Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
Secure Execution via Program Shepherding
Proceedings of the 11th USENIX Security Symposium
An Experimental Study of Security Vulnerabilities Caused by Errors
DSN '01 Proceedings of the 2001 International Conference on Dependable Systems and Networks (formerly: FTCS)
NetSTAT: A Network-Based Intrusion Detection Approach
ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
RAD: A Compile-Time Solution to Buffer Overflow Attacks
ICDCS '01 Proceedings of the The 21st International Conference on Distributed Computing Systems
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
On the effectiveness of address-space randomization
Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Fast and automated generation of attack signatures: a basis for building self-protecting servers
Proceedings of the 12th ACM conference on Computer and communications security
Building a reactive immune system for software services
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Flashback: a lightweight extension for rollback and deterministic replay for software debugging
ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
FormatGuard: automatic protection from printf format string vulnerabilities
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Address obfuscation: an efficient approach to combat a board range of memory error exploits
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Detecting targeted attacks using shadow honeypots
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
FLIPS: hybrid adaptive intrusion prevention
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Fast and automated generation of attack signatures: a basis for building self-protecting servers
Proceedings of the 12th ACM conference on Computer and communications security
Improving address space randomization with a dynamic offset randomization technique
Proceedings of the 2006 ACM symposium on Applied computing
Memory Protection through Dynamic Access Control
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Sweeper: a lightweight end-to-end system for defending against fast worms
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
On the infeasibility of modeling polymorphic shellcode
Proceedings of the 14th ACM conference on Computer and communications security
Memsherlock: an automated debugger for unknown memory corruption vulnerabilities
Proceedings of the 14th ACM conference on Computer and communications security
From STEM to SEAD: speculative execution for automated defense
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software
ACM Transactions on Information and System Security (TISSEC)
Online Network Forensics for Automatic Repair Validation
IWSEC '08 Proceedings of the 3rd International Workshop on Security: Advances in Information and Computer Security
POTSHARDS—a secure, recoverable, long-term archival storage system
ACM Transactions on Storage (TOS)
Address-space layout randomization using code islands
Journal of Computer Security - Best papers of the Sec Track at the 2006 ACM Symposium
Self-healing: science, engineering, and fiction
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
HSP: A solution against heap sprays
Journal of Systems and Software
Paragraph: thwarting signature learning by training maliciously
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Generating simplified regular expression signatures for polymorphic worms
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
| Hi-index | 0.00 |
Cyber attacks against networked computers have become relentless in recent years. The most common attack method is to exploit memory corruption vulnerabilities such as buffer overflow and format string bugs. This paper presents a technique to automatically identify both known and unknown memory corruption vulnerabilities. Based on the observation that a randomized program usually crashes upon a memory corruption attack, this technique uses the crash as a trigger to initiate an automatic diagnosis algorithm. The output of the diagnosis includes the instruction that is tricked to corrupt data, the call stack at the time of corruption, and the propagation history of corrupted data. These results provide useful information in fixing the vulnerabilities. Moreover, the diagnosis process also generates a signature of the attack using data/address values embedded in the malicious input message, and is used to block future attacks. Such a signature is further associated with the program execution state to reduce false positives without decreasing the detection rate. The proposed techniques enable the development of a decentralized self-diagnosing and self-protecting defense mechanism for networked computers. We report the implementation experience and experimental evaluation of a prototype system on Linux.