Weidong Cui - Microsoft
"Automatic Signature Generation for Unknown Vulnerabilities"
Dec 03, 2008
Download: MP4 Video (564.8MB)
Watch on YouTube
Abstract
In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen.
Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats.
ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities.
By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.
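The ShieldGen loop described above (use the format to derive a candidate instance, ask the zero-day detector whether it still exploits, keep or drop the constraint accordingly) can be seen end to end on a toy format. The following Python is an added example, not the Tupni or ShieldGen code: the type/length/data record format stands in for a Tupni-recovered format, a simulated parser that copies into an assumed 16-byte buffer without a check stands in for the zero-day detector oracle, and the seed attack file is constructed. It makes the abstract's point in running code: the resulting signature constrains only what the exploit actually depends on (a header type, a record type, and a length boundary), so it matches other exploits of the same bug but not the single payload it was seeded with.

```python
"""Toy ShieldGen-style vulnerability signature generation.

Added example; not the Tupni/ShieldGen code. Everything here is constructed:
the record format (standing in for a Tupni-recovered format), the simulated
vulnerable parser standing in for the zero-day detector oracle, and the
seed attack instance.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

BUF_SIZE = 16  # assumed: type-2 record data is copied into a 16-byte buffer


@dataclass
class Record:
    rtype: int
    data: bytes


def encode(records: List[Record]) -> bytes:
    """Serialize as a sequence of type(1) | length(1) | data(length) records."""
    return b"".join(bytes([r.rtype, len(r.data)]) + r.data for r in records)


def parse(buf: bytes) -> List[Record]:
    """The 'recovered' format: a record sequence whose length field governs data."""
    i, recs = 0, []
    while i + 2 <= len(buf):
        t, n = buf[i], buf[i + 1]
        recs.append(Record(t, buf[i + 2:i + 2 + n]))
        i += 2 + n
    return recs


def oracle(buf: bytes) -> bool:
    """Constructed stand-in for a zero-day detector: True if the input would
    trigger the bug. The target insists on a type-1 header record, then copies
    any later type-2 record's data into a BUF_SIZE byte buffer without a check."""
    recs = parse(buf)
    if not recs or recs[0].rtype != 0x01:
        return False  # header check fails, so the vulnerable copy is never reached
    return any(r.rtype == 0x02 and len(r.data) > BUF_SIZE for r in recs[1:])


def _with(recs: List[Record], idx: int, **changes) -> bytes:
    """Re-encode with one record's fields replaced; length fields stay consistent."""
    copy = [Record(r.rtype, r.data) for r in recs]
    for name, value in changes.items():
        setattr(copy[idx], name, value)
    return encode(copy)


Constraint = Tuple  # ("eq", value) | ("range", lo, hi) | ("set", values)


def generate_signature(attack: bytes, is_exploit: Callable[[bytes], bool]) -> Dict[str, Constraint]:
    """Refine the seed instance field by field. A field whose value can be
    changed without losing the exploit becomes a wildcard (absent from the
    signature); otherwise a constraint is kept. Length fields are probed over
    the whole encodable range so the signature records the boundary, not the
    particular length the attacker happened to use."""
    assert is_exploit(attack), "seed must be a working attack instance"
    recs = parse(attack)
    sig: Dict[str, Constraint] = {}
    for i, r in enumerate(recs):
        # Type field: every alternative must still exploit for it to be a wildcard.
        alts = {(r.rtype + d) % 256 for d in (1, 0x80, 0xFF)} - {r.rtype}
        if not all(is_exploit(_with(recs, i, rtype=a)) for a in alts):
            sig[f"record[{i}].type"] = ("eq", r.rtype)
        # Data content: same length, different bytes.
        fills = [bytes([b]) * len(r.data) for b in (0x00, 0x41, 0xFF)]
        if r.data and not all(is_exploit(_with(recs, i, data=f)) for f in fills if f != r.data):
            sig[f"record[{i}].data"] = ("eq", r.data)
        # Length field: probe all 256 lengths, keeping the original bytes as a prefix.
        good = [n for n in range(256)
                if is_exploit(_with(recs, i, data=(r.data + b"A" * 256)[:n]))]
        if len(good) != 256:
            lo, hi = min(good), max(good)
            contiguous = good == list(range(lo, hi + 1))
            sig[f"record[{i}].length"] = ("range", lo, hi) if contiguous else ("set", tuple(good))
    return sig


def _field(recs: List[Record], key: str) -> Optional[object]:
    """Look up 'record[<i>].<type|length|data>' in a parsed input."""
    idx = int(key[key.index("[") + 1:key.index("]")])
    if idx >= len(recs):
        return None
    r = recs[idx]
    return {"type": r.rtype, "length": len(r.data), "data": r.data}[key.rsplit(".", 1)[1]]


def matches(sig: Dict[str, Constraint], buf: bytes) -> bool:
    """Check any input (not just the seed) against the generated signature."""
    recs = parse(buf)
    for key, cond in sig.items():
        v = _field(recs, key)
        if v is None:
            return False
        if cond[0] == "eq" and v != cond[1]:
            return False
        if cond[0] == "range" and not cond[1] <= v <= cond[2]:
            return False
        if cond[0] == "set" and v not in cond[1]:
            return False
    return True


# Constructed seed: valid header plus an oversized type-2 record with a specific payload.
SEED_ATTACK = encode([Record(0x01, b"hdr"), Record(0x02, bytes(range(40)))])

if __name__ == "__main__":
    for key, cond in sorted(generate_signature(SEED_ATTACK, oracle).items()):
        print(key, cond)
```

Two details matter for signature quality here. The header record's type is kept in the signature not because the bug is in it, but because the oracle never reaches the vulnerable copy without it: reachability constraints are part of a vulnerability signature. And the length field is probed across its whole range rather than simply generalized or kept, which is what turns the seed's specific length of 40 into the boundary constraint the bug actually has; an exploit with a 17-byte record matches, a 16-byte record does not.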
About the Speaker
Weidong Cui is a researcher in the Distributed Systems and Security group at Microsoft Research, Redmond. His research interests lie in the areas of systems and networking security. He received his Ph.D. in Electrical Engineering and Computer Sciences (2006) and his M.S. in Computer Science (2003) from the University of California, Berkeley, and his M.E. (2000) and B.E. (1998) in Electronic Engineering from Tsinghua University in Beijing, China.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.