Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software (2005)

by James Newsome
Citations: 380 - 23 self

BibTeX

@INPROCEEDINGS{Newsome05dynamictaint,
    author = {James Newsome},
    title = {Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software},
    booktitle = {},
    year = {2005}
}

Abstract

Software vulnerabilities have had a devastating effect on the Internet. Worms such as CodeRed and Slammer can compromise hundreds of thousands of hosts within hours or even minutes, and cause millions of dollars of damage [25, 42]. To successfully combat these fast automatic Internet attacks, we need fast automatic attack detection and filtering mechanisms. In this paper we propose dynamic taint analysis for automatic detection of overwrite attacks, which include most types of exploits. This approach does not need source code or special compilation for the monitored program, and hence works on commodity software. To demonstrate this idea, we have implemented TaintCheck, a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time. We show that TaintCheck reliably detects most types of exploits. We found that TaintCheck produced no false positives for any of the many different programs that we tested. Further, we describe how TaintCheck could improve automatic signature generation in several ways.

Citations

564 Bro: A system for detecting network intruders in real-time. Computer Networks - Paxson - 1999
425 How to own the internet in your spare time - Staniford, Paxson, et al. - 2002
407 Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks - Cowan, Pu, et al.
340 A Secure Environment for Untrusted Helper Applications - Goldberg, Wagner, et al. - 1996
322 Flow-sensitive type qualifiers - Foster, Terauchi, et al. - 2002
287 Dynamic program slicing - Agrawal, Horgan - 1990
286 CCured: Type-safe retrofitting of legacy code - Necula, McPeak, et al. - 2002
261 Autograph: Toward automated, distributed worm signature detection - Kim, Karp
252 Internet Quarantine: Requirements for Containing Self-Propagating Code - Moore, Shannon, et al. - 2003
239 Automated worm fingerprinting - Singh, Estan, et al. - 2004
217 Improving host security with system call policies - Provos - 2003
215 Secure Execution via Program Shepherding - Kiriansky, Bruening, et al.
183 Valgrind: A Program Supervision Framework - Nethercote, Seward
170 Inside the slammer worm - Moore, Paxson, et al.
165 Backwards-compatible bounds checking for arrays and pointers in C programs - Jones, Kelly - 1997
162 Address obfuscation: an efficient approach to combat a broad range of memory error exploits - Bhatkar, Varney, et al. - 2003
160 Anomalous payload-based network intrusion detection - Wang, Stolfo
156 Transparent run-time defense against stack-smashing attacks - Baratloo, Singh, et al. - 2000
146 Shield: Vulnerability-driven network filters for preventing known vulnerability exploits - Wang, Guo, et al. - 2004
142 Honeycomb - creating intrusion detection signatures using honeypots - Kreibich, Crowcroft - 2003
140 Countering code-injection attacks with instruction-set randomization - Kc, Keromytis, et al. - 2003
132 A practical dynamic buffer overflow detector - Ruwase, Lam - 2004
124 Understanding data lifetime via whole system simulation - Chow, Pfaff, et al. - 2004
121 Hardening COTS software with generic software wrappers - Fraser, Badger, et al. - 1999
120 FormatGuard: Automatic protection from printf format string vulnerabilities - Cowan - 2001
114 PointGuard: protecting pointers from buffer overflow vulnerabilities - Cowan, Beattie, et al. - 2003
77 Accurate buffer overflow detection via abstract payload execution - Toth, Kruegel - 2002
74 Dynamic slicing of computer programs - Korel, Laski - 1990
68 Hunting for Metamorphic - Ször, Ferrie - 2001
67 Using CQUAL for static analysis of authorization hook placement - Zhang, Edwards, et al. - 2002
64 MAPbox: using parameterized behavior classes to confine untrusted applications - Acharya, Raje - 2000
56 The Open Source Network Intrusion Detection System. http://www.snort.org - Snort
53 Mitigating buffer overflows by operating system randomization - Chew, Song - 2002
53 Srinivas Devadas. Secure program execution via dynamic information flow tracking - Suh, Lee, et al. - 2004
51 The EarlyBird System for Real-time Detection of Unknown Worms - Singh, Estan, et al. - 2003
47 TRON: process-specific file protection for the UNIX operating system - Berman, Bourassa, et al. - 1995
46 A Network Worm Vaccine Architecture - Sidiroglou, Keromytis - 2003
40 Vassilis Prevelakis. Countering Code-Injection Attacks with Instruction-Set Randomization - Kc, Keromytis - 2003
40 Saman Amarasinghe. Secure execution via program shepherding - Kiriansky, Bruening - 2002
34 Can we contain internet worms - Costa, Crowcroft, et al. - 2005
30 Scrash: A System for Generating Secure Crash Information - Broadwell, Harren, et al. - 2003
25 Buttercup: On Network-based Detection of Polymorphic Buffer Overflow Vulnerabilities - Pasupulati, Coit, et al.
25 Detecting Format-String Vulnerabilities with Type Qualifiers - Shankar, Talwar, et al. - 2001
19 TIED, Libsafeplus: Tools for Runtime Buffer Overflow Protection - Avijit, Gupta, et al. - 2004
18 Bounds-checking entire programs without recompiling - Nethercote, Fitzhardinge - 2004
15 On the effectiveness of address space randomization - Shacham, Page, et al. - 2004
13 Minos: Architectural support for software security through control data integrity - Crandall, Chong - 2004
12 Run-time type checking for binary programs - Burrows, Freund, et al. - 2003
10 Naveen Sastry. Scrash: A System for Generating Secure Crash Information - Broadwell, Harren - 2003
6 Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomization - Shacham, Page, et al. - 2004