Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang,

Slides:



Advertisements
Similar presentations
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Advertisements

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.
Presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH.
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam.
Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
MIT/Determina Application Communities, page 1 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative learning for security and repair.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense.
A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Very Fast containment of Scanning Worms Presented by Vinay Makula.
Security Methods and Practice CET4884
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.
Network Security Lab Jelena Mirkovic Sig NewGrad presentantion.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
Shellcode COSC 480 Presentation Alison Buben.
Internet Quarantine: Requirements for Containing Self-Propagating Code
Problem: Internet diagnostics and forensics
Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir. A.C. Verschueren Eindhoven University of Technology Section of Digital.
Very Fast containment of Scanning Worms
Taint tracking Suman Jana.
BotCatch: A Behavior and Signature Correlated Bot Detection Approach
Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Department of Computer Science Northwestern University.
Detecting Targeted Attacks Using Shadow Honeypots
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Jonathan Griffin Andy Norman Jamie Twycross Matthew Williamson
Introduction to Internet Worm
Sampling Dynamic Dataflow Analyses
Presentation transcript:

Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Microsoft Research University of Cambridge, Computer Laboratory

The worm threat worms are a serious threat –worm propagation disrupts Internet traffic –attacker gains control of infected machines worms spread too fast for human response –Slammer scanned most of the Internet in 10 minutes –infected 90% of vulnerable hosts worm containment must be automatic

Automatic worm containment previous solutions are network centric –analyze network traffic –generate signature and drop matching traffic or –block hosts with abnormal network behavior no vulnerability information at network level –false negatives: worm traffic appears normal –false positives: good traffic misclassified false positives are a barrier to automation

Vigilante’s end-to-end architecture host-based detection –instrument software to analyze infection attempts cooperative detection without trust –detectors generate self-certifying alerts (SCAs) –detectors broadcast SCAs hosts generate filters to block infection contains fast spreading worms: no false positives, deployable today

Outline detection self-certifying alerts (SCAs) generation of vulnerability-specific filters evaluation

Detection diverse set of detection mechanisms diverse set of implementations detection mechanisms can have high- coverage

Detection dynamic dataflow analysis track the flow of data from input messages –mark memory as dirty when data is received –track all data movement trap the worm before it executes any instructions –trap execution of dirty data –trap loading of dirty data into program counter

Dynamic dataflow analysis stack pointer points to dirty data return address msg1 buffer //vulnerable code push len push netbuf push sock call recv push netbuf push localbuf call strcpy ret alert: value loaded into program counter is dirty high-coverage: stack, function pointers, …

Dynamic dataflow analysis works with normal binaries instrumentation at runtime vulnerable process normal.exe detection

Where are the detectors? general detectors are expensive centralized detectors can be attacked any host can be a detector –load sharing, high coverage, resilience –detectors create self-certifying alerts

Self-certifying alerts machine-verifiable proofs of vulnerability –identify an application and a type of vulnerability –contain log of attack messages –contain verification information enable hosts to verify if they are vulnerable –replay infection with modified messages –verification has no false positives

arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: ACE attack messages: verification information: … SCA what can the attacker do? inject code what is the verification information? code location

arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: AEC attack messages: verification information: … SCA what can the attacker do? force a control flow transfer what is the verification information? location of program counter

arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: AFA attack messages: verification information: … SCA what can the attacker do? supply an argument to a function what is the verification information? function name location of argument

SCA generation log messages generate SCA when worm is detected –search log for relevant messages –compute verification information –generate tentative version of SCA –repeat until verification succeeds detectors may guide search

Generating an AEC alert stack pointer return address msg1 buffer id100 id400 id100 id400 //vulnerable code push len push netbuf push sock call recv push netbuf push localbuf call strcpy ret log: id400id100 msg1 id 236 AEC,, pc at offset 136 SCA:

Verifying an AEC alert vulnerable process normal code verified alert type: Arbitrary Execution Control attack message: verification information: pc at offset 6 of message recv 0x proves that external interfaces allow arbitrary control of the execution SCA verification is independent of detection mechanism virtual machine

SCA broadcast uses overlay of superpeers –Akamai-like overlay with added security –detectors flood alerts over overlay links denial-of-service prevention –per-link rate limiting –per-hop filtering and verification –controlled disclosure of overlay membership hosts receive SCAs with high probability

Protection hosts generate filter from SCA mutations make protection difficult (as in real diseases) 0x30x240x670x420x1 attack: add eax,1; mov ebx, eax mutation: 0x30x120x280x630x4 inc eax; push eax; pop ebx

Filter generation dynamic data and control flow analysis –track control and data flow from input messages –compute conditions that determine execution path –filter blocks messages that satisfy conditions uses full data flow information –dataflow graphs for dirty data and CPU flags –record decisions on conditional instructions

Generating filters for vulnerabilities 0x30x240x670x420x1 attack: mutation: 0x30x120x280x630x4 =3≠0 filter: //vulnerable code //recv msg mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax L1 mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? L2 ret Match! look at the program, not at the messages

test msg[1],msg1[1]; je out //recv msg Filters as program slices cmp msg[0],3; jne out... mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? ret filters are a subset of the program’s instructions //recv msg mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? ret

Filters capture generic conditions –filters are assembly programs safe and efficient –no side effects, no loops two-filter design reduces false negatives –still improving

Putting it all together DetectorHost VulnerableHost Protection SCADistribution SCA Verification Filter Vulnerable Application Network SCADistribution SCA Verification Detection Engine SCA Generation Network

Evaluation three real worms: –Slammer (SQL server), Blaster (RPC), CodeRed (IIS) measurements of prototype implementation –SCA generation and verification –filter generation –filtering overhead simulations of SCA propagation with attacks

Time to generate SCAs

Time to verify SCAs

Time to generate filters

Filtering overhead

Simulating SCA propagation Susceptible/Infective epidemic model 500,000 node network on GeorgiaTech topology network congestion effects –RIPE data gathered during Slammer’s outbreak –delay/loss increase linearly with infected hosts DoS attacks –infected hosts generate fake SCAs –verification increases linearly with number of SCAs

Containing Slammer

Related Work network related –signatures: Honeycomb, Autograph, EarlyBird, Polygraph; throttling [Williamson02]; scanning detectors [Weaver04] host related –program shepherding [Kiriansky02]; perl taint mode, concurrent work similar to dynamic dataflow analysis: [Suh04], Minos, TaintCheck, Argos; [Sidiroglou05] related host-based system keep applications running despite attacks –failure oblivious computing, abort/rollback: DIRA, STEM, Rx human assisted, vulnerability specific detectors/filters –Shield, IntroVirt

Conclusion Vigilante can contain worms automatically –requires no prior knowledge of vulnerabilities –no false positives –low false negatives –deployable today

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.