Towards automatic generation of vulnerability-based signatures

Towards automatic generation of vulnerability-based signatures

In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exerci...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Brumley, D., Newsome, J., Song, D., Hao Wang, Somesh Jha
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Assembly
Computational complexity
Data analysis
Error analysis
Filtering
Humans
Manuals
Security
Space exploration
Testing
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 16
container_issue
container_start_page 15 pp.
container_title
container_volume
creator Brumley, D.
Newsome, J.
Song, D.
Hao Wang
Somesh Jha
description In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new data-flow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest
doi_str_mv 10.1109/SP.2006.41
format Conference Proceeding
fullrecord <record><control><sourceid>ieee_6IE</sourceid><recordid>TN_cdi_ieee_primary_1623997</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>1623997</ieee_id><sourcerecordid>1623997</sourcerecordid><originalsourceid>FETCH-LOGICAL-i277t-477b4b1d4d4bac91b6ef2eddc475a770f9c5ca545de01c072a1eff34729302043</originalsourceid><addsrcrecordid>eNotjktLw0AURgcfYFrduHWTPzDx3nnkOhtBii8oKFjXZZ5lJG0kkyj991Z09Z2zOXyMXSI0iGCu314bAdA2Co9YJSRpjgLomM2AWqOFJoUnrEK4Qd4C4hmblfIBIEAaVbHbVf9th1BqO4391o7Z15u4i8OB-l3dp_pr6n7V5S6Pe-5siaEuebOz4zTEcs5Ok-1KvPjfOXt_uF8tnvjy5fF5cbfkWRCNXBE55TCooJz1Bl0bk4gheEXaEkEyXnurlQ4R0AMJizElqUgYeXiq5Jxd_XVzjHH9OeStHfZrbIU0huQPlrpJmw</addsrcrecordid><sourcetype>Publisher</sourcetype><iscdi>true</iscdi><recordtype>conference_proceeding</recordtype></control><display><type>conference_proceeding</type><title>Towards automatic generation of vulnerability-based signatures</title><source>IEEE Electronic Library (IEL) Conference Proceedings</source><creator>Brumley, D. ; Newsome, J. ; Song, D. ; Hao Wang ; Somesh Jha</creator><creatorcontrib>Brumley, D. ; Newsome, J. ; Song, D. ; Hao Wang ; Somesh Jha</creatorcontrib><description>In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new data-flow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest</description><identifier>ISSN: 1081-6011</identifier><identifier>ISBN: 0769525741</identifier><identifier>ISBN: 9780769525747</identifier><identifier>EISSN: 2375-1207</identifier><identifier>DOI: 10.1109/SP.2006.41</identifier><language>eng</language><publisher>IEEE</publisher><subject>Assembly ; Computational complexity ; Data analysis ; Error analysis ; Filtering ; Humans ; Manuals ; Security ; Space exploration ; Testing</subject><ispartof>2006 IEEE Symposium on Security and Privacy (S&amp;P'06), 2006, p.15 pp.-16</ispartof><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/1623997$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>309,310,776,780,785,786,792,2052,4036,4037,27902,54733,54895</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/1623997$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Brumley, D.</creatorcontrib><creatorcontrib>Newsome, J.</creatorcontrib><creatorcontrib>Song, D.</creatorcontrib><creatorcontrib>Hao Wang</creatorcontrib><creatorcontrib>Somesh Jha</creatorcontrib><title>Towards automatic generation of vulnerability-based signatures</title><title>2006 IEEE Symposium on Security and Privacy (S&amp;P'06)</title><addtitle>SECPRI</addtitle><description>In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new data-flow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest</description><subject>Assembly</subject><subject>Computational complexity</subject><subject>Data analysis</subject><subject>Error analysis</subject><subject>Filtering</subject><subject>Humans</subject><subject>Manuals</subject><subject>Security</subject><subject>Space exploration</subject><subject>Testing</subject><issn>1081-6011</issn><issn>2375-1207</issn><isbn>0769525741</isbn><isbn>9780769525747</isbn><fulltext>true</fulltext><rsrctype>conference_proceeding</rsrctype><creationdate>2006</creationdate><recordtype>conference_proceeding</recordtype><sourceid>6IE</sourceid><sourceid>RIE</sourceid><recordid>eNotjktLw0AURgcfYFrduHWTPzDx3nnkOhtBii8oKFjXZZ5lJG0kkyj991Z09Z2zOXyMXSI0iGCu314bAdA2Co9YJSRpjgLomM2AWqOFJoUnrEK4Qd4C4hmblfIBIEAaVbHbVf9th1BqO4391o7Z15u4i8OB-l3dp_pr6n7V5S6Pe-5siaEuebOz4zTEcs5Ok-1KvPjfOXt_uF8tnvjy5fF5cbfkWRCNXBE55TCooJz1Bl0bk4gheEXaEkEyXnurlQ4R0AMJizElqUgYeXiq5Jxd_XVzjHH9OeStHfZrbIU0huQPlrpJmw</recordid><startdate>2006</startdate><enddate>2006</enddate><creator>Brumley, D.</creator><creator>Newsome, J.</creator><creator>Song, D.</creator><creator>Hao Wang</creator><creator>Somesh Jha</creator><general>IEEE</general><scope>6IE</scope><scope>6IH</scope><scope>CBEJK</scope><scope>RIE</scope><scope>RIO</scope></search><sort><creationdate>2006</creationdate><title>Towards automatic generation of vulnerability-based signatures</title><author>Brumley, D. ; Newsome, J. ; Song, D. ; Hao Wang ; Somesh Jha</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-i277t-477b4b1d4d4bac91b6ef2eddc475a770f9c5ca545de01c072a1eff34729302043</frbrgroupid><rsrctype>conference_proceedings</rsrctype><prefilter>conference_proceedings</prefilter><language>eng</language><creationdate>2006</creationdate><topic>Assembly</topic><topic>Computational complexity</topic><topic>Data analysis</topic><topic>Error analysis</topic><topic>Filtering</topic><topic>Humans</topic><topic>Manuals</topic><topic>Security</topic><topic>Space exploration</topic><topic>Testing</topic><toplevel>online_resources</toplevel><creatorcontrib>Brumley, D.</creatorcontrib><creatorcontrib>Newsome, J.</creatorcontrib><creatorcontrib>Song, D.</creatorcontrib><creatorcontrib>Hao Wang</creatorcontrib><creatorcontrib>Somesh Jha</creatorcontrib><collection>IEEE Electronic Library (IEL) Conference Proceedings</collection><collection>IEEE Proceedings Order Plan (POP) 1998-present by volume</collection><collection>IEEE Xplore All Conference Proceedings</collection><collection>IEEE Electronic Library (IEL)</collection><collection>IEEE Proceedings Order Plans (POP) 1998-present</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Brumley, D.</au><au>Newsome, J.</au><au>Song, D.</au><au>Hao Wang</au><au>Somesh Jha</au><format>book</format><genre>proceeding</genre><ristype>CONF</ristype><atitle>Towards automatic generation of vulnerability-based signatures</atitle><btitle>2006 IEEE Symposium on Security and Privacy (S&amp;P'06)</btitle><stitle>SECPRI</stitle><date>2006</date><risdate>2006</risdate><spage>15 pp.</spage><epage>16</epage><pages>15 pp.-16</pages><issn>1081-6011</issn><eissn>2375-1207</eissn><isbn>0769525741</isbn><isbn>9780769525747</isbn><abstract>In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new data-flow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest</abstract><pub>IEEE</pub><doi>10.1109/SP.2006.41</doi><oa>free_for_read</oa></addata></record>
fulltext fulltext_linktorsrc
identifier ISSN: 1081-6011
ispartof 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006, p.15 pp.-16
issn 1081-6011
2375-1207
language eng
recordid cdi_ieee_primary_1623997
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Assembly
Computational complexity
Data analysis
Error analysis
Filtering
Humans
Manuals
Security
Space exploration
Testing
title Towards automatic generation of vulnerability-based signatures
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-09T11%3A16%3A10IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Towards%20automatic%20generation%20of%20vulnerability-based%20signatures&rft.btitle=2006%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(S&P'06)&rft.au=Brumley,%20D.&rft.date=2006&rft.spage=15%20pp.&rft.epage=16&rft.pages=15%20pp.-16&rft.issn=1081-6011&rft.eissn=2375-1207&rft.isbn=0769525741&rft.isbn_list=9780769525747&rft_id=info:doi/10.1109/SP.2006.41&rft_dat=%3Cieee_6IE%3E1623997%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=1623997&rfr_iscdi=true