On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, Frederic T. Chong

Research output: Chapter in Book/Report/Conference proceedingConference contribution

121 Scopus citations

Abstract

Vulnerabilities that allow worms to hijack the control flow of each host that they spread to are typically discovered months before the worm outbreak, but are also typically discovered by third party researchers. A determined attacker could discover vulnerabilities as easily and create zero-day worms for vulnerabilities unknown to network defenses. It is important for an analysis tool to be able to generalize from a new exploit observed and derive protection for the vulnerability. Many researchers have observed that certain predicates of the exploit vector must be present for the exploit to work and that therefore these predicates place a limit on the amount of polymorphism and metamorphism available to the attacker. We formalize this idea and subject it to quantitative analysis with a symbolic execution tool called DACODA. Using DACODA we provide an empirical analysis of 14 exploits (seven of them actual worms or attacks from the Internet, caught by Minos with no prior knowledge of the vulnerabilities and no false positives observed over a period of six months) for four operating systems. Evaluation of our results in the light of these two models leads us to conclude that 1) single contiguous byte string signatures are not effective for content filtering, and token-based byte string signatures composed of smaller substrings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used, and that 2) practical exploit analysis must account for multiple processes, multithreading, and kernel processing of network data necessitating a focus on primitives instead of vulnerabilities.

Original languageEnglish (US)
Title of host publicationCCS 2005 - Proceedings of the 12th ACM Conference on Computer and Communications Security
Pages235-248
Number of pages14
DOIs
StatePublished - 2005
EventCCS 2005 - 12th ACM Conference on Computer and Communications Security - Alexandria, VA, United States
Duration: Nov 7 2005Nov 11 2005

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Conference

ConferenceCCS 2005 - 12th ACM Conference on Computer and Communications Security
CountryUnited States
CityAlexandria, VA
Period11/7/0511/11/05

Keywords

  • Honeypots
  • Metamorphism
  • Polymorphic worms
  • Polymorphism
  • Symbolic execution
  • Worms

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits'. Together they form a unique fingerprint.

Cite this