Yifeng Lian

Automatically generating patch in binary programs using attribute-based taint analysis

Vulnerabilities in software threaten safety of hosts. Generating patches could overcome this problem. Patches are usually generated with human intervention, which is very time-consuming and needs a lot of experience. A few heuristic methods can generate patches automatically. But they usually have high false negative and/or false positive rate. We proposed a novel solution and implemented a real system called Patch-Gen that can automatically generate patches for vulnerabilities. Patch-Gen innovatively combines several techniques: (1) It can automatically generate patches for Windows x86 binaries without any need for source code, debugging information or human intervention. (2) Attribute-based taint analysis method (ATAM) is proposed to find attack point and overflow point with no need to record or analyze program execution traces, which saves both analysis time and memory. (3) PatchGen automatically tunes the candidate position to find the most suitable position to patch. We made several experiments on PatchGen. The results show that Patch-Gen can successfully generate patches for buffer overflow vulnerabilities in several minutes. The running overhead of the patched applications is less than 1% in average.

A novel vector edge sampling scheme for IP traceback against DDoS attacks

A novel edge sampling scheme for IP traceback against DDoS attacks is presented, which is called routers vector edge sampling (RVES). It is simple for marking machines to be implemented. A packet will be probabilistically pre-marked and post-marked on traversed routers interfaces. This approach supports incremental deployment, which makes it effective for multi-path attack reconstruction and computation. Probability packet marking (PPM) and reconstruction algorithm based on RVES is also presented. We implemented prototypes and deployed them in the real Internet to make some experiments. The results show that our method is effective and efficient.

Vulnerability-Based Backdoors: Threats from Two-step Trojans

Attackers like to install trojans in a target system to control it. However, it becomes more and more difficult to deceive a user into installing such trojans. One reason is that antivirus software uses more strict policies on the first run of unknown software. The other reason is that users also become more cautious. Some attackers try to find system vulnerabilities to evade the antivirus software and users. But it is not easy to find suitable vulnerabilities because they are usually patched in a short time. In this paper, we present a new type of threat called vulnerability-based backdoor (VBB). It is a two-step trojan. In the first step, attackers deceive users into installing an application. This application is transformed from the original one such as “Adobe PDF Reader” by only creating one or more vulnerabilities in it. It runs as a normal one without any malicious code. So it can escape the detection of antivirus software and users. In the second step, attackers can make use of the vulnerability and control the target system just as they use a pre-existing vulnerability. We present a method to automatically create a VBB in several minutes. In this process, no source code is needed. VBB is stable enough to reside in a system for a long time since it does not conflict with operating systems, antivirus software, other backdoors or even other VBBs. We also show how to prevent VBBs.

Timing-Based Clone Detection on Android Markets

With the growth of smartphone users, mobile phone applications increase exponentially. But a lot of apps are cloned. We design a timing-based clone detection method. By choosing several lists of inputs, we can get the corresponding CPU time usage, which composes a CPU time usage tuple. After comparing these tuples, we can find the clone apps. At last, we do some experiments to verify our methods.

Optimal Defense Strategies for DDoS Defender Using Bayesian Game Model

In a typical DDoS attack and defense scenario, both the attacker and the defender will take actions to maximize their utilities. However, each player does not know his opponent’s investment and cannot adopt the optimal strategies. We formalize a Bayesian game model to handle these uncertainties and specify two problems usually faced by the defender when choosing defense measures. A nonlinear programming method is proposed to handle policies’ permutation in order to maximize the defender’s utility. Followed the Nash equilibrium, security administrators can take optimal strategies. Finally, the practicality and effectiveness of the model and method are illustrated by an example.

Virtualization detection based on data fusion

Characteristic analysis and timing analysis are two methods for virtualization detection. However, the accuracy of characteristic analysis is low and the timing analysis is not efficient. Moreover, current methods based on timing analysis make use of the privileged instructions separately without data fusion and the accuracy of timing analysis can be improved further. In this paper, we introduce a new method in timing analysis based on data fusion to improve the accuracy of virtualization detection. Our method combines characteristic analysis and timing analysis, which makes virtualization detection more efficient. A virtualization detection tool is implemented and several experiments are made. The results show that our method is both effective and efficient.

VulLocator: Automatically Locating Vulnerable Code in Binary Programs

It usually takes rather long time to generate patches for vulnerabilities. For example, an analysis on 21 recent Microsoft patches shows that it usually takes 115 days on average to generate and release a patch. The longer it takes to generate a patch, the higher the risk a vulnerable system needs to take. In patch generation process, perhaps the core part is to find the vulnerable code in software from zero-day attacks or crash reports. However, this is not easy since there are millions of instructions in an ordinary execution path. In this paper, we present VulLocator, a system that aims at automatically locating vulnerable code in software without requiring any source code. VulLocator could analyze different types of vulnerabilities including stack/heap/integer overflow, double free, memory corruption, format string and division by zero. By generating vulnerability dependence tree, it decreases the number of instructions that need to be analyzed (from millions of instructions to dozens of instructions). VulLocator could also generate a sample patch for temporarily defending against attacks. Analysts could also benefit from the information given by VulLocator to generate more fine-grained patches. Several experiments with real-world exploits are made on VulLocator. The results show that VulLocator could successfully find the vulnerable code in binary programs both effectively and efficiently.

AutoDunt: dynamic latent dependence analysis for detection of zero day vulnerability

Zero day vulnerabilities have played an important role in cyber security. Since they are unknown to the public and patches are not available, hackers can use them to attack effectively. Detecting software vulnerabilities and making patches could protect hosts from attacks that use these vulnerabilities. But this method cannot prevent all vulnerabilities. Some methods such as address space randomization could defend against vulnerabilities, but they cannot find them in software to help software vendors to generate patches for other hosts. In this paper, we design and develop a proof-of-concept prototype called AutoDunt (AUTOmatical zero Day vUlNerability deTector), which can detect vulnerable codes in software by analyzing attacks directly in virtual surroundings. It does not need any source codes or care about polymorphic/metamorphic shellcode (even no shellcode). We present a new kind of dependence between variables called latent dependence and use it to save necessary states for virtual surrounding replaying. In this way, AutoDunt does not need to use slicing or taint analysis method to find the vulnerable code in software, which saves managing time. We verify the effectiveness and evaluate the efficiency of AutoDunt by testing 81 real exploits and 7 popular applications at the end of this paper.