Towards Practical Automatic Generation of Multipath Vulnerability Signatures

Signature-based defense systems are one of the most popular architectures for defending against exploits of vulnerabilities. At the heart of a signature-based defense system is the signature generation mechanism. Since manual signature generation tends to be slow and error-prone, we need automatic signature generation techniques. In this paper, we present the first practical approach for automatically creating vulnerability signatures which recognize different exploit variants of a vulnerability regardless of the execution path they take. Vulnerability signatures are based on the semantics of the vulnerability in the program itself, thus are more accurate than other types of signatures. A key limitation of previous vulnerability signature generation approaches is that they were only able to demonstrate signature generation for a single program path that an exploit may take to exploit a vulnerability. However, there may be multiple program paths which an exploit can take to the vulnerability, resulting in unacceptably many false negatives if only one path is covered by the signature. We address this shortcoming by presenting and implementing techniques for automatically generating practical vulnerability signatures which cover multiple paths. By covering multiple paths, our signatures have lower false negatives than previous approaches, while still guaranteeing zero false positives.
