1 / 39

Analyzing and Detecting Network Security Vulnerability

Analyzing and Detecting Network Security Vulnerability. Weekly report. Approach. Do some statistics on Cisco Advisories. Classification methodology (on-going) Classify the Advisories in various ways. Read and classify Cisco advisories (on-going) Select one Advisory from each category.

erasto
Télécharger la présentation

Analyzing and Detecting Network Security Vulnerability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analyzing and DetectingNetwork Security Vulnerability Weekly report Fan-Cheng Wu

  2. Approach • Do some statistics on Cisco Advisories. • Classification methodology (on-going) • Classify the Advisories in various ways. • Read and classify Cisco advisories (on-going) • Select one Advisory from each category. • Find the root cause by reading program diff files, engineering notes, or interview development engineers. • For each Advisory/vulnerability category, develop ways to parse programs to look for such vulnerability. • Write the parser with the above detection capability. Fan-Cheng Wu

  3. Initial start Weekly report2007/08/17 Fan-Cheng Wu

  4. Weekly Report Fan-Cheng Wu

  5. Cisco Advisories Fan-Cheng Wu

  6. Example for Vulnerability Classification Characteristic tree for protocol vulnerabilities A network time protocol (NTP) exploit Fan-Cheng Wu

  7. Analyzing Cisco Advisories Weekly report2007/08/23 Fan-Cheng Wu

  8. Outline • Overview Cisco advisories • Classifying Cisco advisories • Tools to detect problems in code • Secure coding Fan-Cheng Wu

  9. Overview Cisco Advisories • What information does Cisco advisory provide? • For example: [Multiple Vulnerabilities in the IOS FTP server] Table of Content Fan-Cheng Wu

  10. Overview Cisco Advisories (cont.) • Details  Cause • Impact  Symptom Protocol Cause Symptom Fan-Cheng Wu

  11. Overview Cisco Advisories (cont.) • Vulnerability Scoring Details Fan-Cheng Wu

  12. Example for Vulnerability Classification Characteristic tree for protocol vulnerabilities A network time protocol (NTP) exploit Fan-Cheng Wu

  13. Classifying Cisco Advisory • For example: [Multiple Vulnerabilities in the IOS FTP server] • Information in advisory • Protocol, Cause, Symptom, Access, Impact … • Impossible to classify advisory by Improper authorization checking in IOS FTP server IOS reload when transferring files via FTP Design flaw? Implementation flaw? Fan-Cheng Wu

  14. Detecting Vulnerability • Design flaw • Function extraction [1] • Implementation flaw • Secure coding [2] [1] Pleszkoch, M. & Linger, R. “Improving Network System Security with Function Extraction Technology for Automated Calculation of Program Behavior.” IEEE Computer Society Press, 2004. [2] “Secure coding,” http://www.securecoding.cert.org/ Fan-Cheng Wu

  15. Detecting Design Flaw Fan-Cheng Wu

  16. Implementation flaw • Language • C • Preprocessor • Memory management • Array • … • C++ Fan-Cheng Wu

  17. Classification Methodology for Vulnerability Weekly report2007/09/14 Fan-Cheng Wu

  18. Outline • Previous work • Landwehr’s taxonomies [1] • Bishop’s taxonomies [2] • Piessen’s taxonomy [4] • Du’s categorization [3] • Engle’s tree classification[5] • Applying Engle’s scheme to Cisco advisory Consider single dimension Consider multiple dimensions Fan-Cheng Wu

  19. Landwehr’s taxonomies • By Genesis • By Time of introduction • By Location Ambiguous ill-defined Fan-Cheng Wu

  20. Bishop’s taxonomies • Describing the vulnerabilities in a form which useful for the intrusion detection mechanisms • Each vulnerability is classified by • The nature of the flaw • The time of introduction • The exploitation domain of the vulnerability • The effect domain • … Fan-Cheng Wu

  21. Piessen’s taxonomy • Classifying with software life-cycle Fan-Cheng Wu

  22. Du’s categorization • Describing security flaw in several area • Categorization of sample security flaws Fan-Cheng Wu

  23. Engle’s tree classification • Vulnerabilities may fall into multiple classes. • Classification steps: • Define characteristic set for vulnerability • Create characteristic tree by bottom-up approach • Classify vulnerability • For example: Complete characteristic tree Characteristic tree for {Q, Heart} Step 2 Step 1 Fan-Cheng Wu

  24. Previous Works • A table for summarizing previous works (not ready) Fan-Cheng Wu

  25. Complete Characteristic Tree for exploit Exploit Vulnerability Symptoms DoS Landwehr's taxonomyGenesis Landwehr's taxonomy Time of introduction Privilege escalation InformationDisclosure Trojan horse Trapdoor Design Maintenance Fan-Cheng Wu

  26. Classifying CSCek55259 Improper authorization checking in IOS FTP Exploit CSCek55259 Vulnerability Symptoms Privilege escalation Genesis Time of introduction Inadvertent During Development Identification/Authentication … Specification/Design Fan-Cheng Wu

  27. Reference • Landwehr CE, Bull AR, McDermott JP, et al. "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, 1994,26(3):211-254. • Matt Bishop, "A Taxonomy of UNIX System and Network Vulnerabilities," Technical Report CSE-95-10, Department of Computer Science, University of California at Davis, May 1995. • Du W,Mathur A P, "Categorization of software errors that led to security breaches," Proceedings of the 21st National Information Systems Security Conference (NISSC' 98), 1998. • F. Piessens, "A taxonomy of causes of software vulnerabilities in Internet software," Proceedings of the. 13th International Symposium on Software Reliability Engineering, Annapolis, Maryland, USA, November 2002. • Sophie Engle, Sean Whalen, Damien Howard, "Tree Approach to Vulnerability Classification", Technical Report CSE-2006-10, Dept. of Computer Science, University of California at Davis, May 2006. Fan-Cheng Wu

  28. Exploit CSCek55259 <exploit id="CSCek55259" desc="Improper authorization checking in IOS FTP"> <vulnerability> <genesis> <identification> </identification> </genesis> </vulnerability> <time> <development> <design></design> </development> </time> <symptom> <dos></dos> <privilege></privilege> </symptom> </exploit> Vulnerability Symptoms Genesis Time of introduction Inadvertent During Development Specification/Design Identification/Authentication … DoS Privilege escalation Fan-Cheng Wu

  29. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits [1] Weekly report2007/09/28 [1] Newsome J,Song D. Dynamic Taint Analysis for Automatic Detection,Analysis, and Signature Generation of Exploits on Commodity Software. Proceedings of the 12th Annual Network and Distributed System Security Symposium(NDSS 2005), 2005 Fan-Cheng Wu

  30. Outline • Goal • Fine-grained attack detector for commodity software • Automatic tools for signature generation • Design and Implementation • Evaluation • Precision • Performance • Attack Detector • Automatic Signature Generation Fan-Cheng Wu

  31. Goal • Fine-grained attack detector for commodity software • Fine-grained attack detector • No need to recompile source code and libraries • Automatic tools for signature generation Fan-Cheng Wu

  32. Monitoring program in run-time • In order to monitor program in run-time, we run PUT(program under test) on a virtual machine. • Valgrind [2] • An open-source virtual machine on Linux • Providing skin(tool) mechanism to instrument program in various ways • TaintCheck, a skin of Valgrind that • marks untruthful input as tainted (TaintSeed) • traces tainted data (TaintTracker) • checks whether policies is violated by instructions (TaintAssert) [2] Valgrind, http://valgrind.org/ Fan-Cheng Wu

  33. System Architecture Analyzing TaintAssert’s log to useful information about how the exploit happened Program Under Test Exploit Analyzer Valgrind [Skin ]MemCheck [Skin] TaintCheck TaintSeed TaintTracker TaintAssert Basic Infrastructure OS Hardware Fan-Cheng Wu

  34. False Positive • Possible cause of false positive • The program contains a vulnerability that should be fixed • The program performs sanity checks on the tainted data before it is used • Evaluation • Tested 13 programs • False positive is produced in 2 programs when reading data from configuration file as an offset to a jump address Fan-Cheng Wu

  35. False Negative • Possible cause of false negative • Tainted attribute of flags is not considered, for example: Suppose x is tainted if ( x == 1 ) y=1; else if ( x == 2 ) y=2; … is semantically the same asx = y • Tainted data is used as an index into a table. • TaintCheck is configured to trust input that should not be trusted. Fan-Cheng Wu

  36. Performance • CPU-bound: bzip2 • Short-lived: cfingerd Fan-Cheng Wu

  37. Performance (cont.) • Common case: Apache Fan-Cheng Wu

  38. Attack Detector • Performance overhead • Using TaintCheck with • sampling • anomaly detection Fan-Cheng Wu

  39. Automatic Signature Generation • Identifying the value used to overwrite a function pointer or return address Fan-Cheng Wu

More Related