Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software
journal contributionposted on 01.01.2006 by James Newsome, David Brumley, Dawn Song
Any type of content formally published in an academic journal, usually following a peer-review process.
Exploits for new vulnerabilities, especially when incorporated within a fast spreading worm, can compromise nearly all vulnerable hosts within a short amount of time. This problem demonstrates the need for fast defenses which can react to a new vulnerability quickly. In addition, a realistic defense system should (a) not require source code since in practice most vulnerable systems do not have source code access nor is there adequate time to involve the software vendor, (b) be accurate, i.e., have a negligible false positive rate and low false negative rate, and (c) be efficient, i.e., add little overhead to normal program execution. We propose vulnerability-specific execution-based filtering (VSEF) – a new approach for automatic defense which achieves a lower error rate and wider applicability than input filters and has better performance than full execution monitoring. VSEF is an execution-based filter which filters out attacks on a specific vulnerability based on the vulnerable program’s execution trace. We present VSEF, along with a system for automatically creating VSEF filters and a hardened program without access to source code. In our system, the time it takes to create the filter and generate the hardened program is negligible. The overhead of the hardened program is only a few percent in most cases. The false positive rate is zero in most cases, and the hardened program is resilient against polymorphic variants of exploits on the same vulnerability. VSEF therefore achieves the required performance, accuracy, and response speed requirements to defend against current fast-spreading exploits.