Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets

  • Ryan Iwahashi
  • Daniela A. S. de Oliveira
  • S. Felix Wu
  • Jedidiah R. Crandall
  • Young-Jun Heo
  • Jin-Tae Oh
  • Jong-Soo Jang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)


With the increased popularity of polymorphic and register spring attacks, intrusion detection systems (IDS) can no longer rely only on exploit signatures. Vulnerability signatures, which pattern match on properties of the vulnerability instead of the exploit, should be employed. Recent research has proposed three classes of vulnerability signatures, but that approach cannot address complex vulnerabilities such as the ASN.1 Double-Free. Here we introduce Petri nets as a new class of vulnerability signature that could potentially be used to detect other types of vulnerabilities. Petri nets can be automatically generated and are represented as a graph, making them easier to understand and debug. We analyzed them alongside the three other classes of vulnerability signatures in relation to the Windows ASN.1 vulnerability. The results were very promising due to the very low false positive rate and 0% false negative rate. We have shown that Petri nets are a very efficient, concise, and effective way of describing signatures (both vulnerability and exploit). They are more powerful than regular expressions and still efficient enough to be practical. Compared with the other classes, only Turing machines provided a better identification rate, but they incur significant performance overhead.


Keywords: Turing Machine, Regular Expression, Intrusion Detection System, Symbolic Execution, Free List
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Ryan Iwahashi (1)
  • Daniela A. S. de Oliveira (1)
  • S. Felix Wu (1)
  • Jedidiah R. Crandall (2)
  • Young-Jun Heo (3)
  • Jin-Tae Oh (3)
  • Jong-Soo Jang (3)

  1. University of California at Davis
  2. University of New Mexico
  3. ETRI
