Detecting past and present intrusions through vulnerability-specific predicates. Ashlesha Joshi, Sam King, George Dunlap, and Peter Chen, University of Michigan


Page 1:

Detecting past and present intrusions through vulnerability-specific predicates

Ashlesha Joshi, Sam King, George Dunlap, and Peter Chen

University of Michigan

Page 2:

Motivation

• Software contains bugs, including flaws that may be exploited by an attacker

• Some time passes before vendor becomes aware of bug

• Software vendors try to release patches quickly

Timeline: vulnerability introduced → vulnerability discovered → patch released

Page 3:

Motivation

• Users don't always apply patches quickly
  – Concerns about unstable patches
  – Unacceptable downtime

• Can I somehow protect my system before I install the patch?

Timeline: vulnerability introduced → vulnerability discovered → patch released → patch applied

Page 4:

Motivation

• Was this vulnerability triggered on my machine in the past?

Timeline: vulnerability introduced → patch released → patch applied

Page 5:

Predicates

• The patch writer knows exactly which conditions during program execution indicate that the vulnerability is being triggered

• Use this knowledge to write exploit-generic, vulnerability-specific predicates that check these conditions
  – The predicate tests the triggering condition itself, not an exploit signature, so in principle it has no false positives or false negatives

Page 6:

An example

    char *str = some_string;
    int length = strlen(str);
    char buf[BUFSIZE];
    strcpy(buf, str);   // D'oh! no bounds check: copies length+1 bytes into BUFSIZE bytes

Predicate: (length >= BUFSIZE)
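The slide-6 predicate next to a signature-style check, as an added example that is not the paper's or IntroVirt's code. BUFSIZE, the sample inputs and the "/bin/sh" marker are constructed for the demo; guarded_copy() refuses the copy when the predicate fires (the "imitate patch" response from the Usage slide), so the demo itself never overflows. The point it makes: the predicate flags every overlong input regardless of content, while the signature misses padding with no recognizable marker and would also miss any payload that simply avoids the marker.

```c
/* Added example (not the paper's or IntroVirt's code): the slide-6 predicate
 * beside a signature check, to show what "exploit-generic, vulnerability-
 * specific" buys. BUFSIZE, the sample inputs and the "/bin/sh" marker are
 * constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16

/* Slide 6's predicate: strcpy(buf, str) writes strlen(str)+1 bytes into
 * buf[BUFSIZE], so it overflows exactly when length >= BUFSIZE. The bytes of
 * str never matter, only the condition the patch would have checked. */
int predicate_fires(const char *str) {
    size_t length = strlen(str);
    return length >= BUFSIZE;
}

/* Signature-style detector for contrast (constructed): flags inputs that
 * carry one marker a payload might contain. */
int signature_fires(const char *str) {
    return strstr(str, "/bin/sh") != NULL;
}

/* The buggy copy guarded by the predicate, i.e. the "imitate patch" response
 * from the Usage slide. Returns 1 if the copy ran, 0 if it was refused, so the
 * demo never actually overflows. dst must have BUFSIZE bytes. */
int guarded_copy(char *dst, const char *str) {
    if (predicate_fires(str))
        return 0;
    strcpy(dst, str);   /* the original unchecked copy, now known to fit */
    return 1;
}

/* Exact-length constructed inputs; the static asserts pin the lengths. */
static const char fits_exactly[] = "AAAAAAAAAAAAAAA";   /* 15 bytes + NUL: fits */
static const char one_too_long[] = "AAAAAAAAAAAAAAAA";  /* 16 bytes + NUL: overflows by one */
_Static_assert(sizeof fits_exactly == BUFSIZE, "fits_exactly must be BUFSIZE-1 chars");
_Static_assert(sizeof one_too_long == BUFSIZE + 1, "one_too_long must be BUFSIZE chars");

/* More constructed inputs: benign, a payload with a marker, and padding with none. */
static const char *inputs[] = {
    "hello",
    fits_exactly,
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/sh",   /* overlong, carries the marker */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",          /* overlong, no marker */
};
#define NINPUTS (sizeof inputs / sizeof inputs[0])

static char scratch[BUFSIZE];   /* destination used by main and the checks below */

/* How many of the constructed inputs each detector flags. */
int predicate_detections(void) {
    int n = 0;
    for (size_t i = 0; i < NINPUTS; i++) n += predicate_fires(inputs[i]);
    return n;
}

int signature_detections(void) {
    int n = 0;
    for (size_t i = 0; i < NINPUTS; i++) n += signature_fires(inputs[i]);
    return n;
}

int main(void) {
    for (size_t i = 0; i < NINPUTS; i++)
        printf("len=%2zu predicate=%d signature=%d copied=%d\n",
               strlen(inputs[i]), predicate_fires(inputs[i]),
               signature_fires(inputs[i]), guarded_copy(scratch, inputs[i]));
    printf("flagged: predicate=%d signature=%d\n",
           predicate_detections(), signature_detections());
    return 0;
}
```

Over the four constructed inputs the predicate flags both overlong strings and nothing else; the signature flags only the one that happens to carry "/bin/sh".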

Page 7:

Approach

Timeline: vulnerability introduced → patch released → patch applied. "Past" is execution that happened before the predicate was installed; "present" is execution from installation onward.

• Past: using replay, detect whether the vulnerability was triggered

• Present: monitor ongoing execution to detect and respond to attempts to trigger the vulnerability

Page 8:

Goals

The system must…
1. Not perturb the target software
2. Work for both OS- and application-level vulnerabilities
3. Allow predicates to be installed dynamically
4. Allow predicates to be written easily
5. Have low overhead

Page 9:

Challenge #1: Where do predicates execute?

Figure: candidate placements for the predicate engine, drawn as layered stacks (hardware / operating system / application): inside the application, inside the OS, or below the OS between the hardware and the OS.

Page 10:

IntroVirt structure

Figure: hardware → host OS → VMM → guest OS → applications. The predicate engine sits beside the VMM: predicates are loaded into it, it reads guest state and controls guest execution through the VMM, and it reports the intrusions it detects.

Page 11:

Challenge #2: Semantic gap

Problem: the VMM exposes guest state at the wrong level of abstraction
  – It gives us registers, memory locations, disk blocks, …
  – We want program variables, files, …

    uid = getuid();
    // forgot to check group membership
    perform privileged action

Predicate
  – Perform the missing authorization check, e.g., read /etc/group and test the user's group membership

Page 12:

Bridging the semantic gap

• How could the programmer write this predicate?
  – Determine the memory location where uid is stored; if the page is not resident, read it from disk; read the value of uid; traverse the guest OS file system structures to see whether /etc/group is in the file cache; if so, read it from memory; if not, traverse the FS structures to find which disk blocks contain it, then read those blocks from disk; …
  – i.e., emulate guest functionality

• Our solution: call guest code
  – Leverages existing guest code that does what we want
  – Here, we cause the guest itself to read the file and check group membership

Page 13:

Challenge #3: Avoiding perturbations to target state

• Calling guest functions perturbs the target

• Solution: use checkpoint and restore
  – Take a checkpoint before changing guest state
  – Restore the checkpoint after predicate execution

• Also protects against (buggy) predicates that modify guest state incorrectly

Page 14:

Challenge #4: Preemptions between the predicate and the bug

    1 if (access(file, W_OK) == 0) {   // check: may the real user write this file?
    2     unlink(file);                 // use: by now the name may refer to a different file
    3 }

• The check in line 1 should be atomic with the use in line 2; an attacker scheduled between them can relink file so that line 2 removes a file the check never approved

• Predicate, evaluated at the use: (!access(file, W_OK)), i.e., the permission established in line 1 must still hold when line 2 runs

Page 15:

Predicate refresh

• Detect and respond to the race: "predicate refresh"
  – Observation: on a uniprocessor, a scheduling event must occur before any other process can run
  – Re-execute the predicate on scheduling events to detect relevant changes in state

Page 16:

Predicate engine functionality

• Translate symbolic information from the guest
  – Parse debugging information

• Allow predicates to control guest execution
  – Breakpoints

• Read guest state

• Call guest functions
  – Manipulate the guest stack and registers

• Checkpoint and restore

• Guarantee safety

Page 17:

Predicates for applications

• Need additional support for application predicates
  – Processes are created and destroyed
  – Shared libraries can be mapped at different locations in the application address space
  – Memory pages are not always resident

• Use kernel predicates in fork, exec, exit, mmap, try_to_swap_out to track these events

Page 18:

Predicate for CAN-2003-0961 (the missing bounds check in the Linux 2.4 kernel's do_brk())

Actual patch:

    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;

Predicate:

    registerBreak("mmap.c:1044:begin", brkEventHandler);

    void brkEventHandler() {
        unsigned long addr = readVar("addr");
        unsigned long len  = readVar("len");
        // the same two conditions the patch tests: the range ends above the
        // user address space, or addr + len wrapped around
        if ((addr + len) > TASK_SIZE || (addr + len) < addr) {
            cout << "brk bug triggered" << endl;
        }
    }
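Why the patch, and hence the predicate, needs the second term: an added example that is not the paper's or the kernel's code, evaluating the slide-18 check in 32-bit arithmetic over a constructed table of brk requests. TASK_SIZE = 0xC0000000 is the i386 value; uint32_t stands in for the 32-bit kernel's unsigned long so the wraparound reproduces on any host. The upper-bound-only check is a reconstruction for contrast, not the kernel's exact pre-patch code.

```c
/* Added example (not the paper's or the kernel's code): the CAN-2003-0961
 * bounds check from slide 18 evaluated in 32-bit arithmetic, to show why the
 * patch needs the second term. TASK_SIZE = 0xC0000000 is the i386 value;
 * uint32_t stands in for the 32-bit kernel's unsigned long. The (addr, len)
 * table is constructed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE 0xC0000000u

/* Upper-bound-only check (reconstructed for contrast, not the kernel's exact
 * pre-patch code): accepts any request whose wrapped end lands below TASK_SIZE. */
int brk_rejects_without_wrap_check(uint32_t addr, uint32_t len) {
    return (addr + len) > TASK_SIZE;
}

/* The patched check from slide 18: reject if the range ends above TASK_SIZE
 * or if addr + len wrapped past 2^32 (end < addr). */
int brk_rejects_patched(uint32_t addr, uint32_t len) {
    uint32_t end = addr + len;     /* wraps modulo 2^32, like the kernel's unsigned long */
    return end > TASK_SIZE || end < addr;
}

/* The predicate fires whenever the patched check would reject, i.e. the
 * vulnerable code is about to act on an out-of-range or wrapped request. */
int brk_predicate_fires(uint32_t addr, uint32_t len) {
    return brk_rejects_patched(addr, len);
}

struct brk_req { uint32_t addr, len; };

/* Constructed requests: ordinary growth, plainly too large, and two that wrap. */
static const struct brk_req reqs[] = {
    { 0x08050000u, 0x00001000u },  /* normal heap growth: both checks accept */
    { 0xBFFFF000u, 0x00002000u },  /* ends at 0xC0001000: both checks reject */
    { 0xBFFFF000u, 0x50000000u },  /* wraps to 0x0FFFF000: only the patched check rejects */
    { 0x08050000u, 0xFFFFF000u },  /* wraps to 0x0804F000: only the patched check rejects */
};
#define NREQS (sizeof reqs / sizeof reqs[0])

/* Number of constructed requests that pass the upper-bound-only check but
 * trip the patched one: the integer-overflow cases. */
int count_wrap_escapes(void) {
    int escapes = 0;
    for (size_t i = 0; i < NREQS; i++) {
        if (brk_rejects_patched(reqs[i].addr, reqs[i].len) &&
            !brk_rejects_without_wrap_check(reqs[i].addr, reqs[i].len))
            escapes++;
    }
    return escapes;
}

int main(void) {
    for (size_t i = 0; i < NREQS; i++)
        printf("addr=0x%08" PRIx32 " len=0x%08" PRIx32
               "  upper-bound-only=%d  patched=%d  predicate=%d\n",
               reqs[i].addr, reqs[i].len,
               brk_rejects_without_wrap_check(reqs[i].addr, reqs[i].len),
               brk_rejects_patched(reqs[i].addr, reqs[i].len),
               brk_predicate_fires(reqs[i].addr, reqs[i].len));
    printf("requests caught only by the wraparound term: %d\n", count_wrap_escapes());
    return 0;
}
```

The two wrapped requests end at addresses well inside the user range, so a check on the end address alone accepts them; only the `end < addr` term notices that the region cannot exist.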

Page 19:

“find” race condition

• Runs as root

• Deletes all files in /tmp that haven't been accessed in the past 3 days ("old files")

• Problem: the file a filename points to may change between the time of identification and the time of deletion

    find /tmp -atime +3        -exec rm -f -- {} \;
    "identify old file"        "delete old file"

Page 20:

“find” predicate

    find /tmp -atime +3        -exec rm -f -- {} \;
    "identify old file"        "delete old file"

At "identify old file": save the inode number of the file

At "delete old file":
1. Get the inode # of the file
2. Compare with the saved inode #
3. Enable predicate refresh

Predicate refresh: ensure the inode # of the file stays the same until the deletion actually happens

Page 21:

Experience

• Wrote predicates for 20 real vulnerabilities (Linux kernel, bind, emacs, gv, imapd, OpenSSL, php, smbd, squid, wu-ftpd, xpdf)
  – Easy to write once the vulnerability is understood
  – Length and complexity comparable to the patch
  – Most are simple, e.g., just read a few variables

• Overhead for most predicates is less than 10%
  – Many predicates are on infrequently executed code paths
  – Frequently executed predicates are simple and fast
  – Checkpoint/restore adds 5 ms

Page 22:

Usage

• Vendors distribute predicates along with patches

• Users can install them and run them over the past and in the present

• For past attacks
  – Alert the user; take corrective measures

• For present attacks, lots of possibilities
  – Alert, kill the process, halt the machine, drop the offending connection, imitate the patch, install the patch, …
  – For anything other than "alert", you must trust the predicate

Page 23:

Limitations and future work

• Predicates change timing of the monitored code

• Software breakpoints (modify the guest's code in memory)

• Current implementation only works on native code

• Only works for uniprocessors
  – ReVirt replay
  – Predicate refresh (relies on scheduling events)

• Predicates must be written by hand

Page 24:

Related work

• VM introspection [Rosenblum97]

• VM introspection for intrusion detection [Garfinkel03]

• Shield [Wang04]

• Vigilante [Costa05]

Page 25:

Conclusions

• Vulnerability-specific predicates detect the triggering of software vulnerabilities

• IntroVirt predicate engine
  – Simple to write general-purpose predicates
  – No perturbations to guest state

• Alert users about past attacks

• Detect and respond to attacks in the present