creation Framework
• LieShield Coordination Center
• Hybrid System for Binary Analysis
• Proactive Situational Awareness
• Vulnerability Analysis
• Integration, Testing and Deployment

53
Client Interface for MPEE

• The basic framework to build the tools
• Support the necessary APIs
• Support on windows services and server
  applications
• Status
• Was an active research topic at MIT
• Currently dormant
• Will bring it back to life, improve and extend
  for this project

54
Application State Probing

• Build probes to check internal state of the
  application
• Probes can be client programs
• Simpler probes can be even liveshields
• Framework to collect the probe information to the
  central mgmt console

Application State Probing
Memory Firewall
LiveShield
Client Interface
Managed Program Execution Engine
55
LiveShiled Constraint Creation Framework
POC Exploit Released
Acquire the exploit
Trace the exploit activity
Diff the patched version against previous version
Port it to multiple versions
Identify vulnerability
Patch Released
Develop a Shield
Test the Shield
Acquire the attack
Trace the attacks activity
Attack Released
Release to customers
best case is 24 hours, Cannot take more than 7
days
No triggering in 24 hours
Push the Shield in detect mode
Minimal QA a. la. DAT update
Receive LiveShield
Put into protect mode
Y
N
Y
No problems in 24 hours
Report the problems to Determina
Put in a full QA System in protect mode
N
56
LiveShiled Constraint Creation Framework

• Interface for
• Creating constraints
• Deploying them through the central management
  console
• Gather feedback and manage the deployment
• Used for deploying automatically generted patches

Framework for Constraint Creation
Release to customers
No triggering in 24 hours
Push the Shield in detect mode
Minimal QA a. la. DAT update
Receive LiveShield
Put into protect mode
Y
N
Y
No problems in 24 hours
Report the problems to Determina
Put in a full QA System in protect mode
N
57
LiveShiled Coordination Center

• Liveshields can have problems
• Minimal dev and QA (or no QA for auto developed)
• Can adversely impact the application
• Mitigate the risk by using the application
  community
• Gradual deployment while monitoring
• Find anomalies that are correlated with deployment

No triggering in 24 hours
Push the Shield in detect mode
Minimal QA a. la. DAT update
Receive LiveShield
Put into protect mode
Y
N
Y
No problems in 24 hours
Report the problems to Determina
Put in a full QA System in protect mode
N
58
Hybrid System for Binary Analysis

• Manage Program Execution Engine all analysis
  at runtime
• Pros Full visibility and simple workflow
• Cons Expensive analysis affects the performance
• Hybrid system
• Do some analysis at installation or first
  invocation
• Pre-compute and memoize information when
  available
• Reduce the runtime overhead

59
Proactive Situational Awareness

• Attacks are mostly on known vulnerabilities
• No prior knowledge on day-zero attacks
• But vulnerabilities are known
• Are your applications open to known
  vulnerabilities?
• Proactive Situational Awareness will
• Gather info on known vulnerabilities and attacks
• Gather current status of the applications
• Identify what vulnerabilities are unprotected
• Identify when an application deviate from the
  community

60
Vulnerability Analysis

• Determinas LiveShield Operations team
• Troll for new vulnerabilities and attacks in the
  wild
• Analyze any new vulnerabilities and attacks
• Analyze Microsoft security updates
• Pinpoint the exact vulnerability
• Develop LiveShields to stop them
• We have a large knowledge base
• Develop scenarios using the state-of-the-black-ar
  t

61
Integrate, Testing, Deployment

• Build a prototype version of the product that
  integrate successful AC components
• Identify commercially-viable and ready components
• Prototype product development
• Integration
• QA and test
• Deployment
• Interact with the Red Team
• Get feedback
• Iterate