Abstract
Automated intrusion prevention and self-healing software are active areas of security systems research. A major hurdle for the widespread deployment of these systems is that many system administrators lack confidence in the quality of the generated fixes. Thus, a key requirement for future self-healing software is that each automatically-generated fix must be validated before deployment. Under the response rates required by self-healing systems, we believe such verification must proceed automatically. We call this process Automatic Repair Validation (ARV). We describe the design and implementation of Bloodhound, a system that tags and tracks information between the kernel and the application and correlates symptoms of exploits (such as memory errors) with high-level data (e.g., network flows). By doing so, Bloodhound can replay the flows that triggered the repair process against the newly healed application to help show that the repair is accurate (i.e., it defeats the exploit). We show through experimentation a performance impact of as little as 2.6%.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Chung, S.P., Mok, A.K.: Allergy Attack Against Automatic Signature Generation. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 61–80. Springer, Heidelberg (2006)
Rinard, M., Cadar, C., Dumitran, D., Roy, D., Leu, T., Beebee, J.W.: Enhancing Server Availability and Security Through Failure-Oblivious Computing. In: Proceedings 6th Symposium on Operating Systems Design and Implementation (OSDI) (December 2004)
Sidiroglou, S., Locasto, M.E., Boyd, S.W., Keromytis, A.D.: Building a Reactive Immune System for Software Services. In: Proceedings of the USENIX Annual Technical Conference, April 2005, pp. 149–161 (2005)
Qin, F., Tucek, J., Sundaresan, J., Zhou, Y.: Rx: Treating Bugs as Allergies – A Safe Method to Survive Software Failures. In: Proceedings of the Symposium on Systems and Operating Systems Principles (SOSP) (2005)
Brumley, D., Newsome, J., Song, D., Wang, H., Jha, S.: Towards Automatic Generation of Vulnerability-Based Signatures. In: Proceedings of the IEEE Symposium on Security and Privacy (2006)
Wang, H.J., Guo, C., Simon, D.R., Zugenmaier, A.: Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In: Proceedings of the ACM SIGCOMM (August 2004)
Cui, W., Peinado, M., Wang, H.J., Locasto, M.E.: ShieldGen: Automated Data Patch Generation for Unknown Vulnerabilities with Informed Probing. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2007)
Newsome, J., Brumley, D., Song, D.: Vulnerability–Specific Execution Filtering for Exploit Prevention on Commodity Software. In: Proceedings of the 13th Symposium on Network and Distributed System Security (NDSS 2006) (February 2006)
Kim, H.A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the USENIX Security Conference (2004)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated Worm Fingerprinting. In: Proceedings of Symposium on Operating Systems Design and Implementation (OSDI) (2004)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2005)
Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS) (November 2005)
Toth, T., Kruegel, C.: Accurate Buffer Overflow Detection via Abstract Payload Execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 274–291. Springer, Heidelberg (2002)
Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)
Chinchani, R., van den Berg, E.: A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 284–308. Springer, Heidelberg (2006)
Smirnov, A., Chiueh, T.: DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks. In: Proceedings of the 12th Symposium on Network and Distributed System Security (NDSS) (February 2005)
Xu, J., Ning, P., Kil, C., Zhai, Y., Bookholt, C.: Automatic Diagnosis and Response to Memory Corruption Vulnerabilities. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS) (November 2005)
King, S.T., Chen, P.M.: Backtracking Intrusions. In: 19th ACM Symposium on Operating Systems Principles (SOSP) (October 2003)
Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proceedings of the 12th Symposium on Network and Distributed System Security (NDSS) (February 2005)
Costa, M., Crowcroft, J., Castro, M., Rowstron, A.: Vigilante: End-to-End Containment of Internet Worms. In: Proceedings of the Symposium on Systems and Operating Systems Principles (SOSP) (2005)
Hong, S.S., Wu, S.F.: On Interactive Internet Traffic Replay. In: Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005, pp. 247–264 (2005)
Cui, W., Paxson, V., Weaver, N.C., Katz, R.H.: Protocol-Independent Adatpive Replay of Application Dialog. In: Proceedings of the 13th Symposium on Network and Distributed System Security (NDSS 2006) (February 2006)
Leita, C., Mermoud, K., Dacier, M.: ScriptGen: an automated script generation tool for honeyd. In: ACSA 2005, 21st Annual Computer Security Applications Conference, Tucson, USA, December 5-9 (2005)
Newsome, J., Brumley, D., Franklin, J., Song, D.: Replayer: Automatic Protocol Replay by Binary Analysis. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), pp. 311–321 (2006)
Wang, K., Parekh, J.J., Stolfo, S.J.: ANAGRAM: A Content Anomaly Detector Resistant To Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)
Gao, D., Reiter, M.K., Song, D.: Gray-Box Extraction of Execution Graphs for Anomaly Detection. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2004)
Feng, H.H., Kolesnikov, O., Fogla, P., Lee, W., Gong, W.: Anomaly Detection Using Call Stack Information. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (May 2003)
Giffin, J.T., Dagon, D., Jha, S., Lee, W., Miller, B.P.: Environment-Sensitive Intrusion Detection. In: Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2005)
Bhatkar, S., Chaturvedi, A., Sekar, R.: Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments. In: Proceedings of the IEEE Symposium on Security and Privacy (2006)
Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous System Call Detection. ACM Transactions on Information and System Security 9(1), 61–93 (2006)
Crandall, J.R., Su, Z., Wu, S.F., Chong, F.T.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS) (November 2005)
Anonymous: Anonymized. Technical Report
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Locasto, M.E., Burnside, M., Keromytis, A.D. (2008). Online Network Forensics for Automatic Repair Validation. In: Matsuura, K., Fujisaki, E. (eds) Advances in Information and Computer Security. IWSEC 2008. Lecture Notes in Computer Science, vol 5312. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89598-5_9
Download citation
DOI: https://doi.org/10.1007/978-3-540-89598-5_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89597-8
Online ISBN: 978-3-540-89598-5
eBook Packages: Computer ScienceComputer Science (R0)