The BlackPage

February 22, 2006

The BlackPage highlights breaking security research submitted by leading corporate professionals, government experts, and members of the underground hacking community.


On The BlackPage: Advances In Anomaly Detection
by Jeff Moss posted February 22, 2006

While we would all love to see bug-free code in our critical applications, we must recognize the reality that we are a long way off from security nirvana. One pragmatic way to make it through until transcendence is to find ways to reliably identify unexpected behavior in our systems as it occurs, and automatically deploy counter-measures. Tzi-cker Chiueh and Stefano Zanero promise to push the state-of-the-art to new levels in the field of software anomaly detection. Their approaches are a bit different from each other, so we hope these presentations will give attendees a lot to chew on and compare/contrast. I really hope to see deployable systems based on the work of these two very bright gentlemen in the near future.


How to Automatically Sandbox IIS With Zero False Positive and Negative

by Tzi-cker Chiueh posted February 22, 2006

Since we published the PAID paper in 2004, people have asked whether the same approach could be extended to the Windows® platform, where only application binaries are available. Originally, we thought it was just a matter of applying a state-of-the-art disassembler such as IDA Pro to a Windows binary to obtain its intermediate form, and then using the original PAID compiler to derive its sandboxing policy. Well, Windows binaries are much more challenging than we thought, because the coverage and accuracy of commercial disassemblers are less than 100%. Since PAID transforms programs, it needs 100% disassembly coverage and accuracy. We then spent the next 12 months building a general Windows binary analysis and transformation infrastructure called BIRD, and used it to develop a binary version of PAID called BPAID, which is the first known system that can automatically derive a sandboxing policy for Windows binaries such as IIS that is guaranteed to produce zero false positives and negatives. This talk will walk you through the details of this adventure.

Host-Based Anomaly Detection On System Calls Arguments

by Stefano Zanero posted February 22, 2006

As probably most of you know, almost any type of algorithm has been applied, sooner or later, to the topic of anomaly detection. Their mileage varies; sometimes the idea is good, sometimes it is plainly crazy. Host-based anomaly detection through the analysis of system calls sequences has been done in almost any way you can think of, but something no one (almost no one) has tinkered with until now is how to deal with system call arguments.

Even informally, you can understand that the argument of a system call is much more indicative of anomalous activity than the call itself. For instance, an "open" may not be suspicious per se, but a "read-write" open of the "/etc/passwd" file by a process which usually does not add users to the system may very well look suspicious.

We have developed a tool which analyzes each argument of the system call, models the contents of each, and then compares it against a "normal" model of previous calls. It is able to cluster system calls and thus detect "different uses" of the same syscall at different points of different programs. It then builds a Markovian model of the sequence, which is then used to trace and flag anomalies.
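To make the three stages above concrete (model each argument, cluster the "uses" of a syscall, then build a Markov model over the sequence of clusters), here is a small added example. It is not the tool described in the talk and not Zanero's code; the training trace, the test trace and the argument abstraction (paths reduced to their directory, everything else kept literal) are all constructed for illustration.

```python
"""Toy host-based anomaly detector over syscall arguments and syscall sequences."""
from collections import Counter, defaultdict
import os

# Constructed training trace of a hypothetical web server: each session is a list
# of (syscall, args) tuples. The server reads pages under /var/www/html and
# appends to logs under /var/log/httpd; nothing else is "normal".
TRAIN_SESSIONS = [
    [("open", ("/var/www/html/index.html", "r")), ("read", (3,)), ("close", (3,)),
     ("open", ("/var/log/httpd/access.log", "a")), ("write", (4,)), ("close", (4,))],
    [("open", ("/var/www/html/about.html", "r")), ("read", (3,)), ("close", (3,)),
     ("open", ("/var/log/httpd/access.log", "a")), ("write", (4,)), ("close", (4,))],
    [("open", ("/var/www/html/img/logo.png", "r")), ("read", (3,)), ("read", (3,)),
     ("close", (3,)), ("open", ("/var/log/httpd/error.log", "a")), ("write", (4,)),
     ("close", (4,))],
]

# Constructed test trace: a read-write open of /etc/passwd from the same program.
TEST_SESSION = [
    ("open", ("/var/www/html/index.html", "r")), ("read", (3,)), ("close", (3,)),
    ("open", ("/etc/passwd", "rw")), ("write", (4,)), ("close", (4,)),
]


def feature(value):
    """Abstract one argument: absolute paths to their directory, others literal."""
    if isinstance(value, str) and value.startswith("/"):
        return "dir:" + os.path.dirname(value)
    return "lit:" + repr(value)


def cluster_of(call):
    """One 'use' of a syscall = its name plus the abstracted argument features."""
    name, args = call
    return (name,) + tuple(feature(a) for a in args)


def label(state):
    """Short printable name for a cluster or the synthetic start state."""
    return state[0] if isinstance(state, tuple) else state


def train(sessions):
    """Learn the known clusters and first-order Markov transition counts."""
    clusters = Counter()
    transitions = defaultdict(Counter)
    for session in sessions:
        prev = "<start>"
        for call in session:
            c = cluster_of(call)
            clusters[c] += 1
            transitions[prev][c] += 1
            prev = c
    return clusters, transitions


def score(session, clusters, transitions, min_prob=0.05):
    """Return [(index, reason), ...] for calls that violate the learned model.

    An argument anomaly is a syscall whose abstracted arguments form a cluster
    never seen in training. A sequence anomaly is a known cluster reached from
    the previous state with probability below min_prob (including never).
    """
    alerts = []
    prev = "<start>"
    for i, call in enumerate(session):
        c = cluster_of(call)
        if c not in clusters:
            alerts.append((i, f"argument anomaly: unseen use {c}"))
        else:
            row = transitions.get(prev)  # None when prev itself was unknown
            if row is not None:
                p = row[c] / sum(row.values())
                if p < min_prob:
                    alerts.append((i, f"sequence anomaly: p({label(c)} | "
                                      f"{label(prev)}) = {p:.2f}"))
        prev = c
    return alerts


def demo():
    """Train on the constructed sessions and score the constructed test session."""
    clusters, transitions = train(TRAIN_SESSIONS)
    return score(TEST_SESSION, clusters, transitions)


if __name__ == "__main__":
    for index, reason in demo():
        print(f"call #{index}: {reason}")
```

The path-to-directory abstraction is the knob that decides what counts as "the same use" of open: too coarse (say, the first path component only) and `/etc/passwd` would merge with anything under `/etc`; too fine (the full path) and every new page under `/var/www/html` becomes a false positive, which is exactly the trade-off the talk is about.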

(c) 1996-2007 Black Hat