FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks

Alexey Smirnov, Huijia Lin, and Tzi-cker Chiueh Experimental Computer Systems Lab, Department of Computer Science, SUNY Stony Brook FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks Contact Information ECSL Lab at SUNY Stony Brook: http://www.ecsl.cs.sunysb.edu E-mail: {alexey,lhj,chiueh}@cs.sunysb.edu Evaluation Test suite: named — a DNS daemon from BIND 8.1 program ghttpd — an HTTP server drcatd — a remote cat program squid – web caching daemon passlogd – syslog sniffer. Instrumentation Overheads: Signatures Evaluation: named signature ghttpd signature FORECAST System Architecture FORCAST compiler is an extension to GNU C Compiler. FORECAST run-time library has functions for attack detection, packet identification, and signature generation. The main idea is to log each memory update that a program performs at run-time in a memory updates log. At compile time , FORECAST instruments the program so that it can generate log records and detect an attack. At run-time , the instrumented program generates memory updates log records and uses this information when an attack is detected. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],FTP Sever Example A vulnerable FTP server code Memory updates log Saved return address is in buf[17] FTP server GET multi-packet attack Signature char buf [ 16 ]; Is_auth = is_user =0; // user not authenticated initially while (1) { recv_packet( p ); if (! strncmp ( p , “QUIT”,4)) break ; if (! strncmp ( p , “USER”, 4)) { is_user =1; continue ; } if (! strncmp ( p , “PASS”, 4) && is_user ) { is_auth =1; continue ; } if (! is_auth ) continue ; // authentication required if (! strncmp ( p , “GET”, 3)) { strcpy ( buf , p+4 ); // overflow occurs send_file( buf ); } } Attack Detection Most control-hijacking attacks modify a control sensitive data structure in the victim program, for example a return address. The attacker gets control when the function returns. At the function prolog, the return address is stored in the return address repository. At the function epilog, the return address on the stack is compared with the value stored in the return address repository. If they are different then an attack is detected. Control and Data Dependencies A data dependency is created between variable X and Y when X=Y is executed. A control dependency is created between X and Y when Y defines X’s value using a conditional expression: if (Y>1) X=1; else X=2. For each conditional and loop expression FORECAST inserts a special log record . Memory updates log allows to identify control and data dependencies. Using data dependencies only is insufficient, for example for an FTP server that requires authentication. Memory Updates Logging Memory updates log record: For assignment statement X = Y, For X = Y + Z, an entry is created for each operand. Standard library functions are proxied: recv(socket, &buf, sizeof(buf), 0) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks

Similar a FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks (20)

Último

Último (20)

FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hijacking Attacks