Abstract
With the growing popularity of polymorphic and register-spring attacks, intrusion detection systems (IDS) can no longer rely only on exploit signatures. Vulnerability signatures, which pattern-match on properties of the vulnerability rather than of a particular exploit, should be employed instead. Recent research has proposed three classes of vulnerability signatures, but that approach cannot address complex vulnerabilities such as the Windows ASN.1 double-free. Here we introduce Petri nets as a new class of vulnerability signature that could potentially be used to detect other types of vulnerabilities as well. Petri nets can be generated automatically and are represented as a graph, which makes them easier to understand and debug. We analyzed them alongside the three other classes of vulnerability signatures with respect to the Windows ASN.1 vulnerability. The results were very promising: a very low false positive rate and a 0% false negative rate. We have shown that Petri nets are an efficient, concise, and effective way of describing signatures (both vulnerability and exploit). They are more powerful than regular expressions and still efficient enough to be practical. Of the other classes, only Turing machines provided a better identification rate, but at a significant performance cost.
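As an added illustration of the idea in the abstract (this is not code from the paper, and it does not reproduce the authors' ASN.1 signature), the following encodes the generic double-free pattern as a small coloured Petri net: one place, "allocated", holds a token per live heap address; an "alloc" event adds a token, a "free" event consumes one. A "free" whose transition is not enabled for that address is a signature match. The heap-event trace is constructed for the example, and the assumption is that the events come from an allocator hook that reports real alloc/free calls.

```python
"""Minimal coloured Petri net used as a double-free signature (illustrative)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transition:
    """A transition fires by removing one token of the event's colour from each
    input place and adding one token of that colour to each output place."""
    name: str
    inputs: tuple
    outputs: tuple


@dataclass
class ColouredPetriNet:
    """The marking maps each place to a multiset of token colours; here the
    colour of a token is the heap address the event refers to."""
    places: tuple
    transitions: dict
    marking: dict = field(default_factory=dict)

    def __post_init__(self):
        for place in self.places:
            self.marking.setdefault(place, Counter())

    def enabled(self, tname, colour):
        t = self.transitions[tname]
        return all(self.marking[p][colour] >= 1 for p in t.inputs)

    def fire(self, tname, colour):
        if not self.enabled(tname, colour):
            raise RuntimeError(f"{tname}({colour:#x}) is not enabled")
        t = self.transitions[tname]
        for p in t.inputs:
            self.marking[p][colour] -= 1
            if self.marking[p][colour] == 0:
                del self.marking[p][colour]
        for p in t.outputs:
            self.marking[p][colour] += 1

    def tokens(self, place):
        return dict(self.marking[place])


def double_free_signature():
    """Signature net: an address must hold a token in 'allocated' before 'free'
    may fire on it. A 'free' whose transition is not enabled matches the
    double-free (or invalid-free) pattern."""
    return ColouredPetriNet(
        places=("allocated",),
        transitions={
            "alloc": Transition("alloc", inputs=(), outputs=("allocated",)),
            "free": Transition("free", inputs=("allocated",), outputs=()),
        },
    )


def match_trace(trace):
    """Replay (op, address) events against the signature net and return the
    indices of events that match. The marking is left unchanged on a match so
    that later events in the trace are still checked."""
    net = double_free_signature()
    hits = []
    for i, (op, addr) in enumerate(trace):
        if op not in net.transitions:
            raise ValueError(f"unknown heap event {op!r}")
        if net.enabled(op, addr):
            net.fire(op, addr)
        elif op == "free":
            hits.append(i)
    return hits


# Constructed heap-event trace (not captured from any real program). The
# second free of 0x1000 at index 3 is the double free.
SAMPLE_TRACE = [
    ("alloc", 0x1000),
    ("alloc", 0x2000),
    ("free", 0x1000),
    ("free", 0x1000),
    ("free", 0x2000),
]

# Constructed trace where an address is legitimately reused after being freed.
CLEAN_TRACE = [
    ("alloc", 0x1000),
    ("free", 0x1000),
    ("alloc", 0x1000),
    ("free", 0x1000),
]

if __name__ == "__main__":
    print("double-free events at indices:", match_trace(SAMPLE_TRACE))
    print("clean trace matches:", match_trace(CLEAN_TRACE))
```

The net stays a plain Petri net (no inhibitor arcs), so it is less expressive than a Turing machine but enough to track per-address allocation state; reusing an address after a free is accepted because the alloc transition puts a fresh token back. The paper's signature is built over the parsed ASN.1 message rather than over heap events, which this example does not attempt.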
© 2008 Springer-Verlag Berlin Heidelberg
Iwahashi, R. et al. (2008). Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_8
DOI: https://doi.org/10.1007/978-3-540-85886-7_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85884-3
Online ISBN: 978-3-540-85886-7