Entry Wang:2008:FBB from tissec.bib

Last update: Sun Oct 15 02:58:48 MDT 2017                Valid HTML 3.2!


BibTeX entry

@Article{Wang:2008:FBB,
  author =       "Xiaofeng Wang and Zhuowei Li and Jong Youl Choi and
                 Jun Xu and Michael K. Reiter and Chongkyung Kil",
  title =        "Fast and Black-box Exploit Detection and Signature
                 Generation for Commodity Software",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "11:1--11:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/1455518.1455523",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In biology, a {\em vaccine\/} is a weakened strain of
                 a virus or bacterium that is intentionally injected
                 into the body for the purpose of stimulating antibody
                 production. Inspired by this idea, we propose a {\em
                 packet vaccine\/} mechanism that randomizes
                 address-like strings in packet payloads to carry out
                 fast exploit detection and signature generation. An
                 exploit with a randomized jump address behaves like a
                 vaccine: it will likely cause an exception in a
                 vulnerable program's process when attempting to hijack
                 the control flow, and thereby expose itself. Taking
                 that exploit as a template, our signature generator
                 creates a set of new vaccines to probe the program in
                 an attempt to uncover the necessary conditions for the
                 exploit to happen. A signature is built upon these
                 conditions to shield the underlying vulnerability from
                 further attacks. In this way, packet vaccine detects
                 exploits and generates signatures in a black-box
                 fashion, that is, not relying on the knowledge of a
                 vulnerable program's source and binary code. Therefore,
                 it even works on the commodity software obfuscated for
                 the purpose of copyright protection. In addition, since
                 our approach avoids the expense of tracking the
                 program's execution flow, it performs almost as fast as
                 a normal run of the program and is capable of
                 generating a signature of high quality within seconds
                 or even subseconds. We present the design of the packet
                 vaccine mechanism and an example of its application. We
                 also describe our proof-of-concept implementation and
                 the evaluation of our technique using real exploits.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "black-box defense; exploit detection; signature
                 generation; vaccine injection; worm",
}

Related entries