Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Shubham Tripathi; Gustavo Grieco; Sanjay Rawat

doi:10.1109/APSEC.2017.30

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Shubham Tripathi, Gustavo Grieco, Sanjay Rawat

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

Original language	English
Title of host publication	Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017
Publisher	ACM, IEEE Computer Society
Pages	239-248
Number of pages	10
Volume	2017-December
ISBN (Electronic)	9781538636817
DOIs	https://doi.org/10.1109/APSEC.2017.30
Publication status	Published - 5 Mar 2018
Event	24th Asia-Pacific Software Engineering Conference, APSEC 2017 - Nanjing, Jiangsu, China Duration: 4 Dec 2017 → 8 Dec 2017

Conference

Conference	24th Asia-Pacific Software Engineering Conference, APSEC 2017
Country	China
City	Nanjing, Jiangsu
Period	4/12/17 → 8/12/17

Keywords

core-dump
crash analysis
hardware branch tracing
information security
machine learning
operating systems security
software security engineering
vulnerability management

Access to Document

10.1109/APSEC.2017.30

Cite this

@inproceedings{07f9d70101124090aa5c8ed1c56a946c,

title = "Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump",

abstract = "An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.",

keywords = "core-dump, crash analysis, hardware branch tracing, information security, machine learning, operating systems security, software security engineering, vulnerability management",

author = "Shubham Tripathi and Gustavo Grieco and Sanjay Rawat",

year = "2018",

month = mar,

day = "5",

doi = "10.1109/APSEC.2017.30",

language = "English",

volume = "2017-December",

pages = "239--248",

booktitle = "Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017",

publisher = "ACM, IEEE Computer Society",

note = "24th Asia-Pacific Software Engineering Conference, APSEC 2017 ; Conference date: 04-12-2017 Through 08-12-2017",

}

Tripathi, S, Grieco, G & Rawat, S 2018, Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump. in Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017. vol. 2017-December, ACM, IEEE Computer Society, pp. 239-248, 24th Asia-Pacific Software Engineering Conference, APSEC 2017, Nanjing, Jiangsu, China, 4/12/17. https://doi.org/10.1109/APSEC.2017.30

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump. / Tripathi, Shubham; Grieco, Gustavo; Rawat, Sanjay.

Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017. Vol. 2017-December ACM, IEEE Computer Society, 2018. p. 239-248.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

AU - Tripathi, Shubham

AU - Grieco, Gustavo

AU - Rawat, Sanjay

PY - 2018/3/5

Y1 - 2018/3/5

N2 - An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

AB - An important component of software reliability is the assurance of certain security guarantees, such as absence of low-level bugs that may result in code exploitation, for example. A program crash is an early indicator of possible errors in the program like memory corruption, access violation or division by zero. In particular, a crash may indicate the presence of safety or security critical errors. A safety-error crash does not result in any exploitable condition, whereas a security-error crash allows an attacker to exploit a vulnerability. However, distinguishing one from the other is a non-trivial task. This exacerbates the problem in cases where we get hundreds of crashes and programmers have to make choices which crash to patch first! In this work, we present a technique to identify security critical crashes by applying machine learning on a set of features derived from core-dump files and runtime information obtained from hardware assisted monitoring such as the last branch record (LBR) register. We implement the proposed technique in a prototype called Exniffer. Our empirical results, obtained by experimenting Exniffer on several crashes on real-world applications show that proposed technique is able to classify a given crash as exploitable or not-exploitable with high accuracy.

KW - core-dump

KW - crash analysis

KW - hardware branch tracing

KW - information security

KW - machine learning

KW - operating systems security

KW - software security engineering

KW - vulnerability management

UR - http://www.scopus.com/inward/record.url?scp=85045885950&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85045885950&partnerID=8YFLogxK

U2 - 10.1109/APSEC.2017.30

DO - 10.1109/APSEC.2017.30

M3 - Conference contribution

AN - SCOPUS:85045885950

VL - 2017-December

SP - 239

EP - 248

BT - Proceedings - 24th Asia-Pacific Software Engineering Conference, APSEC 2017

PB - ACM, IEEE Computer Society

T2 - 24th Asia-Pacific Software Engineering Conference, APSEC 2017

Y2 - 4 December 2017 through 8 December 2017

ER -

Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this