Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang,

PublishMichael Harrington Modified over 8 years ago

Similar presentations

Presentation on theme: "Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang,"— Presentation transcript:

1 Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Microsoft Research University of Cambridge, Computer Laboratory

2 The worm threat worms are a serious threat –worm propagation disrupts Internet traffic –attacker gains control of infected machines worms spread too fast for human response –Slammer scanned most of the Internet in 10 minutes –infected 90% of vulnerable hosts worm containment must be automatic

3 Automatic worm containment previous solutions are network centric –analyze network traffic –generate signature and drop matching traffic or –block hosts with abnormal network behavior no vulnerability information at network level –false negatives: worm traffic appears normal –false positives: good traffic misclassified false positives are a barrier to automation

4 Vigilante’s end-to-end architecture host-based detection –instrument software to analyze infection attempts cooperative detection without trust –detectors generate self-certifying alerts (SCAs) –detectors broadcast SCAs hosts generate filters to block infection contains fast spreading worms: no false positives, deployable today

5 Outline detection self-certifying alerts (SCAs) generation of vulnerability-specific filters evaluation

6 Detection diverse set of detection mechanisms diverse set of implementations detection mechanisms can have high- coverage

7 Detection dynamic dataflow analysis track the flow of data from input messages –mark memory as dirty when data is received –track all data movement trap the worm before it executes any instructions –trap execution of dirty data –trap loading of dirty data into program counter

8 Dynamic dataflow analysis stack pointer points to dirty data return address msg1 buffer //vulnerable code push len push netbuf push sock call recv push netbuf push localbuf call strcpy ret alert: value loaded into program counter is dirty high-coverage: stack, function pointers, …

9 Dynamic dataflow analysis works with normal binaries instrumentation at runtime vulnerable process normal.exe detection

10 Where are the detectors? general detectors are expensive centralized detectors can be attacked any host can be a detector –load sharing, high coverage, resilience –detectors create self-certifying alerts

11 Self-certifying alerts machine-verifiable proofs of vulnerability –identify an application and a type of vulnerability –contain log of attack messages –contain verification information enable hosts to verify if they are vulnerable –replay infection with modified messages –verification has no false positives

12 arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: ACE attack messages: verification information: … SCA what can the attacker do? inject code what is the verification information? code location

13 arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: AEC attack messages: verification information: … SCA what can the attacker do? force a control flow transfer what is the verification information? location of program counter

14 arbitrary code execution (ACE) arbitrary execution control (AEC) arbitrary function argument (AFA) SCA types alert type: AFA attack messages: verification information: … SCA what can the attacker do? supply an argument to a function what is the verification information? function name location of argument

15 SCA generation log messages generate SCA when worm is detected –search log for relevant messages –compute verification information –generate tentative version of SCA –repeat until verification succeeds detectors may guide search

16 Generating an AEC alert stack pointer return address msg1 buffer id100 id400 id100 id400 //vulnerable code push len push netbuf push sock call recv push netbuf push localbuf call strcpy ret log: 1111111111111111111 id400id100 msg1 id 236 AEC,, pc at offset 136 SCA: 1111111111111111111

17 Verifying an AEC alert vulnerable process normal code verified alert type: Arbitrary Execution Control attack message: verification information: pc at offset 6 of message 11111144444444111 recv 0x44444444 proves that external interfaces allow arbitrary control of the execution SCA 11111111111111111 verification is independent of detection mechanism virtual machine

18 SCA broadcast uses overlay of superpeers –Akamai-like overlay with added security –detectors flood alerts over overlay links denial-of-service prevention –per-link rate limiting –per-hop filtering and verification –controlled disclosure of overlay membership hosts receive SCAs with high probability

19 Protection hosts generate filter from SCA mutations make protection difficult (as in real diseases) 0x30x240x670x420x1 attack: add eax,1; mov ebx, eax mutation: 0x30x120x280x630x4 inc eax; push eax; pop ebx

20 Filter generation dynamic data and control flow analysis –track control and data flow from input messages –compute conditions that determine execution path –filter blocks messages that satisfy conditions uses full data flow information –dataflow graphs for dirty data and CPU flags –record decisions on conditional instructions

21 Generating filters for vulnerabilities 0x30x240x670x420x1 attack: mutation: 0x30x120x280x630x4 =3≠0 filter: //vulnerable code //recv msg mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax L1 mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? L2 ret Match! look at the program, not at the messages

22 test msg[1],msg1[1]; je out //recv msg Filters as program slices cmp msg[0],3; jne out... mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? ret filters are a subset of the program’s instructions //recv msg mov al,[msg] mov cl,0x3 cmp al,cl jne L2 //msg[0] == 3 ? xor eax,eax mov [esp+eax+4],cl mov cl,[eax+msg+1] inc eax test cl,cl jne L1 //msg[i] == 0 ? ret

23 Filters capture generic conditions –filters are assembly programs safe and efficient –no side effects, no loops two-filter design reduces false negatives –still improving

24 Putting it all together DetectorHost VulnerableHost Protection SCADistribution SCA Verification Filter Vulnerable Application Network SCADistribution SCA Verification Detection Engine SCA Generation Network

25 Evaluation three real worms: –Slammer (SQL server), Blaster (RPC), CodeRed (IIS) measurements of prototype implementation –SCA generation and verification –filter generation –filtering overhead simulations of SCA propagation with attacks

26 Time to generate SCAs

27 Time to verify SCAs

28 Time to generate filters

29 Filtering overhead

30 Simulating SCA propagation Susceptible/Infective epidemic model 500,000 node network on GeorgiaTech topology network congestion effects –RIPE data gathered during Slammer’s outbreak –delay/loss increase linearly with infected hosts DoS attacks –infected hosts generate fake SCAs –verification increases linearly with number of SCAs

31 Containing Slammer

32 Related Work network related –signatures: Honeycomb, Autograph, EarlyBird, Polygraph; throttling [Williamson02]; scanning detectors [Weaver04] host related –program shepherding [Kiriansky02]; perl taint mode, concurrent work similar to dynamic dataflow analysis: [Suh04], Minos, TaintCheck, Argos; [Sidiroglou05] related host-based system keep applications running despite attacks –failure oblivious computing, abort/rollback: DIRA, STEM, Rx human assisted, vulnerability specific detectors/filters –Shield, IntroVirt

33 Conclusion Vigilante can contain worms automatically –requires no prior knowledge of vulnerabilities –no false positives –low false negatives –deployable today

Download ppt "Vigilante: End-to-End Containment of Internet Worms Manuel Costa Joint work with: Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang,"

Similar presentations

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.

Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).

Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.

Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.

Similar presentations

Ads by Google