Publication


Featured research published by Sanjay Rawat.


IEEE Symposium on Security and Privacy | 2016

A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level

Victor van der Veen; Enes Göktaş; Moritz Contag; Andre Pawoloski; Xi Chen; Sanjay Rawat; Herbert Bos; Thorsten Holz; Elias Athanasopoulos; Cristiano Giuffrida

Current binary-level Control-Flow Integrity (CFI) techniques are weak in determining the set of valid targets for indirect control flow transfers on the forward edge. In particular, the lack of source code forces existing techniques to resort to a conservative address-taken policy that overapproximates this set. In contrast, source-level solutions can accurately infer the targets of indirect calls and thus detect malicious control-flow transfers more precisely. Given that source code is not always available, however, offering similar quality of protection at the binary level is important, but, unquestionably, more challenging than ever: recent work demonstrates powerful attacks such as Counterfeit Object-oriented Programming (COOP), which made the community believe that protecting software against control-flow diversion attacks at the binary level is rather impossible. In this paper, we propose binary-level analysis techniques to significantly reduce the number of possible targets for indirect branches. More specifically, we reconstruct a conservative approximation of target function prototypes by means of use-def analysis at possible callees. We then couple this with liveness analysis at each indirect callsite to derive a many-to-many relationship between callsites and target callees with a much higher precision compared to prior binary-level solutions. Experimental results on popular server programs and on SPEC CPU2006 show that TypeArmor, a prototype implementation of our approach, is efficient - with a runtime overhead of less than 3%. Furthermore, we evaluate to what extent TypeArmor can mitigate COOP and other advanced attacks and show that our approach can significantly reduce the number of targets on the forward edge. Moreover, we show that TypeArmor breaks published COOP exploits, providing concrete evidence that strict binary-level CFI can still mitigate advanced attacks, despite the absence of source information or C++ semantics.


International Conference on Software Testing, Verification and Validation | 2012

XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing

Fabien Duchene; Roland Groz; Sanjay Rawat; Jean-Luc Richier

We present an approach to detect web injection vulnerabilities by generating test inputs using a combination of model inference and evolutionary fuzzing. Model inference is used to obtain knowledge about the application behavior. Based on this understanding, inputs are generated using a genetic algorithm (GA). The GA uses the learned formal model to automatically generate inputs with better fitness values towards triggering an instance of the given vulnerability.


Conference on Data and Application Security and Privacy | 2014

KameleonFuzz: evolutionary fuzzing for black-box XSS detection

Fabien Duchene; Sanjay Rawat; Jean-Luc Richier; Roland Groz

Fuzz testing consists of automatically generating and sending malicious inputs to an application in order to hopefully trigger a vulnerability. Fuzzing entails such questions as: Where to fuzz? Which parameter to fuzz? Where to observe its effects? In this paper, we specifically address the questions: How to fuzz a parameter? How to observe its effects? To address these questions, we propose KameleonFuzz, a black-box Cross Site Scripting (XSS) fuzzer for web applications. KameleonFuzz can not only generate malicious inputs to exploit XSS, but also detect how close it is to revealing a vulnerability. The generation and evolution of malicious inputs is achieved with a genetic algorithm, guided by an attack grammar. A double taint inference, up to the browser parse tree, permits precise detection of whether an exploitation attempt succeeded. Our evaluation demonstrates no false positives and high XSS revealing capabilities: KameleonFuzz detects several vulnerabilities missed by other black-box scanners.


Information Sciences | 2007

Network traffic analysis using singular value decomposition and multiscale transforms

Challa S. Sastry; Sanjay Rawat; Arun K. Pujari; Ved Prakash Gulati

The present work integrates the multiscale transform provided by wavelets and singular value decomposition (SVD) for the detection of anomalies in self-similar network data. The algorithm proposed in this paper uses the properties of the singular value decomposition (SVD) of a matrix whose elements are local energies of wavelet coefficients at different scales. Unlike existing techniques, our method determines both the presence (i.e., the time intervals in which an anomaly occurs) and the nature of the anomaly (i.e., anomaly of bursty type, long or short duration, etc.) in network data. It uses the diagonal, left and right singular matrices obtained in the SVD to determine the number of scales of self-similarity, and the location and scales of anomalies in the data, respectively. Our simulation work on different data sets demonstrates that the method performs better than the existing anomaly detection methods proposed for self-similar data.


2012 IEEE Sixth International Conference on Software Security and Reliability | 2012

Finding Buffer Overflow Inducing Loops in Binary Executables

Sanjay Rawat; Laurent Mounier

Vulnerability analysis is one of the important components of overall software assurance practice. Buffer overflow (BoF) is one example of such vulnerabilities, and it is still the root cause of many effective attacks. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers, like the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering the destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and therefore are equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs, and evaluated it on real-world x86 binary executables. The results obtained show that this (simple yet efficient) vulnerability pattern happens to be very effective in practice for retrieving real vulnerabilities, providing a drastic reduction of the part of the code to be analysed.


Conference on Data and Application Security and Privacy | 2016

Toward Large-Scale Vulnerability Discovery using Machine Learning

Gustavo Grieco; Guillermo L. Grinblat; Lucas C. Uzal; Sanjay Rawat; Josselin Feist; Laurent Mounier

With the sustained growth of software complexity, finding security vulnerabilities in operating systems has become an important necessity. Nowadays, OSes are shipped with thousands of binary executables. Unfortunately, methodologies and tools for OS-scale program testing within a limited time budget are still missing. In this paper we present an approach that uses lightweight static and dynamic features to predict whether a test case is likely to contain a software vulnerability using machine learning techniques. To show the effectiveness of our approach, we set up a large experiment to detect easily exploitable memory corruptions using 1039 Debian programs obtained from its bug tracker, collected 138,308 unique execution traces and statically explored 76,083 different subsequences of function calls. We managed to predict with reasonable accuracy which programs contained dangerous memory corruptions. We also developed and implemented VDiscover, a tool that uses state-of-the-art Machine Learning techniques to predict vulnerabilities in test cases. Such a tool will be released as open source to encourage research on vulnerability discovery at a large scale, together with VDiscovery, a public dataset that collects raw analyzed data.


Electronic Commerce | 2010

An Evolutionary Computing Approach for Hunting Buffer Overflow Vulnerabilities: A Case of Aiming in Dim Light

Sanjay Rawat; Laurent Mounier

We propose an approach in the form of a lightweight smart fuzzer to generate string-based inputs to detect buffer overflow vulnerabilities in C code. The approach is based on an evolutionary algorithm which is a combination of a genetic algorithm and evolutionary strategies. In this preliminary work we focus on the problem that there are constraints on string inputs that must be satisfied in order to reach the vulnerable statement in the code, and we have very little or no knowledge about them. Unlike other similar approaches, our approach is able to generate such inputs without knowing these constraints explicitly. It learns these constraints automatically while generating inputs dynamically by executing the vulnerable program. We provide a few empirical results on a benchmarking dataset, the Verisec suite of programs.


International Conference on Software Testing, Verification and Validation Workshops | 2011

Offset-Aware Mutation Based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results

Sanjay Rawat; Laurent Mounier

This article presents a few preliminary results and future ideas related to smart fuzzing to detect buffer overflow vulnerabilities. The approach is based on the combination of lightweight static analysis techniques and mutation-based evolutionary strategies. First, a static taint analysis allows us to identify the most dangerous execution paths, containing vulnerable statements whose execution depends on user input streams. Then, concrete inputs are produced and executed on the vulnerable program following an offset-aware mutation strategy: at each step, the current input streams are mutated with specific values, and at specific offsets, depending on their ability to activate a target execution path. We provide a few empirical results on a benchmarking dataset as a proof of concept and discuss future extensions.


Security of Information and Networks | 2009

Danger theory based SYN flood attack detection in autonomic network

Sanjay Rawat; Ashutosh Saxena

In the context of an autonomic environment, we present a simple yet effective Danger Theory based method to detect TCP SYN Flooding attacks. An autonomous communication network consists of self-managed (i.e. self-configuring, self-aware, self-optimizing, self-healing and self-protecting, collectively denoted as self-*) entities. These self-* properties ensure functioning of the network with no or very minimal human intervention. In such an environment, security of the system is very challenging, as there is no dedicated authority to monitor malicious activities and each entity, the computing device, has to monitor itself. Denial of service (DoS) attacks, in particular flooding attacks, are among the most frequent and devastating attacks on networks. Traditionally, the detection of flooding attacks is achieved by a network-based intrusion detection system (IDS), mainly relying on the statistical characteristics of network data with fine tuning from a human administrator who monitors the traffic continuously. Obviously, such a facility cannot be assumed in autonomic networks. We, therefore, propose a danger theory based approach that can detect DoS attacks in an automatic manner. The proposed scheme is able to detect a SYN flood attack in its early stage, thereby making it possible to control the damage. To empirically validate our proposal, we conduct experiments in a simulated environment, and the results are encouraging. We assert that the work will be useful in designing the security of autonomic networks.


Information Management & Computer Security | 2004

Frequency- and ordering-based similarity measure for host-based intrusion detection

Sanjay Rawat; Ved Prakash Gulati; Arun K. Pujari

This paper discusses a new similarity measure for the anomaly-based intrusion detection scheme using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to update the signature database for misuse-based intrusion detection systems (IDS). While anomaly-based IDS has a very important role to play, the high rate of false positives remains a cause for concern. The paper defines a similarity measure that considers the number of similar system calls, the frequencies of system calls and the ordering of system calls made by the processes to calculate the similarity between the processes. It proposes the use of the Kendall Tau distance to calculate the similarity in terms of the ordering of system calls in the process. The k nearest neighbor (kNN) classifier is used to categorize a process as either normal or abnormal. The experimental results, performed on 1998 DARPA data, are very promising and show that the proposed scheme results in a high detection rate and a low rate of false positives.

Collaboration

Top Co-Authors

Ved Prakash Gulati, Institute for Development and Research in Banking Technology

Herbert Bos, VU University Amsterdam

Gustavo Grieco, National Scientific and Technical Research Council