1. Determina’s Vulnerability Protection Suite Saman Amarasinghe CTO, Determina Inc. Associate Professor, MIT EECS/CSAIL

6. Recent Example: WMF Vulnerability NO Patch Available Patch fully deployed *Wipro, Ltd 2005, “The Total Cost of Security Patch Management” Day 14 : December 14: Sites first post WMF Exploits Day 35 : January 5 th : Microsoft Releases Patch Average exploit window: 25 days* before patches deployed Vulnerable w/no Official Patch 35 Days Vulnerability Made Public Total exploit window for average organization: 60 days Day 27: December 27: Initial Disclosure of Vulnerability Day 28 : December 28: MS Announces Awareness…No Patch for Issue Day 29: December 29: 50+ variants, 1000+ sites reported: Thursday 12/29 Day 31: December 31: Instant messaging,Trojan horses & botnets begin exploiting WMF and Unofficial patch released by Ilfak Guilfanov Day 33: January 3rd: 1,000,000+ WMF exploited downloads reported from just 1 site Day 0 : December 1: Vulnerability Discovered 1 and Exploit Code Being Sold for $4000 Shortly Afterward 1 Computerworld.com, “Russian hackers sold WMF exploit, analyst says” Patch issued by MS Determina 0-day protection active before vulnerability is known Zero-days

13. Managed Program Execution Engine Derek Bruening

17. How Program Shepherding Work? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Restricted Control Transfer: Is it legal to go from here to there? Restricted Code Origins: Is this code came from a code page? Program Run-time System Code Cache Program Counter: Executes the Program Instruction by Instruction Never Let go of the Program Counter Restricted Code Origins: Is this code came from a code page? jmp call br ret call jmp br

20. An Example: Chained Call Attack Local Variables: URL Local Variables: tmp Return Address Argument: h Local Variables: … Return Address Arguments: … Stack http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101... URL: 0x7F8B0 Fake arguments handle_URL(handle * h) { char url[64]; … char * tmp =geturl(h) strcpy(url, tmp); … } Code 0x8A234 Fake arguments Libraries setuid() … unlink() … 0x7F8B0 0x8A234

21. Technique 2: Restricted Control Transfers context switch indirect branch lookup trace branch taken? BASIC BLOCK CACHE TRACE CACHE non-control-flow instructions non-control-flow instructions Restrict based on source address, destination address, and/or transfer type

26. Memory protection R R Application code RW RW Application data RW R Code cache RW R MPEE data R R MPEE code MPEE Privileges Application Privileges Page type

27. Memory protection R R Application code RW RW Application data RW RE Code cache RW R MPEE data RE R MPEE code MPEE Privileges Application Privileges Page type

33. Different Levels of Updates Power of a Patch, Operates like a DAT         Administration can be fully automated Minutes Within a day Hours Weeks to Months Months Months to never Typical time from release to deployment       Easy to undo     Patch update     Detect     Protect LiveShield     DAT file update     Dot upgrade     Major upgrade Manageable at a fine granularity Will not change current behavior No need to reboot or restart app No need to upgrade hardware or other programs

38. LiveShield Development Operations Flow POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update

39. LiveShield Flow Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s Read - only memory Read - only memory DLL load eventlog Determina Web site Controller @ Customer Site Node Manager Core Files available MP - v3 - 011604.xml const - v3base.dll const - v3a.dll const - v3b.dll … . const - v3u.dll const - v3v.dll Internet xml file per host Up - to - date dll cache Mode information Status information Events Controller - Node Manager Communication Interface Per processor policy data structure with mode info dll cache Stats Events Policy data structure with mode info Loaded dll ’ s

45. 4. Coverage: No partial band-aid solutions please! % of vulnerabilities Source: CVE, Microsoft Security Bulletins, 2003-2004

46. 5. Proactivity: Should be ready to protect when attacked! Application Released With a bug Vulnerability announced Patch released Attack Released Good guys Patch like crazy Bad guys analyze patch & create attack 17 Previously Unknown Vulnerability 2 26 Previously Unknown Vulnerability 46 31 06/01 03/02 04/02 07/02 07/02 03/03 07/03 03/04 04/04 11/04 Code Red Digispid Spida Slammer Slapper WebDAV Blaster Witty Sasser Mydoom.ag 185 # of days from the Publication of the Vulnerability (availability of a patch) to Attack 77 34

47. Speed of Propagation The Witty Worm

51. VPS impact on the Project Managed Program Execution Engine Memory Firewall LiveShield Client Interface Injected code detection Patch Generation and Deployment Constraint Leaning and Monitoring Data Structure Consistency Checking Application State Probing Repair Generation, Evaluation and Filtering

55. LiveShiled Constraint Creation Framework POC Exploit Released Acquire the exploit Identify vulnerability Patch Released Diff the patched version against previous version Attack Released Trace the exploit activity Acquire the attack Trace the attack’s activity Develop a Shield Port it to multiple versions Test the Shield Release to customers Receive LiveShield Push the Shield in detect mode No triggering in 24 hours Put into protect mode Put in a full QA System in protect mode No problems in 24 hours Report the problems to Determina Y Y N N best case is 24 hours, Cannot take more than 7 days Minimal QA a. la. DAT update