TY - GEN
T1 - Online signature generation for windows systems
AU - Li, Lixin
AU - Just, James E.
AU - Sekar, R.
PY - 2009
Y1 - 2009
N2 - In this paper, we present a new, light-weight approach for generating filters for blocking buffer overflow attacks on Microsoft Windows systems. It is designed to be deployable as an "always on" component on production systems. To achieve this goal, it avoids expensive and intrusive techniques such as taint-tracking. The online nature of our system enables it to provide protection from a range of memory corruption exploits, including those involving unknown vulnerabilities, or known vulnerabilities but unknown exploits. In contrast, most previous signature generation techniques need to be run in sandboxed environments, and need working exploits to generate signatures. Moreover, our technique overcomes the "gap" problem faced by previous signature generation mechanisms, i.e., when the vulnerable memory region is corrupted between the overflow and the time an attack is detected. Another novel feature of our approach is that it is able to reason about likely lengths of vulnerable buffers, which can lead to more accurate signatures. Our experimental results are very promising, and demonstrate that the approach can generate effective signatures for many synthetic and real-world vulnerabilities.
AB - In this paper, we present a new, light-weight approach for generating filters for blocking buffer overflow attacks on Microsoft Windows systems. It is designed to be deployable as an "always on" component on production systems. To achieve this goal, it avoids expensive and intrusive techniques such as taint-tracking. The online nature of our system enables it to provide protection from a range of memory corruption exploits, including those involving unknown vulnerabilities, or known vulnerabilities but unknown exploits. In contrast, most previous signature generation techniques need to be run in sandboxed environments, and need working exploits to generate signatures. Moreover, our technique overcomes the "gap" problem faced by previous signature generation mechanisms, i.e., when the vulnerable memory region is corrupted between the overflow and the time an attack is detected. Another novel feature of our approach is that it is able to reason about likely lengths of vulnerable buffers, which can lead to more accurate signatures. Our experimental results are very promising, and demonstrate that the approach can generate effective signatures for many synthetic and real-world vulnerabilities.
KW - Buffer overflow
KW - Self-healing
KW - Signature generation
UR - https://www.scopus.com/pages/publications/77950825366
U2 - 10.1109/ACSAC.2009.34
DO - 10.1109/ACSAC.2009.34
M3 - Conference contribution
AN - SCOPUS:77950825366
SN - 9780769539195
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 289
EP - 298
BT - 25th Annual Computer Conference Security Applications, ACSAC 2009
T2 - 25th Annual Computer Conference Security Applications, ACSAC 2009
Y2 - 7 December 2009 through 11 December 2009
ER -