Overview of the WiSA Infrastructure and Applications

Overview of the WiSAInfrastructure and Applications

Somesh Jha, Bart Miller, Tom Reps{jha,bart,reps}@cs.wisc.edu

Computer Sciences DepartmentUniversity of Wisconsin1210 W. Dayton Street

Madison, WI 53706-1685

13 November 2003 WiSA 2

Codesurfer

IDA Pro Clients

BREW

Connector

Architecture

Binary

Value-SetAnalysis

GenerateCode

DetectMalicious Code

Detect BufferOverrunBuild SDG

Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

Control Flow Graphs System

Dependence Graph


Codesurfer

IDA Pro Clients

BREW

Connector

Code Generation

Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary


Dynamic Buffer Overflow Detection• Detect buffer overflows that alter return

addresses

• Rewrite binary programs to detect and correct programming flaws– Return address verification – Safe string operations

• Jonathon Giffin, Hao Wang


Codesurfer

IDA Pro Clients

BREW

Connector

Dynamic Buffer Overflow Detection

Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary


Malicious Code Detection• Detect viruses and other malware mutated

using obfuscation transformations

• Use static analysis to locate malicious code fragments embedded in a program– Deobfuscate program code– Identify malicious code sequences split across

procedure calls

• Mihai Christodorescu, Somesh Jha


Codesurfer

IDA Pro Clients

BREW

Connector

Malicious Code Detection

Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary


Static Buffer Overflow Detection• Incorporate buffer overrun detection for C source

code in a program understanding framework

• Flow-insensitive, partly context-sensitive• Formulate and solve problem as linear program• Two solvers developed

– Fast and approximate– Mathematically precise

• Vinod Ganapathy, Somesh Jha


Codesurfer

IDA Pro Clients

BREW

Connector

Static Buffer Overflow Detection

Binary

Value-SetAnalysis

GenerateCode


Detect BufferOverrun

Parse C

Build SDG

Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

SourceCode


Value-Set Analysis• Create an Intermediate-Representation (IR) for an

x86 binary (for further analysis)

• IR – similar to that of a C compiler– CFG, used, killed, may-killed variables, points-to sets, etc.– Key challenge - understanding memory operations

• No symbol-table/debug information• Explicit memory addresses• Indirect addressing • Pointer arithmetic

• Gogul Balakrishnan, Tom Reps


Codesurfer

IDA Pro Clients

BREW

Connector

Value-Set Analysis

Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary


Model-Based Intrusion Detection• Detect attempts to subvert processes

• Specify constraints upon program behavior– Statically constructed execution model– Dyck model: efficient & context-sensitive

• At run-time, ensure execution obeys model

• Jonathon Giffin, Somesh Jha, Barton Miller


Codesurfer

IDA Pro Clients

BREW

Connector

Model-Based Intrusion Detection

Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

ProgramModel


Future Directions• Support multiple architectures• Include new static analyses• Expand rewriting API• Develop architecture-independent rewriter

interface for code creation & insertion


Trace Analyzer

EDL/ESL CompilerApplication ESL

EDLEDL

Pol

icy

Enf

orce

r

Eve

nt In

terc

epto

r

.

.

.call A

call B

Application

.

.

.

syscall B

OS

syscall A

SandboX86


Trace Analyzer

EDL/ESL CompilerApplication ESL

EDLEDL

Pol

icy

Enf

orce

r

Eve

nt In

terc

epto

r

.

.

.call A

call B

Application

.

.

.

syscall B

OS

syscall A

SandboX86


ESL for Kazaa

edl "c:\malware\kazaa.edl"

map ipaddr

string blocked = "cydoor|doubleclick|adserver|…”

match gethostbyname(name) -> allow << addHash(ipaddr, ret, name)>>

match connect(addr, socket, << isHashed(addr) >> ) -> deny

match connect(sockaddr, socket, << regex(blocked, gethostbyaddr(sockaddr) >> ) -> deny

ESL (segment)Referring to the EDL

definition

Primitive data types

Policy specification


Slicing Results (Kazaa)

gethostbyname(cydor.com…)= 209.10.17.137

connect(544, 209.10.17.137,…) connect(1337, 209.10.17.137,…)

send(544,…) recv(1337,…)

closesocket(544) closesocket(1337)

Slicing from gethostbyname on

addr: 209.10.17.137

Slicing from gethostbyname on

addr: 209.10.17.137

Slicing fromconnect onsocket: 544

Slicing fromconnect on

socket: 1337


Performance Results

0%0%Original

5.9%2.7%Kazaa

1.7%0.8%RealOne Player

97%21%SSH Client

WithLogging

W/O Logging

69KB7KB62KBOriginal

45KB

42KB

42KB

Data

139KB94KBKazaa

136KB94KBRealOne Player

136KB94KBSSH Client

TotalText

Runtime Overhead Memory Overhead


Contact Information

• Prof. S. Jha– email:

[email protected]• Prof. B. Miller

– email: [email protected]

• Prof. T. Reps– email:

[email protected]

• Computer Sciences Dept. 1210 West Dayton Street Madison, WI 53706

Project home pagehttp://www.cs.wisc.edu/wisa


Clients

Codesurfer

IDA Pro

BREW

Connector


Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

ProgramModel


Clients


Binary

Value-SetAnalysis

GenerateCode



Browse

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

EEL

ProgramModel


Clients


Binary

GenerateCode

Rewrite

BuildCFGs

ParseBinary

Build ProgramModel

GeneratedBinary

EEL

Build DDG

Data Dependence Graph

ProgramModel

Documents

Overview of the WiSA Infrastructure and Applications