The Shield Project


[ Shielding | GAPA | BrowserShield | Exploit Diversity Study | SAV-V | ShieldGen | Discoverer | MashupOS | XSS-Shield | People | Talks | News | Links ]

Shield: First-Line Malware Defense

Software patching has not been an effective first-line defense preventing large-scale worm attacks, even when patches had long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and drop traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits.

In this work, we show that this concept is feasible by implementing a prototype Shield framework that filters traffic at the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of a number of known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and of its impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
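The kind of filter the abstract describes, written here as an added example (not the Shield project's code) for a constructed toy protocol: the shield tracks only the part of the application's state machine needed to reach a hypothetical vulnerable handler, and checks the one field that handler trusts. It never inspects body bytes, so two exploit "variants" with different payloads are dropped identically, and a body split across segments is never buffered. The protocol layout, the 64-byte limit and the traffic are all assumptions made for the example.

```javascript
// Added example, not code from the Shield project: a vulnerability-specific,
// exploit-generic filter for a constructed toy protocol.
//
// Assumed toy protocol: message = type (1 byte) | length (2 bytes, big-endian) | body.
//   0x01 HELLO  body = client name   (first message of a session)
//   0x02 QUERY  body = query string  (only handled by the server after HELLO)
// Hypothetical vulnerability: the server copies a QUERY body into a fixed
// 64-byte buffer, trusting the length field. The shield never looks at body
// bytes (any polymorphic encoding of an exploit is indistinguishable to it);
// it tracks just enough protocol state to know when the vulnerable handler is
// reachable and checks the one field that handler trusts.

const MAX_QUERY_LEN = 64; // hypothetical buffer size in the vulnerable server
const HELLO = 0x01, QUERY = 0x02;

class ShieldSession {
  constructor() {
    this.state = 'INIT'; // partial state machine: INIT -> READY (-> DROPPED)
    this.hdr = [];       // header bytes collected so far for the next message
    this.skip = 0;       // body bytes of the current message still to pass through
  }

  // Feed one TCP segment (Uint8Array). Returns one verdict per message header
  // completed in this segment; the decision is made as soon as the header is
  // complete, so a body split across segments is never buffered.
  feed(segment) {
    const verdicts = [];
    for (const b of segment) {
      if (this.state === 'DROPPED') break;            // session already cut off
      if (this.skip > 0) { this.skip--; continue; }   // body byte: pass through untouched
      this.hdr.push(b);
      if (this.hdr.length < 3) continue;
      const [type, hi, lo] = this.hdr;
      this.hdr = [];
      const len = (hi << 8) | lo;
      const v = this.check(type, len);
      verdicts.push(v);
      if (v.action === 'drop') this.state = 'DROPPED';
      else this.skip = len;
    }
    return verdicts;
  }

  // The vulnerability signature: a QUERY with length > 64 while in READY.
  check(type, len) {
    if (this.state === 'INIT') {
      if (type === HELLO) this.state = 'READY';
      // Anything else before HELLO never reaches the vulnerable handler,
      // so the shield does not need to judge it.
      return { type, len, action: 'pass' };
    }
    if (type === QUERY && len > MAX_QUERY_LEN) {
      return { type, len, action: 'drop', reason: `QUERY length ${len} > ${MAX_QUERY_LEN}` };
    }
    return { type, len, action: 'pass' };
  }
}

// Build a wire message; body may be a string or a Uint8Array.
function encode(type, body) {
  const bytes = typeof body === 'string' ? new TextEncoder().encode(body) : body;
  const out = new Uint8Array(3 + bytes.length);
  out[0] = type; out[1] = bytes.length >> 8; out[2] = bytes.length & 0xff;
  out.set(bytes, 3);
  return out;
}

// Run a list of segments through a fresh session and return all verdicts.
function filterSession(segments) {
  const s = new ShieldSession();
  const all = [];
  for (const seg of segments) all.push(...s.feed(seg));
  return { verdicts: all, finalState: s.state };
}

// Constructed traffic: a benign session, then two oversized QUERY "variants"
// that differ only in body bytes, the second one split across segments.
const benign = [encode(HELLO, 'alice'), encode(QUERY, 'select name')];
const variantA = encode(QUERY, new Uint8Array(200).fill(0x41));
const variantB = encode(QUERY, new Uint8Array(200).map((_, i) => (i * 37) & 0xff));

console.log(filterSession(benign));
console.log(filterSession([encode(HELLO, 'bob'), variantA]));
console.log(filterSession([encode(HELLO, 'bob'), variantB.subarray(0, 2), variantB.subarray(2)]));
```

Because the verdict is taken from the length field rather than from body contents, the filter's false-positive surface is exactly the protocol constraint it encodes, which is what makes such a filter easier to test than a binary patch.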


Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits
Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier
In the Proceedings of ACM SIGCOMM, August, 2004, Portland, OR [pdf] [older]


Generic Application-Level Protocol Analyzer (GAPA)

Applications such as intrusion detection systems, firewalls, and network management and monitoring tools use protocol analyzers to parse messages and keep track of protocol state. The current practice of writing such analyzers in C or similar languages incurs high development costs and often yields analyzers that are vulnerable to memory corruption and resource consumption attacks. The large and growing number of application-level protocols motivates a new approach. We therefore have architected and prototyped a Generic Application-level Protocol Analyzer (GAPA), consisting of a protocol analysis language (GAPAL) and an analysis engine (the GAPAL run-time) that operates on live network streams or traces. GAPA allows rapid creation of new protocol analyzers that are both memory-safe and DoS-resilient. To support rapid creation, our language provides built-in abstractions for message parsing, protocol state machines, session dispatching, and layering. GAPAL's message parsing supports both text and binary messages with a BNF-like syntax similar to that found in many RFCs, easing message format specification. To bound state accumulation, our analysis engine uses a stream processing model, allowing multi-packet messages to be analyzed without buffering the entire message. We have specified 10 commonly used protocols in GAPAL and found it expressive and easy to use. We measured our GAPA prototype and found that it can handle an enterprise client HTTP workload at up to 60 Mbps, sufficient performance for many end host firewall/IDS scenarios.
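The two engine properties described above, a declarative message grammar and stream processing with bounded state, as an added example that is not GAPA's code or its GAPAL language. It analyzes a constructed HTTP-like request format: the grammar is given as regular expressions standing in for a BNF spec, body bytes are handed to the consumer as they arrive and never stored, and the per-message header state is capped so that a header that never ends cannot make the analyzer accumulate memory. The format, the 1024-byte bound and the sample segments are assumptions.

```javascript
// Added example, not GAPA's code: a stream-processing analyzer for a
// constructed HTTP-like request format with a declarative grammar and a
// hard bound on per-message state.

// Message grammar (assumption; regexes stand in for a BNF-style spec):
//   request = request-line CRLF *(header CRLF) CRLF body
//   body    = Content-Length octets
const HTTP_LIKE = {
  maxHeaderBytes: 1024, // bound on state kept for one message before its body
  requestLine: /^([A-Z]+) (\S+) HTTP\/1\.[01]$/,
  headerLine: /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$/,
};

class StreamAnalyzer {
  constructor(spec) {
    this.spec = spec;
    this.events = []; // what a firewall/IDS policy would consume
    this.reset();
  }
  reset() {
    this.state = 'REQUEST_LINE';
    this.line = '';       // partial line, never longer than the header bound
    this.headerBytes = 0; // header bytes of the current message seen so far
    this.msg = null;
    this.bodyLeft = 0;
  }
  fail(reason) { this.state = 'ERROR'; this.events.push({ ev: 'error', reason }); }

  // Feed one chunk of the stream (a string here). Body bytes are reported
  // immediately and not stored, so a multi-packet body is never buffered.
  feed(chunk) {
    let i = 0;
    while (i < chunk.length && this.state !== 'ERROR') {
      if (this.state === 'BODY') {
        const take = Math.min(this.bodyLeft, chunk.length - i);
        this.events.push({ ev: 'body', bytes: take });
        this.bodyLeft -= take;
        i += take;
        if (this.bodyLeft === 0) { this.events.push({ ev: 'message', msg: this.msg }); this.reset(); }
        continue;
      }
      const nl = chunk.indexOf('\n', i);
      const piece = nl === -1 ? chunk.slice(i) : chunk.slice(i, nl + 1);
      if (this.headerBytes + piece.length > this.spec.maxHeaderBytes) {
        this.fail('header exceeds ' + this.spec.maxHeaderBytes + ' bytes');
        break;
      }
      this.headerBytes += piece.length;
      this.line += piece;
      i += piece.length;
      if (nl === -1) break; // wait for more data; buffered state stays bounded
      const text = this.line.replace(/\r?\n$/, '');
      this.line = '';
      this.onLine(text);
    }
    return this;
  }

  onLine(text) {
    if (this.state === 'REQUEST_LINE') {
      const m = this.spec.requestLine.exec(text);
      if (!m) return this.fail('bad request line: ' + JSON.stringify(text));
      this.msg = { method: m[1], target: m[2], headers: {} };
      this.state = 'HEADERS';
    } else if (this.state === 'HEADERS') {
      if (text === '') {
        const cl = this.msg.headers['content-length'];
        const n = cl === undefined ? 0 : Number(cl);
        if (!Number.isInteger(n) || n < 0) return this.fail('bad Content-Length');
        if (n === 0) { this.events.push({ ev: 'message', msg: this.msg }); this.reset(); }
        else { this.bodyLeft = n; this.state = 'BODY'; }
        return;
      }
      const m = this.spec.headerLine.exec(text);
      if (!m) return this.fail('bad header line: ' + JSON.stringify(text));
      this.msg.headers[m[1].toLowerCase()] = m[2];
    }
  }
}

function analyze(spec, chunks) {
  const a = new StreamAnalyzer(spec);
  for (const c of chunks) a.feed(c);
  return a;
}

// Constructed stream: one request split across three segments, with a second,
// pipelined request sharing a segment with the first body's tail.
const segments = [
  'GET /index.html HTTP/1.1\r\nHost: example.test\r\nContent-Le',
  'ngth: 5\r\n\r\nhel',
  'loPOST /submit HTTP/1.1\r\nContent-Length: 0\r\n\r\n',
];
console.log(analyze(HTTP_LIKE, segments).events);
// A header that never terminates is rejected at the bound instead of growing.
console.log(analyze(HTTP_LIKE, ['GET / HTTP/1.1\r\nX: ' + 'a'.repeat(5000)]).events);
```

The bound is checked before a piece is appended, so the analyzer's memory for a session is limited to `maxHeaderBytes` plus the fixed message record regardless of how the sender fragments or stretches the header.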


A Generic Application-Level Protocol Analyzer and its Language
Nikita Borisov, David J. Brumley, Helen J. Wang, John Dunagan, Pallavi Joshi, and Chuanxiong Guo
The 14th Annual Network & Distributed System Security Symposium (NDSS)
San Diego, CA, Feb, 2007 [pdf]

Generic Application-Level Protocol Analyzer and its Language
Nikita Borisov, David J. Brumley, Helen J. Wang, John Dunagan, Pallavi Joshi, and Chuanxiong Guo
Submitted to SIGCOMM 2006, Feb 10, 2006 [pdf]
Submitted to NSDI 2006, Oct 17, 2005 [pdf]
An earlier MSR technical report, Feb 2005 [pdf]

BillG Thinkweek 2005 paper: Generic Application Level Protocol Analyzer and Shield [pdf]



BrowserShield: Vulnerability-Driven Filtering of Dynamic Content

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. This approach provides protection for the time window between patch release and patch application. This time window is critical because attackers often reverse engineer newly released patches to gain vulnerability knowledge and then launch attacks against unpatched machines. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which has become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions, such as vulnerability-driven filtering.
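The rewrite-and-check idea in the paragraph above, as an added toy example that is not BrowserShield's code. Scripts are rewritten so that content injection (`document.write` and `innerHTML` assignment) goes through a run-time library; the library applies a policy and rewrites any script inside the injected markup before running it, so content generated two levels deep is checked the same way as the top-level page. Assumptions: the rewriter is regex-based (BrowserShield parses JavaScript properly), the browser is simulated by a minimal document object, and the policy blocks a placeholder signature (an `<iframe>` whose `name` attribute is longer than 256 characters) standing in for a real vulnerability filter.

```javascript
// Added example, not BrowserShield's code: rewrite content-injecting calls to
// go through a run-time library that applies a policy, recursively.

const NAME_LIMIT = 256; // placeholder threshold for the hypothetical vulnerability

// Policy: return filtered HTML plus how many elements were removed.
function policy(html) {
  let blocked = 0;
  const re = /<iframe\b[^>]*\bname\s*=\s*"([^"]*)"[^>]*>(?:[\s\S]*?<\/iframe>)?/gi;
  const out = html.replace(re, (tag, name) => {
    if (name.length <= NAME_LIMIT) return tag;
    blocked++;
    return '<!-- blocked by BrowserShield policy -->';
  });
  return { html: out, blocked };
}

// Rewriter: route content injection through the run-time library (__bs).
function rewrite(src) {
  return src
    .replace(/\bdocument\.write\s*\(/g, '__bs.write(document, ')
    .replace(/([\w$.]+)\.innerHTML\s*=\s*([^;]+);/g, '__bs.setHTML($1, $2);');
}

// Run-time library that the rewritten page carries with it.
const __bs = {
  blocked: 0,
  inject(html, sink, doc) {
    const r = policy(html);
    this.blocked += r.blocked;
    // Scripts inside injected HTML are rewritten and run here, so dynamically
    // generated scripts get the same instrumentation as the page's own.
    const rest = r.html.replace(/<script>([\s\S]*?)<\/script>/gi, (_, body) => {
      runScript(body, doc);
      return '';
    });
    sink(rest);
  },
  write(doc, ...parts) { this.inject(parts.join(''), s => doc.write(s), doc); },
  setHTML(el, html) { this.inject(html, s => { el.innerHTML = s; }, el.ownerDocument); },
};

// Simulated browser: a document that records written markup.
function makeDocument() {
  const doc = { html: '' };
  doc.write = s => { doc.html += s; };
  doc.createElement = () => ({ innerHTML: '', ownerDocument: doc });
  return doc;
}

// Execute script text against the simulated document, after rewriting it.
function runScript(src, doc) {
  new Function('document', '__bs', rewrite(src))(doc, __bs);
}

// Load a page's script the way an instrumented page would; report what
// ended up in the document and how much the policy removed.
function loadPage(scriptSrc) {
  __bs.blocked = 0;
  const doc = makeDocument();
  runScript(scriptSrc, doc);
  return { html: doc.html, blocked: __bs.blocked };
}

// Constructed scripts: benign, direct, and nested (the offending markup is
// produced by a script that was itself written at run time).
const benignScript = 'document.write("<p>hello</p>");';
const directScript = 'document.write("<iframe name=\\"" + "x".repeat(300) + "\\"></iframe>");';
const innerScript = 'document.write("<iframe name=\\"" + "y".repeat(300) + "\\"></iframe>");';
const nestedScript = 'document.write(' + JSON.stringify('<script>' + innerScript + '</script>') + ');';

console.log(loadPage(benignScript));
console.log(loadPage(directScript));
console.log(loadPage(nestedScript));
```

The nested case is the one a static filter cannot handle: the markup that matches the policy does not exist in the page as served, only in what the inner script writes at run time, and it is caught because the inner script itself was rewritten before it ran.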


OSDI 2006 paper [pdf]
Nov 2006, OSDI talk by Charlie Reis. [ppt]
April 2006, Invited talk at University of Maryland by Helen J. Wang [ppt]
Aug 2005, End-of-internship talk by Charlie Reis. [ppt]
Presentation to Elissa Murphy's group. [ppt]
TechFest 2006 Slide Deck [ppt]

Exploit Diversity Study

Accounting for exploit diversity is an important issue for network defense mechanisms because diversity is an avenue for malware authors to evade potentially stagnant defenses. However, discussions about the prevalence and nature of exploit diversity in the current Internet have been anecdotal at best. Shield, a vulnerability-driven end host firewall, is an ideal tool for detecting attack variations, and gives us a special position from which to conduct the first systematic study of exploit diversity. In doing so, we collected data from a DSL-connected honeypot, extracted exploits using Shield, and performed automated and manual analysis of the exploit payloads. We have observed attack traffic for four well known vulnerabilities: the ones behind Slammer, Sasser, and two variants of Blaster. Among these four vulnerabilities, three manifest diversity in their attacks, and all three have used decoding routines. While the attack diversity on two of the vulnerabilities is very simple, with most exploits concentrated on one variant, the remaining one is clearly polymorphic: it uses one key per exploit, so every exploit for that vulnerability is distinct.

End-of-internship talk by Justin Ma. [ppt]


SAV-V: Securing Anti-Virus with Virtualization

Bryan Parno (CMU), Jay Lorch, Helen J. Wang

Today's desktop PCs rely on security software such as anti-virus products and personal firewalls for protection. Unfortunately, malware authors have adapted by specifically targeting and disabling these defenses, a practice exacerbated by the rise in zero-day exploits. In this paper, we present the design, implementation, and evaluation of a secure execution platform, called SAV-V, for anti-virus software. Our platform leverages virtualization to make AV software resilient to zero-day malware attempting to tamper with it. SAV-V also uses secure logging, a split file system, and fake shutdowns to allow AV software to detect past infections by zero-day malware once signatures become available.

Oakland 2006 submission. [pdf]
Presentation at MSR Brownbag with the AV team. [ppt]


ShieldGen: Automated Data Patch Generation for Unknown Vulnerabilities with Informed Probing

Weidong Cui, Marcus Peinado, Helen J. Wang, Michael Locasto (Columbia)

In this work, we tackle the problem of automatic data patch or vulnerability signature generation for an unknown vulnerability, given a zero-day attack instance. Unlike previous approaches that employ program analysis, we leverage the knowledge of the data format to generate new potential attack instances and use a zero-day detector as our oracle. With such informed probing and feedback loop, we construct vulnerability signatures. We have implemented a prototype called ShieldGen and experimented with three known vulnerabilities. The generated signatures have no false positives, but may admit a small amount of false negatives largely due to the imprecision of the data format specification. By comparing with the vulnerability signatures generated by the existing schemes, our signatures are noticeably superior. We also conducted a detailed vulnerability study on 40 vulnerabilities over the past three years, and estimate ShieldGen to have a significant coverage with superior signatures to those generated by existing schemes.
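The informed-probing loop described above, as an added example that is not ShieldGen's code. Given a constructed data format specification, one attack instance and a black-box detector used as the oracle, each field is replaced with benign values from the specification; fields whose replacement stops the trigger become constraints in the signature, and for a length-driven field the threshold is found by binary search. The format, the oracle (a constructed stand-in for a zero-day detector with a hypothetical "PUT with key longer than 100 bytes" bug) and the attack instance are all assumptions made for the example.

```javascript
// Added example, not ShieldGen's code: derive a vulnerability signature from
// one attack instance by probing the fields of a constructed message format
// against a detector treated as a black box.

// Format specification (assumption): field name, kind, benign sample values.
const FORMAT = [
  { name: 'cmd',     kind: 'enum',   values: ['GET', 'PUT', 'DEL'] },
  { name: 'key',     kind: 'string', maxLen: 1024 },
  { name: 'flags',   kind: 'enum',   values: [0, 1, 2] },
  { name: 'payload', kind: 'string', maxLen: 4096 },
];

// Constructed stand-in for the zero-day detector. The hypothetical bug: a PUT
// whose key exceeds 100 bytes. The generator never sees this condition.
function oracle(msg) {
  return msg.cmd === 'PUT' && msg.key.length > 100;
}

// Constructed zero-day attack instance; its payload is an arbitrary blob.
const attackInstance = { cmd: 'PUT', key: 'K'.repeat(300), flags: 2, payload: 'x'.repeat(500) };

function generateSignature(instance, format, detector) {
  let queries = 0;
  const det = m => { queries++; return detector(m); };
  const sig = {};
  for (const f of format) {
    if (f.kind === 'enum') {
      // Which enum values keep the attack alive? If all do, the field is irrelevant.
      const live = f.values.filter(v => det({ ...instance, [f.name]: v }));
      if (live.length < f.values.length) sig[f.name] = { in: live };
    } else if (f.kind === 'string') {
      const orig = instance[f.name];
      // Emptying the field still triggers: the field plays no role.
      if (det({ ...instance, [f.name]: '' })) continue;
      // Same length, different bytes still triggers: the constraint is on length.
      if (!det({ ...instance, [f.name]: 'Z'.repeat(orig.length) })) {
        sig[f.name] = { equals: orig }; // conservative fallback: exact bytes
        continue;
      }
      // Binary-search the smallest length that still triggers.
      let lo = 0, hi = orig.length; // invariant: lo does not trigger, hi does
      while (hi - lo > 1) {
        const mid = (lo + hi) >> 1;
        if (det({ ...instance, [f.name]: 'Z'.repeat(mid) })) hi = mid; else lo = mid;
      }
      sig[f.name] = { minLen: hi };
    }
  }
  return { sig, queries };
}

// Apply a generated signature as a filter.
function matches(sig, msg) {
  return Object.entries(sig).every(([field, c]) =>
    (c.in === undefined || c.in.includes(msg[field])) &&
    (c.minLen === undefined || msg[field].length >= c.minLen) &&
    (c.equals === undefined || msg[field] === c.equals));
}

const result = generateSignature(attackInstance, FORMAT, oracle);
console.log(JSON.stringify(result));
// A variant with different key bytes and payload is still caught; a benign
// PUT with a 100-byte key and a long GET key are not.
console.log(matches(result.sig, { cmd: 'PUT', key: 'q'.repeat(150), flags: 0, payload: '' }));
console.log(matches(result.sig, { cmd: 'PUT', key: 'q'.repeat(100), flags: 0, payload: '' }));
```

The generated signature carries only the fields that the probes showed to matter, which is why it generalizes across exploit variants; how precisely it matches the real vulnerable condition depends entirely on how faithfully the format specification enumerates the fields and their benign values.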

Oakland 2006 submission. [pdf]



Discoverer for Protocol Reverse-Engineering

Weidong Cui, Helen J. Wang, Jayanth Kannan (UC Berkeley)

Discoverer is a tool that reverse-engineers protocol specifications directly from network traces. It automatically infers both the message format and the protocol state machine. One can use such information to fingerprint protocols, detect tunneling, and guide penetration tests. We have successfully reverse engineered a text protocol (SMTP) and observed promising results on reverse engineering a complex binary protocol (SMB). We are continuing our experiments over a number of protocols as well as the applications of Discoverer.


MashupOS

Xiaofeng Fan, Jon Howell, Collin Jackson (Stanford), Helen J. Wang

Web mashups have created a new generation of wildly popular and successful web services, marking a paradigm shift in web service development. In this project, we aim to build a MashupOS that provides OS abstractions over underlying web browser resources and allows JavaScript gadgets that are mashed up together to share those resources in a secure and controlled fashion.

Subspace: Secure Cross-Domain Communication for Web Mashups (Submission to WWW 2007) [pdf]

MashupOS: Operating System Abstractions for Client Mashups (position paper submission to HotOS 2007) [pdf]


XSS-Shield

Xiaofeng Fan, Helen J. Wang

Cross site scripting (XSS) attacks have surged over the past few years on the Web. Existing mitigation is either incomplete or heuristics-based, which lags behind in the arms race with attackers who circumvent known heuristics and find creative ways to inject malicious scripts. In XSS-Shield, we target the root cause of XSS, which is unexpected script execution in a page. To this end, we introduce the <scriptfree> tag for a web page to create a scriptfree context in which no script is parsed or executed. In addition to advocating the adoption of <scriptfree> in existing browsers, we also prototyped an XSS-Shield system that is <scriptfree>-capable on the server side to detect XSS attacks. Such an XSS-Shield system can be deployed today to combat XSS attacks.
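A server-side check in the spirit of the <scriptfree>-capable prototype, written here as an added example that is not XSS-Shield's code. Untrusted data is only ever rendered inside <scriptfree> regions, so once the response is assembled, any markup inside a region that would start script execution in a browser is by definition unexpected and is reported. The tag and its meaning come from the page; the detectors, the template and the sample inputs are constructed for the example, and the check also reports a closing </scriptfree> the server did not emit, since that is how untrusted data would try to leave the context.

```javascript
// Added example, not XSS-Shield's code: scan <scriptfree> regions of a
// rendered page for markup that would start script execution.

// Constructed detectors for markup that starts script execution in a browser.
const SCRIPT_STARTERS = [
  { kind: 'script-element', re: /<\s*script\b/i },
  { kind: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/i },
  { kind: 'javascript-url', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { kind: 'active-content', re: /<\s*(?:object|embed|svg)\b/i },
];

// Returns the number of regions found and a list of findings. More closing
// tags than opening tags means untrusted data closed a region early.
function checkScriptfree(html) {
  const findings = [];
  const opens = (html.match(/<scriptfree>/gi) || []).length;
  const closes = (html.match(/<\/scriptfree>/gi) || []).length;
  if (closes > opens) findings.push({ region: null, kind: 'context-escape' });
  const region = /<scriptfree>([\s\S]*?)<\/scriptfree>/gi;
  let m, n = 0;
  while ((m = region.exec(html)) !== null) {
    n++;
    for (const d of SCRIPT_STARTERS) {
      if (d.re.test(m[1])) findings.push({ region: n, kind: d.kind });
    }
  }
  return { regions: n, findings };
}

// Constructed template: the only untrusted value lands inside <scriptfree>.
function renderCommentPage(userText) {
  return '<html><body><h1>Comments</h1>' +
    '<scriptfree><div class="comment">' + userText + '</div></scriptfree>' +
    '</body></html>';
}

// Constructed inputs: ordinary formatting, several ways script could end up
// in the region, and an attempt to close the region early.
const SAMPLES = {
  benign: 'Nice post, <b>thanks</b>!',
  scriptTag: 'hi <script>track()</script>',
  handler: '<img src="x" onerror="track()">',
  jsUrl: '<a href="javascript:track()">link</a>',
  escape: '</scriptfree><script>track()</script>',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, checkScriptfree(renderCommentPage(text)).findings.map(f => f.kind));
}
```

The escape sample shows why the server must guarantee that untrusted data cannot contain the closing tag: the script it smuggles in sits outside every region, so only the open/close mismatch reveals it.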

XSS-Shield powerpoint: [ppt]



People

Xiaofeng Fan
Weidong Cui
John Dunagan
Helen J. Wang (Project leader)

Summer Interns 2004

Nikita Borisov (U. C. Berkeley)
David Brumley (CMU)

Summer Interns 2005

Pallavi Joshi (Indian Institute of Technology, Kharagpur)
Charlie Reis (U.W. Seattle)
Justin Ma (U. C. San Diego)

Summer Interns 2006

Bryan Parno (CMU)
Jayanth Kannan (U.C. Berkeley)
Michael Locasto (Columbia U.)

BrowserShield ISA Counterparts

Opher Dubrovsky (ISA PM)
Saher Esmeir (Intern from Technion University)

Alumni

Chuanxiong Guo (former MSR-A)
Dan Simon (MSR-R)
Alf Zugenmaier (former MSR-C)

Talks

Shield project overview, Jan 4, 2005 "The Shield Project" [ppt]

MSR TAB Presentation, October 24, 2005 "The Shield Project Update" [ppt]

Microsoft Faculty Summit 2005 "Shield and Friends Troubleshooting Network" [ppt]

An internal GAPA talk [ppt]

MSR TAB Presentation, October 25, 2004 "Shield: First-Line Worm Defense" [ppt]

ACM SIGCOMM 2004 presentation [pdf]

MSR Cool Talk Series: "Shield: First-Line Worm Defense" [pdf] [Recording] March 25, 2004.

UCSD system and networking seminar: "Shield: First-Line Worm Defense" [pdf] Feb 25, 2004.


Our work in the News

December 4, 2006, InformationWeek: Inside Microsoft Labs

August 2006, Microsoft Research News & Highlights: BrowserShield: Helping Make the Web Safe for Surfers

September 4, 2006, eWeek: Microsoft Research Builds 'BrowserShield'. The same article is also posted at Slashdot, newwin.net, OSNews.com, cgisecurity.com, IT professionals, clipmarks, The NewTech

September 5, 2006, Windows IT Pro: BrowserShield Defends Browsers At Network Borders

September 5, 2006, Ars Technica: Microsoft hefts a heavy mithril BrowserShield

September, 2006, Softpedia: Microsoft Reveals the BrowserShield Research Project

September, 2006, download squad: Microsoft's BrowserShield to nullify malicious sites

March 04, 2004, Seattle Times: Microsoft's researchers display wares at TechFest

June 9, 2004, IDG News Service: Microsoft research targets security, searching. PC World, Info World, Australian Reseller News.com, NetworkWorldFusion, Computer World, PC World Magazine (Australia), Computer Weekly

June 10, 2004, CNet: "Microsoft Researchers Dream Big", news.com, New York Times, Silicon.com (UK), ZDNet UK, CNet Asia, ZDNet

June 10, 2004, Vnunet.com: Microsoft 'shield' to fight off worms

June 10, 2004, SearchExchange.com: What Microsoft gets for its $7B R&D budget

June 10, 2004, InternetNews.com, What's Under Wraps at Microsoft?

June 11, 2004, SearchWin2000.com: Microsoft grabs spotlight even when it stands pat

June 13, 2004, CRN: Microsoft Research: Beam Me Up Scotty?

The name of our research project coincides with our company's "shield" security strategy. In fact, our research project started before the Microsoft "shield" initiative. Some of the news articles listed here draw connections between the two that are inaccurate.


Links

Vulnerability/Worm Information

PC Virus
PestPatrol
HogWash (IPS using Snort rules)
Symantec Internet Security Threat Report 2003
Trend of Malware Today: Annual Virus Round-up and 2004 Forecast
MSBlast
Worm Information Center
Secure Windows Initiative
Chris Walker's summary
Pat Wickline's Root Cause Analysis site
Soft Patching
IE Vulnerabilities
IIS Vulnerabilities
IIS 5.x Test Suite, webtest.exe
IE Vulnerabilities
IE test cases
Microsoft Security Bulletin
Security Focus
CERT
Snort

Documentation

Opengroup RPC
WinSock Programmer's FAQ
Documentation for DoJ

Tools

Magellan Code Injection Tool
Retina worm traffic generation

News Stories

Security Product Flaws Attract Attackers FrankenPatch
Mutating software could predict hacker attacks



Last update: November 22, 2006