ebook img

DTIC ADA454761: Automated Discovery of Mimicry Attacks PDF

0.17 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA454761: Automated Discovery of Mimicry Attacks

Automated Discovery of Mimicry Attacks JonathonT.Giffin,SomeshJha,andBartonP.Miller ComputerSciencesDepartment,UniversityofWisconsin {giffin,jha,bart}@cs.wisc.edu Abstract. Model-based anomaly detection systems restrict program execution by a predefined model of allowed system call sequences. These systems are usefulonlyiftheydetectactualattacks.Previousresearchdevelopedmanually- constructedmimicryandevasionattacksthatavoideddetectionbyhidingama- liciousseriesofsystemcallswithinavalidsequenceallowedbythemodel.Our work helps to automate the discovery of such attacks. Westart with two mod- els: aprogram model of the application’s system call behavior and a model of security-criticaloperatingsystemstate.GivenunsafeOSstateconfigurationsthat describe the goals of an attack, we then find system call sequences allowed as valid execution by the program model that produce the unsafe configurations. Ourexperimentsshowthatwecanautomaticallyfindattacksequencesinmodels ofprogramssuchaswu-ftpdandpasswdthatpreviouslyhaveonlybeendis- covered manually. Whenundetected attacksarepresent, wefrequently findthe sequenceswithlessthan2secondsofcomputation. Keywords:IDSevaluation,modelchecking,attacks,model-basedanomalydetection 1 Introduction A model-basedanomalydetectorrestrictsallowedprogramexecutionbyapredefined modelofacceptablebehavior[6,8,12,14,19,23].Thesesystemscompareasequenceof systemcallsgeneratedbytheexecutingprogramagainstthemodel.Thedetectorclas- sifiesanysystemcallsequencethatdeviatesfromthemodelasmaliciousandindicative ofaprogramexploit.Theabilityofthemodeltodetectactualattacksdependsuponthe implicitassumptionthatattacksalwaysappeardifferentthanvalidexecution. An attack that is accepted by the model as valid will not cause an anomaly and will not be detected (Fig. 1). Mimicry and evasion attacks avoid detection by trans- formingan attack sequenceof system calls so thatit is acceptedbya programmodel yet still carries out the same malicious action. Previous research found examples of mimicry attacks against high-privilege processes restricted by a model-based detec- tor[20–22,24].However,theattackswereconstructedmanuallybyiteratingbetweenan attacksequenceandaprogrammodeluntiltheattackcouldbemadetoappearnormal. Althoughthese manually-constructedattacksservedasa successfulproof-of-concept, manualapproachesremainunsuitableasageneralattackdiscoverystrategy. Thispaperautomatesthediscoveryofmimicryattacks.Ourintentisnottopropose anewdetectionsystembutrathertoprovidethemeanstoevaluateanexistingprogram model’sabilitytodetectattacks.Weaddresstwoprimaryquestions: Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2006 2. REPORT TYPE 00-00-2006 to 00-00-2006 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Automated Discovery of Mimicry Attacks 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION University of Wisconsin,Computer Sciences REPORT NUMBER Department,Madison,WI,53706 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 20 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 Σ∗ L(M) Attacks Detected attacks Undetected attacks Fig.1.IfΣ isthesetofsystemcalls,thenΣ∗ istheinfinitesetofallpossiblesystemcallse- quences.AprogrammodelM acceptsasubsetofsystemcallsequencesL(M)asvalidprogram execution.Anyattacksequenceacceptedasvalidisamissedattack. – Whatattacksdoesaprogrammodelfailtodetect? – Whatattackscanweprovethatamodelwillalwaysdetect? Findingmissed attacksrevealsthe weaknessesof a programmodeland indicatesthat amodel-baseddetectorprovidesinsufficientsecurityforthatparticularprogram.Con- versely, proving that a model always detects an attack establishes strong indications thata computersystem usingmodel-baseddetectionis secure,evenwhenan attacker attemptstohideanattackwithinlegitimateexecution. Anattackisanysequenceofsystemcallsthatproducesa maliciouschangetothe operatingsystem(OS).Foragivenattacksequence,anattackercanproducevariations ofthesequencehavingthesameattackeffectbyinsertingextraneoussystemcallsinto the sequence or replacing existing system calls with alternative sequenceshaving the sameeffect.Aprogrammodelthatdetectsonesequencemayallowadifferent,obfus- catedsequence.Thenetresultremainsthesame:themodelfailstodetectanattack.We mustverifythatamodeldetectseachoftheattackvariants. We use a novelformalism thatrequiresneither knowledgeof particularattack se- quencesnorknowledgeofparticularobfuscationsthattrytohidethosesequencesfrom a detector.We developa modelofanOS withrespectto its security-criticalstate and thencharacterizeattacksonlybytheireffectupontheOS.Thisleveragesakeyinsight: thecommonalityamongthe obfuscatedattack sequencesisthatthesequencesarese- manticallyequivalentwithrespecttotheirmaliciouseffectupontheOS.Althoughwe manuallyproducetheOSmodelandthedefinitionsofmaliciousOSstate,thisisaone- timeeffortthatisreusedforsubsequentanalysesofallmodelsofprogramsexecuting onthatoperatingsystem. The program model specifies what sequences of system calls are allowed to exe- cute. By specifying how each system call transformsthe OS’s state variables, we are able to compute the set of OS configurations reachable when a program’s execution is constrainedby the model.We applymodelchecking[4]to provethatno reachable configurationcorrespondstotheeffectofanattack.Iftheprooffails,thensomesystem callsequenceallowedbythemodelproducesthemaliciouseffect.Themodelchecker reportsthissequenceasacounter-examplethatcausedtheprooftofail,providingpre- cisely an undetected attack as output. In terms of Fig. 1, we are finding system call sequencescontainedinL(M)∩AttackswithoutexplicitlycomputingthesetAttacks ofmalicioussystemcallsequences. Thisapproachautomatesthepreviousmanualeffortoffindingmimicryattacks.In experiments,weshowthatwecanautomaticallydiscoverthemimicryattackagainstthe Stide[8]modelforwu-ftpd[24]andtheevasionattacksagainsttheStidemodelsfor passwd, restore,and traceroute [20–22].The modelcheckingprocesscom- pletedinabout2secondsorlesswhenundetectedattackswerepresentinthemodels. Whenamodelissufficientlystrongtodetectanattack,themodelcheckingalgorithm willreportthatnoattacksequencecouldbefound.Thisrequiresexhaustivesearchand completedin75secondsorless forallattacksdetectedbythemodelsofthe fourtest programs.Notethatproofsofsuccessfuldetectionholdonlywithrespecttoourabstrac- tion ofthe OS state. If this abstractioniserroneousor incomplete,undetectedattacks maystillbepresentwhenusingthemodeltoprotectacompleteoperatingsystem. Our work addressesoutstandingproblemsin model-basedanomalydetection.We provideamethodformodelevaluationthatexhaustivelysearchesforsequencesofsys- temcallsallowedasvalidbyaprogrammodelbutthatinduceamaliciousconfiguration ofOS state. Althoughourcurrentworkevaluatesthe context-insensitiveStide model, wehavedesignedoursystemsothatitcanevaluateanyprogrammodelexpressibleas a context-sensitive pushdown automaton (PDA). One of our long-term goals, not yet realized,istocomparethedetectioncapabilitiesofdifferentmodeldesignsproposedin theliterature. Insummary,thispapermakesthefollowingcontributions: – Automateddiscoveryofmimicryattacks.Weusemodelcheckingtofindsequences ofsystemcallsacceptedasvalidbyaprogrammodelbutthathavemaliciouseffects upon the operating system. Our system produces the exact sequences of system calls,witharguments,thatcomprisetheundetectedattacks. – Asystemdesignwhereattacksequencesandobfuscationsneednotbeknown.Our systemdoesnotrequirethatattacksystemcallsequencesbeknownorenumerated. Infact,westrivefortheopposite:oursystemwillautomaticallyfindnew,unknown attacksequencesacceptedbyaprogrammodelandwillproducethosesequencesas output.Likewise,weautomaticallyfindtheobfuscationsusedbyattackerstohide attack system calls within a legitimate sequence.As a result, our approachis not limitedbyaprioriknowledgeofattackerbehavior. Section2presentsrelatedworkinmanualattackanalysis.Section3givesanover- view of our system. Section 4 describes the operating system abstraction and Sect. 5 explainshowamodelcheckerusesthatabstractiontofindundetectedattacksinapro- grammodel.Section6presentsthearchitectureofourimplementation,andSect.7uses thatimplementationtodemonstrateexperimentallythatwe haveautomatedthe previ- ouslymanualprocessofdiscoveringundetectedattacks. 2 Related Work The seminalresearch on mimicry [9,24] and evasion attacks [20–22] demonstrateda criticalshortcomingofmodel-basedanomalydetection.Attackerscanavoiddetection by altering their attacks to appear as a program’snormalexecution.These altered at- tacks are sequences of system calls allowed by a program model but that still cause maliciousexecution.Previouswork constructed mimicryand evasion attacks by con- vertingsomedetectedattacksystemcallsequenceAintoanequivalentundetectedse- quenceA′.IfAandA′aresemanticallyequivalentandA′isasequenceallowedbythe programmodel,thenA′isasuccessful,undetectedattack. DeterminingthatamodelexpressedasapushdownautomatonacceptsA′isacom- putable intersection operation provided that A′ is regular; finding a sequence A′ to intersectisamanual,incompleteprocedurewithseveraldrawbacks: – TheprocedurerequiresknownattacksequencesA. – Theequivalenceoftwosystemcallsequencesisnotwelldefined.Forexample:an undetected attack sequence A′ may include legitimate execution behavior that is irrelevanttotheoriginalattacksequenceA.AreAandA′equivalent? – There is no clear operationaldirection to find mimicry and evasion attacks auto- matically.Identifyingtwosequencesasequivalentattackswasamanualprocedure basedonintuition.Therewasnoalgorithmicprocessamenabletoautomation. Ourmodelevaluationtakesa differentapproachthatadvancesthestate ofthe art.By defining attacks only by their malicious effects upon the system, our work is not re- stricted to known attack sequences of system calls or known attack transformations producing evasive attacks. Attack sequences are not part of the input to our system; infact,ourworkproducesthesequencesasitsoutput.We canfurtherdefinetwosys- tem call sequences as equivalent with respect to the attack if they produce the same malicious effect upon the operating system. This formalism provides the operational directionallowingourworktoautomatetheprocedureoffindingundetectedattacks. Previousattempts have been made to quantify the ability of a modelto detect at- tacks. Average branching factor (ABF) [23] calculates, for any finite-state machine model, the average opportunity for an attacker to undetectably execute a malicious system callduringa program’sexecution.A predefinedpartitioningdividestheset of systemcallsinto“safe”callsand“potentiallymalicious”calls.Astheruntimemonitor followspathsthroughthe automatonin responseto system calls executedby the pro- gram, it looks ahead one transition to determine the number of potentially malicious callsthatwouldbeallowedasthenextoperation.Theaveragebranchingfactoristhen the sum of the potentiallymaliciouscalls dividedby the numberof system calloper- ations verified duringexecution.An extension to average branchingfactor, called the average reachability measure (ARM) [10], similarly evaluated pushdown automaton models. Althoughthesemeasurementsprovideaconvenientnumericscoreenablingmodel comparisons,theydonotprovideaclearmeasureofamodel’sabilitytoactuallydetect attacks.Thesemetricsdonoteffectivelyembodyanattacker’sabilities: – An attacker may alter a program’s execution to reach a portion of the program modelthat admits an attack sequence by first passing througha sequence of safe systemcalls.Byonlylookingatthefirstsystemcallbranchingawayfromabenign executionpath,ABFandARMfailtoshowthestrengthofonemodeloveranother. – The ABF or ARM value computed depends upon the benign execution path fol- lowedandhenceuponprograminput.Acompleteevaluationofthemodelrequires computingthescorealongallpossibleexecutionpaths.Thisisextremelychalleng- inganditselfformsanentirebodyofresearchintheprogramtestingarea. – Attacksfrequentlyarecomprisedofasequenceofsystemcalls.Thepreviousmet- rics look at each system call in isolation and have no way to characterize longer attacksequences. Consequently,thesemetricsprovidelimitedinsightintoamodel’sabilitytodetectat- tacks.Ourworkimprovestheevaluationofaprogrammodel’sattackdetectionability bydecouplingtheevaluationfrombothaparticularexecutionpathandfromtheneed todescribemaliciousactivityasunsafesystemcalls. MOPS[3] is similar to our workin the first aspect: it statically checksa program modeltodeterminepropertiesofthemodel.Unlikeourwork,however,MOPScharac- terizesunsafeorattackbehaviorasregularexpressionsoversystemcallsandrequires userstoprovideadatabaseofmalicioussystemcallpatterns.Justascommercialvirus scanners syntactically match malicious byte sequences against program code, MOPS syntacticallymatchesunsafesystemcallsequencesagainstaprogrammodel.Likewise, whenanewmaliciousbehaviorisdiscovered,thedatabaseofsystemcallpatternsmust be updated. Conversely, by understanding the semantics of system calls, the system in our paper does not require known malicious system call sequences, and it in fact automatically discovers them for the user. Our work is not tied to known patterns of malicioussystemcallexecution. Modelcheckingis a generictechniqueusedto verifypropertiesofstate transition systems,andithasbeenappliedpreviouslytocomputersecurity.Bessenetal.[2]de- scribedhowmodelcheckerscanverifysafetyproperties[16]expressedinlinear-time temporallogic(LTL).Theyverifiedthepropertiesoverannotatedcontrol-flowgraphs, whereboththegraphandtheannotationsexpressingsecuritypropertiesoftheprogram code came from some unspecifiedsource. We analyzeautomatically constructedpro- grammodels,andourmodelcheckingprocedureautomaticallyderivessecurityprop- ertiesofthemodelasittraversesthemodel’sedges. Guttmanetal.usedmodelcheckingtofindviolationsofinformation-flowrequire- mentsinSELinuxpolicies[13].TheymodeledtheSELinuxpolicyenforcementengine andthewaysinwhichinformationmayflowbetweenmultipleprocessesviaafilesys- tem.Theycouldthenverifythatanyinformationflowwasmediatedbyatrustedprocess onthesystem.Ourworkhasadifferentgoal:verificationofsafetypropertiesusingan OSmodelwheresystemcallsalterOSstate. Ramakrishnan and Sekar [15] used model checking to find vulnerabilities in the interaction of multiple processes. They abstracted the file system and specified each program’sexecutionasafilesystemtransformer.Theprogramspecificationswerecom- plicatedbytheneedtocharacterizeinterprocesscommunication.Ourworkexpandsthe system abstractionto includethe entireoperatingsystem, shifts the checkedinterface fromcoarse-grainedprocessexecutiondowntosystemcalls,andhasnoneedtomodel communicationchannelsbetweenprocesses. Walker et al. used formal proof techniques to verify properties of a specification of a UNIX security kernel [25]. This work is notable because the authors rigorously provedthattheabstractspecificationofthekernelmatchedtheactualimplementation. Asaresult,propertiesprovedusingtheabstractionalsoholdtrueintherealoperating system. Due to the difficulty of producingproofsof correctspecifications,little other research actually demonstrates that abstractions are accurate. We adopt this simpler approach:weproducedouroperatingsystemabstractionmanuallyandhavenotproved itcorrect.Asaresult,discoveredattacksorproofsoftheabsenceofattacksholdonly withrespecttotheabstraction.Adiscoveredattackcanbevalidatedbyactuallyrunning the system call sequence againsta sandboxedoperatingsystem. Conversely,if we do notfindanyattack,thenthisprovidesgoodindicationthattheprogrammodelissecure eventhoughthisisnotprovablytrueintherealoperatingsystem. 3 Overview Weprovidehereanoverviewofmodel-basedanomalydetection,includingtheattacker threatsaddressed,context-sensitiveprogrammodels,andthepurposeofattackdiscov- ery. 3.1 ThreatModel Oursystemautomaticallyconstructsundetectedattacksequencespossiblewithinapar- ticularthreatmodel.Thisthreatmodelissimpleandstrong: Let Σ be the set of system calls invoking kernel operations. If program P is under attacker control, then P can generate any sequence of system calls A∈Σ∗. Attackersmaysubvertavulnerableprogram’sexecutionatanyexecutionpoint,includ- ingthepointofprocessinitialization.Attackerscanthenarbitrarilyalterthecodeand dataoftheprogram,andcanevenreplacetheprogram’sentirememoryimagewithan image of their choosing. Alternatively,the attacker could replace the disk image of a programwith,forexample,atrojanbeforetheOSloadstheprogramforexecution.The attackercangenerateanysequenceofsystemcallsandsystemcallarguments,andthe operatingsystemwillexecutethecallswiththeprivilegeoftheoriginalprogram. This threat model matches real-world attacks. In remote execution environments, programsexecuteonremote,untrustedmachinesbutsendasequenceofremotesystem callsbackto a trusted machineforexecution.Anattackercontrollingthe remotehost canarbitrarilyalterorreplacetheremoteprogram.Theattacker’sprogramimagecan thensendmalicioussystemcallsbacktothetrustedmachineforexecution[11]. Common network-based attacks against server programs have a more restrictive threatmodel.Attackerscansubvertexecutiononlyatpointsofparticularprogramvul- nerabilitiesandfacegreaterrestrictionsintheattackcodethattheycanthenexecute.As aresult,ifoursystemprovesthataprogrammodeldetectsanattackinthestrongthreat model, it will also detect the attack in a more restrictive model. However, successful attacksdiscoveredbyoursystemarespecifictothestrongthreatmodel.Althoughthe program model would fail to detect the attack sequence even in the restricted threat model,arestrictedattackermaybeunabletocausetheprogramtoexecutethatattack. Oursystemcurrentlydoesnotmakethisdeterminationandwillreportallattacksdis- coveredinthestrongthreatmodel. Considertheexamplein Fig.2.Thisisavulnerableprogramthatreadscommand characters and filenames from user input. This input may come from the network if void main (void) { char input[32]; gets(input); if (input[0] == ‘x’) { setreuid(42, -1); syslog(1, "Execing file"); execve(input+2, 0, 0); } else if (input[0] == ‘e’) { struct stat buf; syslog(1, "Echoing file"); stat(input+2, &buf); int fd = open(input+2, O RDONLY); void *filedata = mmap(0, buf.st size, PROT READ, MAP PRIVATE, fd, 0); write(1, filedata, buf.st size); } } Fig.2.Codeexample.Weshowsystemcallsinboldfaceandlibrarycallsinitalics.Theunsafe calltogetsallowsanattackertoexecutearbitrarycode. theprogramislaunchedbyanetworkserviceswrapperdaemonsuchasxinetd.The command-codeandargumentinputresemblestheusageofprogramssuchasftpservers orhttpservers.Supposethattheprogramisexecutedwithstoredbutinactiveprivilege: itsrealandeffectiveuserIDsarealow-privilegeuser,butthesaveduserIDisroot.If the inputcontainsthe commandcharacter‘x’,then theprogramdropsallof its saved privilegeandexecutesafilenamegivenintheinput.Iftheinputcontainsthecommand character‘e’,thentheprogramechoesthecontentsofaspecifiedfiletoitsoutput,which maybeanetworkstream. Inourthreatmodel,anattackercanarbitrarilyaltertheexecutionofthisprogram. Perhapstheattackerexploitsthevulnerablegetscall;perhapstheyuseanattackvector thatwehavenotconsidered.Theattackercancausetheprogramtoexecuteanysystem call, including system calls not contained in the original program code. The role of host-basedintrusiondetectionistodetectanysuchsubvertedprogramexecution. 3.2 ProgramModel Readers familiar with pushdown automaton (PDA) models may elect to bypass this section, as it presents backgroundmaterial and standard notation previously used for PDA-basedprogrammodels. Model-basedanomalydetectionrestrictsallowedexecutiontoaprecomputedmodel of allowed behavior. A program model M is a language acceptor of system call se- quencesandisanabstractrepresentationoftheprogram’sexpectedexecutionbehavior. If Σ denotes the alphabet of system calls, then L(M) ⊆ Σ∗ denotes the language accepted by M. A system call sequence in L(M) is valid; sequences outside L(M) indicateanomalousprogramexecution.Inthispaper,weimplementa programmodel asanon-deterministicpushdownautomaton(PDA). Definition1. A pushdown automaton (PDA) is a tuple M = hS,Σ,Γ,δ,s0,Z0,Fi, where – S isasetofstates; – Σisasetofalphabetsymbols; – Γisasetofstacksymbols; – δ ⊆{hs,γi→σ hs′,γ′i|s∈S,γ ∈Γ ∪ǫ,σ ∈Σ∪ǫ,s′ ∈S,γ′ ∈Γ ∪ǫ}; – s0 ∈S inaninitialstate; – Z0 ∈Γ∗isaninitialstackconfiguration; – F ⊆S isasetoffinalstates. APDAmodelhasclosetiestoprogramexecution.Astatecorrespondstoaprogram pointintheprogram’scode.Theinitialstatecorrespondstotheprogram’sentrypoint. The final states correspondto programterminationpoints, which generally follow an exitsystemcall.Thealphabetsymbolsarethesystemcallsgeneratedbyaprogramas itexecutes.Thestacksymbolsarereturnaddressesspecifyingtowhereafunctioncall returns. The initial stack Z0 is empty, as a program begins execution with no return addressesonitscallstack. Thetransitionrelationδ describesvalidcontrolflowswithinaprogram.OurPDA modelhasthreetypesoftransitions: – System calls: hs,ǫi →σ hs′,ǫi for σ 6= ǫ indicates that the programcan generate systemcallσwhentransitioningfromstatestostates′.ThePDAstackoffunction callreturnaddressesremainsunchanged. – Functioncalls:hs,ǫi→σ hs′,γiforγ 6=ǫindicatesthattheprogrampushesreturn addressγ onto the callstack whentransitioningfromstate s to s′. Here, s corre- spondstoafunctioncall-siteintheprogramands′ correspondstotheentrypoint ofthecall’sdestination. – Function returns: hs,γi →σ hs′,ǫi for γ 6= ǫ indicates that the programreturns fromafunctioncallandpopsreturnaddressγ fromthecallstack.Thistransition can be followed only when γ is the top symbol of the PDA stack. The state s correspondsto a programpoint containing a function return instruction and s′ is theprogrampointtowhichcontrolisactuallyreturned. Manyprogrammodeldesignsproposedinacademicliteraturearenotpresentedas pushdownautomata.However,thegeneralityofaPDAallowsustocharacterizethose modelsasPDAsuitableforanalysisusingthetechniquespresentedlaterinthispaper. Thecontext-freelanguagesrecognizedbyPDAcompletelycontaintheclassofregular languages. All program models of which we are are aware accept either regular or context-freelanguages,andhencecanalwaysbecharacterizedbyaPDA.Thisincludes: – window-basedmodels,suchastheStidemodel[8](Fig.3a)orthedigraphmodel [23](Fig.3b); – non-deterministicfiniteautomata(NFA)[12,14,19,23](Fig.3c); – bounded-stackPDAs[11]; – deterministicPDAs,suchastheVPStaticmodel[6]; – stack-deterministicPDAs,suchastheDyckmodel[6];and – non-deterministicPDAs[23](Fig.3d). push A read pop A setreuid push C push B read read write setreuid write read setreuid write pop B pop C write stat setreuid write ewxercitvee stat execve stat execve open ewxercitvee stat open open mmap open mmap mmap write write mmap write write (a)StideModel (b)DigraphModel (c)NFAModel (d)PDAModel Fig.3. Four different program models for the code of Fig. 2, each expressed as a pushdown automaton.Forsimplicity,weassumethatthegetsfunctioncallgeneratesthesystemcallread andthesyslogfunctioncallgenerateswrite. When a modelacceptsa regularlanguage,we simply have Γ = ∅ and transitionsin δ are only of the form hs,ǫi →σ hs′,ǫi. Althoughthe experimentsin Sect. 7 consider theStidemodel,a regularlanguageacceptor,weintentionallydesignedoursystemto analyzepushdownautomatasothatitisrelevanttoawidecollectionofprogrammodels ofvaryingstrength. Commensuratewithourthreatmodel,weassumethatanattackerhaspriorknowl- edgeoftheparticularprogrammodelusedtoconstrainexecutionofavulnerablepro- gram. The security of the system then relies entirely upon the ability of the program modeltodetectattacks. 3.3 FindingUndetectedAttacks WehavedevelopedamodelanalysissystemthatevaluatesaPDA-basedprogrammodel andfindsundetectedattacks.Ourdesignhasthreefeaturesofnote: – Itoperatesautomatically.Ausermustprovideaninitial,one-timeoperatingsystem abstraction that can then be reused to analyze the model of any program execut- ing on that operating system. This subsequent analysis requires no human input, allowingtheanalysistoscaleeasilytolargecollectionsofprogrammodels. – Attacks,whicharesequencesofsystemcalls,donotneedtobeknown.Infact,our systemprovidesattacksequencesasoutput. – System call arguments can significantly alter the semantic meaning of the calls. Whenoursystemfindsanundetectedattacksequenceofsystemcalls,itaddition- allyprovidesthesystemcallargumentsnecessarytoeffecttheattack.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.