Researchers led by the Massachusetts Institute of Technology and funded by the Defense Advanced Research Projects Agency have developed software that keeps applications running during attacks, then finds and installs permanent patches to protect them. The ClearView system detects attacks by noting when applications perform outside their normal range of behavior, indicating an attack of some sort. To fend off attacks, it tries out a variety of patches on the fly, choosing the one that best returns the application to normal.

The researchers are running a feasibility study to determine whether to develop the system into a commercial product, says Martin Rinard, the lead researcher on the project. What sets ClearView apart from other attack-mitigation schemes is that programs don't stop running while patches are chosen and put in place, Rinard says, so users of the applications can continue to work.

During testing required by DARPA, ClearView underwent attacks designed by a team from security contractor SPARTA and prevented it from injecting and executing any malicious code in the application, Rinard says.

The system works by running a piece of ClearView monitoring software on host machines that keeps an eye on the application as it runs to define a set of normal behaviors. When ClearView detects that the application is going beyond normal, it chooses and tries out patches from a server-based template library of fixes in an attempt to return the application performance back within normal ranges.

The system scores each patch for how well it works to mitigate the abnormal behavior and chooses the one with the best score. That patch is applied to all instances of the application within the network being protected, a tactic that can prevent any impact to those instances of the target application running on devices that have not yet been attacked.

Researchers ran two phases of the project, the first checking for effects code injection attacks had on general application processes. The second phase focused on monitoring system calls to the operating system, determining a range of normal calls during a learning phase, and seeking suspicious calls that fell outside normal.

For the purposes of the test, the researchers used Firefox 1.0 as the target application. "It could be any application server or client," Rinard says, but Firefox 1.0 was fairly complex, readily available and had known security flaws that have been fixed in later versions.

In the first phase, the group used Determina, a commercial intrusion-detection platform owned by VMware to detect code-injection attacks and to add and delete patches. In phase two, the researchers used the open source Pin dynamic instrumentation engine to monitor system calls and insert patches while the application was running.

To analyze how well the patches worked, the researchers used daikon, software developed by Prof. Michael Ernst of University of Washington who worked on the ClearView project. Daikon infers what program properties are necessary to successfully running it and that must be preserved when modifying the code.

In the first phase of the tests, it took minutes to detect and fix the application against attacks. In phase two it took just seconds, primarily because system calls have a well-defined interface that supports more efficient selection and repair strategies, Rinard says.

ClearView code has nothing in it that is specific to any particular application, so it can be used to detect attacks and attempt patches to any application.

In tests of how well the system worked, the attackers were told ahead of time what application they were going to attack. ClearView fixed the application in 70% of the cases in phase one, and in 92% of the cases in phase two, Rinard says.