Tales from the Crypt: Fingerprinting Attacks on Encrypted Channels by Way of Retainting

Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 30)

Abstract

Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.

Keywords

Intrusion Detection Buffer Overflow Tainted Data Protocol Field Taint Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    P. Bueno. IIS Exploit released / Gagobot.XZ – SANS Microsoft Advisories. http://isc.sans.org/diary.html?date=2004-04-14, April 2004.
  2. [2]
    G. Combs. Ethereal network protocol analyzer. http://www.ethereal.com.
  3. [3]
    M. Costa, J. Crowcroft, M. Castro, A Rowstron, L. Zhou, L. Zhang and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of the 20th ACM Symposium on Operating Systems Principles, Brighton, UK, 2005.Google Scholar
  4. [4]
    T. W. Curry. Profiling and tracing dynamic library usage via interposition. In Usenix ATC, Boston, MA, June 1994.Google Scholar
  5. [5]
    J. Giffin, S. Jha, and B. Miller. Efficient context-sensitive intrusion detection. In 11th Annual Network and Distributed Systems Security Symposium, 2004.Google Scholar
  6. [6]
    I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 6th Usenix Security Symposium, 1996.Google Scholar
  7. [7]
    A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical taint-based protection using demand emulation. SIGOPS Oper. Syst. Rev. (Proc. of ACM SIGOPS EuroSys, April 2006, Leuven, Belgium), 40(4):29–41, 2006.Google Scholar
  8. [8]
    C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept 2005.Google Scholar
  9. [9]
    B. A. Kuperman and E. Spafford. Generation of application level data via library interposition. Technical Report CERIAS TR 1999-11, 1999.Google Scholar
  10. [10]
    C. Leita, M. Dacier, and G. Wicherski. SGNET: a distributed infrastructure to handle zero-day exploits. Technical Report EURECOM+2164, 2007.Google Scholar
  11. [11]
    Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting servers. CCS ’05.Google Scholar
  12. [12]
    Z. Liang, R. Sekar, and D. C. DuVarney. Automatic synthesis of filters to discard buffer overflow attacks: A step towards realizing self-healing systems. In USENIX Annual Technical Conference - short paper, Anaheim, CA, 2005.Google Scholar
  13. [13]
    McAfee. Encrypted threat protection – network IPS for SSL encrypted traffic. White paper, February 2005.Google Scholar
  14. [14]
    J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proc. of Network and Distributed System Security Symposium (NDSS), 2005.Google Scholar
  15. [15]
    V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31:23–24, December 1998.Google Scholar
  16. [16]
    F. Perriot and P. Szor. An analysis of the slapper worm exploit - white paper. Technical report, Symantec Security Response, 2002.Google Scholar
  17. [17]
    M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. In R. Büschkes and P. Laskov, editors, DIMVA, volume 4064 of Lecture Notes in Computer Science.Google Scholar
  18. [18]
    G. Portokalidis, A. Slowinska, and H. Bos. Argos: An emulator for fingerprinting zero-day attacks. In Proc. ACM SIGOPS EUROSYS’2006. Google Scholar
  19. [19]
    C. Prosise and S. U. Shah. Hackers’ tricks to avoid detection. WindowSecurity White Paper, http://secinf.net/info/misc/tricks.html, 2002.
  20. [20]
    M. Roesch. Snort: Lightweight intrusion detection for networks. In Proceedings of the 1999 USENIX LISA Systems Adminstration Conference.Google Scholar
  21. [21]
    SecurityFocus. Can-2003–0245 apache apr-psprintf memory corruption vulnerability. http://www.securityfocus.com/bid/7723/discussion/, 2003.
  22. [22]
    A. Slowinska and H. Bos. Prospector: Accurate analysis of heap and stack overflows by means of agestamps. Technical Report IR-CS-031, Vrije Universiteit Amsterdam, June 2007.Google Scholar
  23. [23]
    T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Recent Advances in Intrusion Detection, 2002.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • Michael Valkering
    • 1
  • Asia Slowinska
    • 1
  • Herbert Bos
    • 1
  1. 1.Department of Computer ScienceVrije Universiteit AmsterdamAmsterdamNetherlands

Personalised recommendations