Return Value Predictability Profiles for Self–healing

  • Conference paper
Advances in Information and Computer Security (IWSEC 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5312)


Abstract

Current embryonic attempts at software self–healing produce mechanisms that are often oblivious to the semantics of the code they supervise. We believe that, in order to help inform runtime repair strategies, such systems require a more detailed analysis of dynamic application behavior. We describe how to profile an application by analyzing all function calls (including library and system) made by a process. We create predictability profiles of the return values of those function calls. Self–healing mechanisms that rely on a transactional approach to repair (that is, rolling back execution to a known safe point in control flow or slicing off the current function sequence) can benefit from these return value predictability profiles. Profiles built for the applications we tested can predict behavior with 97% accuracy given a context window of 15 functions. We also present a survey of the distribution of actual return values for real software as well as a novel way of visualizing both the macro and micro structure of the return value distributions. Our system helps demonstrate the feasibility of combining binary–level behavior profiling with self–healing repairs.
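
The sketch below is an added illustration, not code from the paper or its authors. It shows one way to build a return value predictability profile keyed on a context window of preceding function names, and how a wider window changes prediction accuracy. The frequency-count model, the trace format, and all function names and sample traces are assumptions constructed for this example.

```python
from collections import Counter, defaultdict

def contexts(trace, window):
    """Yield (context, return_value) for each call in the trace.
    The context is the names of up to `window` preceding calls plus the
    call itself (an assumed definition of "context window")."""
    names = [name for name, _ in trace]
    for i, (_, ret) in enumerate(trace):
        yield tuple(names[max(0, i - window):i + 1]), ret

def build_profile(trace, window):
    """Count how often each return value was observed in each context."""
    profile = defaultdict(Counter)
    for ctx, ret in contexts(trace, window):
        profile[ctx][ret] += 1
    return profile

def predict(profile, ctx):
    """Return (most frequent value, its share), or (None, 0.0) if the
    context was never observed during profiling."""
    seen = profile.get(ctx)
    if not seen:
        return None, 0.0
    value, count = seen.most_common(1)[0]
    return value, count / sum(seen.values())

def accuracy(profile, trace, window):
    """Fraction of calls whose observed return value matches the prediction.
    Unseen contexts count as misses."""
    hits = sum(predict(profile, ctx)[0] == ret
               for ctx, ret in contexts(trace, window))
    return hits / len(trace)

# Constructed traces of (function name, return value) events.
OK = [("open", 3), ("read", 64), ("close", 0)]
EOF = [("open", 3), ("lseek", 0), ("read", 0), ("close", 0)]
TRAIN = OK * 3 + EOF * 2
TEST = OK + EOF + OK

def demo():
    """Accuracy on TEST for window sizes 0 and 1."""
    return {w: accuracy(build_profile(TRAIN, w), TEST, w) for w in (0, 1)}

if __name__ == "__main__":
    print(demo())
```

With no context, read() is ambiguous in these traces; one preceding function name is enough to disambiguate it. A repair mechanism that slices off a function could consult predict() for a forced return value and decline when the context is unseen or the share is low.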




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Locasto, M.E., Stavrou, A., Cretu, G.F., Keromytis, A.D., Stolfo, S.J. (2008). Return Value Predictability Profiles for Self–healing. In: Matsuura, K., Fujisaki, E. (eds) Advances in Information and Computer Security. IWSEC 2008. Lecture Notes in Computer Science, vol 5312. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89598-5_10


  • DOI: https://doi.org/10.1007/978-3-540-89598-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89597-8

  • Online ISBN: 978-3-540-89598-5

  • eBook Packages: Computer Science, Computer Science (R0)
