AutoDunt: Dynamic Latent Dependence Analysis for Detection of Zero Day Vulnerability

  • Conference paper
Information Security and Cryptology - ICISC 2011 (ICISC 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7259))

Abstract

Zero-day vulnerabilities play an important role in cyber security. Because they are unknown to the public and no patches are available, attackers can use them to attack effectively. Detecting software vulnerabilities and producing patches can protect hosts from attacks that use these vulnerabilities, but this approach cannot prevent all vulnerabilities. Other methods, such as address space randomization, can defend against vulnerabilities, but they cannot locate them in the software and so cannot help software vendors generate patches for other hosts. In this paper, we design and develop a proof-of-concept prototype called AutoDunt (AUTOmatical zero Day vUlNerability deTector), which detects vulnerable code in software by analyzing attacks directly in virtual surroundings. It needs no source code and does not depend on the shellcode, whether polymorphic, metamorphic, or absent altogether. We present a new kind of dependence between variables, called latent dependence, and use it to save the states necessary for replaying the virtual surroundings. In this way, AutoDunt does not need slicing or taint analysis to find the vulnerable code in the software, which saves analysis time. We verify the effectiveness and evaluate the efficiency of AutoDunt by testing 81 real exploits and 7 popular applications at the end of this paper.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Chen, K., Lian, Y., Zhang, Y. (2012). AutoDunt: Dynamic Latent Dependence Analysis for Detection of Zero Day Vulnerability. In: Kim, H. (eds) Information Security and Cryptology - ICISC 2011. ICISC 2011. Lecture Notes in Computer Science, vol 7259. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31912-9_10

  • DOI: https://doi.org/10.1007/978-3-642-31912-9_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31911-2

  • Online ISBN: 978-3-642-31912-9
