We propose, develop, and implement techniques for achieving contractual anonymity. In contractual anonymity, a user and service provider enter into an anonymity contract. The user is guaranteed anonymity and message unlinkability from the contractual anonymity system unless she breaks the contract. The service provider is guaranteed that it can identify users who break the contract. The
2006 IEEE Symposium on Security and Privacy (S&P'06), 2006
In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs.
In this paper, we give an overview of the BitBlaze project, a new approach to computer security via binary analysis. In particular, BitBlaze focuses on building a unified binary analysis platform and using it to provide novel solutions to a broad spectrum of different security problems. The binary analysis platform is designed to enable accurate analysis, provide an extensible architecture, and combines static and dynamic analysis as well as program verification techniques to satisfy the common needs of security applications. By extracting security-related properties from binary programs directly, BitBlaze enables a principled, root-cause based approach to computer security, offering novel and effective solutions, as demonstrated with over a dozen different security applications.

// instruction dst, src
add a, b      // a = a+b
shl a, x      // a << x
jz target     // jump if zero to address target
The vulnerabilities that plague computers cause endless grief to users. Slammer compromised millions of hosts in minutes; a hit-list worm would take under a second. Recently proposed techniques respond better than manual approaches, but require expensive instrumentation, which limits deployment. Although spreading "antibodies" (e.g. signatures) ameliorates this limitation, hosts depending on antibodies are defenseless until inoculation; to the fastest hit-list worms this delay is crucial. Additionally, most recently proposed techniques cannot provide recovery to provide continuous service after an attack. We propose a novel solution called Sweeper that provides both fast and accurate post-attack analysis and efficient recovery with low normal execution overhead. Sweeper innovatively combines several techniques: (1) Sweeper uses lightweight monitoring techniques to detect a wide array of suspicious requests, providing a first level of defense. (2) By cleverly leveraging lightweight checkpointing, Sweeper postpones heavyweight monitoring until absolutely necessary --- after an attack is detected. Sweeper rolls back and re-executes multiple times to dynamically apply heavyweight analysis techniques via dynamic binary instrumentation. Since only the execution involved in the attack is analyzed, the analysis is efficient, yet thorough. (3) Based on the analysis results, Sweeper automatically generates low-overhead antibodies to prevent future attacks of the same vulnerability. (4) Finally, Sweeper again re-executes to perform fast recovery for continuous service. We implement Sweeper in a real system. Our experimental results with three real-world servers and four real security vulnerabilities show that Sweeper can detect an attack and generate antibodies in under 60 milliseconds.
Our results also show that Sweeper imposes under 1% overhead during normal execution, clearly suitable for widespread production deployment (especially since Sweeper also allows partial deployment). Finally, we analytically show that, for a fast hit-list worm otherwise capable of infecting all vulnerable hosts in under a second, Sweeper contains the extent of infection to under 5%.
We propose using Datalog for alias analysis of binary programs. Alias analysis reasons about whether two memory references will overwrite the same memory cell.
Malware often contains hidden behavior which is only activated when properly triggered. Well known examples include: the MyDoom worm which DDoS's on particular dates, keyloggers which only log keystrokes for particular sites, and DDoS zombies which are only activated when given the proper command. We call such behavior trigger-based behavior.
Complex computer systems are plagued with bugs and vulnerabilities. Worms such as SQL Slammer and hit-list worms exploit vulnerabilities in computer programs and can compromise millions of vulnerable hosts within minutes or even seconds, bringing down vulnerable critical services. In this paper, we propose an end-to-end self-healing approach to achieve the following goal: for a large class of vulnerabilities and attacks, we can protect a large fraction of critical services and enable them to be highly available even in the case of a zero-day hit-list worm. Moreover, our techniques do not require access to source code and thus work on COTS software. We achieve this goal by designing an end-to-end self-healing approach: (1) programs use light-weight techniques to efficiently self-monitor the execution behavior and reliably detect a large class of errors and exploits, (2) we use sophisticated techniques to self-diagnose the root cause of detected errors and exploits, (3) programs self-harden to be resilient against further attacks on the same vulnerability, and (4) safely and efficiently self-recover to a safe state. Self-hardening does not result in false positives of legitimate traffic, and adds little performance overhead. Moreover, our approach allows a community of nodes to efficiently share Self-Verifiable Antibody Alerts (SVAAs), which are produced by the self-diagnosis engine. Nodes can verify that SVAAs fix real vulnerabilities without trusting the SVAA senders, and self-harden quickly and efficiently based upon SVAAs. By employing a new approach of combining proactive protection and reactive antibody defense, we show for the first time that it is possible to protect vulnerable programs and enable critical services to remain undisrupted even under extremely fast worm attacks such as hit-list worms.
Proceedings of the 13th ACM conference on Computer and communications security - CCS '06, 2006
We address the problem of replaying an application dialog between two hosts. The ability to accurately replay application dialogs is useful in many security-oriented applications, such as replaying an exploit for forensic analysis or demonstrating an exploit to a third party.
Signature-based tools such as network intrusion detection systems are widely used to protect critical systems. Automatic signature generation techniques are needed to enable these tools due to the speed at which new vulnerabilities are discovered. In particular, we need automatic techniques which generate sound signatures - signatures which will not mistakenly block legitimate traffic or raise false alarms. In addition, we need signatures to have few false negatives and to catch many different exploit variants.
Signature-based defense systems are one of the most popular architectures for defending against exploits of vulnerabilities. At the heart of a signature-based defense system is the signature generation mechanism. Since manual signature generation tends ...
IEEE Transactions on Dependable and Secure Computing, 2000
In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, including polymorphic and metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is created for a given representation and coverage. We propose new data-flow analysis and a novel adoption of existing techniques, such as constraint solving, for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can, using a single exploit, automatically generate a vulnerability signature which is of much higher quality than previous exploit-based signatures.
In addition, our techniques have several other security applications, and thus may be of independent interest.
Exploits for new vulnerabilities, especially when incorporated within a fast spreading worm, can compromise nearly all vulnerable hosts within a short amount of time. This problem demonstrates the need for fast defenses which can react to a new vulnerability quickly. In addition, a realistic defense system should (a) not require source code since in practice most vulnerable systems do not have source code access nor is there adequate time to involve the software vendor, (b) be accurate, i.e., have a negligible false positive rate and low false negative rate, and (c) be efficient, i.e., add little overhead to normal program execution.
Automatic analysis of malicious binaries is necessary in order to scale with the rapid development and recovery of malware found in the wild. The results of automatic analysis are useful for creating defense systems and understanding the current capabilities of attackers.
14th Symposium on Network and Distributed System Security (NDSS), Mar 1, 2007
Application-level protocol analyzers are important components in tools such as intrusion detection systems, firewalls, and network monitors. Currently, protocol analyzers are written in an ad-hoc fashion using low-level languages such as C, incurring a high development cost and security risks inherent in low-level language programming. Motivated by the large number of application-level protocols and new ones constantly emerging, we have architected and prototyped a Generic Application-level Protocol Analyzer (GAPA), ...
2004 Technical Reports by Author, Computer Science Department, School of Computer Science, Carnegie Mellon University. ACAR, Umut A. CMU-CS-04-155. AIROLDI, Edoardo CMU-CS-04-130. AKELLA, Aditya CMU-CS-04-158. ARUNACHALAM, Raghu CMU-CS-04-107, CMU-CS-04-164. BLELLOCH, Guy E. CMU-CS-04-155, CMU-CS-04-166. BLUM, Avrim CMU-CS-04-142. BROWNING, Brett CMU-CS-04-181. BRUMLEY, David CMU-CS-04-113. BRYANT, Randal E. CMU-CS-04-179. BUDIU, Mihai CMU-CS-04-103. BURCH, Hal CMU-CS- ...
Papers by David Brumley