ABSTRACT
We present ClearView, a system for automatically patching errors in deployed software. ClearView works on stripped Windows x86 binaries without any need for source code, debugging information, or other external information, and without human intervention. ClearView (1) observes normal executions to learn invariants that characterize the application's normal behavior, (2) uses error detectors to distinguish normal executions from erroneous executions, (3) identifies violations of learned invariants that occur during erroneous executions, (4) generates candidate repair patches that enforce selected invariants by changing the state or flow of control to make the invariant true, and (5) observes the continued execution of patched applications to select the most successful patch.

ClearView is designed to correct errors in software with high availability requirements. Aspects of ClearView that make it particularly appropriate for this context include its ability to generate patches without human intervention, to apply and remove patches to and from running applications without requiring restarts or otherwise perturbing the execution, and to identify and discard ineffective or damaging patches by evaluating the continued behavior of patched applications.

ClearView was evaluated in a Red Team exercise designed to test its ability to survive attacks that exploit security vulnerabilities. A hostile external Red Team developed ten code injection exploits and used these exploits to repeatedly attack an application protected by ClearView. ClearView detected and blocked all of the attacks. For seven of the ten exploits, ClearView automatically generated patches that corrected the error, enabling the application to survive the attacks and continue on to successfully process subsequent inputs. Finally, the Red Team attempted to make ClearView apply an undesirable patch, but ClearView's patch evaluation mechanism enabled ClearView to identify and discard both ineffective patches and damaging patches.
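The five steps above, and the final point about ineffective and damaging patches, are easiest to see on a toy. The following Python simulation is an added example, not ClearView's code or the paper's evaluation target: the message handler with its length bug, the two Daikon-style invariant templates (x <= C and x <= y), the repair strategies (clamp the state, or skip the copy) and every payload are constructed here. The "damaging" verdict compares a patched run's output against the unpatched run on benign follow-up inputs, which is this toy's proxy for "continues to process subsequent inputs successfully"; the real system observes detectors and the application's continued behavior rather than a reference output.

```python
"""Toy simulation of the five-step pipeline the abstract describes. Added
example, not ClearView's code: the target handler, the invariant templates
and every payload below are constructed for illustration."""

from typing import Callable, Dict, List, Optional, Tuple

BUF_SIZE = 64          # constructed: size of the handler's fixed buffer
Obs = Dict[str, int]   # variable values observed at one instrumentation point


class Crash(Exception):
    """Stands in for an error detector firing (here: a write past the buffer)."""


def instrument(payload: bytes) -> Obs:
    """Observation point just before the copy; copy_len was already derived
    from the untrusted header byte, so patching hdr_len here comes too late."""
    return {"hdr_len": payload[0], "body_len": len(payload) - 1,
            "copy_len": payload[0]}


def handler(payload: bytes,
            patch: Optional[Callable[[Obs], Optional[Obs]]] = None) -> bytes:
    """Constructed target: trusts a header-declared length when copying into a
    BUF_SIZE buffer. A patch may rewrite the observed state (state repair) or
    return None to skip the copy (control-flow repair)."""
    state = instrument(payload)
    if patch is not None:
        state = patch(state)
        if state is None:
            return b""
    if state["copy_len"] > BUF_SIZE:
        raise Crash("write past end of buffer")
    return payload[1:1 + state["copy_len"]]


# (1) learn invariants: templates x <= C and x <= y, kept only if they held on
# every normal execution. Each carries a check and an enforcer.
Invariant = Tuple[str, Callable[[Obs], bool], Callable[[Obs], Obs]]

def learn_invariants(traces: List[Obs]) -> List[Invariant]:
    names = sorted(traces[0])
    cands: List[Invariant] = []
    for x in names:
        hi = max(t[x] for t in traces)
        cands.append((f"{x} <= {hi}",
                      lambda s, x=x, hi=hi: s[x] <= hi,
                      lambda s, x=x, hi=hi: {**s, x: min(s[x], hi)}))
    for x in names:
        for y in names:
            if x != y:
                cands.append((f"{x} <= {y}",
                              lambda s, x=x, y=y: s[x] <= s[y],
                              lambda s, x=x, y=y: {**s, x: min(s[x], s[y])}))
    return [inv for inv in cands if all(inv[1](t) for t in traces)]


# (2)+(3) run under the detector; on a crash, report which invariants failed
def violated(invs: List[Invariant], payload: bytes) -> List[Invariant]:
    try:
        handler(payload)
    except Crash:
        obs = instrument(payload)
        return [inv for inv in invs if not inv[1](obs)]
    return []


# (4) for each violated invariant, one state-repair and one control-flow patch
Patch = Tuple[str, Callable[[Obs], Optional[Obs]]]

def candidate_patches(failed: List[Invariant]) -> List[Patch]:
    patches: List[Patch] = []
    for name, check, enforce in failed:
        patches.append((f"enforce {name}",
                        lambda s, c=check, e=enforce: s if c(s) else e(s)))
        patches.append((f"skip copy unless {name}",
                        lambda s, c=check: s if c(s) else None))
    return patches


# (5) evaluate: "ineffective" if the attack still crashes, "damaging" if a later
# benign input crashes or no longer yields the unpatched output (toy proxy for
# "continues to process inputs correctly"), otherwise "successful".
def evaluate(patch: Patch, attack: bytes, later: List[bytes]) -> str:
    _, fn = patch
    try:
        handler(attack, fn)
    except Crash:
        return "ineffective"
    for p in later:
        try:
            if handler(p, fn) != handler(p):
                return "damaging"
        except Crash:
            return "damaging"
    return "successful"


def select_patch(normal: List[bytes], attack: bytes,
                 later: List[bytes]) -> Tuple[Optional[str], Dict[str, str]]:
    invs = learn_invariants([instrument(p) for p in normal])
    patches = candidate_patches(violated(invs, attack))
    verdicts = {n: evaluate((n, fn), attack, later) for n, fn in patches}
    chosen = next((n for n, v in verdicts.items() if v == "successful"), None)
    return chosen, verdicts


def msg(n: int) -> bytes:
    """Well-formed message: header byte equals body length (constructed)."""
    return bytes([n]) + b"A" * n

NORMAL_RUNS = [msg(n) for n in (1, 5, 12, 20, 33, 40)]   # training executions
ATTACK = bytes([200]) + b"B" * 10                       # header lies: 200 > 64
LATER = [msg(8), msg(50)]   # 50 is legitimate but longer than anything trained on

if __name__ == "__main__":
    chosen, verdicts = select_patch(NORMAL_RUNS, ATTACK, LATER)
    for name, verdict in verdicts.items():
        print(f"{verdict:12s} {name}")
    print("selected:", chosen)
```

Running it shows the three outcomes the abstract distinguishes. Patches that clamp hdr_len are ineffective because copy_len was already derived from it before the observation point. Patches enforcing the bound copy_len <= 40, learned only because no training run was longer, survive the attack but truncate or drop the legitimate 50-byte message and are flagged as damaging; that is the kind of undesirable patch the evaluation step exists to discard. The relational invariant copy_len <= body_len, enforced by clamping the state, stops the overflow and leaves every benign input untouched, so it is the patch selected.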