Efficient, context-sensitive detection of real-world semantic attacks

Software developers are increasingly choosing memory-safe languages. As a result, semantic vulnerabilities---omitted security checks, misconfigured security policies, and other software design errors---are supplanting memory-corruption exploits as the primary cause of security violations. Semantic attacks are difficult to detect because they violate program semantics, rather than language semantics. This paper presents Pecan, a new dynamic anomaly detector. Pecan identifies unusual program behavior using history sensitivity and depth-limited context sensitivity. Prior work on context-sensitive anomaly detection relied on stack-walking, which incurs overheads of 50% to over 200%. By contrast, the average overhead of Pecan is 5%, which is low enough for practical deployment. We evaluate Pecan on four representative real-world attacks from security vulnerability reports. These attacks exploit subtle bugs in Java applications and libraries, using legal program executions that nevertheless violate programmers' expectations. Anomaly detection must balance precision and sensitivity: high sensitivity leads to many benign behaviors appearing anomalous (false positives), while low sensitivity may miss attacks. With application-specific tuning, Pecan efficiently tracks depth-limited context and history and reports few false positives.

[1]  Yuanyuan Zhou,et al.  Have things changed now?: an empirical study of bug characteristics in modern open source software , 2006, ASID '06.

[2]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[3]  Tao Zhang,et al.  Using Branch Correlation to Identify Infeasible Paths for Anomaly Detection , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[4]  Giovanni Vigna,et al.  Exploiting Execution Context for the Detection of Anomalous System Calls , 2007, RAID.

[5]  Stephanie Forrest,et al.  Anomaly intrusion detection in dynamic execution environments , 2002, NSPW '02.

[6]  Somesh Jha,et al.  Efficient Context-Sensitive Intrusion Detection , 2004, NDSS.

[7]  Tao Zhang,et al.  Anomalous path detection with hardware support , 2005, CASES '05.

[8]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[9]  Stephen J. Fink,et al.  The Jalapeño virtual machine , 2000, IBM Syst. J..

[10]  Amer Diwan,et al.  The DaCapo benchmarks: java benchmarking development and analysis , 2006, OOPSLA '06.

[11]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[12]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[13]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  Hajime Inoue Inferring Java Security Policies Through Dynamic Sandboxing , 2005, PLC.

[15]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[16]  Stephanie Forrest,et al.  Anomaly detection in dynamic execution environments , 2005 .

[17]  Christopher Krügel,et al.  Automating Mimicry Attacks Using Static Binary Analysis , 2005, USENIX Security Symposium.

[18]  Koushik Sen DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[19]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[20]  Adam Kiezun,et al.  jFuzz: A Concolic Whitebox Fuzzer for Java , 2009, NASA Formal Methods.

[21]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[22]  V. N. Venkatakrishnan,et al.  CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks , 2010, TSEC.

[23]  Perry Cheng,et al.  The garbage collection advantage: improving program locality , 2004, OOPSLA.

[24]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[25]  Lieven Eeckhout,et al.  Java performance evaluation through rigorous replay compilation , 2008, OOPSLA.

[26]  Somesh Jha,et al.  Formalizing sensitivity in static analysis for intrusion detection , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[27]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[28]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[29]  M. Lam,et al.  Tracking down software bugs using automatic anomaly detection , 2002, Proceedings of the 24th International Conference on Software Engineering. ICSE 2002.

[30]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[31]  Wenliang Du,et al.  Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths , 2004, RAID.

[32]  Michael D. Bond,et al.  Probabilistic calling context , 2007, OOPSLA.

[33]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[34]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[35]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[36]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.