A comprehensive cyber attack defense should include (1) an attack detection component that can determine if a network application has been compromised and prevent the attack from further spreading, (2) an attack identification component that can identify the corresponding attack packets and generate the associated attack signatures so as to prevent such attacks from taking place in the future, and (3) an attack repair component that can restore the compromised application's state to that before the attack and allow it to continue normally, and if possible permanently eliminate the vulnerability being exploited. This project aims to build a program transformation system called DIRA that can automatically embed into network applications a comprehensive cyber defense against control-hijacking attacks, which allow remote attackers to hijack a remote program and eventually its underlying system. Control-hijacking attacks have been used as building blocks for many recent Internet worms, and include such attacks as buffer overflow, integer overflow and format string attacks. Given a network application's source or binary code, DIRA can convert it in such a way that the resulting program can automatically detect any incoming control-hijacking attack, repair the memory damage left by the attack, derive the corresponding attack signature and inform the front-end firewall accordingly, and create a permanent patch that seals the security hole being exploited, all without requiring any modifications to the operating system or hardware. To extend these security-enhancing program transformation techniques to commercially distributed Win32/X86 binaries, the DIRA project will develop a novel binary analysis and instrumentation infrastructure using a combination of static and dynamic disassembling.
CT: Automatic Generation of High-Quality Attack Signatures and Patches