On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Full text

Pdf (335 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 12th ACM conference on Computer and communications security table of contents

Alexandria, VA, USA

SESSION: Intrusion detection and prevention table of contents

Pages: 235 - 248

Year of Publication: 2005

ISBN:1-59593-226-7

Authors

Jedidiah R. Crandall	Univ. of Calif., Davis, Davis, CA
Zhendong Su	Univ. of Calif., Davis, Davis, CA
S. Felix Wu	Univ. of Calif., Davis, Davis, CA
Frederic T. Chong	Dept. Comp. Sci. Univ. of Calif., Santa Barbara, Santa Barbara, CA 93106

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 17, Downloads (12 Months): 175, Citation Count: 15

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1102120.1102152 What is a DOI?

ABSTRACT

Vulnerabilities that allow worms to hijack the control flow of each host that they spread to are typically discovered months before the worm outbreak, but are also typically discovered by third party researchers. A determined attacker could discover vulnerabilities as easily and create zero-day worms for vulnerabilities unknown to network defenses. It is important for an analysis tool to be able to generalize from a new exploit observed and derive protection for the vulnerability.Many researchers have observed that certain predicates of the exploit vector must be present for the exploit to work and that therefore these predicates place a limit on the amount of polymorphism and metamorphism available to the attacker. We formalize this idea and subject it to quantitative analysis with a symbolic execution tool called DACODA. Using DACODA we provide an empirical analysis of 14 exploits (seven of them actual worms or attacks from the Internet, caught by Minos with no prior knowledge of the vulnerabilities and no false positives observed over a period of six months) for four operating systems.Evaluation of our results in the light of these two models leads us to conclude that 1) single contiguous byte string signatures are not effective for content filtering, and token-based byte string signatures composed of smaller substrings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used, and that 2) practical exploit analysis must account for multiple processes, multithreading, and kernel processing of network data necessitating a focus on primitives instead of vulnerabilities.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. Stride: Polymorphic sled detection through instruction sequence analysis. In 20th IFIP International Information Security Conference.
	2	Barnaby Jack. Remote Windows Kernel Exploitation-Step Into the Ring 0.
	3	Elena Gabriela Barrantes , David H. Ackley , Trek S. Palmer , Darko Stefanovic , Dino Dai Zovi, Randomized instruction set emulation to disrupt binary code injection attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948147]
	4	C. Cadar and D. Engler. Execution generated test cases: how to make systems code crash itself. In SPIN, 2005.
	5	S. Chen, J. Xu, and E. C. Sezer. Non-control-hijacking attacks are realistic threats. In USENIX Security Symposium 2005, 2005.
	6	R. Chinchani and E. van den Berg. A fast static analysis approach to detect exploit code inside network flows. In RAID, 2005.
	7	M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns, 2003.
	8	Mihai Christodorescu , Somesh Jha , Sanjit A. Seshia , Dawn Song , Randal E. Bryant, Semantics-Aware Malware Detection, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.32-46, May 08-11, 2005 [doi>10.1109/SP.2005.20]
	9	F. Cohen. Computer viruses: theory and experiments. In 7th DoD/NBS Computer Security Conference Proceedings, pages 240--263, September 1984.
	10	M. Costa, J. Crowcroft, M. Castro, and A. Rowstron. Can we contain internet worms? In HotNets III.
	11	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: end-to-end containment of internet worms, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	12	J. R. Crandall and F. T. Chong. A Security Assessment of the Minos Architecture. In Workshop on Architectural Support for Security and Anti-Virus, Oct. 2004.
	13	Jedidiah R. Crandall , Frederic T. Chong, Minos: Control Data Attack Prevention Orthogonal to Memory Model, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.221-232, December 04-08, 2004, Portland, Oregon [doi>10.1109/MICRO.2004.26]
	14	J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences using Minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities. In Proceedings of GI SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
	15	H. Dreger, C. Kreibich, V. Paxson, and R. Sommer. Enhancing the accuracy of network-based intrusion detection with host-based context. In Proceedings of GI SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
	16	George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, ACM SIGOPS Operating Systems Review, v.36 n.SI, Winter 2002 [doi>10.1145/844128.844148]
	17	J. Fenton. Information protection systems. In Ph.D. Thesis, University of Cambridge, 1973.
	18	Patrice Godefroid , Nils Klarlund , Koushik Sen, DART: directed automated random testing, Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, June 12-15, 2005, Chicago, IL, USA
	19	S.-S. Hong, F. Wong, S. F. Wu, B. Lilja, T. Y. Jansson, H. Johnson, and A. Nelsson. TCPtransform: Property-oriented TCP traffic transformation. In Proceedings of GI SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
	20	S.-S. Hong and S. F. Wu. On interactive Internet traffic replay. In RAID, 2005.
	21	H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In USENIX Security Symposium, pages 271--286, 2004.
	22	James C. King, Symbolic execution and program testing, Communications of the ACM, v.19 n.7, p.385-394, July 1976 [doi>10.1145/360248.360252]
	23	O. Kolesnikov and W. Lee. Advanced polymorphic worms: Evading IDS by blending in with normal traffic.
	24	Christian Kreibich , Jon Crowcroft, Honeycomb: creating intrusion detection signatures using honeypots, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004 [doi>10.1145/972374.972384]
	25	C. Krügel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In RAID, 2005.
	26	B. Miller, D. Koski, C. P. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of UNIX utilities and services. Technical report, 1995.
	27	Barton P. Miller , Louis Fredriksen , Bryan So, An empirical study of the reliability of UNIX utilities, Communications of the ACM, v.33 n.12, p.32-44, Dec. 1990 [doi>10.1145/96267.96279]
	28	James Newsome , Brad Karp , Dawn Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.226-241, May 08-11, 2005 [doi>10.1109/SP.2005.15]
	29	J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), Feb. 2005.
	30	A. Pasupulati, J. Coit, K. Levitt, S. Wu, S. Li, R. Kuo, and K. Fan. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In 9th IEEE/IFIP Network Operation and Management Symposium (NOMS'2004), 2004.
	31	U. Payer, P. Teufl, and M. Lamberger. Hybrid engine for polymorphic shellcode detection. In Proceedings of GI SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
	32	T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., Suite 330, 1201 5th Street S.W, Calgary, Alberta, Canada, T2R-0Y6, 1998.
	33	C. Raiu. Holding the Bady. In Virus Bulletin, 2001.
	34	Shai Rubin , Somesh Jha , Barton P. Miller, Automatic Generation and Analysis of NIDS Attacks, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.28-38, December 06-10, 2004 [doi>10.1109/CSAC.2004.9]
	35	Shai Rubin , Somesh Jha , Barton P. Miller, Language-Based Generation and Evaluation of NIDS Signatures, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.3-17, May 08-11, 2005 [doi>10.1109/SP.2005.10]
	36	Mark E. Russinovich , David A. Solomon, Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer), Microsoft Press, Redmond, WA, 2004
	37	S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In OSDI, 2004.
	38	Peter Szor, The Art of Computer Virus Research and Defense, Addison-Wesley Professional, 2005
	39	Steven J. Templeton , Karl Levitt, A requires/provides model for computer attacks, Proceedings of the 2000 workshop on New security paradigms, p.31-38, September 18-21, 2000, Ballycotton, County Cork, Ireland [doi>10.1145/366173.366187]
	40	T. Toth and C. Krügel. Accurate buffer overflow detection via abstract payload execution. In RAID, pages 274--291, 2002.
	41	Neil Vachharajani , Matthew J. Bridges , Jonathan Chang , Ram Rangan , Guilherme Ottoni , Jason A. Blome , George A. Reis , Manish Vachharajani , David I. August, RIFLE: An Architectural Framework for User-Centric Information-Flow Security, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.243-254, December 04-08, 2004, Portland, Oregon [doi>10.1109/MICRO.2004.31]
	42	Giovanni Vigna , William Robertson , Davide Balzarotti, Testing network-based intrusion detection signatures using mutant exploits, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA [doi>10.1145/1030083.1030088]
	43	Helen J. Wang , Chuanxiong Guo , Daniel R. Simon , Alf Zugenmaier, Shield: vulnerability-driven network filters for preventing known vulnerability exploits, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
	44	V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An architecture for generating semantics-aware signatures. In USENIX Security Symposium, 2005.
	45	Adam Young , Moti Yung, Malicious Cryptography: Exposing Cryptovirology, John Wiley & Sons, 2004
	46	bochs: the Open Source IA-32 Emulation Project (Home Page), http://bochs.sourceforge.net.
	47	eEye advisory for the DCOM RPC Race Condition (http://www.eeye.com/html/research/advisories/ AD20040413B.html).
	48	eEye advisory for the LSASS buffer overflow (http://www.eeye.com/html/research/advisories/ AD20040413C.html).
	49	General William T. Sherman, as quoted in B. H. Liddell Hart, Strategy, second revised edition.
	50	Microsoft advisory MSXX-YYY (http://www.microsoft.com/technet/security/bulletin/ MSXX-YYY.mspx).
	51	QEMU (Home Page), http://fabrice.bellard.free.fr/qemu/.
	52	Security Focus Vulnerability Notes, (http://www.securityfocus.com), bid == Bugtraq ID.
	53	SNORT: The open source network intrusion detection system (http://www.snort.org). 2002.

CITED BY 15

	Jisheng Wang , lhab Hamadeh , George Kesidis , David J. Miller, Polymorphic worm detection and defense: system design, experimental methodology, and data resources, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.169-176, September 11-15, 2006, Pisa, Italy
	Justin Ma , John Dunagan , Helen J. Wang , Stefan Savage , Geoffrey M. Voelker, Finding diversity in remote code injection exploits, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Michael E. Locasto , Angelos Stavrou , Angelos D. Keromytis, Dark application communities, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
	Shai Rubin , Somesh Jha , Barton P. Miller, Protomatching network traffic for high throughputnetwork intrusion detection, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Emre C. Sezer , Peng Ning , Chongkyung Kil , Jun Xu, Memsherlock: an automated debugger for unknown memory corruption vulnerabilities, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Sungwon Yi , Byoung-koo Kim , Jintae Oh , Jongsoo Jang , George Kesidis , Chita R. Das, Memory-efficient content filtering hardware for high-speed intrusion detection systems, Proceedings of the 2007 ACM symposium on Applied computing, March 11-15, 2007, Seoul, Korea
	Daniela A. S. de Oliveira , Jedidiah R. Crandall , Gary Wassermann , S. Felix Wu , Zhendong Su , Frederic T. Chong, ExecRecorder: VM-based full-system replay for attack analysis and system recovery, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.66-71, October 21-21, 2006, San Jose, California
	Shashidhar Mysore , Bita Mazloom , Banit Agrawal , Timothy Sherwood, Understanding and visualizing full systems with data flow tomography, ACM SIGARCH Computer Architecture News, v.36 n.1, March 2008
	Jedidiah R. Crandall , Gary Wassermann , Daniela A. S. de Oliveira , Zhendong Su , S. Felix Wu , Frederic T. Chong, Temporal search: detecting hidden malware timebombs with virtual machines, ACM SIGPLAN Notices, v.41 n.11, November 2006
	Yingbo Song , Michael E. Locasto , Angelos Stavrou , Angelos D. Keromytis , Salvatore J. Stolfo, On the infeasibility of modeling polymorphic shellcode, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Miguel Castro , Manuel Costa , Jean-Philippe Martin, Better bug reporting with better privacy, ACM SIGPLAN Notices, v.43 n.3, March 2008
	Joseph Tucek , James Newsome , Shan Lu , Chengdu Huang , Spiros Xanthos , David Brumley , Yuanyuan Zhou , Dawn Song, Sweeper: a lightweight end-to-end system for defending against fast worms, ACM SIGOPS Operating Systems Review, v.41 n.3, June 2007
	Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado, Bouncer: securing software by blocking bad input, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Jedidiah R. Crandall , S. Felix Wu , Frederic T. Chong, Minos: Architectural support for protecting control data, ACM Transactions on Architecture and Code Optimization (TACO), v.3 n.4, p.359-389, December 2006
	Zhiqiang Lin , Xuxian Jiang , Dongyan Xu , Bing Mao , Li Xie, AutoPaG: towards automated software patch generation with source code root cause identification and repair, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore