CloudER: a framework for automatic software vulnerability location and patching in the cloud

Ping Chen, Dongyan Xu, Bing Mao
DOI: 10.1145/2414456.2414485
Published: 2012-05-02
Venue: ACM Asia Conference on Computer and Communications Security (ASIACCS). The page's journal field files the paper under the 2022 proceedings, but the DOI and the 2012 publication date place it in the ASIACCS 2012 proceedings.
Indexed via: Semantic Scholar
Citations: 3

Abstract

CloudER: a framework for automatic software vulnerability location and patching in the cloud
In a virtualization-based cloud infrastructure, customers of the cloud deploy virtual machines (VMs) with their own applications and customized runtime environments. The cloud provider supports the execution of these VMs without detailed knowledge of the guest applications and operating systems in the VMs. In addition to elastic resource provisioning for the VMs, a desirable "value-added" service the cloud provider can provide is the emergency response to runtime incidents of software bugs and vulnerabilities. The challenge is to facilitate the automatic runtime detection, location, and patching of the software vulnerability -- outside the VMs and without the source code. In this paper, we present CloudER, a cloud "emergency room" architecture that automatically detects, locates, and patches software vulnerabilities in cloud application binaries at runtime. CloudER leverages an existing taint-based system (Demand Emulation) for runtime anomaly detection, employs new algorithms for software vulnerability location and patch generation, and adapts a virtual machine introspection system (XenAccess) for dynamic patching. Our preliminary evaluation experiments with a number of real-world server applications show that CloudER achieves timely response to runtime software faults or attacks from outside the VMs.

The main contributions of this paper are highlighted as follows: (1) CloudER is an integrated architecture that improves the runtime reliability of cloud applications. It covers the full life cycle of exploit detection, culprit instruction location, patch generation and application, and execution state recording and reset -- all performed from outside the protected VM and without the source code of the applications. (2) While leveraging existing techniques for taint-based exploit detection, CloudER involves new methods for culprit instruction location and binary patch generation. The methods cover some of the most common types of software vulnerabilities and the patches generated are of small size (tens of bytes). (3) CloudER incurs reasonable performance overhead on the application in comparison with running the application in an unprotected VM. The interruption to the production VM's execution (for culprit instruction location and patch generation) is less than half a minute in our experiments with real-world applications.
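The abstract names three stages that happen outside the VM: taint-based exploit detection, culprit instruction location, and a small binary patch applied at runtime. The following Python is an added illustration of how those first two stages fit together on a toy machine; it is not CloudER's code, and the paper's own location and patch-generation algorithms are not reproduced. Everything below is an assumption made for the example: a word-addressed register machine, the register names, the memory layout (a 4-word stack buffer at 100..103 with the saved return address at 104, input received at 200), the constructed attack payload, and the "patch", which is modelled as a bounds check on the culprit store rather than as the tens-of-bytes binary patch the abstract describes. The detection rule is the classic taint policy (data derived from untrusted input must never become a control-flow target); the culprit is located by stamping each tainted memory word with the pc of the instruction that last wrote it, so the store that overwrote the return address is identified directly when the tainted `ret` fires.

```python
"""Toy taint tracker: detect a tainted return address, name the store that
put it there, then show a guard at that store stopping the same input.
Added illustration, not CloudER's code; machine model, layout, payload and
the guard-style patch are all assumptions made for this example."""
from typing import Optional, Tuple

Taint = Optional[Tuple[str, int]]   # (untrusted source, pc of last writer) or None

BUF_LO, BUF_HI = 100, 104           # assumed 4-word stack buffer
RET_SLOT = 104                      # saved return address sits right above it
INPUT_AREA = 200                    # where the "socket" data is received
STACK_PTR = RET_SLOT
INITIAL_MEM = {RET_SLOT: 999}       # 999 = legitimate return target
ATTACK_PAYLOAD = [0x41] * 4 + [0xBAD]   # constructed: 4 words fill the buffer,
                                        # the 5th lands on the return address

def build_program(payload):
    """Unbounded copy loop (think strcpy) from INPUT_AREA into the buffer."""
    return [
        ("input", INPUT_AREA, list(payload), "socket"),  # 0: recv() into memory
        ("movi", "i", 0),                                # 1
        ("movi", "n", len(payload)),                     # 2: attacker-chosen length
        ("jge", "i", "n", 12),                           # 3: loop exit
        ("movi", "s", INPUT_AREA),                       # 4
        ("add", "s", "i"),                               # 5: s = src + i
        ("load", "t", "s"),                              # 6: t = mem[s]
        ("movi", "d", BUF_LO),                           # 7
        ("add", "d", "i"),                               # 8: d = buf + i (no bound check)
        ("store", "d", "t"),                             # 9: mem[d] = t   <- culprit
        ("addi", "i", 1),                                # 10
        ("jmp", 3),                                      # 11
        ("ret",),                                        # 12: pop mem[sp] as new pc
    ]

def run(prog, mem, sp, guards=None, max_steps=10_000):
    """Execute with taint propagation; stop at ret or at a guarded store."""
    guards = guards or {}
    mem, mtaint = dict(mem), {}            # memory words and their taint stamps
    regs, rtaint = {"sp": sp}, {}
    pc = 0
    for _ in range(max_steps):
        ins, op, nxt = prog[pc], prog[pc][0], pc + 1
        if op == "input":                  # untrusted data enters: stamp it
            _, base, words, source = ins
            for k, w in enumerate(words):
                mem[base + k], mtaint[base + k] = w, (source, pc)
        elif op == "movi":
            regs[ins[1]], rtaint[ins[1]] = ins[2], None
        elif op == "addi":
            regs[ins[1]] += ins[2]         # an immediate adds no taint
        elif op == "add":                  # taint is sticky across arithmetic
            d, s = ins[1], ins[2]
            regs[d] += regs[s]
            rtaint[d] = rtaint.get(d) or rtaint.get(s)
        elif op == "load":
            d, a = ins[1], regs[ins[2]]
            regs[d], rtaint[d] = mem.get(a, 0), mtaint.get(a)
        elif op == "store":
            a, s = regs[ins[1]], ins[2]
            lo, hi = guards.get(pc, (None, None))
            if lo is not None and not lo <= a < hi:   # the toy "patch" fires here
                return {"verdict": "blocked", "pc": pc, "addr": a}
            mem[a] = regs[s]
            t = rtaint.get(s)
            mtaint[a] = (t[0], pc) if t else None     # writer = this store
        elif op == "jge":
            if regs[ins[1]] >= regs[ins[2]]:
                nxt = ins[3]
        elif op == "jmp":
            nxt = ins[1]
        elif op == "ret":                  # tainted control-flow target = exploit
            a = regs["sp"]
            t = mtaint.get(a)
            if t:
                return {"verdict": "hijack", "target": mem[a], "source": t[0],
                        "culprit_pc": t[1], "culprit": prog[t[1]]}
            return {"verdict": "clean_return", "target": mem[a]}
        else:
            raise ValueError(f"unknown op {op}")
        pc = nxt
    raise RuntimeError("step limit exceeded")

def detect(payload=ATTACK_PAYLOAD, guards=None):
    return run(build_program(payload), INITIAL_MEM, STACK_PTR, guards)

def patch_for(result):
    """Toy patch: a bounds check on the culprit store that keeps it inside the
    buffer.  Assumes the buffer bounds are known; CloudER's real patch
    generation is not described in the abstract and is not reproduced here."""
    return {result["culprit_pc"]: (BUF_LO, BUF_HI)}

if __name__ == "__main__":
    hit = detect()
    print(hit)                             # verdict hijack, culprit_pc 9
    print(detect(guards=patch_for(hit)))   # same input now blocked at addr 104
    print(detect([0x41, 0x42]))            # benign input: clean_return to 999
```

Two design points carry over to the real setting. First, the writer stamp is refreshed at every store rather than kept from the original input instruction, which is what makes the reported culprit the overflowing copy instead of the `recv()` that merely brought the bytes in. Second, a guard keyed by the culprit's pc is only a stand-in: to be safe in production, a bounds-check patch needs the correct buffer extent, and a wrong extent either leaves the overflow reachable or breaks legitimate writes, which is why the location step matters as much as the detection step.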