Issue No. 4, October-December 2008 (vol. 5)
pp. 224-241
David Brumley , Carnegie Mellon University, Pittsburgh
James Newsome , Carnegie Mellon University, Pittsburgh
Dawn Song , Carnegie Mellon University, Pittsburgh
Hao Wang , University of Wisconsin - Madison, Madison
Somesh Jha , University of Wisconsin - Madison, Madison
ABSTRACT
In this paper, we explore the problem of creating vulnerability signatures. A vulnerability signature is based on a program vulnerability, and is not specific to any particular exploit. The advantage of vulnerability signatures is that their quality can be guaranteed. In particular, we create vulnerability signatures which are guaranteed to have zero false positives. We show how to automate signature creation for any vulnerability that can be detected by a runtime monitor. We provide a formal definition of a vulnerability signature, and investigate the computational complexity of creating and matching vulnerability signatures. We systematically explore the design space of vulnerability signatures. We also provide specific techniques for creating vulnerability signatures in a variety of language classes. In order to demonstrate our techniques, we have built a prototype system. Our experiments show that we can, using a single exploit, automatically generate a vulnerability signature as a regular expression, as a small program, or as a system of constraints. We demonstrate techniques for creating signatures of vulnerabilities which can be exploited via multiple program paths. Our results indicate that our approach is a viable option for signature generation, especially when guarantees are desired.
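The abstract contrasts exploit-specific signatures with vulnerability signatures that agree with a runtime monitor and therefore have no false positives. The following Python is an added illustration of that distinction; it is not code from the paper or its prototype. It assumes a hypothetical server that copies the path token of a "GET <path> ..." request into a 64-byte buffer with strcpy-like semantics, so the vulnerability condition is "path token of 64 bytes or more". The request samples are constructed for the example. Two of the paper's signature classes are shown (a regular expression and a system of constraints derived from the single exploit's path) alongside an exploit-specific byte-pattern signature, and each is scored against the monitor.

```python
"""Exploit-based versus vulnerability-based signatures on a toy request parser.

Hypothetical target (assumption, not from the paper): the path token of a
"GET <path> ..." request is copied into a fixed 64-byte stack buffer. A token
of 63 bytes plus its NUL terminator fits; 64 or more bytes overflow it.
"""
import re
from typing import Callable, List

BUF_LEN = 64  # assumed size of the vulnerable buffer


def overflow_monitor(req: bytes) -> bool:
    """Runtime monitor: replays the vulnerable parse and reports whether the
    copy would overflow. This is the oracle a vulnerability signature must
    agree with (signature fires => monitor fires) to have zero false positives."""
    if not req.startswith(b"GET "):
        return False
    token = re.match(rb"\S*", req[4:]).group(0)  # sscanf "%s"-style token
    return len(token) + 1 > BUF_LEN              # token plus NUL terminator


# --- exploit-based signature: the byte pattern seen in the one sample exploit ---
NOP_SLED = b"\x90" * 8


def exploit_signature(req: bytes) -> bool:
    return NOP_SLED in req


# --- vulnerability signature, regular-expression class ---
VULN_REGEX = re.compile(rb"\AGET \S{%d}" % BUF_LEN)


def regex_signature(req: bytes) -> bool:
    return VULN_REGEX.match(req) is not None


# --- vulnerability signature, symbolic-constraint class ---
# Conjunction of constraints on the input along the exploit's program path:
# the method must be GET and the first BUF_LEN bytes after it must contain no
# whitespace, i.e. the path token runs to at least BUF_LEN bytes.
CONSTRAINTS = [
    ("req[0:4] == b'GET '", lambda r: r[:4] == b"GET "),
    ("len(req) >= 4 + BUF_LEN", lambda r: len(r) >= 4 + BUF_LEN),
    ("no whitespace in req[4:4+BUF_LEN]",
     lambda r: re.search(rb"\s", r[4:4 + BUF_LEN]) is None),
]


def constraint_signature(req: bytes) -> bool:
    return all(pred(req) for _, pred in CONSTRAINTS)


def false_positives(sig: Callable[[bytes], bool], inputs: List[bytes]) -> List[bytes]:
    """Inputs the signature flags although the monitor says no overflow."""
    return [x for x in inputs if sig(x) and not overflow_monitor(x)]


def false_negatives(sig: Callable[[bytes], bool], inputs: List[bytes]) -> List[bytes]:
    """Inputs that overflow although the signature misses them."""
    return [x for x in inputs if overflow_monitor(x) and not sig(x)]


# Constructed sample traffic (not real captures).
SAMPLE_EXPLOIT = b"GET /" + NOP_SLED + b"\x90" * 52 + b"\xcc" * 8 + b" HTTP/1.0\r\n"  # 69-byte path
POLYMORPHIC = b"GET /" + b"A" * 70 + b" HTTP/1.0\r\n"      # same bug, different filler
BENIGN = b"GET /index.html HTTP/1.0\r\n"
BENIGN_WITH_SLED = b"GET /index.html HTTP/1.0\r\nX-Pad: " + NOP_SLED + b"\r\n"  # sled, no overflow
AT_LIMIT = b"GET /" + b"a" * 62 + b" HTTP/1.0\r\n"          # 63-byte path, still fits
SAMPLES = [SAMPLE_EXPLOIT, POLYMORPHIC, BENIGN, BENIGN_WITH_SLED, AT_LIMIT]

if __name__ == "__main__":
    for name, sig in [("exploit pattern", exploit_signature),
                      ("vuln regex", regex_signature),
                      ("vuln constraints", constraint_signature)]:
        fp, fn = false_positives(sig, SAMPLES), false_negatives(sig, SAMPLES)
        print(f"{name:16} false positives={len(fp)} false negatives={len(fn)}")
```

On these samples the exploit-pattern signature both misses the polymorphic variant and fires on a benign request that happens to carry the sled bytes in a header, while both vulnerability signatures agree with the monitor everywhere, including at the 63/64-byte boundary. In the paper, the constraint and regular-expression forms are derived from the program rather than written by hand; this example only shows what the resulting objects look like and how the zero-false-positive property is checked against the monitor.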
INDEX TERMS
Security, Security and Protection, Network-level security and protection
CITATION
David Brumley, James Newsome, Dawn Song, Hao Wang, Somesh Jha, "Theory and Techniques for Automatic Generation of Vulnerability-Based Signatures", IEEE Transactions on Dependable and Secure Computing, vol.5, no. 4, pp. 224-241, October-December 2008, doi:10.1109/TDSC.2008.55
REFERENCES
[1] C. Cerrudo, Story of a Dumb Patch, http://argeniss.com/researchMSBugPaper.pdf , 2005.
[2] T. Detristan, T. Ulenspiegel, Y. Malcom, and M.V. Underduk, Polymorphic Shellcode Engine Using Spectrum Analysis, http://www.phrack.org/show.php?p=61&a=9 , 2003.
[3] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, “Polymorphic Worm Detection Using Structural Information of Executables,” Proc. Int'l Symp. Recent Advances in Intrusion Detection, 2005.
[4] J. Newsome, B. Karp, and D. Song, “Polygraph: Automatically Generating Signatures for Polymorphic Worms,” Proc. IEEE Symp. Security and Privacy, May 2005.
[5] M. Jordan, “Dealing with Metamorphism,” Virus Bull. Magazine, 2002.
[6] P. Szor, “Hunting for Metamorphic,” Proc. 11th Ann. Virus Bull. Conf. and Exhibition, 2001.
[7] “Metasploit,” http://metasploit.org, 2008.
[8] H.J. Wang, C. Guo, D. Simon, and A. Zugenmaier, “Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits,” Proc. ACM SIGCOMM '04, Aug. 2004.
[9] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham, “Vigilante: End-to-End Containment of Internet Worms,” Proc. 20th ACM Symp. Operating System Principles (SOSP), 2005.
[10] P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee, “Polymorphic Blending Attacks,” Proc. 15th Usenix Security Symp., 2006.
[11] S. Chung and A. Mok, “Allergy Attack against Automatic Signature Generation,” Proc. Ninth Int'l Symp. Recent Advances in Intrusion Detection (RAID), 2006.
[12] J. Newsome, B. Karp, and D. Song, “Paragraph: Thwarting Signature Learning by Training Maliciously,” Proc. Ninth Int'l Symp. Recent Advances in Intrusion Detection (RAID '06), Sept. 2006.
[13] R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif, “Misleading Worm Signature Generators Using Deliberate Noise Injection,” Proc. IEEE Symp. Security and Privacy, May 2006.
[14] J. Newsome and D. Song, “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software,” Proc. 12th Ann. Network and Distributed System Security Symp. (NDSS '05), Feb. 2005.
[15] Z. Liang and R. Sekar, “Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers,” Proc. 12th ACM Conf. Computer and Comm. Security (CCS), 2005.
[16] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha, “Towards Automatic Generation of Vulnerability-Based Signatures,” Proc. IEEE Symp. Security and Privacy, pp. 2-16, 2006.
[17] D. Brumley, H. Wang, S. Jha, and D. Song, “Creating Vulnerability Signatures Using Weakest Pre-Conditions,” Proc. 20th IEEE Computer Security Foundations Symp. (CSF), 2007.
[18] J. Crandall, Z. Su, S.F. Wu, and F. Chong, “On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits,” Proc. 12th ACM Conf. Computer and Comm. Security (CCS), 2005.
[19] H.-A. Kim and B. Karp, “Autograph: Toward Automated, Distributed Worm Signature Detection,” Proc. 13th Usenix Security Symp., Aug. 2004.
[20] C. Kreibich and J. Crowcroft, “Honeycomb—Creating Intrusion Detection Signatures Using Honeypots,” Proc. Second Workshop Hot Topics in Networks (HotNets '03), Nov. 2003.
[21] S. Singh, C. Estan, G. Varghese, and S. Savage, “Automated Worm Fingerprinting,” Proc. Sixth ACM/Usenix Symp. Operating System Design and Implementation (OSDI '04), Dec. 2004.
[22] Z. Li, M. Sanghi, B. Chavez, Y. Chen, and M.-Y. Kao, “Hamsa: Fast Signature Generation for Zero-Day Polymorphic Worms with Provable Attack Resilience,” Proc. IEEE Symp. Security and Privacy, 2006.
[23] P. Godefroid, N. Klarlund, and K. Sen, “DART: Directed Automated Random Testing,” Proc. ACM SIGPLAN Int'l Conf. Programming Language Design and Implementation (PLDI), 2005.
[24] K. Sen, D. Marinov, and G. Agha, “CUTE: A Concolic Unit Testing Engine for C,” Proc. Fifth Joint Meeting of the European Software Eng. Conf. and ACM SIGSOFT Symp. Foundations of Software Eng. (ESEC/FSE '05), pp. 263-272, 2005.
[25] C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler, “EXE: A System for Automatically Generating Inputs of Death Using Symbolic Execution,” Proc. 13th ACM Conf. Computer and Comm. Security (CCS '06), Oct. 2006.
[26] V. Ganesh and D. Dill, “A Decision Procedure for Bit-Vectors and Arrays,” Proc. 19th Int'l Conf. Computer Aided Verification Conf. (CAV '07), Aug. 2007.
[27] E. Clarke, O. Grumberg, and D. Peled, Model Checking. MIT Press, 1999.
[28] D.B. Whalley, “Automatic Isolation of Compiler Errors,” ACM Trans. Programming Languages and Systems, vol. 16, no. 5, pp.1648-1659, Sept. 1994.
[29] B. Ness and V. Ngo, “Regression Containment through Source Change Isolation,” Proc. 21st Int'l Computer Software and Applications Conf. (COMPSAC '97), p. 616, 1997.
[30] A. Zeller, “Yesterday, My Program Worked. Today, It Does Not. Why?” Proc. Seventh European Software Eng. Conf Held Jointly with the Seventh ACM SIGSOFT Symp. Foundations of Software Eng. (ESEC/FSE '99), pp. 253-267, Sept. 1999.
[31] S. Muchnick, Advanced Compiler Design and Implementation. Academic Press, 1997.
[32] K.R.M. Leino, “Efficient Weakest Preconditions,” Information Processing Letters, vol. 93, no. 6, pp. 281-288, 2005.
[33] M. Barnett and K.R.M. Leino, “Weakest-Precondition of Unstructured Programs,” Proc. ACM SIGPLAN-SIGSOFT Workshop Program Analysis For Software Tools and Eng. (PASTE), 2005.
[34] F.B. Schneider, “Enforceable Security Policies,” ACM Trans. Information and System Security, vol. 3, no. 1, pp. 30-50, Feb. 2000.
[35] L. Lamport and F.B. Schneider, “Formal Foundation for Specification and Verification,” Distributed Systems. Methods and Tools for Specification. An Advanced Course., M. Paul and H. Siegert, eds., vol.190, pp. 203-270, 1985.
[36] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-Flow Integrity,” Proc. 12th ACM Conf. Computer and Comm. Security (CCS'05), pp. 340-353, 2005.
[37] J. Hopcroft, R. Motwani, and J. Ullman, Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2001.
[38] J. Hopcroft, “An n log n Algorithm for Minimizing the States in a Finite Automaton,” Theory of Machines and Computations, Z. Kohavi, ed., Academic Press, 1971.
[39] T. Reps, “Program Analysis via Graph Reachability,” Information and Software Technology, vol. 40, nos. 11-12, 1998.
[40] D. Jackson and E. Rollins, “Chopping: A Generalisation of Slicing,” Proc. Second ACM SIGSOFT Symp. Foundations of Software Eng. (FSE), 1994.
[41] T. Reps and G. Rosay, “Precise Interprocedural Chopping,” Proc. Third ACM SIGSOFT Symp. Foundations of Software Eng. (FSE), 1995.
[42] J. Newsome, D. Brumley, D. Song, J. Chamcham, and X. Kovah, “Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software,” Proc. 13th Ann. Network and Distributed System Security Symp. (NDSS), 2006.
[43] D. Brumley, “Analysis and Defense of Vulnerabilities in Binary Code,” PhD dissertation, School of Computer Science, Carnegie Mellon Univ., 2008.
[44] D. Brumley and J. Newsome, “Alias Analysis for Assembly,” Technical Report CMU-CS-06-180, School of Computer Science, Carnegie Mellon Univ., 2006.
[45] P. Bosch, A. Carloganu, and D. Etiemble, “Complete x86 Instruction Trace Generation from Hardware Bus Collect,” Proc. 23rd IEEE EUROMICRO Conf., 1997.
[46] P.A. Sandon, Y. Liao, T. Cook, D. Schultz, and P.M. de Nicolas, “NStrace: A Bus-Driven Instruction Trace Tool for PowerPC Microprocessors,” IBM J. Research and Development, vol. 41, no. 3, 1997.
[47] “DynamoRIO,” http://www.cag.lcs.mit.edu/dynamorio/, 2008.
[48] C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V.J. Reddi, and K. Hazelwood, “Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation,” Proc. ACM SIGPLAN Int'l Conf. Programming Language Design and Implementation (PLDI '05), June 2005.
[49] N. Nethercote and J. Seward, “Valgrind: A Program Supervision Framework,” Proc. Third Workshop Runtime Verification (RV '03), July 2003.
[50] A. Milenkovic, M. Milenkovic, and J. Kulick, “N-Tuple Compression: A Novel Method for Compression of Branch Instruction Traces,” Proc. ISCA 16th Int'l Conf. Parallel and Distributed Computing (PDCS), 2003.
[51] R.A. Uhlig and T. Mudge, “Trace-Driven Memory Simulation: A Survey,” ACM Computing Surveys, vol. 29, 1997.
[52] A. Aho, M. Lam, R. Sethi, and J. Ullman, Compilers: Principles, Techniques, and Tools, second ed. Addison-Wesley, 2007.
[53] E. Dijkstra, A Discipline of Programming. Prentice Hall, 1976.
[54] D. Detlefs, K.R.M. Leino, G. Nelson, and J. Saxe, “Extended Static Checking,” Technical Report 159, Compaq Systems Research Center, Dec. 1998.
[55] QEMU—Open Source Processor Emulator, http://fabrice.bellard.free.fr/qemu/, 2008.
[56] C. Kruegel, W. Robertson, F. Valeur, and G. Vigna, “Static Disassembly of Obfuscated Binaries,” Proc. 13th Usenix Security Symp., 2004.
[57] V. Ganesh and D. Dill, “STP: A Decision Procedure for Bit-Vectors and Arrays,” http://theory.stanford.edu/~vganesh/stp, 2008.
[58] C. Barrett and S. Berezin, “CVC Lite: A New Implementation of the Cooperating Validity Checker,” Proc. 16th Int'l Conf. Computer Aided Verification Conf. (CAV '04), R. Alur and D.A. Peled, eds., 2004.
[59] Y. Ramin, “Atphttpd 0.4b,” http://jnewsome.net/src/atphttpd.html, 2008.
[60] r code, “Atphttpd Remote Get Request Buffer Overrun Vulnerability,” http://www.securityfocus.com, Bugtraq ID 8709.
[61] dong-h0un U, “Passlog Daemon sl_parse Remote Buffer Overflow Vulnerability,” http://www.securityfocus.com, Bugtraq ID 7261, 2008.
[62] pyramid-rp@hushmail.com, “ghttpd log() Function Buffer Overflow Vulnerability,” http://www.securityfocus.com, Bugtraq ID 5960, 2008.
[63] Digital Defense, “Samba call_trans2open Remote Buffer Overflow Vulnerability,” http://www.securityfocus.com/bid/7294/discuss , 2003.
[64] Symantec, Blaster Worm, http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99 , 2003.
[65] Symantec, W32.sqlexp.worm (Slammer Worm), http://www.symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99 , 2003.
[66] J. King, “Symbolic Execution and Program Testing,” Comm. ACM, vol. 19, pp. 386-394, 1976.
[67] A. Moser, C. Kruegel, and E. Kirda, “Exploring Multiple Execution Paths for Malware Analysis,” Proc. IEEE Security and Privacy Symp., 2007.
[68] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, “Automating Mimicry Attacks Using Static Binary Analysis,” Proc. 14th Usenix Security Symp., 2005.
[69] C. Flanagan and J. Saxe, “Avoiding Exponential Explosion: Generating Compact Verification Conditions,” Proc. 28th ACM Symp. Principles of Programming Languages (POPL), 2001.
[70] G. Balakrishnan and T. Reps, “Analyzing Memory Accesses in x86 Executables,” Proc. 13th Int'l Conf. Compiler Construction (CC'04), pp. 5-23, 2004.
[71] S.K. Debray, R. Muth, and M. Weippert, “Alias Analysis of Executable Code,” Proc. 15th Ann. Symp. Principles of Programming Languages (POPL '88), pp. 12-24, 1988.
[72] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha, “Theory and Techniques for Automatic Generation of Vulnerability-Based Signatures,” Technical Report CMU-CS-06-108, Computer Science Dept., Carnegie Mellon Univ., Feb. 2006.
[73] A.P. Sistla and E.M. Clarke, “The Complexity of Propositional Linear Temporal Logics,” J. ACM, vol. 32, no. 3, pp. 733-749, 1985.
[74] A. Bouajjani and O. Maler, “Reachability Analysis of Pushdown Automata,” Proc. Int'l Workshop Verification of Infinite-State Systems (Infinity), 1996.