Creating vulnerability signatures using weakest preconditions

Proceedings - IEEE Computer Security Foundations Symposium

Volumn , Issue , 2007, Pages 311-325

  Brumley, David ^a   Wang, Hao ^a   Jha, Somesh ^a   Song, Dawn ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER AIDED SOFTWARE ENGINEERING; INTRUSION DETECTION; POLYNOMIALS; TELECOMMUNICATION TRAFFIC;

PROGRAM PATHS; SIGNATURE SIZE; VULNERABILITY SIGNATURES; WEAKEST PRECONDITIONS (WP);

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

EID: 35048885595     PISSN: 19401434     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSF.2007.17     Document Type: Conference Paper

References (50)

1. Automatically generating malicious disks using symbolic execution. In IEEE Symposium on Security and Privacy, 2006.
2. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proc. of the ACM Conference on Computer and Communication Security, 2005.
3. A. Aho, R. Sethi, and J. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley Publishing Company, 1986.
4. G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 executables. In Proc. Int. Conf. on Compiler Construction, 2004.
5. G. Balakrishnan, T. Reps, D. Melski, and T. Teitelbaum. Wysinwyx: What you see is not what you execute. In Proc. IFIP Working Conference on Verified Software: Theories, Tools, Experiments, 2005.
6. M. Barnett and K. R. M. Leino. Weakest-precondition of unstructured programs. In PASTE, 2005.
7. C. Barrett and S. Berezin. CVC Lite: A new implementation of the cooperating validity checker. In R. Alur and D. A. Peled, editors, CAV, Lecture Notes in Computer Science. Springer, 2004.
8. S. P. Berry. Shoki intrusion detection system, shoki. sf. net.
9. A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y Zhu. Bounded model checking. Advances in Computers, 2003.
10. D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Towards automatically identifying trigger-based behavior in malware using symbolic execution and binary analysis. Technical Report CMU-CS-07-105, Carnegie Mellon University School of Computer Science, January 2007.
11. D. Brumley and J. Newsome. Alias analysis for assembly. Technical Report CMU-CS-06-180, Carnegie Mellon University School of Computer Science, 2006.
12. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, 2006.
13. C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: automatically generating inputs of death. Inf roc. 13th ACM Conference on Computer and Communications Security (CCS), 2006.
14. CISCO. Cisco secure intrusion detection system director -string matching signatures, http://www.cisco.com/ univercd/cc/td/doc/product/iaabu/csids/ csids5/csidscog/sigs.htm#wp1015446.
15. th ACM Symposium on Operating System Principles (SOSP 2005), 2005.
16. J. Crandall, Z. Su, S. F. Wu, and F. Chong. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In Proc. 12th ACM Conference on Computer and Communications Security (CCS), 2005.
17. J. R. Crandall and F. Chong. Minos: Architectural, support for software security through control data integrity. In To appear in International Symposium on Microarchitecture, December 2004.
18. D. Detlefs, K. R. M. Leino, G. Nelson, and J. Saxe. Extended static checking. Technical Report 159, Compaq Systems Research Center, December 1998.
19. E. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976.
20. H. Doli. iwconfig vulnerability (wireless tools v.26). http://eve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-094 7, 2003.
21. Enterasys. Dragon intrusion detection system., http:// www.enterasys.com/products/ids/.
22. C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In Proceedings of the 29th ACM SLGPLAN-SLGACT symposium on Principles of programming languages (POPL). ACM Press, 2002.
23. C. Flanagan and J. Saxe. Avoiding exponential, explosion: Generating compact verification conditions. In Proceedings of the 28th ACM Symposium, on the Principles of Programming Languages (POPL), 2001.
24. J. Hopcroft, R. Motwani, and J. Ullman. Introduction to automata theory, langauges, and computation. Addison-Wesley, 2001.
25. A. Ireland and J. Stark, the automatic discovery of loop invariants. In Fourth NASA Langley formal methods workshop, 1997.
26. H.-A. Kim and B. Karp. Autograph: toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, August 2004.
27. C. Kreibich and J. Crowcroft. Honeycomb - creating intrusion detection signatures using honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.'
28. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th USENIX Security Symposium, Aug. 2005.
29. K. R. M. Leino. Efficient weakest preconditions. Information Processing Letters, 93(6):281-288, 2005.
30. Z. Liang and. R. Sekar. Fast, and automated generation of attack signatures: A basis for building self-protecting servers. In Proc. of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
31. S. Muchnick. Advanced Compiler Design and Implementation. Academic Press, 1997.
32. th ACM Conference on Computer and and Communications Security (CCS), Oct. 2006.
33. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy, May 2005.
34. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Rapid Advances in Intrusion Detection (RALD), 2006.
35. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.
36. NFR. Network flight, recorder intrusion detection system. http://www.nfr.com.
37. T. Norvell. In Machine code programs are predicates too, 1994.
38. L. I. on Demand. K rustan leino and francesco logozzo. In The Third Asian Symposium on Programming Languages and Systems, 2005.
39. V. Paxson. Bro: A. system, for detecting network intruders in real-time, computer networks, 31, December 1999.
40. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif. Misleading worm signature generators using deliberate noise injection. In IEEE Symposium on Security and Privacy, 2006.
41. r-code. ATPhttpd exploit. http://www.cotse.com/mailing-lists/todays/att- 0003/01-atphttp0x06.c.
42. J. Rafail. Samba contains buffer overflow in smb/cifs packet, fragment reassembly code, http://www.kb.cert.org/vuls/id/298233, 2003.
43. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm, fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Dec. 2004.
44. G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of ASPLOS, 2004.
45. N. Suzuki and K. Ishihata. Implementation of an array bound checker. In Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages (POPL). ACM Press, 1977.
46. K. Takeda. Pakemon intrusion detection system, http://www.inas.mag.keio. ac.jp/ids/pakemon/index.html. referenced by http://www.whit.ehats.com/ids/.
47. The Snort Project. Snort, the open-source network intrusion detection system, http://www.snort.org/.
48. US-CERT. Vulnerability note vu#196945 - isc bind 8 contains buffer overflow in transaction signature (tsig) handling code, http://www.kb.cert.org/ vuls/id/196945.
49. H. J. Wang, C. Guo, D. Simon, and. A. Zugenmaier. Shield: Vulnerability-driven network, filters for preventing known vulnerability exploits. In Proceedings of the 2004 ACM SIGCOMM Conference, August 2004.
50. th ACM Conference on Computer and Communication Security (CCS), 2005.