Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Presentation transcript:

Overview: Automatic Worm Containment
- Vigilante: a person who ignores due process of law and enacts his or her own form of justice when they deem the response of the authorities to be insufficient.
- Self-certifying alert (SCA): a machine-verifiable proof of a vulnerability
  - The detector can be a honeypot

Outline
- Self-certifying alerts
- Local countermeasures
- Evaluation
- Related work
- Conclusion

What is an SCA?
- A sequence of messages that, when received by the vulnerable service, causes it to reach a disallowed state
- Verification: send the messages + check for the disallowed state
- Detection: message logging + a detector

SCA Types
- Arbitrary Execution Control
  - Jump to arbitrary existing code in a service's address space
  - Specifies how to jump to an address supplied in a message
- Arbitrary Code Execution
  - Code-injection vulnerability
  - Specifies how to execute an arbitrary piece of code supplied in a message
- Arbitrary Function Argument
  - Data-injection vulnerability
  - Specifies how to invoke a specific critical function with an argument supplied by a message

SCA Format
- Vulnerable service
- Alert type
- Verification information: where in the message to put the supplied address/code/function argument
- Sequence of messages

Example

Alert Verification
- Verification sandbox
- Load a library & binary-rewrite critical functions (e.g., exec)

Alert Generation
- Log messages and network endpoints
  - Remove old messages (e.g., an hour old)
  - Remove messages already in generated SCAs
  - The log is small on a honeypot system
- Any detection method can be used; in this paper:
  - Non-executable pages
  - Dynamic dataflow analysis
- Upon detection, search the log to generate candidate SCAs and verify them

Non-executable pages
- Low overhead
- Upon catching an exception:
  1. Search messages for the address or the code of the faulting instruction
  2. Use a single message as a candidate SCA
  3. If this is not verified, add more messages until the log is empty
  4. (On a honeypot, at step 3, add the entire log if the log is less than 5 messages long)
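The candidate-SCA search these steps describe, as an added Python model; it is not the paper's or the presentation's code. The `verify` callback stands in for the sandbox replay, the log layout and the nearest-first growth order are assumptions, and only the faulting address (not the instruction bytes) is searched for:

```python
import struct

def candidate_scas(log, fault_addr, verify, honeypot=False):
    """Candidate SCA search after an NX fault (toy version of the slide's steps).
    log: [(msg_id, bytes)] in arrival order; fault_addr: address of the faulting
    instruction; verify(candidate) replays the candidate messages in the sandbox
    and returns True if the service reaches the disallowed state."""
    needle = struct.pack("<I", fault_addr)       # little-endian 32-bit x86 address
    # Step 1: which logged messages carry the faulting address?
    hits = [i for i, (_, data) in enumerate(log) if needle in data]
    for i in hits:
        # Step 2: try the single message as the candidate SCA.
        if verify([log[i]]):
            return [log[i]]
        # Step 4: on a honeypot with a short log, replay the whole log at once.
        if honeypot and len(log) < 5:
            if verify(list(log)):
                return list(log)
            continue
        # Step 3: add earlier messages (assumed order: nearest first) until the
        # log is exhausted, since the exploit may need prior protocol state.
        for start in range(i - 1, -1, -1):
            cand = log[start:i + 1]
            if verify(cand):
                return cand
    return None

def ids(cand):
    return [m for m, _ in cand]

def demo(honeypot=False):
    # Constructed log (not real worm traffic): a benign request, a protocol setup
    # message, the message carrying the address the service later jumped to, and
    # a later benign request.
    addr = 0x7FFA4512
    log = [(1, b"ping"), (2, b"SETUP"), (3, b"XX" + struct.pack("<I", addr)), (4, b"ping")]
    # Toy sandbox: the disallowed state is reached only when the setup message
    # precedes the exploit message, modelling a 2-message attack like Blaster's.
    def verify(cand):
        s = ids(cand)
        return 2 in s and 3 in s and s.index(2) < s.index(3)
    found = candidate_scas(log, addr, verify, honeypot)
    return ids(found) if found else None
```

Without the honeypot shortcut the search grows the candidate one message back to [2, 3]; with it, the whole four-message log is replayed and accepted as the SCA.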

Dynamic dataflow analysis
- A flavor of TaintCheck
- Metadata:
  - One bit per 4K page: whether the page is entirely clean
  - For dirty pages, keep one identifier per memory location
    - Identifier: an integer representing the input message and the offset within it
    - A separate list maps identifiers to messages
- Propagate only for data movement instructions: MOV, MOVS, PUSH, POP
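The metadata and propagation rules on this slide, as an added toy Python model that is not the paper's implementation; byte-granular memory, the page layout and the 4-byte control-transfer check are assumptions. It also shows how a tainted jump target yields the SCA's verification information (message id and offset):

```python
PAGE = 4096

class TaintTracker:
    """Toy model: one clean bit per 4K page, one identifier per dirty location."""
    def __init__(self):
        self.ids = []             # identifier -> (message id, offset in message)
        self.dirty_pages = set()  # the per-page bit: page holds tainted bytes
        self.taint = {}           # address -> identifier, consulted on dirty pages only

    def receive(self, msg_id, data, base):
        """Service reads a message into memory at base; every byte gets an id."""
        for off in range(len(data)):
            self.ids.append((msg_id, off))
            self._set(base + off, len(self.ids) - 1)

    def _set(self, addr, ident):
        self.taint[addr] = ident
        if ident is not None:
            self.dirty_pages.add(addr // PAGE)

    def get(self, addr):
        if addr // PAGE not in self.dirty_pages:
            return None           # clean page: skip the per-location lookup
        return self.taint.get(addr)

    # Only data-movement instructions propagate ids (slide lists MOV, MOVS, PUSH, POP).
    def mov(self, dst, src):
        self._set(dst, self.get(src))

    def movs(self, dst, src, n):
        for i in range(n):
            self.mov(dst + i, src + i)

    def control_transfer(self, addr):
        """Jump/return target is read from the 4 bytes at addr; if any byte is
        tainted, return the SCA verification info (message id, offset)."""
        for i in range(4):
            ident = self.get(addr + i)
            if ident is not None:
                return self.ids[ident]
        return None

def detect_overflow():
    # Constructed scenario: a 28-byte message is copied by MOVS into a 24-byte
    # stack buffer, overwriting the saved return address stored right after it.
    t = TaintTracker()
    msg = b"GET " + b"A" * 20 + b"\x78\x56\x34\x12"   # constructed input
    t.receive(7, msg, 0x1000)                          # receive buffer on page 1
    t.movs(0x7000, 0x1000, len(msg))                   # copy into the stack buffer
    return t.control_transfer(0x7000 + 24)             # RET loads the saved EIP
```

The result (7, 24) is exactly the SCA's verification information: message 7, offset 24 is where a verifier places the address it supplies.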

Alert Distribution
- Assume some kind of secure overlay
- Flooding: each host sends the SCA to all its overlay neighbors
- Problems discussed in the paper:
  - Compromised hosts may flood the overlay with bad/old SCAs
  - Must prevent worms from using the overlay for propagation

Outline
- Self-certifying alerts
- Local countermeasures
- Evaluation
- Related work
- Conclusion

Automatic filter generation
- Basically, Bouncer is an improvement on the proposal here.

Evaluation
- Prototype: x86 + Windows
- Dell Precision workstations with 3GHz Pentium 4, 2GB RAM, 100Mbps Ethernet
- Real worms:
  - Slammer: MS SQL Server
  - CodeRed: MS IIS Server
  - Blaster: RPC service (2-message attack)

Alert Generation
- Measured from the moment the last worm message is received until the detector generates an SCA
- No verification
- Only worm messages in the log

SCA Sizes

Alert Verification
- Verification time when the VM is already running
- The verification VM has low overhead normally:
  - Less than 1% of CPU cost
  - About 84 MB of memory

Alert Distribution (Network Simulation)

End-to-End Experiments
- 5 machines: 1 is the detector, 5 is the vulnerable host, 2, 3, 4 are intermediate overlay nodes
- Time from the worm probe reaching 1 until 5 verifies the SCA:
  - Slammer: 79ms
  - Blaster: 305ms
  - CodeRed: 3044ms

Conclusion
- Automatic worm containment is important
- SCAs enable cooperation across many hosts that do not trust each other