Packet Vaccine: Black-box Exploit Detection and Signature Generation

In biology, a vaccine is a weakened strain of a virus or bacterium
that is intentionally injected into the body for the
purpose of stimulating antibody production. Inspired by
this idea, we propose a packet vaccine mechanism that randomizes
address-like strings in packet payloads to carry out
fast exploit detection, vulnerability diagnosis and signature
generation. An exploit with a randomized jump address behaves
like a vaccine: it will likely cause an exception in a
vulnerable program’s process when attempting to hijack the
control flow, and thereby expose itself. Taking that exploit
as a template, our signature generator creates a set of new
vaccines to probe the program, in an attempt to uncover
the necessary conditions for the exploit to happen. A signature
is built upon these conditions to shield the underlying
vulnerability from further attacks. In this way, packet vaccine
detects and filters exploits in a black-box fashion, i.e.,
avoiding the expense of tracking the program’s execution
flow. We present the design of the packet vaccine mechanism
and an example of its application. We also describe
our proof-of-concept implementation and the evaluation of
our technique using real exploits



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s