This talk presents ClearView, a system that automatically creates patches
for zero-day exploits, i.e. attacks on previously unknown security
vulnerabilities in COTS (commercial off-the-shelf) software. The patched
program survives otherwise fatal attacks and provides uninterrupted service
both during and after them.
ClearView first observes normal executions to learn the program's intended
behavior. ClearView correlates violations of this behavior with attacks,
by using an attack detector and run-time checking of the inferred behavior.
ClearView converts the behavior differences into patches that may repair
the behavior violation and eliminate the exploited vulnerability. Finally,
ClearView dynamically evaluates each patch, distributing the most
successful one.
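The four steps just described (learn normal behavior, correlate a violated invariant with a detected attack, generate candidate patches, evaluate them and keep the best) can be followed end to end on a toy program. The Python below is an added illustration written for this page; it is not ClearView's code and nothing in it comes from the talk. The simulated buffer copy, the attack detector, the two-variable program point, the invariant templates (simple range and ordering templates of the kind a dynamic invariant detector such as Daikon infers), the two repair strategies and all inputs are constructed assumptions. It goes one step beyond the abstract by scoring each candidate patch against held-out legitimate inputs that are larger than anything seen during learning, so the evaluation step visibly prefers the patch that preserves application functionality over one that merely blocks the attack.

```python
"""Toy model of the ClearView loop: learn invariants from normal runs, correlate a
violated invariant with a detected attack, generate patches, keep the best one."""
import itertools

BUF_SIZE = 64  # constructed: size of the simulated fixed-size destination buffer


class AttackDetected(Exception):
    """Raised by the simulated attack detector (stands in for a memory firewall)."""


def copy_into_buffer(data, buf):
    """Vulnerable copy with no bounds check of its own; the detector fires instead."""
    if len(data) > len(buf):
        raise AttackDetected(f"{len(data)}-byte write into a {len(buf)}-byte buffer")
    buf[: len(data)] = data
    return bytes(buf[: len(data)])


def run_program(msg, trace, patch=None):
    """One execution. `trace` receives the variables seen at the instrumented point
    before the copy; `patch` may rewrite that state or return None to skip the copy."""
    buf = bytearray(BUF_SIZE)
    state = {"n": len(msg), "cap": len(buf)}
    if patch is not None:
        state = patch(dict(state))
        if state is None:  # the repair chose to skip the vulnerable operation
            return b""
    trace.append(dict(state))
    return copy_into_buffer(msg[: state["n"]], buf)


def holds(inv, state):
    var, op, bound = inv  # bound is an int or the name of another variable
    rhs = state[bound] if isinstance(bound, str) else bound
    return {"<=": state[var] <= rhs, ">=": state[var] >= rhs, "==": state[var] == rhs}[op]


def learn_invariants(traces):
    """Propose template invariants and keep those that held on every normal run."""
    names = sorted(traces[0])
    cands = []
    for v in names:
        vals = [t[v] for t in traces]
        cands += [(v, "<=", max(vals)), (v, ">=", min(vals))]
    for v, w in itertools.permutations(names, 2):
        cands += [(v, "<=", w), (v, "==", w)]
    return [inv for inv in cands if all(holds(inv, t) for t in traces)]


def make_patches(inv):
    """Two repairs per violated invariant: force the variable to the bound, or skip."""
    var, _, bound = inv
    label = f"{inv[0]} {inv[1]} {inv[2]}"

    def enforce(state):
        if not holds(inv, state):
            state[var] = state[bound] if isinstance(bound, str) else bound
        return state

    def skip(state):
        return state if holds(inv, state) else None

    return [("enforce " + label, enforce), ("skip-if-not " + label, skip)]


def evaluate(patch, attacks, validation, expected):
    """Score = (attacks neutralised, validation inputs whose output is unchanged)."""
    blocked = 0
    for msg in attacks:
        try:
            run_program(msg, [], patch)
            blocked += 1
        except AttackDetected:
            pass
    preserved = sum(run_program(m, [], patch) == e for m, e in zip(validation, expected))
    return blocked, preserved


def clearview(training, attacks, validation):
    """Full loop; returns (selected patch name, learned invariants, patch scores)."""
    normal_trace = []
    for msg in training:  # 1. observe normal executions
        run_program(msg, normal_trace)
    invariants = learn_invariants(normal_trace)
    violated = []  # 2. correlate invariant violations with detected attacks
    for msg in attacks:
        attack_trace = []
        try:
            run_program(msg, attack_trace)
        except AttackDetected:
            bad = [i for i in invariants if not holds(i, attack_trace[-1])]
            violated += [i for i in bad if i not in violated]
    expected = [run_program(m, []) for m in validation]
    scores = {}  # 3. generate candidate patches, 4. evaluate and rank them
    for inv in violated:
        for name, patch in make_patches(inv):
            scores[name] = evaluate(patch, attacks, validation, expected)
    return max(scores, key=scores.get), invariants, scores


# Constructed inputs: training traffic, held-out legitimate traffic (two messages
# longer than anything in training but still within the buffer), and two attacks.
TRAINING = [b"A" * n for n in (8, 16, 24, 40)]
VALIDATION = [b"B" * n for n in (10, 32, 50, 64)]
ATTACKS = [b"X" * 200, b"Y" * 65]

if __name__ == "__main__":
    best, invs, scores = clearview(TRAINING, ATTACKS, VALIDATION)
    print({k: v for k, v in scores.items()}, "selected:", best)
```

Running it shows the point of the evaluation step: the overly tight learned bound `n <= 40` blocks both attacks but truncates or drops the two legitimate 50- and 64-byte messages, whereas enforcing `n <= cap` blocks both attacks and preserves all four legitimate outputs, so that is the patch the loop would distribute.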
The ClearView implementation protects Windows x86 binaries. DARPA hired an
external Red Team to evaluate ClearView by attacking a protected system.
The Red Team had access to our design and implementation, and spent several
months devising attacks that cause the Firefox browser to execute arbitrary
code. ClearView prevented all of the attacks from executing malicious
code. In 70% of cases, ClearView generated a patch that rendered the
attack harmless while preserving application functionality.