Research on Automated Defenses for Common Exploits
Software exploit defenses have long been one of the most important research areas in the lab. Given the large base of existing software, and the large gaps in automated and manual code analysis for discovering the vulnerabilities in it, automated exploit defenses remain a bright spot: these techniques are often able to block vast classes of popular exploits at little or relatively low cost.
Our research initially targeted the popular memory error exploits [11, 10, 6, 5, 4]. Many of these defenses rely on randomization, and are hence subject to brute-force attacks that try to guess the randomization key. To defend against these attacks, we developed novel techniques that rely on a forensic analysis of the memory space of randomized applications and/or on application behavior models to synthesize accurate attack signatures [9, 8]. These signatures are generated within milliseconds of the first unsuccessful attack attempt, and can hence defeat brute-force attacks before a subsequent guess succeeds.
We subsequently extended automated exploit defense to a much larger class of vulnerabilities, including those that lead to SQL injection, command injection, cross-site scripting, path traversal, format-string vulnerabilities, and so on [7, 3]. Automated exploit defense continues to be one of the most active areas of research within the lab.
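As an added illustration of the taint-enhanced policy enforcement idea behind [7] (this is example code written for this page, not the lab's implementation), the block below tracks which bytes of a SQL query came from untrusted input and rejects the query when tainted bytes form query structure (quotes, keywords, operators, comments) rather than plain data. The `Tainted` class, the simplified lexer and the `build_query` helper are all constructed for the example.

```python
import re

# Constructed illustration (not the lab's code) of taint-enhanced policy
# enforcement for SQL injection: untrusted bytes are tracked through string
# building, and a policy rejects any query whose tainted bytes form SQL
# structure (keywords, operators, comments, quotes) instead of data.

class Tainted:
    """A string plus a per-character taint mask (True = from untrusted input)."""
    def __init__(self, text, mask=None):
        self.text = text
        self.mask = list(mask) if mask is not None else [True] * len(text)

    @staticmethod
    def trusted(text):
        return Tainted(text, [False] * len(text))

    def __add__(self, other):
        if isinstance(other, str):          # program constants are trusted
            other = Tainted.trusted(other)
        return Tainted(self.text + other.text, self.mask + other.mask)

    def __radd__(self, other):              # str + Tainted
        return Tainted.trusted(other) + self

# Simplified SQL lexer: whitespace, quoted strings (no '' escapes), numbers,
# identifiers/keywords, -- comments, single punctuation/operator characters.
TOKEN = re.compile(r"\s+|'[^']*'|\d+|\w+|--[^\n]*|[^\w\s]")

def policy_violation(q):
    """Return the first token whose taint changes query structure, else None.
    Allowed: tainted bytes strictly inside a string literal whose delimiting
    quotes are trusted, or a tainted numeric literal. Any other tainted token
    (keyword, operator, quote, comment) is rejected."""
    for m in TOKEN.finditer(q.text):
        tok, (start, end) = m.group(), m.span()
        tmask = q.mask[start:end]
        if not any(tmask) or tok.isspace():
            continue                         # trusted token or bare whitespace
        if tok[0] == "'" and len(tok) >= 2 and not tmask[0] and not tmask[-1]:
            continue                         # data inside trusted quotes
        if tok.isdigit():
            continue                         # numeric data
        return tok
    return None

def build_query(user_name):
    """Typical vulnerable concatenation: untrusted input glued into SQL."""
    return "SELECT * FROM users WHERE name='" + Tainted(user_name) + "'"

if __name__ == "__main__":
    print(policy_violation(build_query("alice")))          # None
    print(policy_violation(build_query("x' OR 1=1 --")))   # 'x'
```

In the second call the closing quote of the literal `'x'` is tainted, so the policy flags the query before the injected `OR` is even reached; a benign name stays entirely inside trusted quotes and passes.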
Related Publications
- [1] Online Signature Generation for Windows Systems. Annual Computer Security Applications Conference (ACSAC), December 2009.
- [2] Practical Techniques for Regeneration and Immunization of COTS Applications. Workshop on Recent Advances on Intrusion-Tolerant Systems (WRAITS), June 2009.
- [3] An Efficient Black-box Technique for Defeating Web Application Attacks. ISOC Network and Distributed Systems Symposium (NDSS), February 2009.
- [4] Anomalous Taint Detection (Extended Abstract). Recent Advances in Intrusion Detection (RAID), September 2008. (Full version available as Technical Report SECLAB08-06.)
- [5] Data Space Randomization. Detection of Intrusions, Malware and Vulnerability Analysis (DIMVA), July 2008.
- [6] Address-Space Randomization for Windows Systems. Annual Computer Security Applications Conference (ACSAC), December 2006.
- [7] Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. USENIX Security Symposium (USENIX Security), August 2006. (An earlier version appeared as Technical Report SECLAB-05-06, November 2005. Also supersedes Technical Report SECLAB-05-05, A Unified Approach for Preventing Attacks Exploiting a Range of Software Vulnerabilities, August 2005, and Technical Report SECLAB-05-04, Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications, May 2005.)
- [8] Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models. Annual Computer Security Applications Conference (ACSAC), December 2005. (Supersedes Technical Report SECLAB-05-01, An Immune System Inspired Approach for Protection from Repetitive Attacks, March 2005.)
- [9] Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. ACM Conference on Computer and Communications Security (CCS), November 2005. (Supersedes Technical Report SECLAB-05-02, Automated, Sub-second Attack Signature Generation: A Basis for Building Self-Protecting Servers, May 2005.)
- [10] Efficient Techniques for Comprehensive Protection from Memory Error Exploits. USENIX Security Symposium (USENIX Security), August 2005.
- [11] Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits. USENIX Security Symposium (USENIX Security), August 2003.