Abstract
In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection, vulnerability diagnosis and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program, in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects and filters exploits in a black-box fashion, i.e., avoiding the expense of tracking the program's execution flow. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.
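The randomization step described above, as an added sketch that is not the authors' implementation: it scans a payload for 4-byte little-endian words that fall in assumed address ranges and replaces each with a random non-address value. The ranges, the function names and the sample packet are assumptions made for illustration.

```python
import random
import struct

# Assumed ranges for a 32-bit Linux process (illustrative, not from the paper).
ADDRESS_RANGES = [
    (0xBF000000, 0xC0000000),  # stack
    (0x08048000, 0x0A000000),  # program image and heap
]

def looks_like_address(value):
    """True if a 32-bit value falls inside one of the assumed ranges."""
    return any(lo <= value < hi for lo, hi in ADDRESS_RANGES)

def make_vaccine(payload, rng):
    """Return (vaccine, offsets): a copy of payload in which every
    address-like word is scrambled, plus the offsets that were changed."""
    out = bytearray(payload)
    offsets = []
    i = 0
    # Check every byte offset: alignment inside a payload is unknown.
    while i + 4 <= len(out):
        (word,) = struct.unpack_from("<I", out, i)
        if not looks_like_address(word):
            i += 1
            continue
        # Draw a replacement that is outside all assumed ranges, so a
        # hijacked control transfer is likely to fault instead of landing.
        new = rng.getrandbits(32)
        while looks_like_address(new):
            new = rng.getrandbits(32)
        struct.pack_into("<I", out, i, new)
        offsets.append(i)
        i += 4  # do not rescan the bytes just written
    return bytes(out), offsets

# Constructed sample: a request whose filler is followed by two copies
# of a stack-like value, the shape of a return-address overwrite.
SAMPLE = (b"GET /" + b"A" * 20 + struct.pack("<I", 0xBFFFF4A0) * 2
          + b" HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    vaccine, changed = make_vaccine(SAMPLE, random.Random())
    print("scrambled offsets:", changed)
    print(vaccine)
```

The returned offsets mark which payload positions held address-like values, which is the starting point for probing the program with further vaccines.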