A3: Automating Attack Recovery and Adaptive Filtering for Enhanced Application Security
Table of Contents
A3
A3 automates attack recovery to restore service, isolate attack inputs, and diagnose and repair vulnerabilities using filter generation and program repair.
Research
- what are the actual issues facing application teams
- this is a talk to the public
- protecting data
- adaptive systems that can respond to attacks
Adaptive Filtering
- QoS
- Survivability
This appears to be for the military but seems like odd project work. There seems to be a significant amount of money looking at
- how to you detect faults
- repair is next
https://en.wikipedia.org/wiki/Shellshock_(software_bug)
- detect attacks
- how is adaptability different that static analysis
- automated code changes
- find issues
- limited to command line
- bash is self contained
- example from bash driven cgi?
Protect -> Detech -> Adapt
- how does a system create a reproduction
- people talking about network layer: feels like 2000 interviews
- still feels like people sticking with what they know
Workflow
- inbound data
- detech failure
- replay sample input
- run regression suite
- iterate on code isolation, fix test, and regression
- deploy
Attacks
CVE 2015-1547
DNS attack: crafted packet causes system crash.
Requires central logging: all inbound packets, all ips, all logs between nginx and dns. How do you identify malicious attacks and then do signal extraction.
Project
- Pull down the attack pcap files
- Create appliance that proxies to the application stack
- Detect standard function call paths
- Create a transition matrix that tracks anomalous code paths
- Detect timing considerations
- Instrument binaries that are executed
The sheer amount of data coming in from all instrumented applications would be astounding. Would reqiure second level warning notes of failures.