In the Shield project, we propose using "data patch" at the network or host firewall or above the file system to protect the vulnerable window between the vulnerability disclosure and code patch application. This vulnerable window has been exploited by all major worm outbreaks to date, such as CodeRed and Blaster.
Software patching has not been an effective first-line defense preventing large-scale worm attacks, even when patches had long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and drop or correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits
In the Shield project, we're showing that this concept is feasible by implementing a prototype Shield framework that filters traffic at the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of a number of known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
This work is published at SIGCOMM 2004 [paper]
Generic Application-Level Protocol Analyzer (GAPA)
Applications such as intrusion detection systems, firewalls, and network management and monitoring tools use protocol analyzers to parse messages and keep track of protocol state. The current practice of writing such analyzers in C or similar languages incurs high development costs and often yields analyzers that are vulnerable to memory corruption and resource consumption attacks. The large and growing number of application-level protocols motivates a new approach. We therefore have architected and prototyped a Generic Application-level Protocol Analyzer (GAPA), consisting of a protocol analysis language (GAPAL) and an analysis engine (the GAPAL run-time) that operates on live network streams or traces. GAPA allows rapid creation of new protocol analyzers that are both memory-safe and DoS-resilient. To support rapid creation, our language provides built-in abstractions for message parsing, protocol state machines, session dispatching, and layering. GAPAL's message parsing supports both text and binary messages with a BNF-like syntax similar to that found in many RFCs, easing message format specification. To bound state accumulation, our analysis engine uses a stream processing model, allowing multi-packet messages to be analyzed without buffering the entire message. We have specified 10 commonly used protocols in GAPAL and found it expressive and easy to use. We measured our GAPA prototype and found that it can handle an enterprise client HTTP workload at up to 60 Mbps, sufficient performance for many end host firewall/IDS scenarios.
This work is published at NDSS 2007. [paper]
Exploit Diversity Study
Remote code injection exploits inﬂict a signiﬁcant societal cost, and an active underground economy has grown up around these continually evolving attacks. We present a methodology for inferring the phylogeny, or evolutionary tree, of such exploits. We have applied this methodology to trafﬁc captured at several vantage points, and we demonstrate that our methodology is robust to the observed polymorphism. Our techniques revealed non-trivial code sharing among different exploit families, and the resulting phylogenies accurately captured the subtle variations among exploits within each family. Thus, we believe our methodology and results are a helpful step to better understanding the evolution of remote code injection exploits on the Internet.
We published this work at IMC 2006. [paper]
ShieldGen: Automated Data Patch Generation for Unknown Vulnerabilities with Informed Probing
In this work, we tackle the problem of automatic data patch or vulnerability signature generation for an unknown vulnerability, given a zero-day attack instance. Unlike previous approaches that employ program analysis, we leverage the knowledge of the data format to generate new potential attack instances and use a zero-day detector as our oracle. With such informed probing and feedback loop, we construct vulnerability signatures. We have implemented a prototype called ShieldGen and experimented with three known vulnerabilities. The generated signatures have no false positives, but may admit a small amount of false negatives largely due to the imprecision of the data format specification. By comparing with the vulnerability signatures generated by the existing schemes, our signatures are noticeably superior. We also conducted a detailed vulnerability study on 40 vulnerabilities over the past three years, and estimate ShieldGen to have a significant coverage with superior signatures to those generated by existing schemes.
This work is published at Oakland 2006. [paper]
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. This approach provides protection for the time window between patch release and patch application. This time window is critical because attackers often reverse engineer newly released patches to gain vulnerability knowledge and then launch attacks against unpatched machines. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield , a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions, such as vulnerability-driven filtering.
We published this paper at OSDI 2006. [paper]
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits
Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier ACM SIGCOMM, August, 2004 Portland, OR [pdf][talk]
A Generic Application-Level Protocol Analyzer and its Language
Nikita Borisov, David J. Brumley, Helen J. Wang, John Dunagan, Pallavi Joshi, and Chuanxiong Guo
The 14th Annual Network & Distributed System Security Symposium (NDSS)
San Diego, CA, Feb, 2007 [pdf]
Finding Diversity in Remote Code Injection Exploits
Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, and Geoffrey M. Voelker
Internet Measurement Conference, Rio de Janeiro, Brazil October, 2006 [pdf]
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing
Weidong Cui, Marcus Peinado, Helen J. Wang, and Michael E. Locasto
IEEE Symposium on Security and Privacy
Oakland, CA, May 20-23, 2007 [pdf]
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir
Usenix OSDI, Seattle, WA December 2006 [pdf]
GAPA has become the foundational software or platform for several lines of Microsoft's security products including Threat Management Gateway (TMG) 2010 (released in December 2009) and Microsoft Security Essential. Numerous GAPA-enabled products are in the pipeline.
In the press
December 4, 2006, InformationWeek: Inside Microsoft Labs
August 2006, Microsoft Research News & Highlights: BrowserShield: Helping Make the Web Safe for Surfers
September 5, 2006, Windows IT Pro: BrowserShield Defends Browsers At Network Borders
September 5, 2006, Ars Technica: Microsoft hefts a heavy mithril BrowserShield
September, 2006, Softpedia: Microsoft Reveals the BrowserShield Research Project
September, 2006, download squad: Microsoft's BrowserShield to nullify malicious sites
March 04, 2004, Seattle Times: Microsoft's researchers display wares at TechFest
June 9, 2004, IDG News Service: Microsoft research targets security, searching. PC World, Info World, Australian Reseller News.com , NetworkWorldFusion, Computer World, PC World Magazine (Australia) Computer Weekly
June 10, 2004, Vnunet.com: Microsoft 'shield' to fight off worms
June 10, 2004, SearchExchange.com: What Microsoft gets for its $7B R&D budget
June 10, 2004, InternetNews.com, What's Under Wraps at Microsoft?
June 11, 2004, SearchWin2000.com: Microsoft grabs spotlight even when it stands pat
June 13, 2004, CRN: Microsoft Research: Beam Me Up Scotty?
The name of our research project coincides with our company's "shield" security strategy. In fact, our research project started before the Microsoft "shield" initiative. Some of the news articles listed here have drawn some connections between the two, which are inaccurate.