The Community for Technology Leaders
Green Image
Issue No. 04 - October-December (2008 vol. 5)
ISSN: 1545-5971
pp: 224-241
Hao Wang , University of Wisconsin - Madison, Madison
James Newsome , Carnegie Mellon University, Pittsburgh
Somesh Jha , University of Wisconsin - Madison, Madison
Dawn Song , Carnegie Mellon University, Pittsburgh
David Brumley , Carnegie Mellon University, Pittsburgh
ABSTRACT
In this paper, we explore the problem of creating \emph{vulnerability signatures}. A vulnerability signature is based on a program vulnerability, and is not specific to any particular exploit. The advantage of vulnerability signatures is that their quality can be guaranteed. In particular, we create vulnerability signatures which are guaranteed to have zero false positives. We show how to automate signature creation for any vulnerability that can be detected by a runtime monitor. We provide a formal definition of a vulnerability signature, and investigate the computational complexity of creating and matching vulnerability signatures. We systematically explore the design space of vulnerability signatures. We also provide specific techniques for creating vulnerability signatures in a variety of language classes. In order to demonstrate our techniques, we have built a prototype system. Our experiments show that we can, using a single exploit, automatically generate a vulnerability signature as a regular expression, as a small program, or as a system of constraints. We demonstrate techniques for creating signatures of vulnerabilities which can be exploited via multiple program paths. Our results indicate that our approach is a viable option for signature generation, especially when guarantees are desired.
INDEX TERMS
Security, Security and Protection, Security, Network-level security and protection
CITATION
Hao Wang, James Newsome, Somesh Jha, Dawn Song, David Brumley, "Theory and Techniques for Automatic Generation of Vulnerability-Based Signatures", IEEE Transactions on Dependable and Secure Computing, vol. 5, no. , pp. 224-241, October-December 2008, doi:10.1109/TDSC.2008.55
99 ms
(Ver )