
Page 1: Analyzing and Detecting Network Security Vulnerability

Analyzing and Detecting Network Security Vulnerability

Weekly report

Fan-Cheng Wu

Page 2

Approach

1. Do some statistics on Cisco Advisories.
   – Classification methodology (on-going)
2. Classify the Advisories in various ways.
   – Read and classify Cisco advisories (on-going)
3. Select one Advisory from each category.
4. Find the root cause by reading program diff files and engineering notes, or by interviewing development engineers.
5. For each Advisory/vulnerability category, develop ways to parse programs to look for that kind of vulnerability.
6. Write the parser with the above detection capability.

Page 3

Initial start

Weekly report, 2007/08/17

Page 4

Weekly Report

Page 5

Cisco Advisories

Page 6

Example for Vulnerability Classification: characteristic tree for protocol vulnerabilities

A network time protocol (NTP) exploit

Page 7

Analyzing Cisco Advisories

Weekly report, 2007/08/23

Page 8

Outline

• Overview of Cisco advisories
• Classifying Cisco advisories
• Tools to detect problems in code
• Secure coding

Page 9

Overview of Cisco Advisories

• What information does a Cisco advisory provide?
  – For example: [Multiple Vulnerabilities in the IOS FTP server], Table of Contents

Page 10

Overview of Cisco Advisories (cont.)

• Details section: gives the Cause
• Impact section: gives the Symptom

(Annotations on the advisory excerpt: Cause, Symptom, Protocol)

Page 11

Overview of Cisco Advisories (cont.)

• Vulnerability Scoring Details

Page 12

Example for Vulnerability Classification: characteristic tree for protocol vulnerabilities

A network time protocol (NTP) exploit

Page 13

Classifying a Cisco Advisory

• For example: [Multiple Vulnerabilities in the IOS FTP server]
  – Information in the advisory: Protocol, Cause, Symptom, Access, Impact …
  – Impossible to classify the advisory as a single unit, because it covers two distinct vulnerabilities:
    • Improper authorization checking in the IOS FTP server
    • IOS reload when transferring files via FTP
  – Design flaw? Implementation flaw?

Page 14

Detecting Vulnerability

• Design flaw
  – Function extraction [1]
• Implementation flaw
  – Secure coding [2]

[1] M. Pleszkoch and R. Linger, "Improving Network System Security with Function Extraction Technology for Automated Calculation of Program Behavior," IEEE Computer Society Press, 2004.
[2] "Secure coding," http://www.securecoding.cert.org/

Page 15

Detecting Design Flaw

Page 16

Implementation flaw

• Language
  – C
    • Preprocessor
    • Memory management
    • Array
    • …
  – C++

Page 17

Classification Methodology for Vulnerability

Weekly report, 2007/09/14

Page 18

Outline

• Previous work
  – Landwehr's taxonomies [1]
  – Bishop's taxonomies [2]
  – Piessens' taxonomy [4]
  – Du's categorization [3]
  – Engle's tree classification [5]
• Applying Engle's scheme to a Cisco advisory

(Annotations on the slide: "Consider single dimension"; "Consider multiple dimensions")

Page 19

Landwehr's taxonomies

• By Genesis
• By Time of introduction
• By Location

(Annotations on the slide: "Ambiguous"; "ill-defined")

Page 20

Bishop's taxonomies

• Describes vulnerabilities in a form that is useful to intrusion detection mechanisms
• Each vulnerability is classified by
  – The nature of the flaw
  – The time of introduction
  – The exploitation domain of the vulnerability
  – The effect domain
  – …

Page 21

Piessens' taxonomy

• Classifies vulnerabilities by the software life-cycle phase in which they are introduced

Page 22

Du's categorization

• Describes each security flaw from several aspects
• Categorization of sample security flaws

Page 23

Engle's tree classification

• Vulnerabilities may fall into multiple classes.
• Classification steps:
  1. Define the characteristic set for the vulnerability
  2. Create the characteristic tree by a bottom-up approach
  3. Classify the vulnerability
• For example (figures on the slide): the complete characteristic tree (Step 1) and the characteristic tree for {Q, Heart} (Step 2)

Page 24

Previous Works

• A table summarizing the previous works (not ready)

Page 25

Complete Characteristic Tree for an exploit

Exploit
  – Vulnerability
    – Genesis (Landwehr's taxonomy)
      – Inadvertent: Identification/Authentication, …
      – Intentional: Trojan horse, Trapdoor, …
    – Time of introduction (Landwehr's taxonomy)
      – During development: Specification/Design, …
      – During maintenance, …
  – Symptoms
    – DoS
    – Privilege escalation
    – Information disclosure

Page 26

Classifying CSCek55259

Exploit CSCek55259: Improper authorization checking in IOS FTP
  – Vulnerability
    – Genesis: Inadvertent, Identification/Authentication …
    – Time of introduction: During Development, Specification/Design
  – Symptoms: Privilege escalation

Page 27

References

1. C. E. Landwehr, A. R. Bull, J. P. McDermott, et al., "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, 26(3):211-254, 1994.
2. M. Bishop, "A Taxonomy of UNIX System and Network Vulnerabilities," Technical Report CSE-95-10, Department of Computer Science, University of California at Davis, May 1995.
3. W. Du and A. P. Mathur, "Categorization of software errors that led to security breaches," Proceedings of the 21st National Information Systems Security Conference (NISSC '98), 1998.
4. F. Piessens, "A taxonomy of causes of software vulnerabilities in Internet software," Proceedings of the 13th International Symposium on Software Reliability Engineering, Annapolis, Maryland, USA, November 2002.
5. S. Engle, S. Whalen, and D. Howard, "Tree Approach to Vulnerability Classification," Technical Report CSE-2006-10, Department of Computer Science, University of California at Davis, May 2006.

Page 28

<exploit id="CSCek55259" desc="Improper authorization checking in IOS FTP">
  <vulnerability>
    <genesis>
      <identification></identification>
    </genesis>
  </vulnerability>
  <time>
    <development>
      <design></design>
    </development>
  </time>
  <symptom>
    <dos></dos>
    <privilege></privilege>
  </symptom>
</exploit>

Exploit CSCek55259
  – Vulnerability
    – Genesis: Inadvertent, Identification/Authentication …
    – Time of introduction: During Development, Specification/Design
  – Symptoms: DoS, Privilege escalation
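The XML record above is the form the parser planned in step 6 of the approach would consume. The following Python is an added example, not code from the slides or from Engle et al.: it parses records in that format, rejects tags that the characteristic tree on Page 25 does not contain, lists every class a record falls into (the point on Page 23 that one vulnerability may belong to several classes), and tallies one axis across records, which is the per-category statistics step 1 of the approach asks for. The TREE dictionary, the extra leaf tags (validation, trojan, trapdoor, source, disclosure) and the second record with id "hypothetical-2" are assumptions made for illustration; only the CSCek55259 record is taken from the slide.

```python
"""Added example: classify Engle-style XML exploit records against a
characteristic tree and aggregate them. Not code from the slides."""
import xml.etree.ElementTree as ET
from collections import Counter

# Characteristic tree of Page 25 written as "tag -> allowed child tags".
# Tag names follow the XML on Page 28; the extra leaves are assumptions.
TREE = {
    "exploit": {"vulnerability", "time", "symptom"},
    "vulnerability": {"genesis"},
    "genesis": {"identification", "validation", "trojan", "trapdoor"},
    "time": {"development", "maintenance"},
    "development": {"design", "source"},
    "maintenance": set(),
    "symptom": {"dos", "privilege", "disclosure"},
}

# Record 1 is the classification of CSCek55259 from Page 28. Record 2 is a
# constructed record with a hypothetical id; its <bogus/> symptom is there to
# show how a record that does not fit the tree is rejected.
RECORDS = """<records>
<exploit id="CSCek55259" desc="Improper authorization checking in IOS FTP">
  <vulnerability><genesis><identification/></genesis></vulnerability>
  <time><development><design/></development></time>
  <symptom><dos/><privilege/></symptom>
</exploit>
<exploit id="hypothetical-2" desc="constructed example record">
  <vulnerability><genesis><validation/></genesis></vulnerability>
  <time><development><source/></development></time>
  <symptom><dos/><bogus/></symptom>
</exploit>
</records>"""


def violations(elem):
    """Return 'parent/child' pairs the characteristic tree does not allow.
    Tags absent from TREE are leaves and may not have children at all."""
    bad = []
    allowed = TREE.get(elem.tag, set())
    for child in elem:
        if child.tag not in allowed:
            bad.append(f"{elem.tag}/{child.tag}")
        bad.extend(violations(child))
    return bad


def classes(exploit):
    """All root-to-leaf paths of one record. A vulnerability may fall into
    several classes at once (Page 23), so this is a set, not one label."""
    out = set()

    def walk(elem, path):
        children = list(elem)
        if not children:
            out.add("/".join(path))
        for child in children:
            walk(child, path + [child.tag])

    walk(exploit, [])
    return out


def classify_all(xml_text):
    """Map record id -> (class paths, tree violations) for every record."""
    root = ET.fromstring(xml_text)
    return {e.get("id"): (classes(e), violations(e)) for e in root.iter("exploit")}


def tally(xml_text, axis):
    """Count leaves under one axis (e.g. 'symptom') over all records that
    the tree accepts; records with violations are skipped, not guessed."""
    counts = Counter()
    for cls, bad in classify_all(xml_text).values():
        if bad:
            continue
        for path in cls:
            parts = path.split("/")
            if parts[0] == axis:
                counts[parts[-1]] += 1
    return counts


if __name__ == "__main__":
    for rid, (cls, bad) in classify_all(RECORDS).items():
        print(rid, sorted(cls), "violations:", bad)
    print(tally(RECORDS, "symptom"))
```

Run stand-alone, it reports that CSCek55259 lands in four classes (genesis, time of introduction and two symptoms) with no violations, that the constructed record is rejected for `symptom/bogus`, and that the symptom tally over accepted records is one DoS and one privilege escalation. Adding a new taxonomy axis is a matter of extending TREE, which keeps the parser and the tree on Page 25 in one place.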

Page 29

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits [1]

Weekly report, 2007/09/28

[1] J. Newsome and D. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software," Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005), 2005.

Page 30

Outline

• Goal
  – Fine-grained attack detector for commodity software
  – Automatic tools for signature generation
• Design and Implementation
• Evaluation
  – Precision
  – Performance
• Attack Detector
• Automatic Signature Generation

Page 31

Goal

• Fine-grained attack detector for commodity software
  – Fine-grained attack detector
  – No need to recompile source code and libraries
• Automatic tools for signature generation

Page 32

Monitoring a program at run-time

• In order to monitor the program at run-time, the PUT (program under test) is run on a virtual machine.
• Valgrind [2]
  – An open-source virtual machine on Linux
  – Provides a skin (tool) mechanism to instrument the program in various ways
• TaintCheck, a skin of Valgrind that
  – marks untrusted input as tainted (TaintSeed)
  – traces tainted data as it propagates through the program (TaintTracker)
  – checks whether an instruction violates a policy, e.g. uses tainted data as a jump target (TaintAssert)

[2] Valgrind, http://valgrind.org/

Page 33

System Architecture

(Figure: layers from bottom to top: Hardware; OS; Valgrind as the basic infrastructure, with a skin such as MemCheck; Program Under Test; Exploit Analyzer, which turns TaintAssert's log into useful information about how the exploit happened)

Page 34

False Positives

• Possible causes of a false positive
  – The program contains a vulnerability that should be fixed
  – The program performs sanity checks on the tainted data before it is used
• Evaluation
  – Tested 13 programs
  – A false positive is produced in 2 programs, when data read from a configuration file is used as an offset to a jump address

Page 35

False Negatives

• Possible causes of a false negative
  – The tainted attribute of flags is not considered, i.e. taint does not propagate through control flow. For example, suppose x is tainted; then

        if ( x == 1 ) y = 1; else if ( x == 2 ) y = 2; …

    is semantically the same as

        y = x

    but y is never marked tainted.
  – Tainted data is used as an index into a table.
  – TaintCheck is configured to trust input that should not be trusted.

Page 36

Performance

• CPU-bound: bzip2
• Short-lived: cfingerd

Page 37

Performance (cont.)

• Common case: Apache

Page 38

Attack Detector

• Performance overhead
• Using TaintCheck with
  – sampling
  – anomaly detection

Page 39

Automatic Signature Generation

• Identifying the value used to overwrite a function pointer or return address
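To make the three stages on Page 32 concrete, and to reproduce the false positive on Page 34, the false negatives on Page 35 and the signature step on Page 39 in one place, here is an added Python model of a TaintCheck-style tracker over a tiny micro-op trace. It is not code from the paper or from the slides: the micro-op format, the constructed 16-byte packet, the four-byte configuration value and the representation of taint as the set of input offsets a value derives from are all assumptions. TaintCheck keeps a taint structure per memory location and register; the set of origins used here is a simplification that is still enough to name the input bytes that supplied an overwritten return address.

```python
"""Added example: a toy TaintSeed / TaintTracker / TaintAssert interpreter.
Not the paper's code; micro-op format and sample inputs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    v: int
    origin: frozenset = frozenset()  # input offsets this value derives from; empty = untainted

    @property
    def tainted(self):
        return bool(self.origin)


def run(program, data, untrusted=True):
    """Interpret a list of micro-ops against one input buffer `data`.
    Returns (registers, alerts); an alert is (op, value, sorted origins)."""
    regs, alerts = {}, []
    for op in program:
        kind = op[0]
        if kind == "load":                     # load r, offset, width (little-endian)
            _, r, off, width = op              # TaintSeed: bytes from an untrusted source
            raw = data[off:off + width]        # carry their own offsets as taint
            origin = frozenset(range(off, off + width)) if untrusted else frozenset()
            regs[r] = Val(int.from_bytes(raw, "little"), origin)
        elif kind == "const":                  # const r, value: program constants are clean
            _, r, value = op
            regs[r] = Val(value)
        elif kind == "add":                    # TaintTracker: arithmetic unions the origins
            _, r, a, b = op
            regs[r] = Val((regs[a].v + regs[b].v) & 0xFFFFFFFF,
                          regs[a].origin | regs[b].origin)
        elif kind == "select":                 # r = table.get(src.v, 0) via an if/else chain:
            _, r, src, table = op              # a control-flow copy, so taint is NOT propagated
            regs[r] = Val(table.get(regs[src].v, 0))
        elif kind == "index":                  # r = table[src.v]: tainted index, clean result
            _, r, src, table = op              # (the table-lookup false negative on Page 35)
            regs[r] = Val(table[regs[src].v % len(table)])
        elif kind == "check":                  # program's own range check: taint is unchanged
            _, r, lo, hi = op
            if not lo <= regs[r].v <= hi:
                raise ValueError("sanity check failed")
        elif kind in ("jump", "ret"):          # TaintAssert: tainted control transfer target
            _, r = op
            if regs[r].tainted:
                alerts.append((kind, regs[r].v, sorted(regs[r].origin)))
        else:
            raise ValueError(f"unknown op {kind}")
    return regs, alerts


def signature(alert, data):
    """Exploit-analyzer step: the input bytes that produced the bad target."""
    _, _, origins = alert
    return bytes(data[i] for i in origins)


# Constructed 16-byte "packet": bytes 12..15 land in a saved return address.
PACKET = b"AAAAAAAAAAAA\xef\xbe\xad\xde"
RET_OVERWRITE = [("load", "r1", 12, 4), ("ret", "r1")]
# Page 35: if (x == 'A') y = 'A'; ... copies x into y without a data move.
IMPLICIT_FLOW = [("load", "r1", 0, 1), ("select", "r2", "r1", {0x41: 0x41}), ("jump", "r2")]
TABLE_INDEX = [("load", "r1", 0, 1), ("index", "r2", "r1", [0x1000, 0x2000]), ("jump", "r2")]
# Page 34: a config-file offset, range-checked, added to a jump base.
CONFIG = bytes([8, 0, 0, 0])
CONFIG_JUMP = [("load", "r1", 0, 4), ("check", "r1", 0, 64),
               ("const", "r2", 0x4000), ("add", "r3", "r1", "r2"), ("jump", "r3")]

if __name__ == "__main__":
    _, alerts = run(RET_OVERWRITE, PACKET)
    print("return address overwrite:", alerts, "signature bytes:", signature(alerts[0], PACKET))
    print("implicit flow alerts:", run(IMPLICIT_FLOW, PACKET)[1])
    print("table index alerts:", run(TABLE_INDEX, PACKET)[1])
    print("config offset, source untrusted:", run(CONFIG_JUMP, CONFIG)[1])
    print("config offset, source trusted:", run(CONFIG_JUMP, CONFIG, untrusted=False)[1])
```

Running the four programs shows one detected return-address overwrite together with the offsets 12..15 it came from (the raw material for a signature), two silent false negatives (the if/else copy and the table lookup, neither of which moves tainted bytes), and the configuration-file jump flagged even though the program range-checked the value. Marking that source trusted at TaintSeed removes the alert, which is exactly the configuration trade-off the third cause on Page 35 warns about: trust too much and real attacks are missed.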