The Center for Education and Research in Information Assurance and Security (CERIAS)


Weidong Cui - Microsoft


Automatic Signature Generation for Unknown Vulnerabilities

Dec 03, 2008

Download: MP4 video (564.8 MB)
Watch on YouTube

Abstract

In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen.

Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats.

ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities.

By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.
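The ShieldGen search loop described above, as an added toy example that is not ShieldGen's or Tupni's own code: a constructed fixed-width record format stands in for a Tupni-recovered format, and a constructed buggy parser (`zero_day_oracle`) stands in for the zero-day detector. Each field of the attack instance is mutated, the oracle is asked whether the mutant still triggers the bug, and only the constraints needed to keep triggering it survive into the signature.

```python
"""ShieldGen-style signature search over a constructed format and oracle
(added illustration; not the ShieldGen or Tupni code)."""
import operator

# Constructed fixed-width fields in the shape a recovered format would take:
# (name, byte offset, width).  A variable-length payload follows at offset 5.
FORMAT = [("magic", 0, 2), ("version", 2, 1), ("length", 3, 1), ("flags", 4, 1)]
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

def field(data, name):
    off, width = next((o, w) for n, o, w in FORMAT if n == name)
    return int.from_bytes(data[off:off + width], "big")

def set_field(data, name, value):
    off, width = next((o, w) for n, o, w in FORMAT if n == name)
    return data[:off] + value.to_bytes(width, "big") + data[off + width:]

def zero_day_oracle(data):
    """Stand-in for the zero-day detector: a constructed parser whose
    version-2 handler copies `length` payload bytes into a 16-byte buffer
    with no bound check.  True means the input would corrupt memory."""
    if field(data, "magic") != 0xCAFE:
        return False                         # rejected before the bug is reached
    return field(data, "version") == 2 and field(data, "length") > 16

def constrain(attack, name, width, oracle):
    """Probe one field and return the weakest constraint on it under which
    the oracle still reports exploitation (None if the field is irrelevant)."""
    probe = lambda v: oracle(set_field(attack, name, v))
    orig, hi = field(attack, name), (1 << 8 * width) - 1
    if probe(0) and probe(hi):
        return None                          # any value works: not part of the signature
    if not probe(0) and not probe(hi):
        return ("==", orig)                  # simplification: treat as a single magic value
    if probe(hi):                            # assume exploit iff value >= threshold
        lo, up = 0, orig                     # invariant: probe(lo) False, probe(up) True
        while up - lo > 1:
            mid = (lo + up) // 2
            lo, up = (lo, mid) if probe(mid) else (mid, up)
        return (">=", up)
    lo, up = orig, hi                        # assume exploit iff value <= threshold
    while up - lo > 1:                       # invariant: probe(lo) True, probe(up) False
        mid = (lo + up) // 2
        lo, up = (mid, up) if probe(mid) else (lo, mid)
    return ("<=", lo)

def shieldgen_signature(attack, oracle):
    sig = {n: constrain(attack, n, w, oracle) for n, _, w in FORMAT}
    return {n: c for n, c in sig.items() if c is not None}

def matches(signature, data):
    """Apply a generated signature to a new input (the filter a shield would run)."""
    return all(OPS[op](field(data, n), v) for n, (op, v) in signature.items())

ATTACK = bytes.fromhex("cafe022807") + b"A" * 40   # constructed zero-day instance
```

The payload bytes are fixed here and play no part in the constructed bug, so they never enter the signature; on this input the search yields magic == 0xCAFE, version == 2 and length >= 17, with the irrelevant flags byte dropped.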

About the Speaker

Weidong Cui is a researcher in the Distributed Systems and Security group at Microsoft Research, Redmond. His research interests lie in the areas of systems and networking security. He received his Ph.D. in Electrical Engineering and Computer Sciences (2006) and his M.S. in Computer Science (2003) from the University of California, Berkeley, and his M.E. (2000) and B.E. (1998) in Electronic Engineering from Tsinghua University in Beijing, China.

