overview of the wisa infrastructure and applications
TRANSCRIPT
![Page 1: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/1.jpg)
Overview of the WiSAInfrastructure and Applications
Somesh Jha, Bart Miller, Tom Reps{jha,bart,reps}@cs.wisc.edu
Computer Sciences DepartmentUniversity of Wisconsin1210 W. Dayton Street
Madison, WI 53706-1685
![Page 2: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/2.jpg)
13 November 2003 WiSA 2
Codesurfer
IDA Pro Clients
BREW
Connector
Architecture
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
Control Flow Graphs System
Dependence Graph
![Page 3: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/3.jpg)
13 November 2003 WiSA 3
Codesurfer
IDA Pro Clients
BREW
Connector
Code Generation
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
![Page 4: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/4.jpg)
13 November 2003 WiSA 4
Dynamic Buffer Overflow Detection• Detect buffer overflows that alter return
addresses
• Rewrite binary programs to detect and correct programming flaws– Return address verification – Safe string operations
• Jonathon Giffin, Hao Wang
![Page 5: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/5.jpg)
13 November 2003 WiSA 5
Codesurfer
IDA Pro Clients
BREW
Connector
Dynamic Buffer Overflow Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
![Page 6: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/6.jpg)
13 November 2003 WiSA 6
Malicious Code Detection• Detect viruses and other malware mutated
using obfuscation transformations
• Use static analysis to locate malicious code fragments embedded in a program– Deobfuscate program code– Identify malicious code sequences split across
procedure calls
• Mihai Christodorescu, Somesh Jha
![Page 7: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/7.jpg)
13 November 2003 WiSA 7
Codesurfer
IDA Pro Clients
BREW
Connector
Malicious Code Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
![Page 8: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/8.jpg)
13 November 2003 WiSA 8
Static Buffer Overflow Detection• Incorporate buffer overrun detection for C source
code in a program understanding framework
• Flow-insensitive, partly context-sensitive• Formulate and solve problem as linear program• Two solvers developed
– Fast and approximate– Mathematically precise
• Vinod Ganapathy, Somesh Jha
![Page 9: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/9.jpg)
13 November 2003 WiSA 9
Codesurfer
IDA Pro Clients
BREW
Connector
Static Buffer Overflow Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrun
Parse C
Build SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
SourceCode
![Page 10: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/10.jpg)
13 November 2003 WiSA 10
Value-Set Analysis• Create an Intermediate-Representation (IR) for an
x86 binary (for further analysis)
• IR – similar to that of a C compiler– CFG, used, killed, may-killed variables, points-to sets, etc.– Key challenge - understanding memory operations
• No symbol-table/debug information• Explicit memory addresses• Indirect addressing • Pointer arithmetic
• Gogul Balakrishnan, Tom Reps
![Page 11: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/11.jpg)
13 November 2003 WiSA 11
Codesurfer
IDA Pro Clients
BREW
Connector
Value-Set Analysis
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
![Page 12: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/12.jpg)
13 November 2003 WiSA 12
Model-Based Intrusion Detection• Detect attempts to subvert processes
• Specify constraints upon program behavior– Statically constructed execution model– Dyck model: efficient & context-sensitive
• At run-time, ensure execution obeys model
• Jonathon Giffin, Somesh Jha, Barton Miller
![Page 13: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/13.jpg)
13 November 2003 WiSA 13
Codesurfer
IDA Pro Clients
BREW
Connector
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
ProgramModel
![Page 14: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/14.jpg)
13 November 2003 WiSA 14
Future Directions• Support multiple architectures• Include new static analyses• Expand rewriting API• Develop architecture-independent rewriter
interface for code creation & insertion
![Page 15: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/15.jpg)
13 November 2003 WiSA 15
Trace Analyzer
EDL/ESL CompilerApplication ESL
EDLEDL
Pol
icy
Enf
orce
r
Eve
nt In
terc
epto
r
.
.
.call A
call B
Application
.
.
.
syscall B
OS
syscall A
SandboX86
![Page 16: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/16.jpg)
13 November 2003 WiSA 16
Trace Analyzer
EDL/ESL CompilerApplication ESL
EDLEDL
Pol
icy
Enf
orce
r
Eve
nt In
terc
epto
r
.
.
.call A
call B
Application
.
.
.
syscall B
OS
syscall A
SandboX86
![Page 17: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/17.jpg)
13 November 2003 WiSA 17
ESL for Kazaa
edl "c:\malware\kazaa.edl"
map ipaddr
string blocked = "cydoor|doubleclick|adserver|…”
match gethostbyname(name) -> allow << addHash(ipaddr, ret, name)>>
match connect(addr, socket, << isHashed(addr) >> ) -> deny
match connect(sockaddr, socket, << regex(blocked, gethostbyaddr(sockaddr) >> ) -> deny
ESL (segment)Referring to the EDL
definition
Primitive data types
Policy specification
![Page 18: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/18.jpg)
13 November 2003 WiSA 18
Slicing Results (Kazaa)
gethostbyname(cydor.com…)= 209.10.17.137
connect(544, 209.10.17.137,…) connect(1337, 209.10.17.137,…)
send(544,…) recv(1337,…)
closesocket(544) closesocket(1337)
Slicing from gethostbyname on
addr: 209.10.17.137
Slicing from gethostbyname on
addr: 209.10.17.137
Slicing fromconnect onsocket: 544
Slicing fromconnect on
socket: 1337
![Page 19: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/19.jpg)
13 November 2003 WiSA 19
Performance Results
0%0%Original
5.9%2.7%Kazaa
1.7%0.8%RealOne Player
97%21%SSH Client
WithLogging
W/O Logging
69KB7KB62KBOriginal
45KB
42KB
42KB
Data
139KB94KBKazaa
136KB94KBRealOne Player
136KB94KBSSH Client
TotalText
Runtime Overhead Memory Overhead
![Page 20: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/20.jpg)
13 November 2003 WiSA 20
Contact Information
• Prof. S. Jha– email:
[email protected]• Prof. B. Miller
– email: [email protected]
• Prof. T. Reps– email:
• Computer Sciences Dept. 1210 West Dayton Street Madison, WI 53706
Project home pagehttp://www.cs.wisc.edu/wisa
![Page 21: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/21.jpg)
13 November 2003 WiSA 21
Clients
Codesurfer
IDA Pro
BREW
Connector
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
ProgramModel
![Page 22: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/22.jpg)
13 November 2003 WiSA 22
Clients
Model-Based Intrusion Detection
Binary
Value-SetAnalysis
GenerateCode
DetectMalicious Code
Detect BufferOverrunBuild SDG
Browse
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
EEL
ProgramModel
![Page 23: Overview of the WiSA Infrastructure and Applications](https://reader031.vdocuments.site/reader031/viewer/2022021019/6204608243e5d9203041816d/html5/thumbnails/23.jpg)
13 November 2003 WiSA 23
Clients
Model-Based Intrusion Detection
Binary
GenerateCode
Rewrite
BuildCFGs
ParseBinary
Build ProgramModel
GeneratedBinary
EEL
Build DDG
Data Dependence Graph
ProgramModel