Create an Account
username: password:
 
  MemeStreams Logo

Automatic Patch-Based Exploit Generation

search

possibly noteworthy
Picture of possibly noteworthy
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

possibly noteworthy's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
  Humor
Current Events
  War on Terrorism
Recreation
Local Information
  Food
Science
Society
  International Relations
  Politics and Law
   Intellectual Property
  Military
Sports
Technology
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!


 
Automatic Patch-Based Exploit Generation
Topic: Technology 5:06 pm EDT, Apr 18, 2008

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.

In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned.

Automatic Patch-Based Exploit Generation



 
 
Powered By Industrial Memetics
RSS2.0