CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

Automatic Signature Generation for Unknown Vulnerabilities

Weidong Cui - Microsoft

Dec 03, 2008


Abstract

In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen.

Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats.

ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities.

By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.
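The oracle-guided search described for ShieldGen can be illustrated on a constructed message format. This is an added example, not code from the talk or from ShieldGen itself; the field names, probe values, the `oracle` stand-in for a zero-day detector and the flaw it models are all hypothetical.

```python
# Added example: oracle-guided signature search over a constructed format.
# Field names, probe values and the oracle below are all hypothetical.

# Known input format: field name -> alternative values to probe with.
FORMAT = {
    "version": [1, 2, 3],
    "record_type": [0x10, 0x26, 0x40],
    "length": [0, 16, 64, 65, 300, 4096],
    "flags": [0, 1, 255],
}

# The single captured attack instance, already parsed into fields.
ATTACK = {"version": 1, "record_type": 0x26, "length": 300, "flags": 0}


def oracle(msg):
    """Stand-in for the zero-day detector: True if msg still triggers the flaw.
    Constructed flaw: record type 0x26 whose length exceeds a 64-byte buffer."""
    return msg["record_type"] == 0x26 and msg["length"] > 64


def probe_field(attack, name, candidates, oracle):
    """Vary one field, hold the rest at the attack's values, ask the oracle."""
    values = sorted(set(candidates) | {attack[name]})
    hits = [v for v in values if oracle({**attack, name: v})]
    misses = [v for v in values if v not in hits]
    if not misses:
        return None                      # every probe still exploits: don't-care
    if hits == [attack[name]]:
        return ("eq", attack[name])      # only the original value exploits
    if max(misses) < min(hits):
        return ("gt", max(misses))       # boundary only as fine as the probes
    return ("in", tuple(hits))


def generate_signature(attack, fmt, oracle):
    if not oracle(attack):
        raise ValueError("oracle does not flag the supplied attack instance")
    conds = {n: probe_field(attack, n, c, oracle) for n, c in fmt.items()}
    return {n: c for n, c in conds.items() if c is not None}


def matches(signature, msg):
    """Apply the generated signature to a parsed message."""
    ops = {"eq": lambda v, a: v == a, "gt": lambda v, a: v > a,
           "in": lambda v, a: v in a}
    return all(ops[op](msg[n], arg) for n, (op, arg) in signature.items())


SIGNATURE = generate_signature(ATTACK, FORMAT, oracle)
```

Because each field is probed on its own, this version cannot recover a condition that couples two fields, and the `gt` boundary is only as tight as the probe values chosen.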

About the Speaker

Weidong Cui is a researcher in the Distributed Systems and Security group at Microsoft Research, Redmond. His research interests lie in the areas of systems and networking security. He received his Ph.D. in Electrical Engineering and Computer Sciences (2006) and his M.S. in Computer Science (2003) from the University of California, Berkeley, and his M.E. (2000) and B.E. (1998) in Electronic Engineering from Tsinghua University in Beijing, China.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.
