David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng
Citation
David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng. "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications". Talk or presentation, 12, November, 2008.
Abstract
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation and show that our techniques can automatically generate exploits for five Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenant of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.
Electronic downloads
- 18%20-%20Song.pdf · application/pdf · 54 kbytes
| Citation formats |
- HTML
David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng. <a href="http://www.truststc.org/pubs/489.html" ><i>Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications</i></a>, Talk or presentation, 12, November, 2008.
- Plain text
David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng. "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications". Talk or presentation, 12, November, 2008.
- BibTeX
@presentation{BrumleyPoosankamSongZheng08_AutomaticPatchBasedExploitGenerationIsPossibleTechniques, author = {David Brumley and Pongsin Poosankam and Dawn Song and Jiang Zheng}, title = {Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications}, day = {12}, month = {November}, year = {2008}, abstract = {The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation and show that our techniques can automatically generate exploits for five Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenant of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. }, URL = {http://www.truststc.org/pubs/489.html} }
Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.