Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Yan Zhang

2007-01-01

Abstract:An artificial immunity-based method for dynamic script-virus detection is presented. Antigen and antibody in the environment of virus detection are defined. Processes of self-tolerance and clone selection are simulated. Self and memory antibody are evolved dynamically. The mechanism of dynamic production and elimination of mature antibody is set up. The experiment result shows that the method can detect virus well, andmutated and unknown script-virus can be detected.

Fady Copty,Andre Kassis,Sharon Keidar-Barner,Dov Murik

DOI: https://doi.org/10.48550/arXiv.2007.08296

2020-07-16

Cryptography and Security

Abstract:Many applications have security vulnerabilities that can be exploited. It is practically impossible to find all of them due to the NP-complete nature of the testing problem. Security solutions provide defenses against these attacks through continuous application testing, fast-patching of vulnerabilities, automatic deployment of patches, and virtual patching detection techniques deployed in network and endpoint security tools. These techniques are limited by the need to find vulnerabilities before the black-hats. We propose an innovative technique to virtually patch vulnerabilities before they are found. We leverage testing techniques for supervised-learning data generation, and show how artificial intelligence techniques can use this data to create predictive deep neural-network models that read an application's input and predict in real time whether it is a potential malicious input. We set up an ahead-of-threat experiment in which we generated data on old versions of an application, and then evaluated the predictive model accuracy on vulnerabilities found years later. Our experiments show ahead-of-threat detection on LibXML2 and LibTIFF vulnerabilities with 91.3% and 93.7% accuracy, respectively. We expect to continue work on this field of research and provide ahead-of-threat virtual patching for more libraries. Success in this research can change the current state of endless racing after application vulnerabilities and put the defenders one step ahead of the attackers

Zhi-qiang LIN,Yi WANG,Bing MAO,Li XIE

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.05.016

2007-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:This paper presents a dynamic and transparent toolkit, SafeBird, to defend against run-time buffer overflows by combining several techniques. SafeBird consists of three tools: SIET, LibsafeXP and SLI. SIET extracts the size and starting address information of program global variables from the symbol section of ELF executable file. LibsafeXP, a dynamic shared library and an extension to Libsafe, contains wrapper functions for all the buffer related C Standard Library functions. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge provided by SIET, heap buffer knowledge by intercepting/tracking memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. The third tool SLI is used to accomplish the function interception and inject the shared library, LibsafeXP, into the running process online without interruption. Compared with existing approaches, SafeBird is more transparent to programs: it works on binary mode, and neither requires the source code or any debug information, nor needs to stop/restart the protected software. Performance and effectiveness evaluations indicate that SafeBird could be used to prevent run-time buffer overflow attacks efficiently, and imposes only about 10 percent overhead on average.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Jiayun Xie,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/icc.2017.7996682

2017-01-01

Abstract:recently, an increasing number of inter-app attacks such as confused deputy attacks, data leakage attacks and collusion attacks spring up. However, there is no perfect defense method against them. As we all know, developers play an important role in android security, but their weak consciousness about the security may lead to inter-app attacks. Therefore, considered for developers, it is important to investigate and try to defend against such attacks in android. This paper presents typical inter-app attacks in android and proposes AutoPatchDroid, an automatic framework to find the vulnerable code in apps and patch them automatically. We firstly find the vulnerable paths from sources to sinks, sources to execution exit points, execution entry points to sinks and execution entry points to execution exit points in the application using static analysis. Then we locate the vulnerable code pieces and insert the patch code to guard against such attacks. AutoPatchDroid prevent inter-app attacks in the application level rather than modifying the kernel or framework. We use DroidBench and IccRE to evaluate our framework, and find that AutoPatchDroid could effectively secure the apps. The runtime overhead introduced by AutoPatchDroid is 1.105% on average.

Xiaosong Zhang,Lin Shao,Jiong Zheng

DOI: https://doi.org/10.1109/ICACIA.2008.4770021

2008-01-01

Abstract:Buffer overflow vulnerabilities can cause attacks that result in serious consequences. However the techniques of buffer overflow vulnerability detection are limited to manual analysis, binary-patch comparison, fuzzing and so on. They rely on manual analysis, thus cause high overhead. In this paper, we propose a novel method of detection of buffer overflow vulnerabilities, which is based on fuzzing, data-flow dynamic analysis and automated exception analysis. This new method effectively improves the detection of unknown security vulnerabilities (0 Day). Moreover, it is more automated and has better performance in finding new security vulnerabilities.

Xinghang Lv,Tao Peng,Junwei Tang,Ruhan He,Xinrong Hu,Minghua Jiang,Zaihui Deng,Wenli Cao

DOI: https://doi.org/10.1109/msn57253.2022.00072

2022-01-01

Abstract:During the process of pushing patch packets for Android application hotfix, the attacker can hijack and tamper with the dex file due to the lack of adding a digital signature, which leads to code injection with serious consequences. To address the above problems, an dynamic vulnerability detection system based on mitmproxy is primary proposed, which first utilizes mitmproxy to capture all the packets interacted between the client and the server while locating the dex file, then injects the test code into the dex and pushes it to the client for execution using a man-in-the-middle attack, and finally verifies through the log output by the application whether there is a code injection vulnerability. For 1000 applications in the application market, our system successfully detects 34 new unknown applications with dex injection, and the experimental results show that the system is effective in detecting real-world applications with vulnerabilities caused by hotfix.

Yikun Hu,Yuanyuan Zhang,Dawu Gu

DOI: https://doi.org/10.1109/access.2019.2901951

IF: 3.9

2019-01-01

IEEE Access

Abstract:The security of binary programs is significantly threatened by software vulnerabilities. When vulnerabilities are found, those applications are exposed to malicious attacks that exploit the known vulnerabilities. Thus, it is necessary to patch them when vulnerabilities are reported to the public as soon as possible. However, it still heavily relies on manual work to locate and correct the corresponding defective code in the binary programs. In order to raise productivity and ensure software security, it becomes imperative to automate the process. In this paper, we propose BINPATCH to automatically patch known vulnerabilities of binary programs. It first locates the defective function, which contains the vulnerability, via similar code comparison. Then, it reuses the corresponding code from the correct version of the defective function as the patch code and inserts it to the defective function via binary rewriting. BINPATCH is evaluated on eight real-world vulnerabilities, and the experimental results show that it is able to not only locate the defective code effectively but also patch the code correctly.

Zhiqiang Lin,Xuxian Jiang,Dongyan Xu,Bing Mao,Li Xie

DOI: https://doi.org/10.1145/1229285.1267001

2007-01-01

Abstract:ABSTRACTSoftware patch generation is a critical phase in the life-cycle of a software vulnerability. The longer it takes to generate a patch, the higher the risk a vulnerable system needs to take to avoid from being compromised. However, in practice, it is a rather lengthy process to generate and release software patches. For example, the analysis on 10 recent Microsoft patches (MS06-045 to MS06-054) shows that, for an identified vulnerability, it took 75 days on average to generate and release the patch. In this paper, we present the design, implementation, and evaluation of AutoPaG, a system that aims at reducing the time needed for software patch generation. In our current work, we mainly focus on a common and serious type of software vulnerability: the out-of-bound vulnerability which includes buffer overflows and general boundary condition errors. Given a working out-of-bound exploit which may be previously unknown, AutoPaG is able to catch on the fly the out-of-bound violation, and then, based on data flow analysis, automatically analyzes the program source code and identifies the root cause - vulnerable source-level program statements. Furthermore, within seconds, AutoPaG generates a fine-grained source code patch to temporarily fix it without any human intervention. We have built a proof-of-concept system in Linux and the preliminary results are promising: AutoPaG is able to successfully identify the root cause and generate a source code patch within seconds for every vulnerability test in the Wilander's buffer overflow benchmark test-suite. In addition, the evaluation with a number of real-world out-of-bound exploits also demonstrates its effectiveness and practicality in automatically identifying (vulnerable) source code root causes and generating corresponding patches.

Youkun Shi,Yuan Zhang,Tianhan Luo,Xiangyu Mao,Yinzhi Cao,Ziwen Wang,Yudi Zhao,Zongan Huang,Min Yang

2022-01-01

Abstract:Web vulnerabilities, especially injection-related ones, are popular among web application frameworks (such as Word-Press and Piwigo), which can lead to severe consequences like user information leak and server-side maiware execution. One major practice of fixing web vulnerabilities on real-world websites is to apply security patches from the official developers of web frameworks. However, such a practice is challenging because security patches are developed for the latest version of a web framework, but real-world websites often run an old version due to legacy reasons. A direct application of security patches on the old version often fails because web frameworks, especially the code around the vulnerable location, may change between versions. In this paper, we design a security patch backporting framework and implement a prototype on injection vulnerability patches, called SKYPORT. SKYPORT first identifies safely-backportable patches of injection vulnerabilities and web framework versions in theory and then backports patches to corresponding old versions. In the evaluation, SKYPORT identifies 98 out of 155 security patches targeting legacy injection vulnerabilities, which can be backported to 750 old versions of web application frameworks. Then, SKYPORT successfully backported all of the aforementioned backportable patches to corresponding old versions to correctly fix vulnerabilities. We believe that this is a first-step towards this important research problem and hope our research can draw further attention from the research community in backporting security patches to fix unpatched vulnerabilities in general beyond injection-related ones.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Zili Shao,Chun Jason Xue,Qingfeng Zhuge,Edwin H.‐M. Sha,Bin Xiao

DOI: https://doi.org/10.1109/itcc.2004.1286489

2004-01-01

Abstract:With more embedded systems networked, it becomes an important research problem to effectively defend embedded systems against buffer overflow attacks and efficiently check if systems have been protected. In this paper, we propose the HSDefender (hardware/software Defender) technique that considers the protection and checking together to solve this problem. Our basic idea is to design a secure instruction set and require third-party software developers to use secure instructions to call functions. Then the security checking can be easily performed by system integrators even without the knowledge of the source code. We first classify buffer overflow attacks into two categories, stack smashing attacks and function pointer attacks, and then provide two corresponding defending strategies. We analyze the HSDefender technique in respect of hardware cost, security, and performance, and experiment with it on the SimpleScalar/ARM simulator using benchmarks from MiBench. The results show that HSDefender can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.

魏强,韦韬,王嘉捷

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.015

2011-01-01

Abstract:Vulnerability exploitation and its mitigation technologies have always been important in vulnerability offense and defense research.Major operating systems and compilers provide support for exploit mitigation.This paper summarizes research on heap protection,address randomization,sandbox protection and other related technologies which have been developed.Among them,the three rounds of combat for GS and SafeSEH for stack protection focus on both offensive and defensive strategies.ROP,DeActive,Spray breakthroughs and counterattacking are analyzed to illustrate the evolution of data execution prevention.The truncation attack vector is used to monitor data integration destruction,undermine reliable exploitation,prevent control flow redirection,and isolate failure risk.Current exploit mitigation methods use data integrity testing protection,memory features removal based protection,execution control based protection,and fault isolation protection.The lack of bypass protection and other protection measure make existing mitigation methods less effective for protecting data flow hijacking and compound attack vectors.

Chao Zhang,Zhongyuan Qin,Liquan Chen,Xin Sun,Wen Wang

DOI: https://doi.org/10.1109/icsip57908.2023.10271009

2023-01-01

Abstract:The rapid growth of program complexity and the development of security mitigation for program have brought serious challenges to program security research. It is more difficult to evaluate program security efficiently by analyzing vulnerabilities manually. Therefore, an automatic method of detecting vulnerabilities and generating exploit is in critical demand. This paper proposes AutoExploit, which is an automatic scheme to detect various vulnerabilities and generate exploit in binary programs after bypassing the security mitigation. The method detects potential vulnerabilities including format string vulnerability and buffer overflow vulnerability using symbolic execution and dynamic analysis at the dangerous functions. For the potential buffer overflow vulnerability, this method generates exploit automatically by constructing constraints expressions and solving constraints after bypassing the security mitigation through code reuse. The effectiveness of our method is demonstrated using the datasets from CTF competition.

XIA Chao,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.065

2008-01-01

Abstract:This paper proposes a method to detect buffer-overflow vulnerabilities for executables.Combining dynamic analysis and static analysis, it makes further detection of buffer-overflow vulnerabilities.Static methods mainly deal with the internal semantic relationship of assembly instructions and the properties of a function's stack frame for executables.Dynamic emulation provides a virtual run-time environment,which enables the program to combine its static properties while virtually executed,and then it can get the function's semantic results on buffer manipulation,and determine whether there is a buffer-overflow vulnerability.

Zhiqiang Lin,Bing Mao,Li Xie,I. I NTRODUCTION

DOI: https://doi.org/10.1109/IAW.2006.1652114

2006-01-01

Abstract:This paper presents a practical tool, LibsafeXP, to protect the software against the most common and severe attack, buffer overflows. As a dynamic shared library and an extension to Libsafe and LibsafePlus, LibsafeXP contains wrapper functions for all the buffer related functions in C standard library. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge extracted from the program symbol information, heap buffer knowledge by intercepting memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. Compared with other approaches, LibsafeXP is more transparent to programs: it works on binary mode, and neither requires the source code nor any debugging information. The performance and effectiveness evaluation indicates LibsafeXP could be used to defend against buffer overflow attacks and impose about 10 percent overhead on the protected software

SHAO Lin,ZHANG Xiao-song,SU En-biao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.03.088

2009-01-01

Abstract:The techniques of buffer overflow vulnerabilities detection was single and limited to manual analysis,binary-patch comparison,fuzzing and so on.These techniques of vulnerabilities detection were either too dependent on manual analysis or too blind,leading up to the low efficiency of vulnerabilities detection.Introduced a new method of buffer overflow vulnerabilities detection,which was based on fuzzing,data-flow dynamic analysis and automated exception analysis.Overcame the disadvantages of old techniques,this new method effectively improves the detection of potential unknown security vulnerabilities(0day) in software.Besides,this method is more automated and performs better in finding new security vulnerabilities.