Automatic Signature Generation for Unknown Vulnerabilities
Weidong Cui - Microsoft
Dec 03, 2008
Abstract
In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen.
Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats.
ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities.
By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.
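The ShieldGen search described above (format-aware mutation of the attack instance, an oracle that says whether a variant still triggers the bug, and feedback from the oracle narrowing the signature) can be seen end to end on a toy scale. The following is an added example and not the Tupni or ShieldGen code: it invents a tiny record-based file format standing in for the format Tupni would have recovered, a toy "vulnerable parser" whose detector is simulated by `oracle()`, and a search that keeps only the constraints the exploit actually needs. All names, the format, the 64-byte buffer and the sample attack file are constructed for this illustration.

```python
"""Toy ShieldGen-style signature search (added example, not the real ShieldGen).
Constructed for illustration: a file is a 4-byte magic followed by records of
[u16 type][u16 length][payload]; the toy parser's type-3 handler copies the
payload into a 64-byte buffer using the declared length, so a declared length
above 64 is the bug. The detector oracle reports exactly that condition."""
import struct

MAGIC = b"TOYF"   # constructed magic value
BUF_SIZE = 64     # size of the toy parser's fixed buffer (constructed)


def parse(data):
    """Toy parser: returns a list of [type, length, payload] or None on bad magic."""
    if data[:4] != MAGIC:
        return None
    records, pos = [], 4
    while pos + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, pos)
        records.append([rtype, rlen, data[pos + 4:pos + 4 + rlen]])
        pos += 4 + rlen
    return records


def serialize(records):
    return MAGIC + b"".join(struct.pack("<HH", t, n) + p for t, n, p in records)


def oracle(data):
    """Stand-in for the zero-day detector: True if the toy parser would overflow."""
    records = parse(data)
    return records is not None and any(t == 3 and n > BUF_SIZE for t, n, _ in records)


def format_of(data):
    """Stand-in for Tupni's output: (name, record index, kind) for every field."""
    fields = [("magic", None, "const")]
    for i in range(len(parse(data))):
        fields += [(f"rec{i}.type", i, "number"), (f"rec{i}.len", i, "length"),
                   (f"rec{i}.payload", i, "bytes")]
    return fields


def mutate(attack, fld, value):
    """Format-aware mutation: change one field, then re-serialize the instance."""
    name, idx, kind = fld
    records = parse(attack)
    if kind == "const":                      # different magic, same records
        return bytes(b ^ 0xFF for b in MAGIC) + serialize(records)[4:]
    if kind == "number":
        records[idx][0] = value
    elif kind == "length":                   # resize payload so the file stays well-formed
        records[idx][1] = value
        records[idx][2] = (records[idx][2] + b"A" * value)[:value]
    else:                                    # same length, different content
        records[idx][2] = bytes(b ^ 0xFF for b in records[idx][2])
    return serialize(records)


def boundary(attack, fld, exploit_at_high):
    """Binary-search the edge of the exploiting range of a 16-bit field,
    assuming the oracle is monotone in the value (true for a length overflow)."""
    lo, hi = 0, 0xFFFF
    while lo < hi:
        mid = (lo + hi + (0 if exploit_at_high else 1)) // 2
        fires = oracle(mutate(attack, fld, mid))
        if exploit_at_high:
            lo, hi = (lo, mid) if fires else (mid + 1, hi)
        else:
            lo, hi = (mid, hi) if fires else (lo, mid - 1)
    return lo


def generate_signature(attack):
    """Probe every field of the zero-day instance; keep only what the exploit needs."""
    assert oracle(attack), "the search starts from a working attack instance"
    sig = {}
    for fld in format_of(attack):
        name, idx, kind = fld
        if kind in ("const", "bytes"):        # content needed verbatim, or not at all?
            orig = MAGIC if kind == "const" else parse(attack)[idx][2]
            sig[name] = "*" if oracle(mutate(attack, fld, None)) else ("==", orig)
            continue
        orig = parse(attack)[idx][0 if kind == "number" else 1]
        at_low, at_high = (oracle(mutate(attack, fld, v)) for v in (0, 0xFFFF))
        if at_low and at_high:
            sig[name] = "*"                    # value does not matter
        elif not at_low and not at_high:
            sig[name] = ("==", orig)           # only the observed value is known to work
        elif at_high:
            sig[name] = (">=", boundary(attack, fld, True))
        else:
            sig[name] = ("<=", boundary(attack, fld, False))
    return sig


def matches(sig, data):
    """Apply the signature to a new input: every non-wildcard constraint must hold."""
    records = parse(data)
    if records is None:
        return False
    col = {"type": 0, "len": 1, "payload": 2}
    for name, c in sig.items():
        if c == "*":
            continue
        op, want = c
        if name == "magic":
            have = data[:4]
        else:
            rec, fname = name.split(".")
            if int(rec[3:]) >= len(records):
                return False
            have = records[int(rec[3:])][col[fname]]
        if (op == "==" and have != want) or (op == ">=" and have < want) \
                or (op == "<=" and have > want):
            return False
    return True


# Constructed zero-day instance: a benign record, then a type-3 record of length 80.
ATTACK = serialize([[1, 8, b"benign!!"], [3, 80, b"\x90" * 80]])
SIGNATURE = generate_signature(ATTACK)

if __name__ == "__main__":
    for k, v in SIGNATURE.items():
        print(k, v)
```

Running it yields a signature of the form `magic == b"TOYF"`, `rec1.type == 3`, `rec1.len >= 65`, with every other field a wildcard, so a file with a different first record and a completely different 200-byte payload still matches while a type-3 record of length 10 does not. Two simplifications worth knowing about: the signature names fields by record position (`rec1`), whereas a real format description would express the constraint on any record of that type, and the threshold search assumes the oracle is monotone in the field value, which holds for a length overflow but not for every bug class.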
About the Speaker
Weidong Cui is a researcher in the Distributed Systems and Security group at Microsoft Research, Redmond. His research interests lie in the areas of systems and networking security. He received his Ph.D. in Electrical Engineering and Computer Sciences (2006) and his M.S. in Computer Science (2003) from the University of California, Berkeley, and his M.E. (2000) and B.E. (1998) in Electronic Engineering from Tsinghua University in Beijing, China.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.