Abstract: Signatures can be generated based on characteristics of attacks. Using dynamic program analyzing skills we generated binary signatures for control flow attack to return value of function call and function call pointer, and noncontrol flow attack to decision-related variable. First, we identified instructions related to the vulnerability. Second, we monitored these instructions using a modified virtual machine. At last, we alerted and generated signature after finding any malicious write behaviors. Patch recorded malicious write instructions could be generated meanwhile to ignore these instructions in future execution. Generated signature could be sent to other computers to monitor the same software's execution using lightweight virtual machine. Experiment results show that binary level signature has simplified form and precise functionality and low false negative and is effective to defense polymorphic attack. Besides, lightweight virtual machine makes use of the signature fast.

Key words: Computer security, Software security, Software vulnerability, Binary signature, Binary patch