Originally published on ieee.org
014 Tenth European Dependable Computing Conference, Newcastle, United Kingdom, May 13-16, 2014
Author:
Anh Nguyen-Tuong, Jason Hiser, Michele Co, Nathan Kennedy, David Melski, William Ella, David Hyde, Jack W. Davidson and John C. Knight
Abstract:
We introduce Software DNA Shotgun Sequencing (S3), a novel, biologically-inspired approach to combat OS Injection Attacks, the #2 most dangerous software error as identified by MITRE. To thwart such attacks, researchers have advocated various forms of taint-tracking techniques. Despite promising results, e.g., few missed attacks and few false alarms, taint-tracking has not seen widespread adoption. Impediments to adoption include high overhead and difficulty of deployment. S3 is based on a novel technique: positive taint inference which dynamically reassembles string fragments from a binary to infer blessed, i.e. trusted, parts of an OS command. S3 incurs negligible performance overhead and is easy to deploy as it operates directly on binary programs.