A system protects software by detecting and patching errors.
Source: “Automatically Patching Errors in Deployed Software”
Jeff H. Perkins et al.
ACM Symposium on Operating Systems Principles, October 11-14, 2009, Big Sky, MT
Results: Software called ClearView automatically detected seven different types of attacks on the Internet browser Firefox and corrected the errors that the attacks exploited, all while the browser was running. It also ensured that the corrections didn’t lead to other errors.
Why it matters: Security is a race between attackers and defenders. The researchers found that it takes nearly a month after an attack, on average, for human defenders to create a patch and get it in place. ClearView solves the problem within minutes, and the researchers say it could be optimized to work even faster.
Methods: The researchers programmed ClearView to monitor Firefox during operation and assemble a list of rules that describe the ordinary behavior of the program’s compiled binary code, the machine instructions that actually execute the program’s source code. ClearView then monitors the program for errors, such as an attempt by the browser to access a block of memory beyond what has been allocated to it by the operating system. When it finds an error, ClearView identifies which rule has been violated and then generates sets of instructions that force the browser to follow that rule. For example, if an error occurs because a URL entered into the browser is too long, a patch might check the length of URLs and chop off everything over the allowed length. The system uses statistical analysis to gauge which patches are most likely to work and then installs those patches to test their effectiveness. If additional rules are violated after one patch is installed, it rejects that solution and tries another.
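The workflow described above as an added toy model (constructed example, not ClearView's code): it learns "x <= c" and "a == b" rules from constructed traces of a URL-copy routine, flags an oversized input, and keeps the truncating patch while rejecting a candidate that enforces one rule but breaks another. The statistical ranking ClearView applies to candidate patches is simplified here to a first-pass check.

```python
# Constructed toy of the ClearView workflow (not the paper's code): learn rules
# from normal runs, detect a violation, accept only a patch that breaks no rule.

NORMAL_RUNS = [  # constructed traces of a URL-copy routine under benign input
    {"url_len": 10, "copied": 10, "buf_cap": 128},
    {"url_len": 40, "copied": 40, "buf_cap": 128},
    {"url_len": 100, "copied": 100, "buf_cap": 128},
]
ATTACK = {"url_len": 300, "copied": 300, "buf_cap": 128}  # oversized input

def learn_invariants(runs):
    """Daikon-style inference: 'v <= max seen' for each variable and
    'a == b' for each pair that was equal in every recorded run."""
    names = sorted(runs[0])
    upper = {n: max(r[n] for r in runs) for n in names}
    equal = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
             if all(r[a] == r[b] for r in runs)]
    return {"upper": upper, "equal": equal}

def violations(invs, state):
    """Learned rules that the given program state breaks."""
    bad = [f"{n} <= {c}" for n, c in invs["upper"].items() if state[n] > c]
    bad += [f"{a} == {b}" for a, b in invs["equal"] if state[a] != state[b]]
    return bad

def clamp_copied(state, invs):
    """Candidate 1: cap only the byte count, leaving the input untouched."""
    state["copied"] = min(state["copied"], invs["upper"]["copied"])
    return state

def truncate_url(state, invs):
    """Candidate 2: chop the input to the learned limit and redo the copy."""
    state["url_len"] = min(state["url_len"], invs["upper"]["url_len"])
    state["copied"] = state["url_len"]
    return state

CANDIDATES = [("clamp_copied", clamp_copied), ("truncate_url", truncate_url)]
def select_patch(invs, state, candidates=CANDIDATES):
    """Return the first candidate after which no learned rule is violated
    (ClearView ranks candidates statistically; this toy scans in order)."""
    for name, patch in candidates:
        fixed = patch(dict(state), invs)  # patch a copy, keep the original
        if not violations(invs, fixed):
            return name, fixed
    return None, state

if __name__ == "__main__":
    invs = learn_invariants(NORMAL_RUNS)
    print(violations(invs, ATTACK), "->", select_patch(invs, ATTACK)[0])
```

The first candidate enforces the violated "copied <= 100" rule but leaves "url_len" oversized, so the learned "copied == url_len" rule now fails and the candidate is rejected, mirroring the paper's rule-violation check after a patch is installed.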
Next steps: ClearView has been applied to errors that allow code injection attacks (those caused when an attacker introduces bits of malicious code into a program). The researchers are working on expanding the system to patch other kinds of errors.