{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:59:51Z","timestamp":1750309191675,"version":"3.41.0"},"reference-count":63,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2008,12,1]],"date-time":"2008-12-01T00:00:00Z","timestamp":1228089600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000180","name":"U.S. Department of Homeland Security","doi-asserted-by":"publisher","award":["I3P\/DHS 5-36423.5780"],"award-info":[{"award-number":["I3P\/DHS 5-36423.5780"]}],"id":[{"id":"10.13039\/100000180","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["433540","326472"],"award-info":[{"award-number":["433540","326472"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Cyber Trust program of the National Science Foundation","award":["CNS-0716292"],"award-info":[{"award-number":["CNS-0716292"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,12]]},"abstract":"<jats:p>\n            In biology, a\n            <jats:italic>vaccine<\/jats:italic>\n            is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a\n            <jats:italic>packet vaccine<\/jats:italic>\n            mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection and signature generation. 
An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program\u2019s process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects exploits and generates signatures in a black-box fashion, that is, not relying on the knowledge of a vulnerable program\u2019s source and binary code. Therefore, it even works on the commodity software obfuscated for the purpose of copyright protection. In addition, since our approach avoids the expense of tracking the program\u2019s execution flow, it performs almost as fast as a normal run of the program and is capable of generating a signature of high quality within seconds or even subseconds. We present the design of the packet vaccine mechanism and an example of its application. 
We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.\n          <\/jats:p>","DOI":"10.1145\/1455518.1455523","type":"journal-article","created":{"date-parts":[[2008,12,17]],"date-time":"2008-12-17T13:25:20Z","timestamp":1229520320000},"page":"1-35","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Fast and Black-box Exploit Detection and Signature Generation for Commodity Software"],"prefix":"10.1145","volume":"12","author":[{"given":"Xiaofeng","family":"Wang","sequence":"first","affiliation":[{"name":"Indiana University"}]},{"given":"Zhuowei","family":"Li","sequence":"additional","affiliation":[{"name":"Indiana University"}]},{"given":"Jong Youl","family":"Choi","sequence":"additional","affiliation":[{"name":"Indiana University"}]},{"given":"Jun","family":"Xu","sequence":"additional","affiliation":[{"name":"Google Inc. and North Carolina State University"}]},{"given":"Michael K.","family":"Reiter","sequence":"additional","affiliation":[{"name":"University of North Carolina at Chapel Hill"}]},{"given":"Chongkyung","family":"Kil","sequence":"additional","affiliation":[{"name":"North Carolina State University"}]}],"member":"320","published-online":{"date-parts":[[2008,12]]},"reference":[{"volume-title":"Proceedings of the USENIX Security Symposium (SECURITY\u201905)","author":"Anagnostakis K. G.","key":"e_1_2_1_1_1"},{"key":"e_1_2_1_2_1","unstructured":"Associated Press. 2006. Microsoft warns against outside fixes. http:\/\/biz.yahoo.com\/ap\/060331\/microsoft_s_security_snags.html?.v=4."},{"key":"e_1_2_1_3_1","unstructured":"Ballista. 2006. The Ballista@ Project: COTS Software Robustness Testing. http:\/\/www.ece.cmu.edu\/~koopman\/ballista\/."},{"key":"e_1_2_1_4_1","unstructured":"Barton J. H. Czeck E. W. Segall Z. Z. and Siewiorek D. P. 1990. Fault injection."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.41"},{"volume-title":"CRASHME: Random input testing","year":"2006","author":"Carrette G. J.","key":"e_1_2_1_6_1"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095824"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2004.26"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102152"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/11506881_3"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.34"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/11506881_13"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/1060289.1060309"},{"key":"e_1_2_1_14_1","unstructured":"HoneyNet. 2006. http:\/\/www.honeynet.org\/."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/12.364536"},{"volume-title":"Proceedings of 13th USENIX Security Symposium (SECURITY\u201904)","author":"Kim H.-A.","key":"e_1_2_1_16_1"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/972374.972384"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_11"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.12"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102150"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX\u201905)","year":"2005","author":"Liang Z.","key":"e_1_2_1_21_1"},{"volume-title":"Proceedings of the 13th Annual Network and Distributed Systems Security Symposium (NDSS\u201906)","author":"Locasto M. E.","key":"e_1_2_1_22_1"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_5"},{"volume-title":"Thor: A tool to test intrusion detection systems by variations of attacks. Master thesis, ETH Zurich.","year":"2002","author":"Marty R.","key":"e_1_2_1_24_1"},{"key":"e_1_2_1_25_1","unstructured":"MemView. 2006. http:\/\/www2.biglobe.ne.jp\/ sota\/memview-e.html."},{"key":"e_1_2_1_26_1","unstructured":"Microsoft. 2007. Microsoft debugging tools: Overview. http:\/\/www.microsoft.com\/whdc\/devtools\/debugging\/default.mspx."},{"key":"e_1_2_1_27_1","doi-asserted-by":"crossref","unstructured":"Mockapetris P. 1987. DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION. RFC 3425. http:\/\/www.ietf.org\/rfc\/rfc1035.txt.","DOI":"10.17487\/rfc1035"},{"key":"e_1_2_1_28_1","unstructured":"Musa J. Fuoco G. Irving N. Juhlin B. and Kropfl D. 1996. Handbook of Software Reliability Engineering. McGraw-Hill New York 167--216."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2003.1212692"},{"volume-title":"Proceedings of the 13th Annual Network and Distributed Systems Security Symposium (NDSS\u201905)","author":"Newsome J.","key":"e_1_2_1_30_1"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.15"},{"volume-title":"Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS\u201905)","author":"Newsome J.","key":"e_1_2_1_32_1"},{"volume-title":"Proceedings of the IEEE\/IFIP Network Operation and Management Symposium (NOMS\u201904)","author":"Pasupulati A.","key":"e_1_2_1_33_1"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.26"},{"key":"e_1_2_1_35_1","unstructured":"Portokalidis G. and Bos H. 2005. SweetBait: Zero-hour worm detection and containment using honeypots. Tech. rep. IR-CS-015 Vrije Universiteit Amsterdam."},{"volume-title":"Proceedings of the Annual Hawaii International Conference on System Sciences (HICSS\u201903)","author":"Reynolds J. C.","key":"e_1_2_1_36_1"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1103626.1103638"},{"key":"e_1_2_1_38_1","unstructured":"SecurityFocus. 2006. http:\/\/www.securityfocus.com."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030124"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.59"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX\u201905)","author":"Sidiroglou S.","key":"e_1_2_1_41_1"},{"volume-title":"Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201904)","author":"Singh S.","key":"e_1_2_1_42_1"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/956415.956438"},{"volume-title":"Proceedings of USENIX Annual Technical Conference, General Track (USENIX\u201904)","author":"Srinivasan S. M.","key":"e_1_2_1_44_1"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/1024393.1024404"},{"volume-title":"Proceedings of the Annual IEEE Conference on Computer Communications (INFOCOM\u201905)","author":"Tang Y.","key":"e_1_2_1_46_1"},{"key":"e_1_2_1_47_1","unstructured":"Telescope. 2006. http:\/\/www.caida.org\/analysis\/security\/telescope\/."},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201902)","author":"Toth T.","key":"e_1_2_1_48_1"},{"volume-title":"Proceedings of the 8th International Conference on Modelling Techniques and Tools for Computer Performance Evaluation (MMB\u201995)","author":"Tsai T. K.","key":"e_1_2_1_49_1"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/1272998.1273010"},{"key":"e_1_2_1_51_1","unstructured":"US-CERT. Microsoft windows metafile handler setabortproc gdi escape vulnerability. http:\/\/www.kb.cert.org\/vuls\/id\/181038."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/10958513_1"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030088"},{"key":"e_1_2_1_54_1","unstructured":"Vulnerabilities 2006. http:\/\/www.securityfocus.com\/vulnerabilities."},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/1015467.1015489"},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201904)","author":"Wang K.","key":"e_1_2_1_56_1"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180412"},{"volume-title":"Proceedings of the 15th Conference on USENIX Security Symposium (SECURITY\u201906)","author":"Wang X.","key":"e_1_2_1_58_1"},{"key":"e_1_2_1_59_1","unstructured":"Wasson S. 2004. The NX bit. http:\/\/techreport.com\/reviews\/2004q4\/pentium4-570j\/index.x?pg=1."},{"volume-title":"Proceedings of the 12th Network and Distributed System Security Symposium (NDSS). 
181--195","year":"2005","author":"Whyte D.","key":"e_1_2_1_60_1"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102151"},{"volume-title":"Proceedings of USENIX Security Symposium (SECURITY\u201905)","author":"Yegneswaran V.","key":"e_1_2_1_62_1"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/PADS.2005.24"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1455523","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1455518.1455523","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:54:18Z","timestamp":1750287258000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1455523"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,12]]},"references-count":63,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2008,12]]}},"alternative-id":["10.1145\/1455518.1455523"],"URL":"https:\/\/doi.org\/10.1145\/1455518.1455523","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2008,12]]},"assertion":[{"value":"2007-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2007-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-12-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}