Microsoft Switzerland Security Blog

Security information brought to you by the Swiss Security Team.

Automatic Patch-Based Exploit Generation

Paper Abstract:
In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.

In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned.
  
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html

Urs

Comments
  • The length of time between the development of security patches and the development of exploits targeting
