Miyuki Hanaoka

AspFuzz: A state-aware protocol fuzzer based on application-layer protocols

In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most of the previously reported attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. It then sends the generated messages in both anomalous orders and correct orders. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers.

Simplifying security policy descriptions for internet servers in secure operating systems

Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers respectively, compared with an existing SELinux policy that includes the initialization of the server.

An Efficient TCP Reassembler Mechanism for Layer7-aware Network Intrusion Detection/Prevention Systems

Exploiting layer/ context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Unfortunately layerl-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP/IP reassembly without losing (1) complete prevention, (2) performance, (3) application transparency, or (4) transport transparency. To the best of our knowledge, none of the existing approaches meet all of these requirements. Our store-through does this by forwarding each out-of-order or IP-fragmented packet immediately after copying it even if it has not been checked yet. Although the forwarded packet might turn out to be a part of an attack, the store-through can successfully defend against the attack by blocking one of the subsequent packets. Testing of a prototype in linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder even with the presence of out-of-order packets.

TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems

Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Layer7 context enables us to inspect message formats and the message exchanged order. Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP and IP reassembly without losing 1) complete prevention, 2) performance, 3) application transparency, or 4) transport transparency. Complete prevention means that the NIDS/NIPS should prevent malicious messages from reaching target applications. Application transparency means not requiring any modifications to and/or reconfiguration of server and client applications. Transport transparency is not to disrupt the end-to-end semantics of TCP/IP. To the best of our knowledge, none of the existing approaches meet all of these requirements. We have developed an efficient mechanism for layer7-aware NIDS/NIPSs that does meet the above requirements. Our store-through does this by forwarding each out-of-order or IP-fragmented packet immediately after copying the packet even if it has not been checked yet by an NIDS/NIPS sensor. Although the forwarded packet might turn out to be a part of an attack message, the store-through mechanism can successfully defend against the attack by blocking one of the subsequent packets that contain another part of attack message. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder even with the presence of out-of-order and IP-fragmented packets. In addition, the experimental results suggest that the CPU and memory usage incurred by our store-through is not significant.

FlexBox: Sandboxing internet servers based on layer-7 contexts

Internet servers are constantly exposed to malicious attacks launched remotely. Sandbox is a promising approach to reducing the damage caused by malicious attacks. A sandbox system provides a restricted environment for executing programs/codes from an Internet server, in which the accessible resources are limited to those required for legal execution. However, traditional sandbox systems are not suitable for preventing sensitive files, legally accessed by Internet servers, from being leaked or tampered. A sandbox system must permit access to sensitive files if the sandboxed server requires access to them. This paper presents FlexBox, a novel sandbox system that reduces the possibility of leaking or tampering with sensitive files accessed by Internet servers. The key observation is that Internet servers typically have several execution states, each of which requires different access rights to resources such as files, especially sensitive files that are usually accessed only in a few execution states. Therefore, if FlexBox dynamically changes a set of accessible files according to serverspsila execution states, it is expected to dramatically reduce the possibility of information leakage/tampering. To obtain the execution states of Internet servers, FlexBox exploits the layer-7 contexts of Internet servers, i.e., it monitors the network messages exchanged between the server and clients. We demonstrate that FlexBox can be applied to several real Internet servers and the overhead from FlexBox is reasonably low.

Filtering False Positives Based on Server-Side Behaviors

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks that are not harmful to the administrators environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators that a malicious message has been detected, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it has confirmed that an attempt has been made. The TrueAlarm NIDS cooperates with a server-side monitor that observes the protected servers behavior. TrueAlarm only alerts administrators when a server-side monitor has detected deviant server behavior that must have been caused by a message detected by a NIDS. Our experimental results revealed that TrueAlarm reduces the rate of false positives. Using actual network traffic collected over 14 days, TrueAlarm produced 46 false positives, while Snort, a conventional NIDS, produced 818.