Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits H. Wang, C. Guo, D. Simon, and A. Zugenmaier Microsoft Research.

Motivation
- Slammer, MSBlast, CodeRed and Nimda all exploit known vulnerabilities whose patches had already been released.
- Software patching has not been an effective first-line worm defense.

Why don't people patch?
- Disruption – service or machine reboot
- Unreliability – patches can have serious undetected side effects
- Irreversibility – most patches are not designed to be easily reversible
- Unawareness – a patch announcement is missed

Our Proposal: Shielding Before Patching
- Shields: vulnerability-specific network filters that lie above the transport layer.
- Currently focused on end-host based shields.
- The patch is the ultimate fix of the vulnerability – the Shield is removed upon patch application.

Why apply Shields instead?
- Non-intrusive – no service or machine reboot
- Easy testability
- Reliable – configuration independent, unlike patches
- Easily reversible

Vulnerability Modeling
1. Write a policy.
2. A syntax tree is built from the policy.
Example: the arrival of a UDP packet at port 1434 with a size of 376 bytes is the Slammer worm.

Shield Architecture: Goals
- Minimize the amount of state maintained by Shield
- Enough flexibility to support any application-level protocol
- Defensive design – Shield must not become an easier alternative attack target

Flexibility: Separate Policy from Mechanism
- Shield mechanisms: generic for all applications
  – Out-of-order datagram handling
  – Application-level fragmentation handling
- Shield policies: dependent on the application
  – Application identification
  – Event identification
  – Session identification
  – Vulnerability state machine specifications

Shield Architecture: Essential Data Structures
- Per-app vulnerability state machine spec (Spec):
  – Transformed from the Shield policy
  – Instructions for emulating vulnerability state machines in Shield at runtime:
    application identification (static or dynamic port);
    states, events and handlers for recognizing and reacting to potential exploits;
    the offset and size of the necessary information in the packet
- Session state: the current state for exploit checking

Shield Architecture

Shield Modules
- Policy Loader: turns the Shield policy, expressed in the Shield policy language, into the syntax tree
- Application Dispatcher: determines which Spec to reference for the arrived data, based on the port number
- Session Dispatcher: recognizes the event type and session ID
- State Machine Instance (SMI): consults which event handler to invoke
- Shield Interpreter: interprets the event handler, which specifies how to examine the data for exploits; also carries out actions such as packet dropping and registering a dynamic port

Scattered Arrivals of an Application Message
- A single data arrival does not necessarily carry a complete application-level message
- An application message is the smallest unit the application can interpret
- Parsing state: the name of the current incomplete field, plus its value only if Shield needs that value later
  – Kept per application message

Out-of-Order Application Datagrams
- Save out-of-order datagrams
- Additional information needed in the Shield policy: the sequence number location and the maximum number of saved datagrams

Application-Level Fragmentation
- Treated the same as scattered arrivals
- Additional information needed in the Shield policy: the fragment ID location
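To make the vulnerability modeling, the Spec/session data structures, the dispatcher modules and the scattered-arrival handling above concrete, here is a toy Shield-style engine. It is an added example, not the paper's code: the Slammer policy uses the values from the slides (UDP port 1434, 376-byte datagram), while the second protocol, its port 9999, its opcode/length layout and its "64-byte body" vulnerability are constructed for illustration.

```python
# Added example (not the paper's code): a toy Shield-style engine with application
# dispatch by port, session dispatch, per-session vulnerability state machines, and
# reassembly of application messages that arrive in pieces ("scattered arrivals").
from collections import namedtuple
# handlers: (state, event) -> handler(session, payload) -> (next_state, verdict)
Spec = namedtuple("Spec", "name port initial classify handlers")
class Session:
    def __init__(self, state):
        self.state, self.buf = state, b""   # exploit-checking state, parsing state
class Shield:
    def __init__(self, *specs):
        self.specs = {s.port: s for s in specs}  # Application Dispatcher: port -> Spec
        self.sessions = {}                       # Session Dispatcher: (app, sid) -> Session
    def handle(self, sid, dport, payload):
        spec = self.specs.get(dport)
        if spec is None:
            return "pass"   # no Shield loaded for this application
        key = (spec.name, sid)
        sess = self.sessions.setdefault(key, Session(spec.initial))
        handler = spec.handlers.get((sess.state, spec.classify(payload)))
        if handler is None:
            return "pass"   # event irrelevant to the vulnerability
        sess.state, verdict = handler(sess, payload)
        if verdict == "teardown":
            del self.sessions[key]
        return verdict

# Policy 1 (from the slides): a 376-byte UDP datagram to port 1434 is Slammer.
def slammer_check(sess, payload):
    return "idle", ("drop" if len(payload) == 376 else "pass")
SLAMMER = Spec("sqlresolver", 1434, "idle", lambda p: "datagram",
               {("idle", "datagram"): slammer_check})

# Policy 2 (hypothetical protocol constructed here): message = 2-byte big-endian
# length, 1-byte opcode, body; pretend opcode 1 with a body over 64 bytes overflows
# the server. Pieces are buffered until the field Shield needs is complete.
def toy_accumulate(sess, chunk):
    sess.buf += chunk
    if len(sess.buf) < 3:
        return "partial", "pass"             # header not yet complete
    length = int.from_bytes(sess.buf[:2], "big")
    if len(sess.buf) < 2 + length:
        return "partial", "pass"             # body not yet complete
    opcode, body = sess.buf[2], sess.buf[3:2 + length]
    sess.buf = sess.buf[2 + length:]
    if opcode == 1 and len(body) > 64:
        return "idle", "teardown"            # exploit: drop and tear down session
    return "idle", "pass"
TOY = Spec("toyproto", 9999, "idle", lambda p: "data",
           {("idle", "data"): toy_accumulate, ("partial", "data"): toy_accumulate})
```

Removing a Spec from `shield.specs` once the patch is applied is the "Shield is removed upon patch application" step from the proposal.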

Shield Policy Language
- Describes the vulnerabilities and their countermeasures for an application
- Highly specialized for Shield's purpose

Policy description (MSBlast): annotated example policy (figure). Labels: Shield description, information location, events, state transitions ("maybe MSBlast", "not MSBlast", "It's MSBlast. Tear down session."), (state, event, handler) tuples, and handlers.

Analysis: Scalability
- The number of Shields does not grow indefinitely, because Shields are removed upon the corresponding patching
- N Shields for N applications are equivalent to a single Shield in terms of their effect on the performance of any single application
- Multiple vulnerabilities of a single application can be compounded into one Shield

Analysis: False Positives
- Low false positives by nature – only traffic that exploits a specific vulnerability is filtered
- False positives may arise from an incorrect policy specification due to misunderstanding
  – Can easily be debugged with large traffic traces or test suites

Shield Prototype Implementation
- Shield prototype built as a WinSock2 LSP (Layered Service Provider)

Evaluation: Applicability (1)
What is hard to shield:
- Viruses – anti-virus software would be a better alternative
- Vulnerabilities that could be embedded in HTML scripting
- Application-specific encrypted traffic – it may be hard to get the key

Evaluation: Applicability (2)
- Study of 49 vulnerabilities from the MS Security bulletin board in …
- While many vulnerabilities may not appear suitable for the Shield treatment, the most threatening ones (those prone to exploitation by worms) are Shield-compatible.

Evaluation: CPU Usage
- CPU usage at the server: most of the overhead is caused by the LSP, not by Shield.

Evaluation: Throughput
- Shield degrades throughput by 11%.
- A well-designed kernel implementation of Shield could eliminate much of the overhead.

Evaluation: False Positives
- Evaluated on the Shield for Slammer
- Used a stress test suite obtained from the MS test group, containing a total of 36 test cases for exhaustive testing
- No false positives observed

Conclusion
- Shield: vulnerability-specific network filters for preventing exploits against known vulnerabilities
- Initial prototyping and evaluation results are encouraging