Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Shubham Tripathi; Gustavo Grieco; Sanjay Rawat

doi:10.1109/APSEC.2017.30

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Shubham Tripathi, Gustavo Grieco, Sanjay Rawat

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

Original language	English
Title of host publication	Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017
Publisher	ACM, IEEE Computer Society
Pages	239-248
Number of pages	10
Volume	2017-December
ISBN (Electronic)	9781538636817
DOIs	https://doi.org/10.1109/APSEC.2017.30
Publication status	Published - 5 Mar 2018
Event	24th Asia-Pacific Software Engineering Conference, APSEC 2017 - Nanjing, Jiangsu, China Duration: 4 Dec 2017 → 8 Dec 2017

Conference

Conference	24th Asia-Pacific Software Engineering Conference, APSEC 2017
Country/Territory	China
City	Nanjing, Jiangsu
Period	4/12/17 → 8/12/17

Funding

We would like to thank the anonymous reviewers for their comments. This work was partially supported (for one author) by the Netherlands Organisation for Scientific Research through grant NWO 639.023.309 VICI (Dowsing).

Funders	Funder number
Nederlandse Organisatie voor Wetenschappelijk Onderzoek	NWO 639.023.309 VICI

Keywords

core-dump
crash analysis
hardware branch tracing
information security
machine learning
operating systems security
software security engineering
vulnerability management

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/APSEC.2017.30

Persistent URL (handle)

Persistent link

Cite this

@inproceedings{07f9d70101124090aa5c8ed1c56a946c,

title = "Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump",

abstract = "An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.",

keywords = "core-dump, crash analysis, hardware branch tracing, information security, machine learning, operating systems security, software security engineering, vulnerability management",

author = "Shubham Tripathi and Gustavo Grieco and Sanjay Rawat",

year = "2018",

month = mar,

day = "5",

doi = "10.1109/APSEC.2017.30",

language = "English",

volume = "2017-December",

pages = "239--248",

booktitle = "Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017",

publisher = "ACM, IEEE Computer Society",

note = "24th Asia-Pacific Software Engineering Conference, APSEC 2017 ; Conference date: 04-12-2017 Through 08-12-2017",

}

Tripathi, S, Grieco, G & Rawat, S 2018, Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump. in Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017. vol. 2017-December, ACM, IEEE Computer Society, pp. 239-248, 24th Asia-Pacific Software Engineering Conference, APSEC 2017, Nanjing, Jiangsu, China, 4/12/17. https://doi.org/10.1109/APSEC.2017.30

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump. / Tripathi, Shubham; Grieco, Gustavo; Rawat, Sanjay.
Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017. Vol. 2017-December ACM, IEEE Computer Society, 2018. p. 239-248.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

AU - Tripathi, Shubham

AU - Grieco, Gustavo

AU - Rawat, Sanjay

PY - 2018/3/5

Y1 - 2018/3/5

N2 - An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

AB - An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

KW - core-dump

KW - crash analysis

KW - hardware branch tracing

KW - information security

KW - machine learning

KW - operating systems security

KW - software security engineering

KW - vulnerability management

UR - http://www.scopus.com/inward/record.url?scp=85045885950&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85045885950&partnerID=8YFLogxK

U2 - 10.1109/APSEC.2017.30

DO - 10.1109/APSEC.2017.30

M3 - Conference contribution

AN - SCOPUS:85045885950

VL - 2017-December

SP - 239

EP - 248

BT - Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017

PB - ACM, IEEE Computer Society

T2 - 24th Asia-Pacific Software Engineering Conference, APSEC 2017

Y2 - 4 December 2017 through 8 December 2017

ER -

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Abstract

Conference

Funding

Keywords

UN SDGs

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this