Collaborative learning for security and repair in application communities

MIT site visit, April 10, 2007

Welcome

Why use a community?

• Increased accuracy: richer learning
• Amortized risk: learn from failure
• Shared burden: distribute tasks

Community approach
1. Monitor behavior for learning
2. Detect attacks (not just constraint violations)
3. Correlate violations to attacks
4. Enforce the properties via patches (fixes)
5. Evaluate fixes in community, deploy best ones

Two instantiations of community approach
• Constraints approach (repair violations)
• Genealogy approach (semantic whitelists)
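The five steps above, run end to end on constructed data, as an added illustration; this is not code from the presentation or the project. It models the constraints instantiation: invariants are learned from monitored normal runs (step 1), a separate attack detector reports which runs were attacks (step 2), violations are correlated with those reports so that a violated constraint alone is not treated as an attack (step 3), each correlated constraint becomes a candidate repair rule (step 4), and candidates are scored across the community by attacks prevented versus benign runs disturbed (step 5). The variable names, the two invariant shapes (constant and var <= var), the value-clamping repair and the `attack_detector` stand-in are all assumptions made for the example.

```python
"""Toy model of the community approach (added example, not the project's code).
All traces are constructed; `attack_detector` stands in for a runtime detector
such as a memory-safety monitor and is NOT a constraint check."""
from collections import namedtuple

Report = namedtuple("Report", "values attack")  # one community member's report of one run


def attack_detector(values):
    """Stand-in for the separate attack detector: a write past the buffer end (assumption)."""
    return values["len"] > values["buf_size"]


# Step 1: monitored values at one program point during normal, unattacked runs (constructed).
TRAINING = [
    Report({"len": 12, "buf_size": 64, "idx": 3}, False),
    Report({"len": 40, "buf_size": 64, "idx": 0}, False),
    Report({"len": 63, "buf_size": 64, "idx": 7}, False),
    Report({"len": 8, "buf_size": 64, "idx": 2}, False),
]

# Step 2: deployment reports, each carrying the detector's verdict (constructed).
DEPLOYED = [Report(v, attack_detector(v)) for v in [
    {"len": 100, "buf_size": 128, "idx": 4},  # benign: a larger buffer, violates buf_size == 64 only
    {"len": 200, "buf_size": 64, "idx": 5},   # attack detected
    {"len": 300, "buf_size": 128, "idx": 1},  # attack detected
    {"len": 20, "buf_size": 64, "idx": 9},    # benign, satisfies every learned constraint
]]


def learn_constraints(reports):
    """Infer constraints that hold on every training run: (var, '==', const) and (var, '<=', var)."""
    runs = [r.values for r in reports]
    names = sorted(runs[0])
    constraints = set()
    for a in names:
        seen = {r[a] for r in runs}
        if len(seen) == 1:
            constraints.add((a, "==", seen.pop()))
        for b in names:
            if a != b and all(r[a] <= r[b] for r in runs):
                constraints.add((a, "<=", b))
    return constraints


def violated(constraint, values):
    a, op, rhs = constraint
    target = rhs if op == "==" else values[rhs]
    return values[a] != target if op == "==" else values[a] > target


def correlate(constraints, reports):
    """Step 3: keep only constraints violated in every attack run and in no benign run."""
    attacks = [r for r in reports if r.attack]
    benign = [r for r in reports if not r.attack]
    return {c for c in constraints
            if attacks and all(violated(c, r.values) for r in attacks)
            and not any(violated(c, r.values) for r in benign)}


def make_patch(constraint):
    """Step 4: a repair rule that re-establishes the constraint by clamping the offending value."""
    a, op, rhs = constraint

    def patch(values):
        fixed = dict(values)
        if violated(constraint, values):
            fixed[a] = rhs if op == "==" else values[rhs]
        return fixed
    return patch


def evaluate_patches(constraints, reports):
    """Step 5: score every candidate across the community.
    score = attacks the patched run no longer triggers - benign runs whose values the patch changed.
    Returns (score, constraint) pairs, best first."""
    ranked = []
    for c in constraints:
        patch = make_patch(c)
        prevented = sum(1 for r in reports if r.attack and not attack_detector(patch(r.values)))
        benign_changed = sum(1 for r in reports if not r.attack and patch(r.values) != r.values)
        ranked.append((prevented - benign_changed, c))
    return sorted(ranked, key=lambda s: (-s[0], str(s[1])))


def select_patch(training, deployed):
    """Whole pipeline: learn, correlate, then pick the best-scoring correlated candidate."""
    learned = learn_constraints(training)
    candidates = correlate(learned, deployed)
    best = evaluate_patches(candidates, deployed)
    return best[0][1] if best else None


if __name__ == "__main__":
    for score, c in evaluate_patches(learn_constraints(TRAINING), DEPLOYED):
        print(score, c)
    print("deploy:", select_patch(TRAINING, DEPLOYED))
```

Running the block shows why steps 3 and 5 matter: `buf_size == 64` is a genuine invariant of the training runs, but it is broken by a benign run and fixing it stops no attack, so it scores -1, while `len <= buf_size` is violated in exactly the attack runs and its clamping repair scores 2 and is the one selected for deployment.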

Scope of our solution

The most important attacks in practice:
1. Execution of malicious code
  • Memory-based (constraints approach)
  • Script-based (constraints approach)
  • Executable-based (genealogy approach)
2. Denial of service (constraints approach)

Accomplishments

• New approach to detection
  – Fewer false positives than constraint violation
• Instrumentation of stripped Windows binaries
  – Variables and program points in binaries
• Technique for creating LiveShield patches
• Investigated real exploits
• Program genealogy approach and experiments

Schedule
11:30 - Welcome (Michael Ernst)
11:45 - Overview (Saman Amarasinghe)
12:15 - Lunch, discussion of approach
01:15 - Constraints Approach
  – Constraint framework (Jeff Perkins)
  – Instrumentation (Sung Kim)
  – Constraint and patch generation (Yoav Zibin)
  – Exploits and demo (Sung Kim and Yoav Zibin)
02:30 - Break
02:45 - Program Genealogy (DNA) Approach (Sam Larsen)
03:15 - Conclusion (Michael Ernst)
04:00 - Break (Lee Badger departs)
04:15 - Discussion of Red Team evaluation with IET
05:00 - IET departs