
Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5222)

Abstract

With the increased popularity of polymorphic and register spring attacks, exploit-signature intrusion detection systems (IDS) can no longer rely only on exploit signatures. Vulnerability signatures that pattern match based on properties of the vulnerability instead of the exploit should be employed. Recent research has proposed three classes of vulnerability signatures, but that approach cannot address complex vulnerabilities such as the ASN.1 Double-Free. Here we introduce Petri nets as a new class of vulnerability signature that could potentially be used to detect other types of vulnerabilities. Petri nets can be automatically generated and are represented as graphs, making them easier to understand and debug. We analyzed them alongside the three other classes of vulnerability signatures in relation to the Windows ASN.1 vulnerability. The results were very promising due to the very low false positive rate and 0% false negative rate. We have shown that Petri nets are a very efficient, concise, and effective way of describing signatures (both vulnerability and exploit). They are more powerful than regular expressions and still efficient enough to be practical. Compared with the other classes, only Turing machines provided a better identification rate, but they incur significant performance overhead.




Editor information

Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, Der-Tsai Lee


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Iwahashi, R. et al. (2008). Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_8


  • DOI: https://doi.org/10.1007/978-3-540-85886-7_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7

  • eBook Packages: Computer Science, Computer Science (R0)
