Towards Generating High Coverage Vulnerability-Based Signatures with Protocol-Level Constraint-Guided Exploration

Authors:
Juan Caballero;Zhenkai Liang;Pongsin Poosankam;Dawn Song
Affiliations:
Carnegie Mellon University, and UC Berkeley,;National University of Singapore,;Carnegie Mellon University, and UC Berkeley,;UC Berkeley,
Venue:
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Year:
2009

Citing 26
Cited 6

Guarded commands, nondeterminacy and formal derivation of programs

Communications of the ACM
Testing network-based intrusion detection signatures using mutant exploits

Proceedings of the 11th ACM conference on Computer and communications security
Automatic Generation and Analysis of NIDS Attacks

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Fast and automated generation of attack signatures: a basis for building self-protecting servers

Proceedings of the 12th ACM conference on Computer and communications security
Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
binpac: a yacc for writing application protocol parsers

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Packet vaccine: black-box exploit detection and signature generation

Proceedings of the 13th ACM conference on Computer and communications security
EXE: automatically generating inputs of death

Proceedings of the 13th ACM conference on Computer and communications security
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Creating Vulnerability Signatures Using Weakest Preconditions

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Bouncer: securing software by blocking bad input

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Polyglot: automatic extraction of protocol message format using dynamic binary analysis

Proceedings of the 14th ACM conference on Computer and communications security
Grammar-based whitebox fuzzing

Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Tupni: automatic reverse engineering of input formats

Proceedings of the 15th ACM conference on Computer and communications security
BitBlaze: A New Approach to Computer Security via Binary Analysis

ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Loop-extended symbolic execution on binary programs

Proceedings of the eighteenth international symposium on Software testing and analysis
RWset: attacking path explosion in constraint-based test generation

TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems

Input generation via decomposition and re-stitching: finding bugs in Malware

Proceedings of the 17th ACM conference on Computer and communications security
Deep packet pre-filtering and finite state encoding for adaptive intrusion detection system

Computer Networks: The International Journal of Computer and Telecommunications Networking
Finding protocol manipulation attacks

Proceedings of the ACM SIGCOMM 2011 conference
Linear obfuscation to combat symbolic execution

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
MetaSymploit: day-one defense against script-based attacks with security-enhanced symbolic analysis

SEC'13 Proceedings of the 22nd USENIX conference on Security
Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Signature-based input filtering is an important and widely deployed defense. But current signature generation methods have limited coverage and the generated signatures often can be easily evaded by an attacker with small variations of the exploit message. In this paper, we propose protocol-level constraint-guided exploration , a new approach towards generating high coverage vulnerability-based signatures. In particular, our approach generates high coverage, yet compact, vulnerability point reachability predicates , which capture many paths to the vulnerability point. In our experimental results, our tool, Elcano , generates compact, high coverage signatures for real-world vulnerabilities.