Automatic data patch generation for unknown vulnerabilities

US 8,613,096 B2
Filed: 11/30/2007
Issued: 12/17/2013
Est. Priority Date: 11/30/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one processing device; and

at least one computer-readable storage medium storing instructions which, when executed by the at least one processing device, cause the at least one processing device to;

analyze a data stream having an associated data format, the data stream comprising an attack,generate multiple probes having multiple different values for multiple different data fields of the data format of the data stream,test for a vulnerability to the attack using the multiple probes, andgenerate an attack predicate for the vulnerability, the attack predicate comprising a conjunction of multiple conditions on the multiple data fields of the data stream, the attack predicate being generated by;

relaxing a first condition of the multiple conditions, andrelaxing a second condition of the multiple conditions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, constructs probes and determines whether the probes take advantage of vulnerabilities. Based at least in part on such determinations data patches are dynamically generated to remedy the hitherto vulnerabilities.

37 Citations

View as Search Results

23 Claims

1. A system comprising:
- at least one processing device; and
  
  at least one computer-readable storage medium storing instructions which, when executed by the at least one processing device, cause the at least one processing device to;
  
  analyze a data stream having an associated data format, the data stream comprising an attack,generate multiple probes having multiple different values for multiple different data fields of the data format of the data stream,test for a vulnerability to the attack using the multiple probes, andgenerate an attack predicate for the vulnerability, the attack predicate comprising a conjunction of multiple conditions on the multiple data fields of the data stream, the attack predicate being generated by;
  
  relaxing a first condition of the multiple conditions, andrelaxing a second condition of the multiple conditions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the first condition identifies a first specific value of the attack for the first data field and the second condition identifies a second specific value of the attack for the second data field.
  - 3. The system of claim 2, wherein the relaxed first condition identifies additional first values other than the first specific value and the relaxed second condition identifies additional second values other than the second specific value.
  - 4. The system of claim 3, wherein the instructions further cause the at least one processing device to:
    - generate a predicate-based data patch using the attack predicate.
  - 5. The system of claim 4, wherein the predicate-based data patch is configured to be utilized as a data filter in a network security device or a filtering application.
  - 6. The system of claim 1, wherein the instructions further cause the at least one processing device to:
    - identify a violation of a format constraint associated with the data format of the data stream;
      
      based on the violation of the format constraint, generate an individual probe that satisfies the format constraint; and
      
      determine whether the individual probe that satisfies the format constraint exploits the vulnerability.
  - 7. The system of claim 1, wherein the multiple probes are configured to uncover a new potential attack variant that is identified by the attack predicate.
  - 8. The system of claim 1, wherein the data stream is obtained or received from a crash dump or a honeyfarm.
  - 9. The system of claim 1, wherein the instructions further cause the at least one processing device to:
    - remove a third condition on a third data field of the data format.
  - 10. The system of claim 1, wherein the data format is specified using a domain-specific language.
  - 11. The system of claim 1, wherein the instructions further cause the at least one processing device to:
    - enforce dependency constraints across the multiple different data fields to prevent construction of invalid probes.
  - 12. The system of claim 1, wherein the instructions further cause the at least one processing device to:
    - employ dynamic dataflow analysis to generate the multiple probes.
  - 13. The system of claim 1, wherein:
    - the relaxing the first condition comprises obtaining a first relaxed condition on a first data field of the data stream, andthe relaxing the second condition comprises obtaining a second relaxed condition on a second data field of the data stream.

14. A method performed by at least one computer processing device, the method comprising:
- detecting an exploit received from a data stream having an associated data format identifying multiple data fields of the data stream;
  
  creating multiple different probes based on the exploit by;
  
  using one or more of the multiple different probes to identify an individual field of the format that does not affect the exploit, andeliminating an individual condition on the individual field of the format that does not affect the exploit when generating additional probes of the multiple different probes;
  
  ascertaining whether the multiple different probes make evident at least one vulnerability; and
  
  automatically generating a data patch for the at least one vulnerability.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, wherein the one or more of the multiple different probes comprise multiple different values of the individual field of the format that does not affect the exploit.
  - 16. The method of claim 14, further comprising:
    - generating an attack predicate comprising a conjunction of multiple conditions on the multiple data fields of the data stream, the multiple conditions excluding the individual condition on the individual field of the format that does not affect the exploit.
  - 17. The method of claim 16, wherein creating the multiple different probes comprises:
    - relaxing a first condition on the individual field of the format, andrelaxing a second condition on another individual field of the format.
  - 18. The method of claim 17, wherein the relaxing comprises trying all possible values of the individual field, and determining that the individual field does not affect the exploit when the exploit occurs for all of the possible values of the individual field.
  - 19. The method of claim 14, wherein the generating the additional probes comprises varying other fields of the format without varying values of the individual field of the format that does not affect the exploit.

20. A computer-readable storage device storing instructions executable by a processing device that, when executed by the processing device, cause the processing device to perform operations comprising:
- creating multiple different probes based on a received attack message that exploits at least one vulnerability, the received attack message having an associated protocol with multiple different protocol states;
  
  using the multiple different probes to identify a first protocol state in which the attack message is not sent and a second protocol state in which the attack message is sent; and
  
  dynamically creating a data patch to cure the at least one vulnerability, wherein the data patch;
  
  identifies the second protocol state in which the attack message is sent, andhas an attack predicate that includes conditions on fields of the attack message that is sent in the second protocol state and excludes conditions on other fields of one or more other messages that are sent in the first protocol state.
- View Dependent Claims (21, 22, 23)
- - 21. The computer-readable storage device of claim 20, wherein the second protocol state corresponds to a last message in a message sequence of the protocol and the first protocol state corresponds to one or more other messages of the protocol other than the last message.
  - 22. The computer-readable storage device of claim 20, wherein the data patch protects against multiple different sequences of messages that provide the attack message in the second protocol state.
  - 23. The computer-readable storage device of claim 20, the operations comprising:
    - using a protocol state machine to determine when the protocol is in the first protocol state and when the protocol is in the second protocol state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Peinado, Marcus, Cui, Weidong, Wang, Jiahe Helen, Locasto, Michael E.
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US11/948,681
Publication Number

US 20090144827A1
Time in Patent Office

2,209 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Automatic data patch generation for unknown vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic data patch generation for unknown vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links