Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Overview of the WiSAInfrastructure and Applications
Somesh Jha, Bart Miller, Tom Reps{jha,bart,reps}@cs.wisc.edu
Computer Sciences DepartmentUniversity of Wisconsin1210 W. Dayton Street
Madison, WI 53706-1685
13 November 2003 WiSA 2
Codesurfer
IDA Pro Clients
BREW
Connector
Architecture
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
Control Flow Graphs System
Dependence Graph
13 November 2003 WiSA 3
Codesurfer
IDA Pro Clients
BREW
Connector
Code Generation
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
13 November 2003 WiSA 4
Dynamic Buffer Overflow Detection• Detect buffer overflows that alter return
addresses
• Rewrite binary programs to detect and correct programming flaws– Return address verification – Safe string operations
• Jonathon Giffin, Hao Wang
13 November 2003 WiSA 5
Codesurfer
IDA Pro Clients
BREW
Connector
Dynamic Buffer Overflow Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
13 November 2003 WiSA 6
Malicious Code Detection• Detect viruses and other malware mutated
using obfuscation transformations
• Use static analysis to locate malicious code fragments embedded in a program– Deobfuscate program code– Identify malicious code sequences split across
procedure calls
• Mihai Christodorescu, Somesh Jha
13 November 2003 WiSA 7
Codesurfer
IDA Pro Clients
BREW
Connector
Malicious Code Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
13 November 2003 WiSA 8
Static Buffer Overflow Detection• Incorporate buffer overrun detection for C source
code in a program understanding framework
• Flow-insensitive, partly context-sensitive• Formulate and solve problem as linear program• Two solvers developed
– Fast and approximate– Mathematically precise
• Vinod Ganapathy, Somesh Jha
13 November 2003 WiSA 9
Codesurfer
IDA Pro Clients
BREW
Connector
Static Buffer Overflow Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrun
Parse C
Build SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
SourceCode
13 November 2003 WiSA 10
Value-Set Analysis• Create an Intermediate-Representation (IR) for an
x86 binary (for further analysis)
• IR – similar to that of a C compiler– CFG, used, killed, may-killed variables, points-to sets, etc.– Key challenge - understanding memory operations
• No symbol-table/debug information• Explicit memory addresses• Indirect addressing • Pointer arithmetic
• Gogul Balakrishnan, Tom Reps
13 November 2003 WiSA 11
Codesurfer
IDA Pro Clients
BREW
Connector
Value-Set Analysis
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
13 November 2003 WiSA 12
Model-Based Intrusion Detection• Detect attempts to subvert processes
• Specify constraints upon program behavior– Statically constructed execution model– Dyck model: efficient & context-sensitive
• At run-time, ensure execution obeys model
• Jonathon Giffin, Somesh Jha, Barton Miller
13 November 2003 WiSA 13
Codesurfer
IDA Pro Clients
BREW
Connector
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
ProgramModel
13 November 2003 WiSA 14
Future Directions• Support multiple architectures• Include new static analyses• Expand rewriting API• Develop architecture-independent rewriter
interface for code creation & insertion
13 November 2003 WiSA 15
Trace Analyzer
EDL/ESL CompilerApplication ESL
EDLEDL
Pol
icy
Enf
orce
r
Eve
nt In
terc
epto
r
.
.
.call A
call B
Application
.
.
.
syscall B
OS
syscall A
SandboX86
13 November 2003 WiSA 16
Trace Analyzer
EDL/ESL CompilerApplication ESL
EDLEDL
Pol
icy
Enf
orce
r
Eve
nt In
terc
epto
r
.
.
.call A
call B
Application
.
.
.
syscall B
OS
syscall A
SandboX86
13 November 2003 WiSA 17
ESL for Kazaa
edl "c:\malware\kazaa.edl"
map ipaddr
string blocked = "cydoor|doubleclick|adserver|…”
match gethostbyname(name) -> allow << addHash(ipaddr, ret, name)>>
match connect(addr, socket, << isHashed(addr) >> ) -> deny
match connect(sockaddr, socket, << regex(blocked, gethostbyaddr(sockaddr) >> ) -> deny
ESL (segment)Referring to the EDL
definition
Primitive data types
Policy specification
13 November 2003 WiSA 18
Slicing Results (Kazaa)
gethostbyname(cydor.com…)= 209.10.17.137
connect(544, 209.10.17.137,…) connect(1337, 209.10.17.137,…)
send(544,…) recv(1337,…)
closesocket(544) closesocket(1337)
Slicing from gethostbyname on
addr: 209.10.17.137
Slicing from gethostbyname on
addr: 209.10.17.137
Slicing fromconnect onsocket: 544
Slicing fromconnect on
socket: 1337
13 November 2003 WiSA 19
Performance Results
0%0%Original
5.9%2.7%Kazaa
1.7%0.8%RealOne Player
97%21%SSH Client
WithLogging
W/O Logging
69KB7KB62KBOriginal
45KB
42KB
42KB
Data
139KB94KBKazaa
136KB94KBRealOne Player
136KB94KBSSH Client
TotalText
Runtime Overhead Memory Overhead
13 November 2003 WiSA 20
Contact Information
• Prof. S. Jha– email:
[email protected]• Prof. B. Miller
– email: [email protected]
• Prof. T. Reps– email:
• Computer Sciences Dept. 1210 West Dayton Street Madison, WI 53706
Project home pagehttp://www.cs.wisc.edu/wisa
13 November 2003 WiSA 21
Clients
Codesurfer
IDA Pro
BREW
Connector
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
ProgramModel
13 November 2003 WiSA 22
Clients
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
EEL
ProgramModel
13 November 2003 WiSA 23
Clients
Model-Based Intrusion Detection
Binary
GenerateCode
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
EEL
Build DDG
Data Dependence Graph
ProgramModel