
Bouncer: securing software by blocking bad input

Published: 14 October 2007

Abstract

Attackers exploit software vulnerabilities to control or crash programs. Bouncer uses existing software instrumentation techniques to detect attacks and it generates filters automatically to block exploits of the target vulnerabilities. The filters are deployed automatically by instrumenting system calls to drop exploit messages. These filters introduce low overhead and they allow programs to keep running correctly under attack. Previous work computes filters using symbolic execution along the path taken by a sample exploit, but attackers can bypass these filters by generating exploits that follow a different execution path. Bouncer introduces three techniques to generalize filters so that they are harder to bypass: a new form of program slicing that uses a combination of static and dynamic analysis to remove unnecessary conditions from the filter; symbolic summaries for common library functions that characterize their behavior succinctly as a set of conditions on the input; and generation of alternative exploits guided by symbolic execution. Bouncer filters have low overhead, they do not have false positives by design, and our results show that Bouncer can generate filters that block all exploits of some real-world vulnerabilities.
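To make the generalization concrete, here is an added toy model that is not the paper's code; the target program, its 16-byte buffer and all three messages are constructed for the illustration. A filter built from the sample exploit's path alone pins the exact loop-exit offset and even unrelated version bytes, so a variant exploit slips past it, while the sliced filter with a summary of the copy loop blocks both exploits and still passes a benign request.

```python
# Added toy model of Bouncer-style filter generalization; not the paper's
# code. Target, buffer size and messages are constructed, and the overflow
# is modelled as a return value rather than as real memory corruption.
BUF_SIZE = 16  # assumed size of the target's path buffer

def target(msg: bytes) -> str:
    """Constructed target: 'GET <path> <version>'. The path is copied byte
    by byte into a BUF_SIZE buffer with no bounds check (modelled)."""
    if msg[:4] != b"GET ":
        return "reject"
    end = msg.find(b" ", 4)                  # copy loop exits at first space
    end = len(msg) if end < 0 else end
    version_ok = msg[end + 1:] == b"HTTP/1.0"   # only affects logging
    if end - 4 >= BUF_SIZE:                  # the overflow a detector catches
        return "overflow"
    return "ok" if version_ok else "ok-noversion"

def path_filter(exploit: bytes):
    """Filter from symbolic execution along the exploit path only: one
    condition per branch taken, including the exact loop exit and the
    version bytes, which play no part in the overflow."""
    end = exploit.find(b" ", 4)
    conds = [lambda m, i=i, c=c: len(m) > i and m[i] == c
             for i, c in enumerate(exploit[:4])]
    conds += [lambda m, i=i: len(m) > i and m[i] != 0x20
              for i in range(4, end)]
    conds.append(lambda m: len(m) > end and m[end] == 0x20)
    conds += [lambda m, i=i, c=c: len(m) > i and m[i] == c
              for i, c in enumerate(exploit[end + 1:], end + 1)]
    return conds

def generalized_filter():
    """Same filter after slicing away the version conditions and replacing
    the per-iteration loop conditions with a summary of the copy:
    at least BUF_SIZE non-space bytes follow the method."""
    def method(m):
        return m[:4] == b"GET "
    def overflow(m):
        end = m.find(b" ", 4)
        return (len(m) if end < 0 else end) - 4 >= BUF_SIZE
    return [method, overflow]

def blocked(filt, msg: bytes) -> bool:
    """Drop only when every condition holds; each condition is implied by
    reaching the vulnerability, so a dropped message was an exploit."""
    return all(c(msg) for c in filt)

EXPLOIT = b"GET " + b"A" * 24 + b" HTTP/1.0"   # constructed sample exploit
VARIANT = b"GET " + b"B" * 40 + b" HTTP/1.1"   # same bug, different path
BENIGN = b"GET /index.html HTTP/1.0"           # constructed legitimate request
```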

Supplementary Material

JPG File (1294274.jpg)
index.html (index.html)
Slides from the presentation
Audio only (1294274.mp3)
Video (1294274.mp4)



Published In

ACM SIGOPS Operating Systems Review, Volume 41, Issue 6 (SOSP '07), December 2007, 363 pages. ISSN: 0163-5980. DOI: 10.1145/1323293
SOSP '07: Proceedings of the twenty-first ACM SIGOPS Symposium on Operating Systems Principles, October 2007, 378 pages. ISBN: 9781595935915. DOI: 10.1145/1294261

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. precondition slicing
  2. symbolic execution

Qualifiers

  • Article
