Academics Create Automatic Signature Generation Prototype

Security researchers at two U.S. universities create a new system for the automatic generation of vulnerability signatures to block exploits from targeting unpatched systems.

OAKLAND, Calif.—Internet security researchers at two U.S. universities have created a prototype system for the automatic generation of vulnerability signatures, promising a new technique to block exploits from attacking unpatched software vulnerabilities.

In a paper, here in PDF form, presented at the 2006 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Security and Privacy here, academics from the University of Wisconsin-Madison and Carnegie Mellon University say the system can automatically generate a high-quality vulnerability signature using a single exploit.

"We need automatic signature generation techniques because manual signature generation is slow and error prone," said David Brumley, a doctoral student in the computer science department at the Carnegie Mellon University.

Although the research work is highly theoretical and unproven in real world scenarios, anti-malware experts at the conference agree that the speedy generation of signatures to thwart zero-day attacks is even more important in todays environment.

Brumley, who presented the paper on behalf of the two universities, said previously unknown or unpatched vulnerabilities can be exploited faster than a human can respond, especially in cases of worm outbreaks.

/zimages/4/28571.gifRead more here about Microsoft researching automated malware classification.

"Automatic techniques have the potential to be more accurate than manual efforts because vulnerabilities tend to be complex and require intricate knowledge of details such as realizable program paths and corner conditions," Brumley said.

"Understanding the complexities of a vulnerability has consistently proven very difficult for humans at even the source code level," he added.

In theory, the signature generator would sit between the attacker and the victim, using data flow analysis and algorithms to churn out signatures to be installed on the vulnerable system.

"We have a [smart] adversary. We have a victim running a vulnerable service. In between, we have a signature generator that takes an input [from the exploit], grind through an algorithm to create a signature that is installed on a defense system," Brumley said.

During lab tests against two different vulnerabilities, Brumley boasted that the system created signatures in a tenth of a second without any false positives or false negatives.

"We believe we can build the perfect signature for the exploit we have never seen," he said.

/zimages/4/28571.gifRead more here about the potential threat from virtual machine-based rootkits.

Brumley acknowledged that the successful implementations of the prototype were done in research settings only, but he made it clear that the work could be extended to handle things like robust vulnerability identification; improving existing pattern-extraction signature generation algorithms; and finding possible paths to a flaw that is missed by a software vendors patch.

The idea of automating the process of reacting to malware threats isnt entirely new. Researchers at Microsoft are currently working on an automated way to handle the classification of malware families.

Microsofts anti-malware engineering team has proposed the use of distance measure and machine learning technologies to come up with an automatic way to classify viruses, Trojans, spyware, rootkits and other malicious software programs.

At this weeks conference, lab rats at Microsoft Research and the University of Michigan are also expected to present prototypes for virtual machine-based rootkits that cannot be detected by security software running in the target system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be flagged by security scanners.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.