Title: Formalizing Sensitivity in Program Models for Intrusion Detection
1 Formalizing Sensitivity in Program Models for Intrusion Detection
- Henry Hanping Feng, Yong Huang, University of Massachusetts, hfeng,yhuang_at_ecs.umass.edu
- Jonathon T. Giffin, Somesh Jha, Barton P. Miller, University of Wisconsin, giffin,jha,bart_at_cs.wisc.edu
- Wenke Lee, Georgia Institute of Technology, wenke_at_cc.gatech.edu
2 Important Ideas
- Formalizing program models facilitates understanding and comparison.
- Exposing additional program state improves monitoring speed and model accuracy.
- The VPStatic model reads the program's call stack.
- The Dyck model instruments binary code.
3 Model-Based Intrusion Detection
- Build a model of correct program behavior
- Model = automaton specifying all valid system call sequences
- Runtime monitor ensures execution does not violate the model
[Figure: User Process / Operating System]
4 Model-Based Intrusion Detection
- Model must be fast to operate
- Model must accurately represent the program
- Context-sensitive models restrict impossible paths
[Figure: User Process / Operating System]
5 Code Example
    char *filename;
    pid_t pid[2];
    int prepare(int index) {
        char buf[20];
        pid[index] = getpid();
        strcpy(buf, filename);
        return open(buf, O_RDWR);
    }
[Figure: model for prepare: getpid, open]
6 Code Example
    void action(void) {
        uid_t uid = getuid();
        int handle;
        if (uid != 0) {
            handle = prepare(1);
            read(handle, ...);
        } else {
            handle = prepare(0);
            write(handle, ...);
        }
        close(handle);
    }
[Figure: model for action: getuid, prepare, prepare, write, read, close]
7 NFA Model
[Figure: NFA model, Function action (getuid, prepare, prepare, write, read, close) and Function prepare (getpid, open)]
8 NFA Model
[Figure: NFA model, Function action and Function prepare: getuid, getpid, open, write, read, close]
9 Impossible Path Exploit
    void action(void) {
        uid_t uid = getuid();
        int handle;
        if (uid != 0) {
            handle = prepare(1);
            read(handle, ...);
        } else {
            handle = prepare(0);
            write(handle, ...);
        }
        close(handle);
    }
[Figure: model for action: getuid, prepare, prepare, write, read, close]
10 PDA Model
[Figure: PDA model, Function action and Function prepare: push X, getuid, getpid, push Y, pop X, open, pop Y, write, read, close]
11 PDA Problems
- Impossible paths still exist
- Non-determinism indicates missing execution information
- PDA run-time state explosion
  - ε-edge identifiers maintained on a stack
  - Stack non-determinism is expensive
  - post* algorithm cubic in automaton size
[Figure: PDA fragment: push X, getuid, getpid, push Y]
12 Determinize PDA
- Expand the input alphabet by exposing the stack operations and the target state of the transition
  - f(a,p,z) indicates consume input a, push z on the stack, and transition to state p.
  - g(a,p,z) for pop operations.
  - e(a,p) for operations with no stack activity.
- Result is a Deterministic PDA (or DPDA).
- Exposing only stack operations, we get a PDA with deterministic stack operations (or sDPDA).
13 NFA
- State non-determinism is cheap.
[Figure: state non-determinism, two unlink transitions]
14 Non-Deterministic PDA
- Stack non-determinism is expensive.
[Figure: state non-determinism, two unlink transitions]
15 Deterministic PDA (DPDA)
- VPStatic Model
- Model exposes stack operations and target states
- Possible exponential increase in model size?
[Figure: state non-determinism, two unlink transitions]
16 Stack-Deterministic PDA (sDPDA)
- Dyck Model
- Model exposes stack operations
- No increase in model size?
[Figure: state non-determinism, two unlink transitions]
17 Input Symbol Processing Complexity
[Table: per-symbol processing complexity of each model; not extracted]
- n is state count
- m is transition count
- k is PDA input alphabet size
- r is PDA stack alphabet size
18 VPStatic
- A variant of the VtPath model.
- DPDA.
- Generated by static analysis of the binary.
- Uses Addr(state) to expose states.
19 Determinizing via Observation
- Extract return addresses from the call stack into a virtual stack list for each system call.
- Generate a bunch of input symbols for each system call.
20 Determinizing via Observation
    char *filename;
    pid_t pid[2];
    int prepare(int index) {
        char buf[20];
        pid[index] = getpid();
        strcpy(buf, filename);
        return open(buf, O_RDWR);
    }
[Figure: return addresses Addr(C0), Addr(C1), Addr(C1) on the call stack; model states getpid, open]
Generated input symbols:
    e(open,Addr(Sopen))
    e(none,Exit(prepare)) g(none,Addr(C1),Addr(C1)) e(none,Addr(C0)) f(none,Entry(prepare),Addr(C0)) e(open,Addr(Sopen))
21 Dyck Model
[Figure: Dyck model with bracket symbols: X, push X, getuid, getpid, Y, push Y, pop X, open, X, Y, pop Y, write, read, close]
22 Dyck Model
- getuid X getpid open X read close
- getuid Y getpid open Y write close
- Matching brackets are alphabet symbols
- Expose stack operations to the runtime monitor
- Language of bracket symbols is a Dyck language
- Rewrite the binary to generate bracket symbols
23 Determinizing via Binary Rewriting
- Insert code to generate bracket symbols around function call sites
- Notify the monitor of stack activity
- Determinizes stack operations
    void action(void) {
        uid_t uid = getuid();
        int handle;
        if (uid != 0) {
            precall(X);
            handle = prepare(1);
            postcall(X);
            read(handle, ...);
        } else {
            precall(Y);
            handle = prepare(0);
            postcall(Y);
            write(handle, ...);
        }
        close(handle);
    }
24 Dyck Model
- Dyck model stack-determinizes the PDA
[Figure: stack non-determinism (push Y, push X) versus stack determinism (Y, X): only one valid stack configuration]
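As an added example that is not from the slides or from the authors' tools, the following Python monitor replays the action()/prepare() program's call sequences over a context-insensitive NFA model and over a Dyck model whose alphabet also contains the bracket symbols emitted by precall()/postcall() (slides 22 to 24). State names and traces are constructed for this example; the trace that enters prepare() at one call site and returns at the other is the impossible path of slide 9.

```python
# Added example, not from the slides or the authors' tools: a toy runtime monitor
# for the action()/prepare() program. Models map state -> {symbol: successor states};
# "" marks an epsilon edge. State names a0..a5, p0..p2 are constructed here.
NFA = {
    "a0": {"getuid": {"a1"}},
    "a1": {"": {"p0"}},                     # both call sites of prepare() enter p0
    "p0": {"getpid": {"p1"}}, "p1": {"open": {"p2"}},
    "p2": {"": {"a2", "a3"}},               # return edge merges to *both* call sites
    "a2": {"read": {"a4"}}, "a3": {"write": {"a4"}},
    "a4": {"close": {"a5"}}, "a5": {},
}
DYCK = dict(NFA)                            # same states; call/return edges carry brackets
DYCK["a1"] = {"push X": {"p0"}, "push Y": {"p0"}}   # precall(X) / precall(Y)
DYCK["p2"] = {"pop X": {"a2"}, "pop Y": {"a3"}}     # postcall(X) / postcall(Y)

def closure(model, configs):  # follow epsilon edges from each (state, stack) config
    todo, seen = list(configs), set(configs)
    while todo:
        state, stack = todo.pop()
        for succ in model.get(state, {}).get("", ()):
            if (succ, stack) not in seen:
                seen.add((succ, stack))
                todo.append((succ, stack))
    return seen

def run_monitor(model, stream, start="a0", accept="a5"):
    """True if the model explains the whole stream; an empty config set is the alarm."""
    configs = closure(model, {(start, ())})
    for sym in stream:
        nxt = set()
        for state, stack in configs:
            for succ in model[state].get(sym, ()):
                if sym.startswith("push "):                 # bracket open: push it
                    nxt.add((succ, stack + (sym[5:],)))
                elif sym.startswith("pop ") and stack and stack[-1] == sym[4:]:
                    nxt.add((succ, stack[:-1]))             # bracket close matches top
                elif not sym.startswith("pop "):            # plain system call
                    nxt.add((succ, stack))
        configs = closure(model, nxt)
        if not configs:
            return False                                    # no valid execution explains prefix
    return any(s == accept and not stk for s, stk in configs)

def syscalls_only(stream):  # what the operating system alone observes
    return [s for s in stream if not s.startswith(("push ", "pop "))]

# Constructed traces: ROOT_PATH is the legitimate uid == 0 execution; IMPOSSIBLE
# enters prepare() from the uid != 0 call site but returns to the uid == 0 site.
ROOT_PATH  = ["getuid", "push Y", "getpid", "open", "pop Y", "write", "close"]
IMPOSSIBLE = ["getuid", "push X", "getpid", "open", "pop Y", "write", "close"]
```

Stripped of brackets, both traces are the same system call sequence, so the NFA model accepts the impossible path; the Dyck monitor rejects it because pop Y does not match the X on its stack.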
25 Test Programs
28 Questions?
- Henry Hanping Feng, Yong Huang, University of Massachusetts, Amherst, hfeng,yhuang_at_ecs.umass.edu
- Jonathon T. Giffin, Somesh Jha, Barton P. Miller, University of Wisconsin, Madison, giffin,jha,miller_at_cs.wisc.edu
- Wenke Lee, Georgia Institute of Technology, wenke_at_cc.gatech.edu