Bouncer:SecuringSoftwarebyBlockingBadInputManuelCostaMicrosoftResearch - PDF document

Bouncer:SecuringSoftwarebyBlockingBadInputManuelCostaMicrosoftResearchCambridge,UKmanuelc@microsoft.comMiguelCastroMicrosoftResearchCambridge,UKmcastro@microsoft.comLidongZhouMicrosoftResearchMountainView,USAlidongz@microsoft.comLintaoZhangMicrosoftResearchMountainView,USAlintaoz@microsoft.comMarcusPeinadoMicrosoftRedmond,USAmarcuspe@microsoft.comAbstractAttackersexploitsoftwarevulnerabilitiestocontrolorcrashprograms.Bouncerusesexistingsoftwareinstrumentationtechniquestodetectattacksanditgeneratesltersauto-maticallytoblockexploitsofthetargetvulnerabilities.Theltersaredeployedautomaticallybyinstrumentingsystemcallstodropexploitmessages.Theseltersintroducelowoverheadandtheyallowprogramstokeeprunningcorrectlyunderattack.Previousworkcomputesltersusingsymbolicexecutionalongthepathtakenbyasampleexploit,butat-tackerscanbypasstheseltersbygeneratingexploitsthatfollowadierentexecutionpath.Bouncerintroducesthreetechniquestogeneralizelterssothattheyarehardertobypass:anewformofprogramslicingthatusesacombina-tionofstaticanddynamicanalysistoremoveunnecessaryconditionsfromthelter;symbolicsummariesforcommonlibraryfunctionsthatcharacterizetheirbehaviorsuccinctlyasasetofconditionsontheinput;andgenerationofalterna-tiveexploitsguidedbysymbolicexecution.Bouncerltershavelowoverhead,theydonothavefalsepositivesbyde-sign,andourresultsshowthatBouncercangenerateltersthatblockallexploitsofsomereal-worldvulnerabilities.CategoriesandSubjectDescriptorsD.4.6[OperatingSystems]:SecurityandProtection;D.4.5[OperatingSystems]:Reliability;D.4.8[OperatingSys-tems]:PerformanceGeneralTermsSecurity,Reliability,Availability,Performance,Algorithms,Design,MeasurementKeywordsPreconditionslicing,SymbolicexecutionPermissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributedforprotorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationontherstpage.Tocopyotherwise,torepublish,topostonserversortoredistributetolists,requirespriorspecicpermissionand/orafee.SOSP'07,October14–17,2007,Stevenson,Washington,USA.Copyright2007ACM978-1-59593-591-5/07/0010...$5.00.1.INTRODUCTIONAttackersexploitsoftwarevulnerabilitiestocrashpro-gramsortogaincontrolovertheirexecution.Thisisaseriousproblembecausetherearemanyvulnerabilitiesandattacksarefrequent.WedescribeBouncer,asystemthatpreventsattacksbydroppingexploitmessagesbeforetheyareprocessedbyavulnerableprogram.Bouncerintroduceslowoverheadanditallowsprogramstokeeprunningcor-rectlyevenwhenunderattack.Severaltechniquesdetect(potentiallyunknown)attacksbyaddingcheckstoprograms:safelanguagesincludecheckstoensuretypesafetyandtheythrowexceptionswhenthechecksfail(e.g.,JavaandC#),andcheckscanbeaddedtransparentlytoprogramswritteninunsafelanguages(e.g.,[4,12,13,16,17,28,40]).Theproblemisthatthesetech-niquesdetectattackstoolatewhentheonlywaytorecovermaybetorestarttheprogram.Forexample,CRED[40]addsboundscheckstopreventbuerover\rowsinCpro-grams.Thesepreventtheattackerfromgainingcontrolovertheexecution,buthowdowerecoverwhenanattackcausesaboundschecktofail?Intheabsenceofadditionalmech-anism,restartingtheprogramistheonlyoptionbecausetheprogramdoesnotincludeanycodetorecoverfromthefailure.Thisproblemisnotexclusivetounsafelanguages.Eventhoughout-of-boundsexceptionsarepartoftypesafelanguages,programsfrequentlylackcorrectcodetohandleruntimeexceptions[48].Therefore,thesetechniquesarenotsucient.Theyleaveservicesvulnerabletolossofdataanddenialofservice.Bouncerimprovesthereliabilityandavailabilityofpro-gramsunderattack.Itusesprevioustechniquestodetectattemptstoexploitavulnerabilityanditgeneratesltersautomaticallytomatchmessagesthatcanexploitthevul-nerability.Theltersaredeployedautomaticallybyinstru-mentingsystemcallstorunthelteronincomingmessagesandtodropexploitmessagesbeforetheyaredeliveredtothevulnerableprogram.Wedesignedthesystemtoensurethattheseltershavelowoverheadandnofalsepositives,thatis,theyonlydropmessagesthatcanexploitthevulner-ability.Sincemostprogramscancopewithmessagelossesandltershavenofalsepositives,Bouncerallowsprogramstokeepworkingcorrectlyandecientlyevenwhentheyareattackedrepeatedly.BouncerbuildsonVigilante's[16]techniquetogenerateltersautomatically.Itcomputesaninitialsetofltercon-ditionsusingsymbolicexecutionalongthepathfollowedby theprogramwhenprocessingasampleexploit.Itassignssymbolicvaluesb0;b1;b2;b3:::tothebytesintheexploitmessages,andkeepstrackofsymbolicstatefortheprocessorandmemory.Forexample,ifinputpointstoabuerwiththeexploitbytes,registereaxhassymbolicvalueb0+1af-terexecutingmovzxeax,input;addeax,1.Wheneveraconditionalbranchisexecuted,weaddaconditiontotheltertoensurethatinputsthatsatisfythelterconditionsfollowthesameexecutionpath.Continuingwiththepre-viousexample,ifcmpeax,2;jgtargetisexecutedandthebranchistaken,weaddtheconditionb0+1�2tothelter.Thistechniqueguaranteesnofalsepositives:anyinputthatsatisesthelterconditionscanmakethepro-gramfollowthesameexecutionpathasthesampleexploit.Theseltersblockmanyvariantsofthesampleexploit,butattackerscanbypassthembygeneratingexploitsthatfollowadierentexecutionpath.Bouncerintroducesthreepracticaltechniquestogeneral-izetheinitialltertoblockadditionalexploitsofthesamevulnerability:Preconditionslicingisanewformofprogramslic-ing[49]thatusesacombinationofstaticanddynamicanalysistoremoveunnecessarylterconditions.Symbolicsummariesgeneralizetheconditionscapturedbythesymbolicexecutioninsidecommonlibraryfunc-tions.Theyreplacetheseconditionsbyasuccinctsetofconditionsthatcharacterizethebehaviorofthesefunctionsforabroadersetofinputs.Thesesummariesaregeneratedautomaticallyfromatemplatethatiswrittenonceforeachlibraryfunction.Generationofalternativeexploitsguidedbysymbolicexecution.Bouncerusestheinitialexploitmessageandtheconditionsobtainedfromsymbolicexecutiontoderivenewinputmessagesthatarelikelytoexploitthesamevulnerability.Itusesexistingtechniquestocheckifthenewinputmessagesarevalidexploits,anditcomputesanewsetoflterconditionsforeachnewexploit.Thenallterisacombinationoftheltersobtainedforeachexploit.WeimplementedBouncerandevaluateditusingfourvul-nerabilitiesinfourrealprograms:MicrosoftSQLserver,ghttpd,nullhttpd,andstunnel.TheresultsshowthatBouncersignicantlyimprovesthecoverageofVigilantel-ters,andthatltersintroducelowoverhead.Computingalterthatblocksexactlythesetofmes-sagesthatcanexploitavulnerabilityissimilartocomputingweakestpreconditions[15,20],whichishardforprogramswithloopsorrecursion[50].Sinceweguaranteezerofalsepositives,wedonotguaranteezerofalsenegatives,thatis,Bouncerltersmayfailtoblocksomeexploitsofthetar-getvulnerability.Butourinitialresultsarepromising:adetailedanalysisofthevulnerablecodeshowsthatBouncercangeneratelterswithnofalsenegativesforthevulnera-bilitiesinSQLserverandstunnel.Therestofthepaperisorganizedasfollows.Section2providesanoverviewofBouncer.Section3describeshowBouncercomputesaninitialsetoflterconditionsusingsymbolicexecution.Section4describeslterrenementwithimproveddetectoraccuracy.Section5presentspre-conditionslicing.Section6describessymbolicsummaries.Section7describestheproceduretosearchforalternativeattacks.Section8presentstheresultsofourevaluation.Section9discussesrelatedworkandSection10concludes.ProcessMessage(char*msg){charbuffer[1024];charp0='A';charp1=0;if(msg[0]�0)p0=msg[0];if(msg[1]�0)p1=msg[1];if(msg[2]==0x1){sprintf(buffer,"\\servers\\%s\\%c",msg+3,p0);StartServer(buffer,p1);}}Figure1:Examplevulnerablecode:sprintfcanover\rowbuffer.2.OVERVIEWANDBACKGROUNDVulnerabilitiesinthecontextofthispaperareprogramerrorsthatanattackercanexploittomakethevulnerableprogramdeviatefromitsspecication.Anattackerexploitsavulnerabilitybycraftinginputthatcausestheprogramtobehaveincorrectly.Wecallsuchaninputanexploit.Figure1showsavulnerablecodefragmentthatwewilluseasanexamplethroughoutthepaper.ThisisinCforclaritybutBouncerworkswithbinarycode.ThefunctionProcessMessageiscalledimmediatelyafterthemessagemsgisreceivedfromthenetwork.Thisfunctionhasavulnerabil-ity:exploitmessagescancauseittoover\rowbufferinthecalltosprintf.Theattackercanexploitthisvulnerabilitytooverwritethereturnaddressonthestack,whichcancausetheprogramtocrashorexecutearbitrarycode.Thereareusuallymanyexploitsforavulnerability,forexample,anymessagewiththethirdbyteequalto0x1followedbyatleast1013non-zerobytesisavalidexploitforthisvulnerability.Bouncerprotectsprogramsbygeneratingltersthatdropexploitsbeforetheyareprocessed.Figure2providesanoverviewofBouncer'sltergenerationarchitecture.Filtergenerationstartswithasampleexploitthatidenti-esavulnerability.Weobtainasampleexploitbyrunningaversionofthevulnerableprograminstrumentedtologin-putsandtodetectattacks.Whenanattackisdetected,theexploitmessagesareretrievedfromthelog[16]andsenttoBouncer.ThecurrentprototypeusesDFI[12]todetectat-tacksonCandC++programsbutitwouldbepossibletouseotherdetectors(e.g.,[28,4,17,40,37,16,13])ortoapplyourtechniquestoprogramswritteninsafelanguages.DFIdetectsmemorysafetyviolations,forexample,formatstringvulnerabilities,buerover\rows,accessesthroughdan-glingpointers,readsofuninitializeddata,anddoublefrees.Foreachvaluereadbyaninstructionintheprogramtext,DFIusesstaticanalysistocomputethesetofinstructionsthatmaywritethevalue.Atruntime,itmaintainsatablewiththeidentierofthelastinstructiontowritetoeachmemorylocation.Theprogramisinstrumentedtoupdatethistablebeforewrites,andreadsareinstrumentedtocheckiftheidentieroftheinstructionthatwrotethevaluebeingreadisanelementofthesetcomputedbythestaticanalysis.Ifitisnot,DFIraisesanexception.DFIhaslowoverheadbecausemostinstrumentationcanbeoptimizedawaywithstaticanalysis,andithasnofalsepositives:itonlyraisesexceptionswhenmemorysafetyisviolated.Forourexample,wewilluseasampleexploitmessagethat Figure2:Bouncerarchitecture.startswiththreebytesequalto0x1followedby1500non-zerobytesandbytezero.ProcessingthismessagecausesDFItothrowanexceptionwhenp1isaccessedtosetupthecallstackforStartServerbecausep1hasbeenoverwritten.Themessagesinthesampleexploitaresenttoaversionofthevulnerableprogramthatisinstrumentedbothtodetectattacksandtogenerateanexecutiontrace(seeFigure2).ThecurrentprototypeusesDFItodetectattacksandNir-vana[8]togenerateanexecutiontrace.Ifthesampleexploitisvalid,theexecutiontraceissenttothemodulethatrunsthepreconditionslicingalgorithm.Thistracecontainsthesequenceofx86instructionsexecutedfromthemomenttherstmessageisreceivedtothepointwheretheattackisde-tected.Wecalltheinstructionwheretheattackisdetectedthevulnerabilitypoint.Inourexample,thetracecontainstheinstructionsuptothecalltosprintf,theinstructionsinsidesprintf,andtheremaininginstructionsuptothevulnerabilitypoint,whichisthepushofp1ontothestack.Themodulethatrunsthepreconditionslicingalgorithm(seeFigure2)usesthesametechniqueasVigilante[16]togenerateaninitialsetofconditionsforthelter.Thistech-niquereplacestheconcretevalueofeachbyteinthesampleexploitbyasymbolicvaluebiandperformsforwardsym-bolicexecutionalongthetraceofx86instructions.Itaddsaconditiontothelterforeachbranchthatdependsontheinput.Theinitialsetofconditionsforourexampleis:b0�0^b1�0^b2=1^b1503=0^82i1503bi=0Thevulnerableprogramisguaranteedtofollowtheexecu-tionpathinthetracewhenprocessinganymessagethatsatisestheinitiallterconditions.Therefore,thisltercanbeusedtodropexploitmessageswithoutintroducingfalsepositives.However,theattackercancraftexploitsthatarenotdroppedbythislterbecausetherearesomecondi-tionsthatarenotnecessarytoexploitthevulnerability.Forexample,theconditionsonb0andb1arenotnecessaryandexploitswithbothshorterandlongersequencesofnon-zerobytesstartingatindexthreecanexploitthevulnerability.Bouncerreplacestheconditionsgeneratedforsomelibraryfunctions,likesprintfinourexample,bysymbolicsum-mariesthatcontainexactlytheconditionsonthefunctionargumentsthatcauseittoviolatememorysafety.Thesesummariesaregeneratedautomaticallyfromatemplatethatiswrittenonceperlibraryfunction.Inourexample,Bouncerperformsstaticanalysisanddeterminesthatbufferhassize1024bytes,andthatanysequencewithatleast1013non-zerobytespointedtobymsg+3willleadtoamemorysafetyviolationindependentofthevalueofp0.Therefore,thelterconditionsafterthisstepare:b0&#x-0.6;㥙瀀0^b1&#x-0.6;㥙瀀0^b2=1^82i1016bi=0Afteraddingsymbolicsummaries,preconditionslicingusesacombinationofstaticanddynamicanalysistoremoveun-necessaryconditionsfromthelter.Inourexample,itisabletoremovetheconditionsonbytesb0andb1producingtheoptimallter:b2=1^82i1016bi=0Ingeneral,theltersproducedaftertherstiterationarenotoptimal.Bouncergeneralizestheseltersbyrepeatingtheprocesswithalternativeexploitsofthesamevulnera-bilitythatcausetheprogramtofollowdierentexecutionpaths.Thelterconditionsaresenttothemodulethatgeneratesalternativeexploits.Thismoduleusesthesampleexploitandtheconditionstogeneratenewinputmessagesthatarelikelytoexploitthesamevulnerability.Then,itsendsthesemessagestotheinstrumentedvulnerablepro-gramtocheckiftheyarevalidexploits.Iftheyare,theprocessisrepeatedwiththenewexploitmessages.Other-wise,themodulegeneratesnewinput.ThesetoflterconditionsobtainedwitheachexploitiscombinedintoanecientnallterbyoneofBouncer'smodules(seeFigure2).Bouncerlterscanbedeployedautomaticallyafewtensofsecondsafteranewvulnerabilityisidentiedandtheycanbeupdatedasouranalysisgeneralizesthelters.WecanalsorunthelterswithvulnerableprogramsthatareinstrumentedtodetectattackswithDFIandtologinputs.ThisscenarioallowsBouncertorenethelterwhenanattackthatbypassesthelterisdetectedbyDFI.WeexpectBouncertoimproveavailabilityandreliabilitysignicantlyuntilthesoftwarevendorissuesapatchforthevulnerability,whichcantakemanydays.3.SYMBOLICEXECUTIONBouncercomputestheinitialsetoflterconditionsbyperformingforwardsymbolicexecutionalongthetraceob-tainedbyprocessingasampleexploit.Anyinputthatsat-isestheseconditionscanmaketheprogramfollowtheexe-cutionpathinthetraceuntilthevulnerabilityisexploited.ThetraceisgeneratedbyNirvana[8]anditcontainsthesequenceofx86instructionsexecutedbyeachthreadandtheconcretevaluesofsourceanddestinationoperandsforeachinstruction.Thesymbolicexecutionstartsbyreplacingtheconcretevaluesofthebytesinthesampleexploitbysymbolicval-ues:thebyteatindexigetssymbolicvaluebi.Then,itexecutestheinstructionsinthetracekeepingtrackofthesymbolicvalueofstoragelocationsthataredatadependent ontheinput.Thesymbolicvaluesareexpressionswhosevaluedependsonsomeofthebi.Theyarerepresentedastreeswhoseinteriornodesarex86instructionopcodesandwhoseleavesareconstantsoroneofthebi.Wechosethisrepresentationbecauseitistrivialtoconvertintoexecutablecodeanditavoidstheproblemofmodelingx86instructionsusinganotherlanguage.Thesymbolicexecutiondenesatotalorderonthein-structionsinthetracethatisalegaluniprocessorschedule.Theinstructionsareprocessedoneatatimeinthistotalorder.Ifthenextinstructiontobeprocessedhasatleastonesourceoperandthatreferencesastoragelocationwithasymbolicvalue,theinstructionisexecutedsymbolically.Otherwise,anystoragelocationsmodiedbytheinstructionaremarkedasconcrete,thatis,wedeleteanysymbolicvaluetheselocationsmayhavehadbecausetheyarenolongerdatadependentontheinput.Forexample,considerthetraceinFigure3thatcorrespondstothetestintherstifinFigure1.Sincethesourceoperandoftherstinstructionisconcrete,thevalueinregistereaxismarkedconcrete.Thesourceoperandofthesecondinstructionreferencestherstbyteinthemsgarraythathassymbolicvalueb0.Therefore,eaxgetssymbolicvalue(movsxb0)aftertheinstructionisexecuted.Sincethevalueofregistereaxisnowsymbolic,the\ragsregister(eflags)hassymbolicvalue(cmp(movsxb0)0)afterthecmpinstruction.moveax,dwordptr[msg]movsxeax,byteptr[eax]cmpeax,0jgProcessMessage+25h(401045h)Figure3:Assemblycodefortherstifintheex-amplefromFigure1.Wheneverthesymbolicexecutionencountersabranchthatdependsontheinput,itaddsaconditiontotheltertoensurethatinputsthatsatisfythelterconditionscanfollowtheexecutionpathinthetrace.Abranchdependsontheinputifthevalueofeflagsissymbolic.Conditionsarerepresentedasatreeoftheform:(Jccf),wherefisthesymbolicvalueofeflags.Ifthebranchistakeninthetrace,Jccistheopcodeofthebranchinstruction.Otherwise,Jccistheopcodeofthebranchinstructionthatteststhenega-tionoftheconditiontestedinthetrace.ForexamplewhenthelastinstructioninFigure3isexecuted,symbolicexecu-tiongeneratesthecondition(jg(cmp(movsxb0)0)).Ifthebranchhadnotbeentakeninthetrace,theconditionwouldbe(jle(cmp(movsxb0)0)).Noconditionsareaddedforbranchesthatdonotdependontheinput.Symbolicexecutionalsogeneratesconditionswhenanin-directcallorjumpisexecutedandthevalueofthetargetoperandissymbolic.Theconditioninthiscaseassertsthatts=tcwheretsisthesymbolicvalueofthetargetandtcistheconcretevalueofthetargetretrievedfromthetrace.Werepresenttheconditionas(je(cmptstc)).Similarconditionsaregeneratedwhenaloadorstoreisex-ecutedandtheaddressoperandhasasymbolicvalue.Theseconditionsassertthatas=acwhereasisthesymbolicvalueoftheaddressoperandandacisitsconcretevalueretrievedfromthetrace.Werepresenttheconditionas(je(cmpasac)).EXE[11]describesatechniquetogenerateweakerconditionsinthiscase.Wecouldusethistechniquetoob-tainamoregeneralinitiallterbutourcurrentprototypeonlyappliesEXE'stechniquetocommonlibraryfunctionslikestrtokandsscanf.Theinitiallterisaconjunctionoftheseconditions.Anyinputthatsatisesthelterconditionscanmakethepro-gramfollowtheexecutionpathinthetraceuntilthevul-nerabilityisexploited.Wesaycanbecausetheprogrammayonlyfollowthesameexecutionpathiftheinputispro-cessedinthesamesettingasthesampleexploit,thatis,iftheinputisreceivedinthesamestatewherethetracestartedandtheruntimeenvironmentmakesthesamenon-deterministicchoicesitmadeduringthetrace(forexample,thesameschedulingdecisions).Sincethisstateisreachableandclientsdonotcontrolthenon-deterministicchoices,thelterhasnofalsepositives.Additionally,thesymbolicorconcretevaluesofinstruc-tionoperandsareequivalentacrossthetracesobtainedwhenprocessinganyoftheinputsthatsatisfytheconditionsintheinitiallter(inthesamesettingasthesampleexploit).Equivalentmeansidenticalmodulodierentlocationsforthesamelogicalobjects,forexample,thebasesofstackscandif-ferandlocationsofobjectsontheheapcanbedierentbuttheheapswillbeisomorphic.4.IMPROVINGDETECTORACCURACYDetectorinaccuracycanleadtolterswithunnecessaryconditionsbecauseitincreasesthelengthofthetracesusedduringsymbolicexecution.Manytechniquestodetectat-tacksareinaccurate(e.g.,[28,4,17,37,16,13,12]):theydetectanattackonlywhensomeinstructionobservestheef-fectoftheexploitratherthanidentifyingthevulnerability.Forexample,DFIdetectsamemorysafetyviolationonlywhenitreadsdataproducedbyanunsafewrite.Thiswritemayoccurmuchearlierintheexecution.WeanalyzethetracetoimproveDFI'saccuracy.WhenDFIdetectsamemorysafetyviolation,wetraversethetracebackwardstondtheunsafewrite.Wemakethiswriteinstructionthevulnerabilitypointandanyconditionsaddedbyinstructionsthatappearlaterinthetraceareremovedfromtheinitiallter.Thisanalysismaybeinsucienttoidentifythevulner-abilityforattacksthatcorruptinternaldatastructuresinlibraries.Forexample,aclassofattackscorruptstheheapmanagementdatastructuresintheCruntimelibrariestowriteanywhereinmemory.SinceDFIdoesnotcheckreadsinsidelibraries,itdetectstheattackonlywhenaninstruc-tionreadsdataproducedbythiswrite.Weimplementedananalysistondtheinstructionthatrstcorruptstheheapmanagementdatastructures.Wersttraversethetracebackwardstondtheunsafewrite(asdescribedabove).Ifthiswritewasexecutedbyoneoftheheapmanagementfunctions(e.g.,malloc),wetraversethetraceforwardfromthebeginningtondtherstreadinsidemalloc,callocorfreeofavaluewrittenbyaninstructionoutsidethesefunc-tions.Wemaketheinstructionthatwrotethisvaluethevulnerabilitypoint,andremoveanyconditionsaddedbylaterinstructions.Ourcurrentimplementationonlydealswithheapmanagementdatastructuresbutthesameideacouldbeappliedtootherlibraryfunctions.5.PRECONDITIONSLICINGTheinitialltergeneratedbysymbolicexecutionblocksmanyexploitvariants,butitcanbebypassedbyattacksthat exploitthevulnerabilitythroughadierentexecutionpath.Thissectionprovidesanoverviewofslicingtechniquesanddescribesthepreconditionslicingalgorithmthatgeneralizestheinitiallterwithoutintroducingfalsepositives.5.1Staticordynamic?Programslicing[49]performsstaticanalysistoidentifythesetofinstructionsthatarerelevanttothevalueofasetofvariableswhenachoseninstructionisreached.Thissetofinstructionsiscalledtheslice.Wecouldrunanexistingprogramslicingalgorithmtoremoveunnecessaryconditionsfromtheinitiallter.Thisalgorithmcouldcomputethesetofinstructionsthatarerelevanttothevalueoftheoperandsoftheinstructionatthevulnerabilitypoint.Thenwecouldremovefromthelterconditionsaddedbybranchinstruc-tionsnotintheslice.TheproblemwithslicingtechniquesthatrelyonlyonstaticanalysisisthattheyareveryimprecisewhenappliedtorealCandC++programswithpointers[29,24].Theytendtoclassifymostinstructionsasrelevantand,therefore,arenoteectiveatremovingconditionsfromthelter.Dynamicslicingtechniques[29,51]usedynamicinforma-tiontoimproveprecision.Theytakeaninput,generateanexecutiontrace,andusethedynamicdependenciesobservedduringthetracetoclassifyinstructionsasrelevant.Thesetechniquesarenotsuitabletoremoveconditionsfromthelterbecausetheymayintroducefalsepositives.Dynamicslicingcanleadtotheremovalofnecessarycon-ditionsfromthelterbecauseitdoesnotcapturedepen-denciesoninstructionsthatwerenotexecutedinthetrace.Figure4showsanexamplewherethiscanhappen.Ifweapplydynamicslicingtothetraceobtainedwiththesampleexploitmsg="ab",thebranchcorrespondingtothesecondifismarkedirrelevant.However,removingtheconditionaddedbythisbranchfromtheinitiallterresultsinalterthatblocksallmessagesstartingwith'a'.Thislterhasfalsepositives:itcanblockmessagesstartingwith"aa"thatcanneverreachthevulnerabilitypoint.inta=0,b=0;int*c=&b;if(msg[0]=='a')a=1;if(msg[1]=='a')c=&a;*c=0;if(a)Vulnerability();Figure4:Examplewhereremovingconditionsusingdynamicslicingcanleadtofalsepositives.Wedevelopedanewslicingalgorithmtoremoveunneces-saryconditionswithoutaddingfalsepositives.Itcombinesideasfromastaticslicingalgorithmcalledpathslicing[24]withideasfromdynamicslicing.Pathslicingiswellsuitedtoourproblembecauseitcomputesthesetofstatementsinapaththroughaprogramthatarerelevanttoreachatargetlocation.Weimproveitsaccuracybyusingnotonlythepathintheexecutiontraceforthesampleexploitbutalsodynamicinformationfromthetrace,andweperformslicingofassemblycoderatherthansourcecode.5.2BasicstructurePreconditionslicingtraversestheexecutiontraceback-wardsfromthevulnerabilitypointtocomputeapathslice,thatis,asubsequenceoftheinstructionsinthetracewhoseexecutionissucienttoensurethatthevulnerabilitycanbeexploited.Intuitively,thepathslicecontainsbrancheswhoseoutcomematterstoexploitthevulnerabilityandmu-tationsthataecttheoutcomeofthosebranches[24].Wegeneralizetheinitiallterbyremovinganyconditionsthatwereaddedbyinstructionsthatarenotintheslice.Thecurrentimplementationofpreconditionslicingislim-itedtothecasewhereallinstructionsthatarerelevanttoreachthevulnerabilitypointareexecutedbythesamethread.Thisdoesnotmeanthatouralgorithmonlyworkswithsingle-threadedprograms.Infact,alltheprogramsweusedtoevaluateBounceraremulti-threaded.Weareworkingonanextensiontohandlethecasewheretheinteractionbe-tweenseveralthreadsisrequiredtoexploitavulnerability.Westartbydescribingthealgorithmatahighlevelandexplainhowwecombinestaticanddynamicanalysistoim-proveprecisioninthenextsection.Thealgorithmreceivesasinputsatrace,arepresentationoftheprogramcode,andaliasanalysisinformation.Thetracehasasequenceofentriesforeachinstructionintheexecutionwiththesampleexploit.Eachentryinthetracehasapointertothecorrespondinginstructioninthecode,thememoryaddressesorregisternamesreadandwrittenbytheinstructionintheexecutiontrace,andthesymbolicorconcretevaluesreadandwrittenbytheinstructioninthesymbolicexecution.WeobtainarepresentationoftheprogramcodebyusingPhoenix[33]toraisetheprogrambinarytoanintermediaterepresentationverysimilartothex86instructionset.WeusethealiasanalysisimplementedinDFI[12].Theanalysisisperformedduringthecompilationoftheprogramfromsourcecode.Itgeneratestworelationsonoperandsofinstructionsintheprogramcode:MayAlias(o1;o2)itheoperandso1ando2mayrefertooverlappingstoragelocationsinsomeexecution,andMustAlias(o1;o2)itheoperandso1ando2alwaysrefertothesamestoragelocationinallexecutions.Theserelationsareconservativeapprox-imations.MayAliasmayincludepairsthatneveroverlapandMustAliasmaynotincludepairsthatalwaysoverlap.Thealiasrelationsarewrittentodiskduringcompilationandlaterreadbyouralgorithmtogetherwiththebinary.Thealgorithmmaintainsthefollowingdatastructures:curisthetraceentrybeingprocessedsliceisalistoftraceentriesthatwereaddedtothepathslice.Initially,itcontainstheentryforthevul-nerabilitypointinstruction.livekeepstrackofdependenciesforinstructionsinslice.Itcontainsentriesforoperandsreadbytheseinstructionsthathavenotbeencompletelyoverwrittenbyinstructionsthatappearearlierinthetrace.Entriesinlivecontainapointertothecorrespondingoperandinthecode,theregisterormemoryaddressfromwhichtheinstructionreadtheoperandintheexecutiontrace,andthesymbolicorconcretevalueoftheoperandreadbytheinstructioninthesymbolicexecution.Entriesalsokeeptrackofportionsoftheoperandthathavebeenoverwrittenbyinstructionsthatappearearlierinthetrace.Initially,livecontainstheoperandsreadbytheinstructionatthevulnerabilitypoint.WeshowpseudocodeforthealgorithminFigure5.Thealgorithmiteratesthroughthetracebackwardsdecidingwhatinstructionstotakeintotheslice.Return,call,andbranch ComputeSlice(){while(!trace.IsEmpty){cur=trace.RemoveTail();if(cur.IsRet){call=trace.FindCall(cur);if(MayWriteF(CalledFunc(call),live))Take(cur);elsetrace.RemoveRange(cur,call);}elseif(cur.IsCall){Take(cur);foreach(eintrace.CallArgSetup(cur)){Take(e);trace.Remove(e);}}elseif(cur.IsBranch){if(!Postdominates(slice.head,cur)||WrittenBetween(cur,slice.head))Take(cur);}else{if(MayWrite(cur,live))Take(cur);}}}voidTake(cur){slice.AddHead(cur);live.UpdateWritten(cur);live.AddRead(cur);}Figure5:Pseudo-codefortheslicingalgorithm.instructionsaretreatedinaspecialwaybutotherinstruc-tionsaretakeniftheymayoverwritetheoperandsinlive.Whencurisareturninstruction,thealgorithmndsthecorrespondingcallinthetraceandtakesthereturnifthecalledfunctioncanoverwriteoperandsinlive;otherwise,noneoftheinstructionsinthecalledfunctionistakenandalltheentriesbetweenthereturnandthecallareremovedfromthetrace.Whenthereturnistaken,thealgorithmiteratesthroughtheinstructionsinthecalledfunction.Callinstructionsarealwaystakenunlesstheywerealreadyremovedwhenprocessingthecorrespondingreturn.Wealsotaketheinstructionsthatsetuptheargumentsforthecall.Branchesaretakenifthedirectionofthebranchisrele-vanttothevalueoftheoperandsinlive,thatis,ifthereissomepathoriginatingatthebranchinstructionthatdoesnotleadtothelastinstructionaddedtotheslice,orifoneoftheoperandsinlivemaybeoverwritteninapathbetweenthebranchandthelastinstructionaddedtotheslice.TheprocedureTakeaddsthetraceentryofeachinstruc-tionthatistakentoslice.Inaddition,itupdateslivetore\rectthewritesandreadsperformedbytheinstructioninthetrace.ThemethodUpdateWrittenrecordswhatlo-cationswerewrittenbytheinstructionincurandAddReadaddstheoperandsreadbycurtoliverecordingthelocationtheywerereadfromandtheirvalue.5.3CombiningstaticanddynamicanalysisPreconditionslicingimprovestheaccuracyofpathslic-ing[24]bytakingadvantageofinformationfromthesym-bolicexecution.Itensuresthefollowinginvariant.LetFbetheintermediatelterthatcontainsalltheconditionsintheinitiallterthatwereaddedbyinstructionsuptocurandtheconditionsaddedbyinstructionsinslice.ThenalltheexecutionpathsobtainedbyprocessinginputsthatmatchF(inthesamesettingasthesampleexploit)executethese-ProcessMessage(char*msg,char*p0,char*p1){charbuffer[1024];if(msg[0]�0)*p0=msg[0];if(msg[1]�0)*p1=msg[1];if(msg[2]==0x1&&*p0!=0){sprintf(buffer,"\\servers\\%s\\%c",msg+3,*p0);StartServer(buffer,p1);}}Figure6:Exampletoillustratebenetofusingdy-namicinformationtoremoveoperandsfromlive.quenceofinstructionsinsliceandthesourceoperandsofeachoftheseinstructionshaveequivalentconcreteorsym-bolicvaluesacrossthesepaths.Weusedynamicinformationtoremoveentriesfromlivesoonerthanpossibleusingstaticanalysis.ThemethodUp-dateWrittenremovesanentryfromlivewhenthestor-agelocationthattheoperandwasreadfromintheexecu-tiontraceiscompletelyoverwrittenbyearlierinstructionsinthetrace.Sincelivealreadycapturesthedependenciesoftheinstructionsthatoverwrotetheremovedentry,theentrynolongeraectsthereachabilityofthevulnerabilityatthispointinanypathobtainedwithinputsthatmatchF.Incontrast,pathslicingremovesanoperandfromliveifMustAliasholdsfortheoperandandanyoftheoperandswrittenbythecurrentinstruction.WecanillustratethebenetsofourapproachusingthemodiedexampleinFigure6andthesamesampleexploitthatweusedearlier.Assumethatp0andp1pointtothesamestoragelocationandthatthisfactcannotbedeter-minedbythestaticanalysis.Pathslicingwouldnotbeabletoremoveanyconditionfromtheinitiallter.Preconditionslicingcanremovetheconditionb0�0fromtheinitiallter.When*p1=msg[1]isprocessed,theoperandfor*p0isre-movedfromlivebecauseitsstoragelocationisoverwritten.Therefore,thebranchthatchecksmsg[0]�0isnotaddedtotheslice.ThefunctionMayWritechecksifaninstructionmayover-writeanoperandinlive.Wealsouseacombinationofstaticanddynamicanalysistoimplementthisfunction.May-WritestartsbycomputingthesetLwithalloperandsinthecodethatmayaliasatleastoneoperandwithanentryinlive.Accordingtothestaticanalysis,MayWriteshouldre-turntrueifanyoftheoperandswrittenbycurisinLandfalseotherwise.Weperformanadditionalchecktoimproveaccuracywithdynamicinformation.Wedonottakecurifitsexecutiondidnotwriteoverthestoragelocationsofanyoftheoperandsinliveanditstargetaddressisdeterminedbyconcretevaluesofoperandsinlive.ThispreservestheinvariantbecausethedependenciescapturedinliveensurethatcurcannotaectthevalueoftheoperandsinliveinanypathobtainedwithinputsthatmatchF.Soitisnotrelevanttoreachthevulnerability.Tocheckifthetargetaddressofcurisdeterminedbyconcretevaluesofoperandsinlive,weiterateoverthein-structionsinthebasicblockofcur.Ifalloperandsreadbyaninstructionmustaliasanoperandwithaconcretevalueinliveortheresultoperandofapreviousinstructioninthebasicblock,weexecutetheinstructionwiththecon- ProcessMessage(char*msg,char*p0,char*p1){charbuffer[1024];if(msg[0]�0)*p0=msg[0];if(msg[1]�0)*p1=msg[1];if(msg[2]==0x1&&*p0!=0&&p1!=p0){sprintf(buffer,"\\servers\\%s\\%c",msg+3,*p0);StartServer(buffer,p1);}}Figure7:Exampletoillustratebenetofusingdy-namicinformationtocomputeMayWrite.cretevaluesandrecordtheconcretevalueofthedestinationoperand.Wedonottakecurifwecancomputeaconcretevalueforitstargetaddress.Figure7showsamodiedversionofourexamplecodethatillustratesthebehaviorofMayWrite.Assumethatp0andp1pointtodierentlocationsbutstaticanalysiscannotdeterminethisfact.Inthiscase,pathslicingcannotremoveanyconditionsfromtheoriginallter.Preconditionslicingcanremovetheconditionb1�0.*p1=msg[1]isnottakenbecauseitdoesnotoverwriteanyoperandinliveandp1isinlive.Sothebranchthatchecksmsg[1]�0isnottaken.MayWriteFcheckswhetherafunctionmaywriteoveranyoperandinlive.ItcomputestheintersectionbetweenthesetofalloperandsthefunctionmaymodifyandL.Ifthein-tersectionisempty,wedonottakethefunction.Otherwise,weperformanadditionalcheckforlibraryfunctionswhosesemanticsweknow.Wedonottakealibraryfunctionifthelocationsitwritesaredeterminedbytheconcretevaluesofoperandsinliveanditdidnotwriteoveranyoperandinliveinthetrace.Forexample,wedonottakethecallmemcpy(dst,src,n)ifthevaluesofdstandnarecon-stantsoraredeterminedbytheconcretevaluesofoperandsinlive,anditdidnotoverwriteanyoperandinlive.Therearetwocheckstodeterminewhethertoaddabranchtotheslice.Therstonechecksifthelastinstructionaddedtothesliceisapostdominatorofthebranch[5],i.e.,whetherallpathsfromthebranchtothefunction'sreturninstruc-tionspassbyslice.head.Ifnot,weaddthebranchtotheslicetocaptureinlivethedependenciesnecessarytoensurethebranchoutcomeinthetrace.Otherwise,theexecutionpathsmightnotvisittheinstructionsinslice.Weuseastandardstaticanalysistodeterminepostdom-inancebutrstwecheckiftheoutcomeofthebranchisalreadydecidedgiventheconcreteandsymbolicvaluesofoperandsinlive.Inthiscase,wedonotaddthebranchtotheslice.ThisissimilartothetechniquesdescribedtoimprovetheaccuracyofMayWritebutwemakeuseofsym-bolicoperandvaluesandtheconditionsaddedbyinstruc-tionsalreadyintheslice.Ifthebranch\ragissymbolic,wecheckiftheconditionsalreadyinthesliceimplythebranchconditionoritsnegation.Thecurrentimplementationonlydealswithsimpleexpressions.Thispreservestheinvariantbecause,whenthebranchisnotaddedtoslice,thede-pendenciescapturedinlivealreadyensuretheappropriatebranchoutcometoreachthevulnerabilityinanypathob-tainedwithaninputthatmatchesF.WrittenBetweenimplementsthesecondchecktodeter-minewhetherornottotakeabranch.Itreturnstrueifthereissomepathinthecodebetweenthebranchandslice.headwheresomeoperandsinlivemaybeoverwritten.Weper-formthischeckbytraversingthecontrol\rowgraphbetweenthebranchandslice.headindepth-rstorder.Weiterateovertheinstructionsineachbasicblockvisited.WeuseMayWrite(orMayWriteFforfunctioncalls)todetermineiftheinstructionsinthebasicblockcanmodifyoperandsinlive.Wealsomakeuseofconcretevaluesofoperandsinlivetoimprovetheaccuracyoftheanalysis.Thisisverysimilartowhatwasdescribedabove.6.SYMBOLICSUMMARIESPreconditionslicingisnoteectiveatremovingconditionsaddedbyinstructionsinsidelibraryfunctions.Withoutaliasinformation,itmustbeconservativeandaddalltheinstruc-tionsinthesefunctionstotheslice.Wetookapragmaticapproachtoaddressthislimitation:weuseknowledgeaboutthesemanticsofcommonlibraryfunctionstogeneratesym-bolicsummariesthatcharacterizethebehaviorofafunctionasasetofconditionsonitsinputs.Weusethesesummariestoreplacetheconditionsextractedfromthetrace.Wegeneratesymbolicsummariesautomaticallyfromatemplatethatiswrittenonceperlibraryfunction.Therearetwocasesdependingonwhetherthevulnerabilitypointisinsidealibraryfunctionorthelibraryfunctioniscalledinthepathtowardsthevulnerability.Intherstcase,wedonotneedtocharacterizethefullbehaviorofthefunc-tionbecausewhathappensafterthevulnerabilitypointisnotimportant.Therefore,thesymbolicsummaryissimplyaconditionontheargumentsofthefunctionthatistrueexactlywhenthevulnerabilitycanbeexploited.Theconditionsinasymbolicsummaryaregeneratedfromatemplate(whichdependsonthelibraryfunction)usingacombinationofstaticanddynamicanalysis.Theanalysismustdeterminethesymbolicorconcretevaluesoffunctionargumentsandpotentiallythesizesoftheobjectspointedtobythesearguments.Forexampleifthevulnerabilityisabuerover\rowinthecallmemcpy(dst,src,n),thesummarywillstatethatthesizeoftheobjectpointedtobydstmustbegreaterthanorequalton.Togeneratethiscondition,theanalysismustdeterminetheconcreteorsymbolicvaluesfornandforthesizeoftheobjectpointedtobydst.Thevalueforargumentslikenisreadilyavailablefromthetraceentryforthecorrespondingpushinstruction.Todeterminethesizeoftheobjectpointedtobyanar-gument,theanalysistraversesthetracebackwardsfromthefunctioncalltothepointwheretheobjectisallocated.Forobjectsthatareallocateddynamicallyusingcalloc,malloc,orrealloc,theanalysisobtainstheconcreteorsymbolicvaluesoftheargumentspassedtotheseallocatorstocomputeanexpressionfortheobjectsize.Forobjectswhosesizeisknownstatically,theanalysisobtainstheob-jectsizefromourrepresentationofthecode.Duringthistracetraversal,theanalysisbuildsanexpressionfortheo-setbetweentheargumentpointerandthestartaddressoftheobject.Theexpressionforthesizeusedintheconditionisequaltotheobjectsizeminusthisoset.Itishardertocomputesymbolicsummariesforfunctionsintheprintffamilybecausetheyhaveavariablenumberofargumentswithvariabletypes,butitisimportantbecausethesefunctionsareinvolvedinmanyvulnerabilities.Wedistinguishtwocases:whentheformatstringdependsontheinputandwhenitisknownstatically. Intherstcase,weonlydealwithcallsthatreceivenoargumentsbeyondtheformatstring,whichisthecommoncasewithformatstringvulnerabilities.Theanalysisgener-atesasummarywithaconditiononthesymbolicvaluesofthebytesintheformatstring.Thisconditionistruewhentheformatstringcontainsvalidformatspeciersorwhenitssize(afterconsumingescapecharacters)exceedsthesizeofthedestinationbuerforfunctionsinthesprintffamily.Whentheformatstringdoesnotdependontheinput,themostcommonvulnerabilityisforafunctioninthesprintffamilytoformatanattacker-suppliedstringintoadestina-tionbuerthatistoosmall(asinourexampleinFigure1).Thesummaryforthiscaseisaconditiononthesizesoftheargumentstrings.Theanalysiscomputestheboundonthesesizesbyparsingthestaticformatstringusingthesamealgorithmasprintf,processinganyargumentsthatdonotdependontheinput,anddeterminingthesizeofthedestinationbuer(asdescribedabove).Itisinterestingtocontrastsymbolicsummarieswithatechniquethatpatchesthecodebyaddingacheckbeforethelibrarycall.SymbolicsummariesallowBouncertode-tectanddiscardbadinputbeforeitisprocessed.Therefore,servicescankeeprunningcorrectlyunderattack.Whereasrecoveringwhenthecheckfailsishard.Furthermore,addingthecheckmayrequirekeepingaruntimestructuremappingobjectstotheirsizes.Thisisnotneededbysymbolicsum-mariesbecausetheyarespecictoaparticularexecutionpath(theonedenedbytheotherconditionsinthelter).Wealsocomputeasecondtypeofsymbolicsummaryforlibraryfunctionsthatarecalledinthepathtowardsthevulnerability.Wemotivatethiswiththefollowingexample:if(stricmp(s,"Astring")==0)Vulnerability();thevulnerabilityinthisexampleisreachableiftheattackersuppliedstringequals\Astring"afterbothareconvertedtolowercase.Theconditionsthatweextractautomaticallyfromasampleexecutionofstricmpwillonlycaptureapar-ticularvalueofsthatsatisesthecomparison.Thetech-niquesdescribedinthenextsectiongenerateexecutionswithalternativeinputstogeneralizethelters.Buttheywouldrequireatleast28inputs(where8isthesizeof\Astring")togeneratealterthatcanblockalltheattacksthatcanexploitthevulnerability.Ifwereplacetheconditionsfortheexecutionofstricmpinthesampletracebythesummary(s[0]=A_s[0]=a)^:::^(s[8]=G_s[8]=g)^s[9]=0wecancapturesuccinctlyallvaluesofsthatcanbeusedtoexploitthevulnerability.Sincethevulnerabilityisnotinsidethesefunctions,wecanalternativelychoosetocallthemdirectlyinthelter.Currently,weonlygeneratesummariesforfunctionsinthemiddleofthepathiftheyhavenosideeects.Thereissomerecentworkthatproposescomputingsimilarsummariesautomaticallyforarbitraryfunctions[22].7.SEARCHFOROTHERATTACKSThetechniquesdescribedintheprevioussectionsgener-ateltersthatblockmanyattacksthatexploitthesamevulnerability,buttheyarenotsucienttogenerateoptimalltersthatblockallexploits.Togeneralizeourltersfurther,wesearchforalterna-tiveexploitsofthesamevulnerability,obtainnewexecu-tiontracesusingtheseexploits,andapplythealgorithmsdescribedintheprevioussectionstocomputeanewlter.Thedisjunctionoftheltersobtainedfromthedierentex-ecutiontracescatchesmoreexploits.Thesearchforallpossibleexploitsmaytakeasignicantamountoftime.Therefore,theinitialltermaybedeployedassoonasitisavailable(withintensofseconds),whilethesearchprocedureincrementallyimprovesitsaccuracy.Weexperimentedwithtwotechniquestosearchforalter-nativeexploits.First,weimplementedthetestgenerationapproachofDART[23](whichwasalsoproposedin[41,11]).Thisapproachusesconditionsobtainedfromsymbolicexecution(asinSection3)toguidenewtestinputgenera-tion.Ittakesaprexoftheconditionsnegatesthelastoneandfeedstheresultingconditionstoaconstraintsolvertoobtainnewtestinputs.Thisapproachhasthenicepropertythatgivenenoughtimeitcanndallexploitsofthesamevulnerability.Theproblemisthatitrequirestoomuchtimeinpractice.Weareworkingonsearchheuristicsthatmightmakethisapproachpractical.Wecurrentlyuseasecondsearchstrategythatgeneratesalternativeexploitsbyremovingorduplicatingbytesintheoriginalexploitmessages.Thisstrategyisnotguaranteedtondallexploitsofthesamevulnerabilitybutitissimple,fastandeasytoparallelize.Wepickbytestoremoveorduplicateusinganheuris-ticbasedonthelterconditions.Wegiveascoretoeachconditionequaltothetotalnumberofbytesinconditionsdividedbythenumberofbytesthathaveanidenticalcondi-tion.Eachbytehasascoreequaltothesumofthescoresoftheconditionsitappearsin.Wepickthebyteswiththelow-estscoresbecausetheyarelikelytobellerbytesinbuerover\rowexploits.Aftergeneratingapotentialnewexploit,wesendittotheversionofthevulnerableprogramthatisinstrumentedtodetectattacks(asshowninFigure2).Ifthedetectorsignalsthattheexploitisvalid,werepeattheltergen-erationprocessforthenewexploit.Whenusingsymbolicsummariesforthelibraryfunctionwiththevulnerability,weinstrumentthevulnerableprogramtosignalsuccesswhenthecallsitewiththevulnerabilityisreached.Iftheexploitisnotvalid,thedetectordoesnotraiseanexception.Wedetectthiscaseusingawatchdogthatchecksifallthreadsinthevulnerableprogramareidle.Thisworkswellinpracticeandavoidshavingtowaitforalargetimeout.Weuseourheuristictoselectbytestoremove.Ifafterremovingabytetheresultingmessageisnotavalidexploit,weretainthatbyteandpickanotheronetoremove.Werepeatthisprocessuntilwehavetriedtoremoveallbytesorthemessagesizeislowerthanaboundfromasymbolicsummary.Then,westartgeneratingnewexploitsbydupli-catingbytesintheoriginalexploitmessage.Wepickanotherbytetoduplicateifwedidnotobtainanexploitoriftherearebytesintheresultingexploitmessagethatarenotreadbythevulnerableprogram.Westopafterwehavetriedtoduplicateallbytes.Wecombinetheltersgeneratedforeachalternativeex-ploittoobtainthenallter.Simplytakingthedisjunctionofalllterscanresultinanallterwithhighoverhead.In-stead,wecomparetheconditionsappliedtoeachbyteindexbyeachlter.Acommonstructureisasetofbyteindicesinthebeginningofamessagethathavethesameconditioninalllters.Thesearetypicallyfollowedbysequencesofbyteindicesthathavedierentlengthsindierentltersbuthavethesameconditionsappliedtoeachbyteinthe sequenceineachlter.Theremaybeseveralofthesese-quences.Typically,theyarefollowedbyterminatorbyteswiththesameconditionsineachlter.Ifwerecognizethisstructure,wetakeadvantageofittogenerateanecientnallter.Inthiscase,thenallterhastheconditionsfortheinitialbytesfollowedbyloopsthatchecktheconditionsonthevariablelengthbytesequences,andconditionsthatchecktheterminatorbytes.Thenallterisanx86executable.Itisstraightforwardtoconverttheconditionsgeneratedduringsymbolicexe-cutionintoexecutablecode.Weuseasimplestack-basedstrategytoevaluateeachconditionandashort-circuiteval-uationoftheconjunctionoftheconditions.Thesizeofthestackisboundedbythedepthofthetreesintheconditionsandltersonlyaccessthisstackandtheinputmessages.Therefore,ltersareguaranteedtoruninboundedtimeandtouseaboundedamountofmemory.8.EVALUATIONWeimplementedaprototypeofBouncerandweevaluateditusingrealvulnerabilitiesinrealprograms:MicrosoftSQLserver,ghttpd,nullhttpd,andstunnel.Westartedbyan-alyzingeachvulnerabilitycarefullytocharacterizethesetofattackmessagesthatcanexploitit.Then,weusedBouncertogeneratealterforeachvulnerabilityandevaluatedthefractionofattackvariantsblockedbythelter.Theresultsshowthatourlterscanblockallattacksthatexploittwoofthevulnerabilities.Wealsoranexperimentstostudyltergeneration.Wemeasuredltergenerationtime,thenumberofiterationsinthesearchforalternativeexploits,andthecontributionofeachofourtechniquestogeneralizetheinitiallter.Thenalsetofexperimentsmeasuredtheoverheadintro-ducedbythelterswhenusedtoprotectrunningservices.Wemeasuredboththerunningtimeoftheltersandthedegradationinservicethroughputwithandwithoutattacks.Ourresultsshowthatthedeployedltershavenegligibleoverheadandthatattackersmustconsumealargeamountofbandwidthtoreduceservicethroughputsignicantly.8.1ServicesandvulnerabilitiesWestartbydescribingtheservicesandvulnerabilitiesthatwestudied,andalltheattacksthatcanexploiteachvulner-ability.Determiningthesetofallattacksrequireddetailedanalysisofthevulnerableprogramsaidedbyourtools.Wealsodescribethesampleexploitthatweusedtobootstraptheltergenerationprocessforeachvulnerability.SQLserverisarelationaldatabasefromMicrosoftthatwasinfectedbytheinfamousSlammer[34]worm.Westud-iedthebuerover\rowvulnerabilityexploitedbySlammer.Anattackercanover\rowastackbuerbysendingaUDPmessagewiththerstbyteequalto0x4followedbymorethan60bytesdierentfromzero.Thestackover\rowoccursinsideacalltosprintf.WeusethesameexploitasSlam-mertostarttheltergenerationprocess.Thisexploithastherstbytesetto0x4followedbya375-bytestringwiththewormcode,anditoverwritesthereturnaddressofthefunctionthatcallssprintf.GhttpdisanHTTPserverwithseveralvulnerabilities[1].Thevulnerabilitythatwechoseisastackbuerover\rowwhenprocessingthetargetURLforGETrequests.Theover\rowoccurswhenloggingtherequestinsideacalltovsprintf.Therearemanyexploitsthatcanover\rowthebuer.Successfulexploitsmusthavelessthan4Kbytesandhaveasequenceofnon-zerobytesterminatedby"\n\n"or"\r\n\r\n".Theymuststartwithzeroormorespacechar-actersfollowedbythestring"GET"andbyoneormorespacecharacters.Thesequenceofremainingcharactersuntiltherst'\n'or'\r'cannotcontainthestring"\\.."andmusthavemorethan150bytes.Thesampleexploittostartltergenerationforghttpdbeginswiththestring"GET"followedbyasequenceof203non-zerobytesterminatedby"\n\n".Thisexploitover\rowsthereturnaddressofthefunctionthatcallsvsprintf.NullhttpdisanotherHTTPserver.Thisserverhasaheapover\rowvulnerabilitythatanattackercanexploitbysendingHTTPPOSTrequestswithanegativevalueforthecontentlengtheld[2].TheserequestscausetheservertoallocateaheapbuerthatistoosmalltoholdthedatainthePOSTrequest.WhilecallingrecvtoreadthePOSTdataintothebuer,theserveroverwritestheheapmanagementdatastructuresmaintainedbytheClibrary.Thisvulnerabilitycanbeexploitedtooverwritearbitrarywordsinmemory.Thereisaverylargenumberofmessagesthatcancausethebuertoover\rowinnullhttpd.Eachofthesemessagesisasequenceoflineswithupto2046non-zerobytesdif-ferentfrom'\n'terminatedby'\n'.Therstlinemuststartwith"POST"(caseinsensitive)followedbytwoothereldsseparatedbyspaces.Then,therecanbeanynum-berofarbitrarynon-emptylinesuntilalinethatstartswith"Content-Length:"(caseinsensitive)followedbyastringthatisinterpretedasanegativenumberNbyatoi.Thislinecanthenbefollowedbyanynumberofnon-emptylinesthatdonotstartwith"Content-Length:".Themessagemustendwithanemptylinefollowedbyatleast1024NbytesofPOSTdata.Weusedtheexploitdescribedin[14]tostarttheltergenerationprocessfornullhttpd.Thisisatwomessageex-ploit.TherstmessageexploitsthevulnerabilitytomodifytheCGI-BINcongurationstringtoallowtheattackertostartanarbitraryprogram.Thesecondmessagestartsashell.Therstmessagehasalinewithacookiethatisnotnecessaryfortheattack.StunnelisagenerictunnelingservicethatencryptsTCPconnectionsusingSSL.Westudiedaformatstringvulner-abilityinthecodethatestablishesatunnelforSMTP[3].Anattackercanover\rowastackbuerbysendingamessagethatispassedasaformatstringtothevsprintffunction.Thebuerover\rowsiftheattackersendsanymessagewithupto1024bytesterminatedby'\n'withasequenceofinitialbytesdierentfrom'\n'thatexpandstomorethan1024byteswheninterpretedasaformatstring.Therearemanymessagesthatsatisfytheseconditionsandtheycanbesmall,forexample,"%1025.x\n"over\rowsthebuer.Thesampleexploitthatweusedtobootstraptheltergenerationprocessforstunnelwasamessagestartingwith"%.512x"followedby602'A'charactersanda'\n'.Thismessageoverwritesthereturnaddressofthefunctionthatcallsvsprintf.8.2FilteraccuracyThissectionevaluatestheaccuracyofBouncerlters.Ta-ble1summarizesourresults.Alterhasfalsenegativesifitfailstoblockinputthatcanexploitthevulnerabilityun-derstudyandfalsepositivesifitblocksinputthatcannotexploitthevulnerability. service falsepositives falsenegatives SQLserver no no ghttpd no yes nullhttpd no yes stunnel no no Table1:AccuracyofBouncerlters. 10002000300040005000600070008000 SQL Server Nullhttpd ghttpd stunnel Number of conditions Symbolic execution Detector accuracy Summaries Slicing Figure8:NumberofconditionsinBouncerltersafterapplyingeachtechnique.Thenumberofcon-ditionsaftersymbolicexecutionisthenumberofconditionsinVigilantelters.FiltersgeneratedbyBouncerhavenofalsepositivesbydesign:allthemessagestheyblockcanexploitthevulner-ability.Althoughwecannotprovidestrongguaranteesonfalsenegatives,wefoundempiricallythatBouncergenerateslterswithnofalsenegativesforthevulnerabilitiesinSQLserverandstunnel:ourltersblockalltheattacksthatcanexploitthesevulnerabilities.Theltersfortheothervulnerabilitiesfailtoblocksomeexploitsbuttheyblockmanyexploitsdierentfromthesam-pleexploit.ItisharderforBouncertogeneratelterswithnofalsenegativeswhenprotocolsallowsemanticallyequiv-alentmessagestobeencodedinmanydierentways,orwhenthereareseveralvariablelengtheldsthatarepro-cessedbeforereachingthevulnerability.Forexample,HTTPGETmessagescanhavezeroormorespacesbefore"GET"andoneofmorespacesafter"GET".Bouncer'slterforghttpdfailstoblockexploitmessagesthathavespacesbefore"GET"butcapturesexploitsthataddspacesafter"GET".BouncerltersblocksignicantlymoreattacksthanVig-ilantelters[16].BouncerremovesalargefractionoftheconditionsinVigilantelters(whichareobtainedusingsym-bolicexecutionaloneasdescribedinSection3).Figure8showsthenumberofconditionsinBouncerltersaftersymbolicexecution(sameasVigilante),afterimprov-ingdetectoraccuracy,afterreplacingtheconditionsinthelibraryfunctionwherethevulnerabilityoccursbyasym-bolicsummary,andafterpreconditionslicing.Thesenum-berswereobtainedintherstiteration(whichprocessesthesampleexploit)andalltheconditionsdependontheinput.AdditionaliterationswouldimprovetheaccuracyofBouncerltersrelativetoVigilanteltersevenfurther.TheresultsshowthatallthetechniquesimprovetheaccuracyofBouncerlters.Preconditionslicinghasthelargestim-pactforSQLserver,ghttpd,andstunnel.Fornullhttpd,improvingdetectoraccuracyisthelargestcontributor.Webelievethatitwouldbepossibletoreducefalseneg-ativesbycombiningBouncer'stechniqueswithothertech-niquestocomputeweakestpreconditions(e.g.,[6]).How- 20000400006000080000100000SQL ServernullhttpdghttpdstunnelFilter generation time (s)Vulnerable applicationFigure9:Totaltimetogeneratelters. 20040060080010001200SQL ServernullhttpdghttpdstunnelNumber of filter iterationsVulnerable applicationFigure10:Numberofiterationstogeneratelters.ever,thereareproblemswithloopsandrecursionthathavetobesolvedforthesetechniquestobeuseful.Additionally,wecouldexploitprotocolknowledge(whenavailable)toim-provethesearchforalternativeexploitsasinShieldGen[19].8.3FiltergenerationWealsoevaluatedthecostofltergenerationbymeasur-ingthenumberofiterationsandthetimetogeneratethelters.WerantheseexperimentsonaDellPrecisionWork-station350witha3GHzIntelPentium4processorand1GBofmemory.TheoperatingsystemwasWindowsXPprofes-sionalwithservicepack2.Figures9and10showthetotaltimeandthenumberofiterationstogeneratethelters,respectively.Werantheexperimentswitha24-hourtimelimit.Theltergenerationprocessfornullhttpdandghttpddidnotterminatebeforethislimit.IttookBouncer4.7hourstogeneratethelterforSQLserverand16.2forstunnel.Theltergenerationprocessranforroughly1000itera-tionsinallcases.Itstoppedafter967iterationsforSQLserverandafter1025iterationsforstunnel.TheminimumexploitsizeforSQLserveris61bytesandthemaximumis1024.Forstunneltheminimumexploitsizeis2bytesandthemaximumisalso1024.Therearetworeasonsfortherelativelylargeltergen-erationtimes.First,thetimeperiterationislargeduetoinecienciesinourprototype:17sforSQLServer,83sfornullhttpd,79sforghttpd,and57sforstunnel.Forexam-ple,generationandremovalofconditionsisperformedbyseparateprocessesthatcommunicatebyreadingandwritinglargeles.Betterintegrationwouldsignicantlyreducethetimeperiteration.Second,thenumberofiterationsisalsolargetoensurethenallterhasnofalsepositives.Wearestudyingtechniquestoanalyzeloopsstaticallythatshouldreducethenumberofiterationsnecessary.Ourprototypeisusefulevenwiththeselimitations. 400800120016000100200300400Running time (ns)Message size (bytes) SQL filterFigure11:FilteroverheadfortheMicrosoftSQLservervulnerabilityasafunctionofmessagesize.Insomedeploymentscenarios,itiseasytoreduceltergenerationtimesbyexploitingparallelism.Sinceiterationsinourltergenerationprocessareindependent,itcanbeparallelizedbyassigningeachiterationtoadierentpro-cessor.Forexample,alargesoftwarevendorlikeMicrosoftcouldruntheltergenerationprocessinaclusterwith1000machinesandthendisseminatethelterstousersofvulner-ablesoftware.Thiscouldspeedupltergenerationtimesbyuptothreeordersofmagnitude,forexample,generatingtheltersfortheSQLServerandstunnelvulnerabilitieswouldtakelessthanoneminute.Inotherscenarios,wecandeployalteraftertherstiteration,whichtakestensofseconds.Thenwecandeployanimprovedlteraftereachiteration.Additionally,ifwerunthevulnerableprograminstrumentedtodetectattackswithDFIandtologinputs,BouncercanrenethelterwhenanattackthatbypassesthelterisdetectedbyDFI.8.4FilteroverheadWealsoranexperimentstomeasuretheoverheadintro-ducedbydeployedlters.Theresultsshowthattheover-headtoprocessbothexploitandnon-exploitmessagesislowforalltheltersgenerated.Therefore,ltersallowservicestoworkcorrectlyandecientlyevenunderattack.8.4.1RunningtimeTomeasurethelterrunningtime,wevariedmessagesizesfrom16to400bytesinincrementsof16bytes.Foreachmessagesize,wemeasuredthetimetoprocess1000messagesandrepeatedthisexperiment1000times.Wepresenttheaveragetimeacrossthe1000experiments.Werantheseex-perimentsinthemachinedescribedintheprevioussection.Wechosemessagestoobtainaworst-caseoverheadforthelters.Themessagesarepickedrandomlybutwithcon-straintsdesignedtoforcetheltertocheckconditionsonthemaximumnumberofmessagebytespossible.Forex-ample,themessagesusedtomeasuretheoverheadoftheSQLserverlterhavetherstbyteequalto0x4toforcetheltertocheckiftheremainingbytesinthemessagearedierentfromzero.Ontheotherhand,themessagessenttothestunnellterhaveno%charactersbecausethel-terstopsprocessingthemessagebyteswhenitndsavalidformatspecier.Figure11showstheSQLserverlteroverhead.Theover-headcurveis\ratforsmallmessagesizesbecausetherstconditioninthelterchecksifthemessagehasatleast61bytes.Thisconditionisobtainedfromthesymbolicsum-maryforthesprintffunctionwherethevulnerabilityoc-curs.Theoverheadgrowslinearlywiththesizeforlonger 400800120016000100200300400Running time (ns)Message size (bytes) ghttpd filterFigure12:Filteroverheadfortheghttpdvulnerabil-ityasafunctionofmessagesize. 400800120016000100200300400Running time (ns)Message size (bytes) nullhttpd filterFigure13:Filteroverheadforthenullhttpdvulner-abilityasafunctionofmessagesize.messages(whichareallexploits)becausethenumberofbytesprocessedbythelterincreaseslinearly.Figure12showsthelteroverheadfortheghttpdvulner-ability.ThecurveissimilartotheoneforSQLserver:itis\ratformessagesupto156bytesbecauseoftheconditionobtainedfromthesymbolicsummaryofthevsprintffunc-tionwherethevulnerabilityoccurs.Theoverheadgrowslinearlyforexploitmessages.AsinSQLservertheover-headforprocessingnon-exploitmessagesisnegligibleandtheoverheadforprocessingexploitmessagesislow.TheoverheadcurvefornullhttpdisdierentfromtheprevioustwoasshowninFigure13.ThishappensbecauseweusePOSTrequeststotestthislterandincreasemessagesizebyaddingbytestothePOSTdata,whichisnotprocessedbythelter.TheresultsshowthattheoverheadtoprocessPOSTrequestsislow.SinceoneoftherstconditionsinthelterchecksifthemessagestartswithPOST,theoverheadtoprocessmessagesthatdonotstartwithPOSTisverylow.Figure14showsthelteroverheadforthestunnelvul-nerability.Thiscurveisdierentfromalltheothersbecausethisvulnerabilitycanbeexploitedwithverysmallmessagesandtheltermustcheckeverybyteinthemessagelook-ingforvalidformatspeciers.Theoverheadishigherthanthatobservedfortheotherltersbutthislterisonlyap-pliedtogreetingmessageswhenestablishingSSLtunnelsfortheSMTPprotocol.Therefore,itsoverallimpactonperformanceisnegligible.Inallcasesshown,thetimetorunthelteronnon-exploitmessagesisbetweenthreeandveordersofmag-nitudesmallerthantypicalwide-areanetworklatenciesandbetweentwoandthreeordersofmagnitudesmallerthantypicallocal-areanetworklatencies.Therefore,ourltershaveanegligibleimpactonoverallservicelatency. 100020003000400050000100200300400Running time (ns)Message size (bytes) stunnel filterFigure14:Filteroverheadforthestunnelvulnera-bilityasafunctionofmessagesize.8.4.2EffectonthroughputWealsomeasuredthroughputreductionduetoltersonSQLserverandnullhttpd.ThevulnerableservicesranonaDellPrecisionworkstation350witha3GHzIntelPentium4processorand2GBofRAM,runningWindows2000.WeranclientsonaDellLatitudeD600laptopwitha2GHzIn-telPentiumprocessorand1GBofRAM,runningWindowsXPprofessionalwithservicepack2,andonaDellLatitudeD620laptopwitha2.16GHzCore2Duoprocessorand2GBofRAM,runningWindowsVista.Serverandclientswereconnectedbya100MbpsD-LinkEthernetswitch.ForSQLserver,weusedtheTPC-Cbenchmark[45]togenerateload.Tomeasuretheworstcasescenarioforthelteroverhead,clientswereconguredwithzerothinktimeandweusedemptyimplementationsfortheTPC-Cstoredprocedures.Fornullhttpd,wegeneratedloadusingare-questfromtheSPECWeb1999benchmark[43].There-questfetchesastaticlewith102bytes.Wechosethisre-questbecausetheleiscachedbytheserver,whichensuresthelteroverheadisnotmaskedbyI/O.ForbothSQLserverandnullhttpd,wemeasuredthemaximumthroughputintheabsenceofattacksforabaseversionwithoutthelterandforaversionwiththelterdeployed.Forbothversions,weincreasedtherequestrateuntiltheserverreached100%CPUusage.Wereporttheaverageofthreeruns.Theoverheadisverylow:itwasbelow1%forbothservices.Onasecondsetofexperiments,wemeasuredthethrough-putofthetwoservicesunderattack.Wesentattackprobestoserversthatwerefullyloadedandmeasuredthereduc-tioninthroughputasweincreasedtherateofattackprobes.Theattacksprobescarriedthesameexploitsthatwereusedtostarttheltergenerationprocess.Weranthisexper-imentwithservicesprotectedbyBouncerltersandwithservicesthatrestartwhentheydetectanattack.Werestarttheserviceimmediatelyafteranattackprobeisreceivedtomakethecomparisonindependentoftheperformanceofanyparticulardetectionmechanism.Figures15and16showthenormalizedthroughputunderattackofSQLserverandnullhttpd,respectively.Detectingtheattacksisnotenough.IfSQLserverisrestartedwheneveranattackisdetected,theattackercanmaketheserviceunavailablewithverylittleeort.TheresultsshowthatanattackercanreducethethroughputofSQLserverbymorethan90%withanattackrateofonly12probesperminute.ThishappensbecauseSQLserverhasacomplexstartupprocedurethattakesapproximatelyveseconds.WithBouncerlters,thereductioninthroughputwiththisattackrateisnegligible. 0.20.40.60.8024681012Normalized throughputAttack probes/minute SQL with Bouncer filter SQL restarting on attackFigure15:NormalizedthroughputforBouncerandRestartonaSQLserverunderattack. 0.00.20.40.60.81.0102030405060708090100Normalized throughputAttack probes/minute nullhttpd with Bouncer filter nullhttpd restarting on attack Figure16:NormalizedthroughputforBouncerandRestartonanullhttpdWebserverunderattack.Theresultswhennullhttpdisrestartedonattackaresim-ilar:theattackercanreducethethroughputofnullhttpdbymorethan90%witharateofonly100probesperminute.TheattackraterequiredtomaketheserviceunavailableislargerfornullhttpdthanforSQLserverbecausethestartuptimefornullhttpdismorethananorderofmagnitudesmaller.TheversionofnullhttpdprotectedbyBouncerisessentiallyunaectedbyattackswiththisrate.TheattackerneedstoexpendordersofmagnitudemorebandwidthtoaectthethroughputofservicesprotectedbyBouncer.Figure17showsthatwhentheattackersendsalmost18000probespersecond,SQLserverprotectedbyBouncercanstilldeliver80%ofthethroughputachievablewithoutattacks.Figure18showsthatnullhttpdprotectedbyBouncercandeliver65%ofthenormalthroughputatanattackrateof1000probespersecond.Thethroughputde-gradesfasterfornullhttpdbecauseitcreatesanewthreadforeachrequest(includingattackprobes),whileSQLserverusesanecientthreadpoolingmechanism.9.RELATEDWORKTherehasbeenpreviousworkonautomaticgenerationoflterstoblockexploitmessages.Mostproposals[25,26,42,30,36,44,47,31,32,19]providenoguaranteesontherateoffalsepositives.Therefore,theycanmaketheprogramstopworkingevenwhenitisnotunderattack.Fromthesetech-niques,ShieldGen[19]isthemostcloselyrelatedtoBouncer.Itusesaprotocolspecicationtogeneratedierentpoten-tialexploitsfromaninitialsample,anditinstrumentstheprogramtocheckifpotentialexploitsarevalidexploits.WecouldimproveBouncer'salternativeexploitgenerationbyleveragingaprotocolspecication,butthesespecicationsdonotexistformostprograms. 0.00.20.40.60.81.020006000100001400018000Normalized throughputAttack probes/second SQL with Bouncer filter Figure17:NormalizedthroughputforSQLserverunderattack. 0.20.40.60.802004006008001000Normalized throughputAttack probes/second nullhttpd with Bouncer filter Figure18:NormalizedthroughputfornullhttpdWebserverunderattack.Vigilante[16]computesltersautomaticallyusingaformofsymbolicexecution[27]alongthepathtakenbyasampleexploit.Filtersareguaranteedtohavenofalsepositivesandtheyblockallexploitsthatcausetheprogramtofollowthesameexecutionpathuntilthevulnerabilitypoint.Crandalletal.[18]haveshownthattheselterscancatchmanyat-tackvariants.However,attackerscanbypasstheseltersbygeneratingexploitsthatfollowadierentexecutionpath.RecentworkhasexploredtechniquestogeneralizeVigi-lantelterstoblockexploitsthatfollowdierentexecutionpaths.Brumleyetal[9]proposethreelterrepresentations:Turingmachines,symbolicconstraints,andregularexpres-sions.Turingmachineltersareachoppedversionofthevulnerableprogramthatisinstrumentedtodetecttheat-tack.Programchoppingremovesinstructionsthatcannotbeexecutedfromthepointwheretheexploitmessageisre-ceivedtothevulnerabilitypoint.Turingmachinelterscanhavelowfalsenegativesandnofalsepositives,buttheirover-headishigh.Theltercanincludemostoftheinstructionsintheoriginalprogram(becausechoppingisimprecise)anditisnecessarytoinitializethestateofthelterbeforepro-cessingeachmessage.Thetechniquestogeneratesymbolicconstraintandregularexpressionltersdonotscaletorealprograms[10].Concurrentlywithourwork,Brumleyetal.[10]proposedapromisingtechniquetocomputesymbolicconstraintl-ters,whicharesimilartoBouncer'slters.Theyleveragepreviousworkoncomputingweakestpreconditions[6]tocreatethelter.Theseltershavenofalsepositivesbuttheymayhavefalsenegativesbecauseloopsareunrolledaconstantnumberoftimesbeforecomputingweakestprecon-ditions.Anotherconcernisthattheltersarelarge(evenwhenloopsareunrolledonlyonce)becausetheaddressesinmemoryaccessesaretreatedsymbolically[6].Bouncer'ssymbolicexecutiontechniqueusesconcreteaddressestore-trievethesymbolicorconcretevaluesofmemorycells.Thishastwoadvantages:itsimpliestheconditionsinthel-teranditremovesunnecessaryconditions.Additionally,weusepreconditionslicingtoremoveunecessaryconditions.ItwouldbeinterestingtocombineBouncer'stechniqueswithothertechniquestocomputeweakestpreconditions[6].Othertechniquespreventattacksbyaddingcheckstopro-gramstodetectexploits(e.g.,type-safelanguagesandtrans-parentinstrumentationforunsafeprograms[4,12,13,16,17,28,40]).Thesetechniquescanintroduceasignicantoverheadandtheydetectattackstoolatewhentheonlywaytorecovermaybetorestarttheprogram.Vulnerability-specicexecutionlters[35,46]canreducetheoverheadbyinstrumentingtheprogramtodetectexploitsofasinglevul-nerability,buttheycannotsolvethesecondproblem.Thereareseveraltechniquesthatallowprogramstokeepworkingunderattack.Failure-obliviouscomputing[39]usesCRED[40]tocheckforout-of-boundsaccessesbutdoesnotaborttheexecutionwhenacheckfails.Instead,itig-noresout-of-boundswritesanditgeneratesvaluesforout-of-boundsreads.Thisallowsprogramstokeepworkingbuttheoverheadcanbehighandprogramscanbehaveincor-rectly,forexample,theauthorshadtocarefullycraftvaluesforout-of-boundsreadstopreventinniteloopsintheirex-amples.DieHard[7]randomizesthelocationofobjectsinalargeheaptomakeitlesslikelyforout-of-boundswritestooverwriteanotherobject.Thistechniquehaslowoverheadbutitcanbeeasyforattackerstobypass.Checkpointingandrollbackrecovery[21]aregeneraltechniquestorecoverfromfaults.Theycanbeusedtorecoverwhenanattackisdetected[38,46]butrecoverycanberelativelyexpen-siveandtheysuerfromtheoutputcommitproblem[21],thatis,theycannotrollbacktheenvironmentaftersendingoutput.Sweeper[46]proposestheuseofltersoninputmessagestoreducethenumberoftimesrecoveryisneeded.10.CONCLUSIONSThispaperdescribedBouncer,asystemthatautomati-callygenerateslterstoblockexploitmessagesbeforetheyareprocessedbyavulnerableprogram.BouncerusesDFItoobtainsampleexploitsfor(potentiallyunknown)vulner-abilitiesanditgeneratesltersfromthesesamples.Bouncergeneratesltersusingacombinationoffourtechniques:sym-bolicexecutioncomputesaninitialsetoflterconditions;preconditionslicingusesacombinationofstaticanddy-namicanalysistoremoveunnecessaryconditionsfromthelter;symbolicsummariescharacterizethebehaviorofcom-monlibraryfunctionssuccinctlyasasetofconditionsontheinput;andalternativeattacksearchgeneratesnewat-tackinputguidedbysymbolicexecution.Bouncerltersdonothavefalsepositivesbydesignandourresultsshowthatitcangeneratelterswithnofalsenegativesforreal-worldvulnerabilitiesinSQLserverandstunnel.Theresultsalsoshowthattheseltersintroducelowoverheadandallowpro-gramstokeeprunningecientlyevenwhenunderattack.AcknowledgmentsWethankAngelosStavrouandLaurentViscontiforhelpwiththecode.WethankByronCook,TomBallandMadanMusuvathifordiscussionsaboutthiswork.WethankourshepherdYuanyuanZhouandtheanonymousreviewersforcommentsthathelpedtoimprovethepaper. 11.REFERENCES[1]GHttpdLog()FunctionBuerOver\rowVulnerability.http://www.securityfocus.com/bid/5960.[2]NullHTTPdRemoteHeapOver\rowVulnerability.http://www.securityfocus.com/bid/5774.[3]STunnelClientNegotiationProtocolFormatStringVulnerability.http://www.securityfocus.com/bid/3748.[4]M.Abadi,M.Budiu,U.Erlingsson,andJ.Ligatti.Control-\rowIntegrity:Principles,implementations,andapplications.InACMCCS,Nov.2005.[5]A.Aho,R.Sethi,andJ.D.Ullman.Compilers:Principles,techniques,andtools.PrenticeHall,1986.[6]M.BarnettandK.R.M.Leino.Weakest-preconditionofunstructuredprograms.InPASTE,Sept.2005.[7]E.D.BergerandB.G.Zorn.DieHard:Probabilisticmemorysafetyforunsafelanguages.InPLDI,June2006.[8]S.Bhansali,W.-K.Chen,S.deJong,A.Edwards,R.Murray,M.Drinic,D.Mihocka,andJ.Chau.Frameworkforinstruction-leveltracingandanalysisofprogramexecutuions.InVEE,June2006.[9]D.Brumley,J.Newsome,D.Song,H.Wang,andS.Jha.Towardsautomaticgenerationofvulnerabilitysignatures.InIEEESymposiumonSecurityandPrivacy,May2006.[10]D.Brumley,H.Wang,S.Jha,andD.Song.CreatingVulnerabilitySignaturesUsingWeakestPre-conditions.InComputerSecurityFoundationsSymposium,July2007.[11]C.Cadar,V.Ganesh,P.M.Pawlowski,D.L.Dill,andD.R.Engler.EXE:Automaticallygeneratinginputsofdeath.InACMCCS,2006.[12]M.Castro,M.Costa,andT.Harris.Securingsoftwarebyenforcingdata-\rowintegrity.InOSDI,Nov.2006.[13]S.Chen,J.Xu,N.Nakka,Z.Kalbarczyk,andR.K.Iyer.Defeatingmemorycorruptionattacksviapointertaintednessdetection.InDSN,July2005.[14]S.Chen,J.Xu,E.C.Sezer,P.Gauriar,andR.K.Iyer.Non-control-dataattacksarerealisticthreats.InUSENIXSecuritySymposium,July2005.[15]M.Costa.End-to-EndContainmentofInternetWormEpidemics.PhDthesis,UniversityofCambridge,Oct.2006.[16]M.Costa,J.Crowcroft,M.Castro,A.Rowstron,L.Zhou,L.Zhang,andP.Barham.Vigilante:End-to-EndContainmentofInternetWorms.InSOSP,Oct.2005.[17]C.Cowan,C.Pu,D.Maier,H.Hinton,J.Wadpole,P.Bakke,S.Beattie,A.Grier,P.Wagle,andQ.Zhang.Stackguard:Automaticdetectionandpreventionofbuer-overrunattacks.InUSENIXSecuritySymposium,Jan.1998.[18]J.R.Crandall,Z.Su,S.F.Wu,andF.T.Chong.Onderivingunknownvulnerabilitiesfromzero-daypolymorphicandmetamorphicwormexploits.InACMCCS,Nov.2005.[19]W.Cui,M.Peinado,H.J.Wang,andM.Locasto.ShieldGen:Automaticdatapatchgenerationforunknownvulnerabilitieswithinformedprobing.InIEEESymposiumonSecurityandPrivacy,May2007.[20]E.W.Dijkstra.Guardedcommands,nondeterminacyandformalderivationofprograms.CommunicationsoftheACM,Aug.1975.[21]E.N.Elnozahy,L.Alvisi,Y.-M.Wang,andD.B.Johnson.Asurveyofrollback-recoveryprotocolsinmessage-passingsystems.ACMComputingSurveys,34(3):375{408,Sept.2002.[22]P.Godefroid.CompositionalDynamicTestGeneration.InPOPL,Jan.2007.[23]P.Godefroid,N.Klarlund,andK.Sen.DART:DirectedAutomatedRandomTesting.InPLDI,2005.[24]R.JhalaandR.Majumdar.Pathslicing.InPLDI,June2005.[25]J.O.KephartandW.C.Arnold.Automaticextractionofcomputervirussignatures.InVirusBulletin,Sept.1994.[26]H.KimandB.Karp.Autograph:Towardautomated,distributedwormsignaturedetection.InUSENIXSecuritySymposium,Aug.2004.[27]J.C.King.Symbolicexecutionandprogramtesting.CommunicationsoftheACM,19(7):385{394,July1976.[28]V.Kiriansky,D.Bruening,andS.P.Amarasinghe.Secureexecutionviaprogramshepherding.InUSENIXSecuritySymposium,Aug.2002.[29]B.KorelandJ.Laski.Dynamicprogramslicing.InformationProcessingLetters,29,1988.[30]C.KreibichandJ.Crowcroft.Honeycomb-creatingintrusiondetectionsignaturesusinghoneypots.InHotNets,Nov.2003.[31]Z.LiangandR.Sekar.Automaticgenerationofbuerover\rowsignatures:Anapproachbasedonprogrambehaviormodels.InACSAC,Dec.2005.[32]Z.LiangandR.Sekar.Fastandautomatedgenerationofattacksignatures:Abasisforbuildingself-protectingservers.InACMCCS,Nov.2005.[33]Microsoft.Phoenixcompilerframework.http://research.microsoft.com/phoenix/phoenixrdk.aspx.[34]D.Moore,V.Paxson,S.Savage,C.Shannon,S.Staniford,andN.Weaver.InsidetheSlammerworm.IEEESecurityandPrivacy,1(4),July2003.[35]J.Newsome,D.Brumley,andD.Song.Vulnerability-specicexecutionlteringforexploitpreventiononcommoditysoftware.InNDSS,Feb.2006.[36]J.Newsome,B.Karp,andD.Song.Polygraph:Automaticallygeneratingsignaturesforpolymorphicworms.InIEEESymposiumonSecurityandPrivacy,May2005.[37]J.NewsomeandD.Song.Dynamictaintanalysisforautomaticdetection,analysisandsignaturegenerationofexploitsoncommoditysoftware.InNDSS,Feb.2005.[38]F.Qin,J.Tucek,J.Sundaresan,andY.Zhou.Rx:Treatingbugsasallergies-asafemethodtosurvivesoftwarefailures.InSOSP,Nov.2005.[39]M.Rinard,C.Cadar,D.Dumitran,D.M.Roy,T.Leu,andW.Beebee.Enhancingserveravailabilityandsecuritythroughfailure-obliviouscomputing.InOSDI,Dec.2004.[40]O.RuwaseandM.Lam.Apracticaldynamicbuerover\rowdetector.InNDSS,Feb.2004.[41]K.Sen,D.Marinov,andG.Agha.CUTE:AConcolicUnitTestingEngineforC.InESEC/FSE,2005.[42]S.Singh,C.Estan,G.Varghese,andS.Savage.Automatedwormngerprinting.InOSDI,Dec.2004.[43]SPEC.Specweb99benchmark.http://www.spec.org/osg/web99.[44]T.TothandC.Kruegel.Accuratebuerover\rowdetectionviaabstractpayloadexecution.InRAID,Oct.2002.[45]TPC.TPC-Conlinetransactionprocessingbenchmark.1999.http://www.tpc.org/tpcc.[46]J.Tucek,J.Newsome,S.Lu,C.Huang,S.Xanthos,D.Brumley,Y.Zhou,andD.Song.Sweeper:Alightweightend-to-endsystemfordefendingagainstfastworms.InEuroSys,Mar.2007.[47]X.Wang,C.-C.Pan,P.Liu,andS.Zhu.Sigfree:Asignature-freebuerover\rowattackblocker.InUsenixSecuritySymposium,Aug.2006.[48]W.WeimerandG.C.Necula.Findingandpreventingruntimeerrorhandlingmistakes.InOOPSLA,Oct.2004.[49]M.Weiser.Programslicing.InConferenceonSoftwareEngineering.IEEEComputerSocietyPress,1981.[50]G.Winskel.TheFormalSemanticsofProgrammingLanguages.MITPress,1993.[51]X.ZhangandR.Gupta.Costeectivedynamicprogramslicing.InPLDI,June2004.