Daniel Fleck
George Mason University
Publication
Featured research published by Daniel Fleck.
Computer Communications | 2014
Huangxin Wang; Quan Jia; Daniel Fleck; Walter A. Powell; Fei Li; Angelos Stavrou
In this paper, we introduce a moving target defense mechanism that defends authenticated clients against Internet service DDoS attacks. Our mechanism employs a group of dynamic, hidden proxies to relay traffic between authenticated clients and servers. By continuously replacing attacked proxies with backup proxies and reassigning (shuffling) the attacked clients onto the new proxies, innocent clients are segregated from malicious insiders through a series of shuffles. To accelerate the process of insider segregation, we designed an efficient greedy algorithm which is proven to have near optimal empirical performance. In addition, the insider quarantine capability of this greedy algorithm is studied and quantified to enable defenders to estimate the resource required to defend against DDoS attacks and meet defined QoS levels under various attack scenarios. Simulations were then performed which confirmed the theoretical results and showed that our mechanism is effective in mitigating the effects of a DDoS attack. The simulations also demonstrated that the overhead introduced by the shuffling procedure is low.
International Conference on Image Analysis and Recognition | 2009
Daniel Fleck; Zoran Duric
This paper presents a new approach to classify tentative feature matches as inliers or outliers during wide baseline image matching. After typical feature matching algorithms are run and tentative matches are created, our approach is used to classify matches as inliers or outliers to a transformation model. The approach uses the affine invariant property that ratios of areas of shapes are constant under an affine transformation. Thus, by randomly sampling corresponding shapes in the image pair we can generate a histogram of ratios of areas. The matches that contribute to the maximum histogram value are then candidate inliers. The candidate inliers are then filtered to remove any with a frequency below the noise level in the histogram. The resulting set of inliers is used to generate a very accurate transformation model between the images. In our experiments we show similar accuracy to RANSAC and an order of magnitude efficiency increase using this affine invariant-based approach.
Availability, Reliability and Security | 2013
Daniel Fleck; Arnur G. Tokhtabayev; Alex Alarif; Angelos Stavrou; Tomas Nykodym
We introduce PyTrigger, a dynamic malware analysis system that automatically exercises a malware binary extracting its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the context makes the playback more accurate and avoids dependencies and pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples.
Recent Advances in Intrusion Detection | 2015
Mohamed Elsabagh; Daniel Barbará; Daniel Fleck; Angelos Stavrou
Software systems are often engineered and tested for functionality under normal rather than worst-case conditions. This makes the systems vulnerable to denial of service attacks, where attackers engineer conditions that result in overconsumption of resources or starvation and stalling of execution. While the security community is well familiar with volumetric resource exhaustion attacks at the network and transport layers, application-specific attacks pose a challenging threat. In this paper, we present Radmin, a novel system for early detection of application-level resource exhaustion and starvation attacks. Radmin works directly on compiled binaries. It learns and executes multiple probabilistic finite automata from benign runs of target programs. Radmin confines the resource usage of target programs to the learned automata, and detects resource usage anomalies at their early stages. We demonstrate the effectiveness of Radmin by testing it over a variety of resource exhaustion and starvation weaknesses on commodity off-the-shelf software.
Computer and Communications Security | 2017
Mohamed Elsabagh; Daniel Fleck; Angelos Stavrou
Modern operating systems are equipped with defenses that render legacy code injection attacks inoperable. However, attackers can bypass these defenses by crafting attacks that reuse existing code in a program's memory. One of the most common classes of attacks manipulates memory data used indirectly to execute code, such as function pointers. This is especially prevalent in C++ programs, since tables of function pointers (vtables) are used by all major compilers to support polymorphism. In this paper, we propose VCI, a binary rewriting system that secures C++ binaries against vtable attacks. VCI works directly on stripped binary files. It identifies and reconstructs various C++ semantics from the binary, and constructs a strict CFI policy by resolving and pairing virtual function calls (vcalls) with precise sets of target classes. The policy is enforced by instrumenting checks into the binary at vcall sites. Experimental results on SPEC CPU2006 and Firefox show that VCI is significantly more precise than state-of-the-art binary solutions. Testing against the ground truth from the source-based defense GCC VTV, VCI achieved greater than 60% precision in most cases, accounting for at least 48% to 99% additional reduction in the attack surface compared to the state-of-the-art binary defenses. VCI incurs a 7.79% average runtime overhead which is comparable to the state-of-the-art. In addition, we discuss how VCI defends against real-world attacks, and how it impacts advanced vtable reuse attacks such as COOP.
International Conference on Pattern Recognition | 2010
Daniel Fleck; Zoran Duric
A method to classify tentative feature matches as inliers or outliers to a transformation model is presented. It is well known that ratios of areas of corresponding shapes are affine invariants [6]. Our algorithm uses consistency of ratios of areas in pairs of images to classify matches as inliers or outliers. The method selects four matches within a region, and generates all possible corresponding triangles. All matches are classified as inliers or outliers based on the variance among the ratio of areas of the triangles. The selected inliers are used to compute a homography transformation. We present experimental results showing significant improvements over the baseline RANSAC algorithm for pairs of images from the Zurich Building Database.
International Symposium on Visual Computing | 2009
Daniel Fleck; Zoran Duric
This paper presents a detailed evaluation of a new approach that uses affine invariants for wide baseline image matching. Previously published work presented a new approach to classify tentative feature matches as inliers or outliers during wide baseline image matching. After typical feature matching algorithms are run and tentative matches are created, the approach is used to classify matches as inliers or outliers to a transformation model. The approach uses the affine invariant property that ratios of areas of shapes are constant under an affine transformation. Thus, by randomly sampling corresponding shapes in the image pair a histogram of ratios of areas can be generated. The matches that contribute to the maximum histogram value are then candidate inliers. This paper evaluates the robustness of the approach under varying degrees of incorrect matches, localization error and perspective rotation often encountered during wide baseline matching. The evaluation shows the affine invariant approach provides similar accuracy as RANSAC under a wide range of conditions while maintaining an order of magnitude increase in efficiency.
Recent Advances in Intrusion Detection | 2017
Mohamed Elsabagh; Daniel Fleck; Angelos Stavrou; Michael Kaplan; Thomas Bowen
Software Denial-of-Service (DoS) attacks use maliciously crafted inputs aiming to exhaust available resources of the target software. These application-level DoS attacks have become even more prevalent due to the increasing code complexity and modular nature of Internet services that are deployed in cloud environments, where resources are shared and not always guaranteed. To make matters worse, many code testing and verification techniques cannot cope with the code size and diversity present in most services used to deliver the majority of everyday Internet applications. In this paper, we propose Cogo, a practical system for early DoS detection and mitigation of software DoS attacks. Unlike prior solutions, Cogo builds behavioral models of network I/O events in linear time and employs Probabilistic Finite Automata (PFA) models to recognize future resource exhaustion states. Our tracing of events spans the entire code stack from userland to kernel. In many cases, we can block attacks far before impacting legitimate live sessions. We demonstrate the effectiveness and performance of Cogo using commercial-grade testbeds of two large and popular Internet services: Apache and the VoIP OpenSIPS servers. Cogo required less than 12 min of training time to achieve high accuracy: less than 0.0194% false positive rate, while detecting a wide range of resource exhaustion attacks less than seven seconds into the attacks. Finally, Cogo had only two to three percent per-session overhead.
Conference on Data and Application Security and Privacy | 2017
Mohamed Elsabagh; Daniel Barbará; Daniel Fleck; Angelos Stavrou
Return-Oriented Programming (ROP) has emerged as one of the most widely used techniques to exploit software vulnerabilities. Unfortunately, existing ROP protections suffer from a number of shortcomings: they require access to source code and compiler support, focus on specific types of gadgets, depend on accurate disassembly and construction of Control Flow Graphs, or use hardware-dependent (microarchitectural) characteristics. In this paper, we propose EigenROP, a novel system to detect ROP payloads based on unsupervised statistical learning of program characteristics. We study, for the first time, the feasibility and effectiveness of using microarchitecture-independent program characteristics -- namely, memory locality, register traffic, and memory reuse distance -- for detecting ROP. We propose a novel directional statistics based algorithm to identify deviations from the expected program characteristics during execution. EigenROP works transparently to the protected program, without requiring debug information, source code or disassembly. We implemented a dynamic instrumentation prototype of EigenROP using Intel Pin and measured it against in-the-wild ROP exploits and on payloads generated by the ROP compiler ROPC. Overall, EigenROP achieved significantly higher accuracy than prior anomaly-based solutions. It detected the execution of the ROP gadget chains with 81% accuracy, 80% true positive rate, only 0.8% false positive rate, and incurred comparable overhead to similar Pin-based solutions.
IEEE International Conference on Technologies for Homeland Security | 2015
Chris Reffett; Daniel Fleck
While significant bodies of work exist for sandboxing potentially malicious software and for sanitizing input, there has been little investigation into using binary editing software to perform either of these tasks. However, because binary editors do not require source code and can modify the software, they can generate secure versions of arbitrary binaries and provide better control over the software than existing approaches. In this paper, we explore the application of the binary editing library Dyninst to both the sandboxing and sanitization problems. We also create a prototype of a more advanced graphical tool to perform these tasks. Finally, we lay the groundwork for more complex and functional tools to solve these problems.