CRCS Privacy & Security Lunch Seminar - Wed. March 21

Speaker: Helen Wang, Microsoft Research
Date: Wednesday, 21 March
Time: talk 12-1, discussion 1-1:30 (lunch provided)
Place: Maxwell Dworkin 119

Helen J. Wang is a researcher from Microsoft Research, Redmond. She has been leading the Shield research project (http://research.microsoft.com/research/shield/), which encompasses a number of projects in the area of malware defense and web security. Her current research interests are in system security. Helen received her Ph.D. from the Computer Science department in 2001.

Abstract:

In this talk, I will present several of our research efforts in the theme of vulnerability-driven filtering.

Shield was proposed as a patch alternative or intermediary addressing the deployment problem of patches. Instead of patching the software binary, Shield patches the network input of vulnerable applications. Shield utilizes a generic protocol analyzer and a domain-specific protocol specification language for analyzing network traffic and specifying and enforcing vulnerability signatures. This work was published at ACM SIGCOMM 2004.

In the BrowserShield project, we take Shield’s vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. This work was published at Usenix OSDI 2006.

The rise of zero-day attacks motivated us to undertake the ShieldGen project and explore the possibilities of automatically generating Shield signatures (that were manually constructed in the past) for an observed zero-day attack instance. In ShieldGen, we leverage knowledge of the data format to generate new potential attack instances, probes, and use a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability; the feedback of the oracle guides our search for the vulnerability signature. Experimental results indicate that our signatures are free of false positives, but with a low rate of false negatives. This work will be published at IEEE Symposium on Security and Privacy 2007.
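The probe-and-oracle loop described in the ShieldGen paragraph can be illustrated with a small sketch. This is an added example, not code from the talk or from the ShieldGen project; the message format, the simulated detector, and the per-field search strategy (including the assumption that exploitability is monotonic in field length) are all constructed for illustration.

```python
# Constructed toy format: field name -> kind (an assumption of this sketch).
FORMAT = {"opcode": "enum", "flags": "enum", "name": "bytes"}
ENUM_VALUES = range(16)   # constructed value space for enum fields

def oracle(msg):
    """Stand-in for the zero-day detector: True if msg still triggers the
    constructed bug (opcode 7 copies `name` into a 64-byte buffer)."""
    return msg["opcode"] == 7 and len(msg["name"]) > 64

def generate_signature(attack, oracle):
    """Probe one field at a time, keeping the rest as in the observed attack."""
    assert oracle(attack), "seed instance must be a real attack"
    sig = {}
    for field, kind in FORMAT.items():
        if kind == "enum":
            # Which values of this field still let the exploit work?
            bad = {v for v in ENUM_VALUES if oracle({**attack, field: v})}
            if bad != set(ENUM_VALUES):   # otherwise the field is a don't-care
                sig[field] = ("in", frozenset(bad))
        else:
            # Binary search for the shortest length that still exploits;
            # hi starts at the observed length, which is known to exploit.
            lo, hi = 0, len(attack[field])
            while lo < hi:
                mid = (lo + hi) // 2
                if oracle({**attack, field: b"A" * mid}):
                    hi = mid
                else:
                    lo = mid + 1
            if lo > 0:
                sig[field] = ("len>=", lo)
    return sig

def matches(sig, msg):
    """Apply the generated signature as a filter: all conditions must hold."""
    for field, (op, arg) in sig.items():
        if op == "in" and msg[field] not in arg:
            return False
        if op == "len>=" and len(msg[field]) < arg:
            return False
    return True

ATTACK = {"opcode": 7, "flags": 3, "name": b"A" * 300}   # constructed sample
SIGNATURE = generate_signature(ATTACK, oracle)
```

The resulting signature covers attack variants the seed never contained (any `flags` value, any `name` of 65 bytes or more) while leaving benign messages alone. Probing fields independently is a simplification of this sketch.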
