Tales from the Crypt: Fingerprinting Attacks on Encrypted Channels by Way of Retainting
Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
Keywords: Intrusion Detection, Buffer Overflow, Tainted Data, Protocol Field, Taint Analysis
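The tag-and-retaint mechanism the abstract describes, as an added illustration in Python that is not Hassle's own code: a toy XOR cipher stands in for the real encryption, a 16-byte stack buffer plus saved return address stands in for the emulated process, and the signature shape (trace name, offset, bytes) is an assumption of this sketch rather than the paper's format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Tag = Optional[Tuple[str, int]]   # (trace name, byte offset) or None for untainted

@dataclass
class TByte:                       # one byte of emulated memory plus its origin tag
    val: int
    tag: Tag = None

def recv(ciphertext: bytes) -> List[TByte]:
    """Network input: every byte is tainted with a pointer into the ciphertext trace."""
    return [TByte(b, ("cipher", i)) for i, b in enumerate(ciphertext)]

def decrypt_retaint(buf: List[TByte], key: bytes) -> Tuple[List[TByte], bytes]:
    """Toy XOR cipher standing in for the real one. Decrypted bytes derived from tainted
    ciphertext stay tainted, but their tags are rewritten to point at the decrypted
    trace: this is the retaint step."""
    plain = bytes(tb.val ^ key[i % len(key)] for i, tb in enumerate(buf))
    return [TByte(p, ("plain", i) if buf[i].tag else None) for i, p in enumerate(plain)], plain

BUF, RET = 16, 4   # stack frame: 16-byte buffer followed by a 4-byte saved return address

def vulnerable_copy(frame: List[TByte], src: List[TByte]) -> None:
    """Unbounded copy (the bug being observed): taint travels with the data."""
    for i, tb in enumerate(src[:len(frame)]):
        frame[i] = TByte(tb.val, tb.tag)

def check_return(frame: List[TByte], plain: bytes):
    """Emulator hook at 'ret': a tainted return address signals an attack. Correlate the
    tags back to the decrypted trace and emit a signature (trace, offset, bytes)."""
    tags = [tb.tag for tb in frame[BUF:BUF + RET] if tb.tag]
    if not tags:
        return None
    offs = [o for _, o in tags]
    return {"trace": tags[0][0], "offset": min(offs), "bytes": plain[min(offs):max(offs) + 1]}

def run(ciphertext: bytes, key: bytes):
    frame = [TByte(0) for _ in range(BUF + RET)]
    buf, plain = decrypt_retaint(recv(ciphertext), key)
    vulnerable_copy(frame, buf)
    return check_return(frame, plain)

KEY = b"\x5a"                                            # constructed toy key
ATTACK = bytes(b ^ 0x5a for b in b"A" * 16 + b"\xef\xbe\xad\xde")  # constructed sample
BENIGN = bytes(b ^ 0x5a for b in b"GET / HTTP/1.0")      # constructed benign request

if __name__ == "__main__":
    print(run(ATTACK, KEY))   # signature points into the decrypted stream at offset 16
    print(run(BENIGN, KEY))   # None
```

Without the retaint step the tags on the overflowing bytes would point at ciphertext offsets, and the extracted signature would be key-dependent noise rather than the bytes that actually reached the return address.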