Threat Research & Response Blog
Last week at CanSecWest I had the pleasure of watching the MMPC’s security research team present on a technology we have been working on to speed up the analysis of vulnerabilities. The motivation behind this work is to automate the otherwise laborious process of analyzing exploits: quickly identifying the malicious input bytes, identifying how the shellcode comes to be executed and, in general, narrowing the search space for further manual analysis. The ability to respond quickly to an emerging threat is critical in our space. As we extend our capability in the next version of Forefront with our Network Inspection System, our research team must be able to address a variety of exploits and vulnerabilities, do so efficiently, and handle whatever scale falls within the scope of coverage. It is with all of this in mind that we have created a toolset we refer to as Paladin, which supports rapid and scalable vulnerability analysis.
Building on work from MS Research and Incubation, we start from a base of technology previously referred to as “Vigilante”. Vigilante was designed as an automated worm containment system. It uses dynamic data-flow analysis to track how untrusted data flows through a program and to block that data from being executed or from deciding where execution goes. It has three parts: program instrumentation, which monitors how untrusted data is used; a detection engine, which applies dynamic data-flow analysis to identify attacks and generate alerts; and a filter generator, which creates signatures against the attack.
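To make those three parts concrete, here is a small added example of dynamic data-flow (taint) tracking written for this post; it is not Paladin’s or Vigilante’s code. The machine model is a constructed one: a 64-byte memory with a hypothetical 16-byte stack buffer at address 0, the saved return address right after it, and trusted caller code at address 48. Every memory byte carries a taint label (the set of untrusted input offsets it was derived from); the instrumented copy labels bytes, the detection engine raises an alert when a control transfer uses a tainted target or lands on tainted bytes, and the filter generator turns the alert back into a condition on the input. The sample inputs are constructed for the example.

```python
"""Toy dynamic data-flow (taint) tracker in the spirit of Vigilante.

Constructed illustration, not Paladin's or Vigilante's code.  Memory is 64 bytes:
a 16-byte stack buffer at address 0, the 2-byte little-endian saved return
address right after it at address 16, and trusted "caller" code at address 48.
Every memory byte carries a taint label: the set of untrusted-input offsets it
was derived from (an empty set means trusted).
"""
from dataclasses import dataclass, field

MEM_SIZE = 64
BUF_ADDR, BUF_SIZE = 0, 16   # hypothetical stack buffer (assumed layout)
RET_ADDR = 16                # saved return address sits right after it
CALLER_ADDR = 48             # legitimate return target, trusted


@dataclass
class Machine:
    mem: bytearray = field(default_factory=lambda: bytearray(MEM_SIZE))
    taint: list = field(default_factory=lambda: [frozenset()] * MEM_SIZE)
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        # trusted code stored the return address before any input arrived
        self.mem[RET_ADDR:RET_ADDR + 2] = CALLER_ADDR.to_bytes(2, "little")

    # --- program instrumentation: label every byte written from input
    def copy_from_input(self, dst, data):
        if dst + len(data) > MEM_SIZE:
            raise ValueError("input does not fit the modelled memory")
        for i, b in enumerate(data):
            self.mem[dst + i] = b
            self.taint[dst + i] = frozenset({i})   # came from input byte i

    def load16(self, addr):
        value = self.mem[addr] | (self.mem[addr + 1] << 8)
        labels = self.taint[addr] | self.taint[addr + 1]   # taint propagates
        return value, labels

    # --- detection engine: check the two things an exploit has to do
    def transfer_control(self, target, labels):
        if labels:   # the jump target itself was computed from input bytes
            self.alerts.append({"kind": "tainted control transfer",
                                "target": target,
                                "input_offsets": sorted(labels)})
        if target < MEM_SIZE and self.taint[target]:   # landing on input = shellcode
            self.alerts.append({"kind": "execution of untrusted bytes",
                                "target": target,
                                "input_offsets": sorted(self.taint[target])})
        return not self.alerts


def run_vulnerable_function(untrusted: bytes) -> Machine:
    """Models strcpy(buf, input) with no length check, followed by 'ret'."""
    m = Machine()
    m.copy_from_input(BUF_ADDR, untrusted)   # overflows when len > BUF_SIZE
    target, labels = m.load16(RET_ADDR)
    m.transfer_control(target, labels)
    return m


# --- filter generator: turn the alert back into a condition on the input
def generate_filter(machine: Machine, untrusted: bytes):
    """Returns ((offset, byte), ...) for the input bytes that chose the jump target."""
    offsets = set()
    for alert in machine.alerts:
        if alert["kind"] == "tainted control transfer":
            offsets.update(alert["input_offsets"])
    return tuple(sorted((off, untrusted[off]) for off in offsets))


def filter_matches(flt, candidate: bytes) -> bool:
    return all(len(candidate) > off and candidate[off] == val for off, val in flt)


# constructed sample inputs: a NOP sled whose saved return address points back
# into the buffer (offset 2), and a benign string that fits the buffer
EXPLOIT = b"\x90" * BUF_SIZE + (2).to_bytes(2, "little")
BENIGN = b"hello world"

if __name__ == "__main__":
    m = run_vulnerable_function(EXPLOIT)
    for alert in m.alerts:
        print(alert)
    flt = generate_filter(m, EXPLOIT)
    print("filter:", flt)
    print("exploit matches:", filter_matches(flt, EXPLOIT),
          "benign matches:", filter_matches(flt, BENIGN))
```

Running it on the constructed exploit yields two alerts: the return address was built from input offsets 16 and 17, and execution would land on input offset 2 (the start of the sled), which is exactly the “which bytes and how is the shellcode reached” narrowing described above. The filter that falls out is a condition on offsets 16 and 17 only, so it still matches an exploit with a different sled, while the benign input passes untouched. A real system would also generalize the filter (for example over alternative return addresses) rather than pin the exact bytes, which this toy does not attempt.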
The results of this technology are very positive on memory corruption vulnerabilities and allow our research team to dramatically decrease the time spent analyzing them. While it is true that there are types of vulnerabilities that Paladin is not perfectly suited for today, we are working diligently to extend this capability toward broader coverage and higher efficacy. Expect to hear more about Paladin in the months to come, and to benefit from this and related research today if you are a customer running the beta of the next version of Forefront Threat Management Gateway with our Network Inspection System.