Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group."— Presentation transcript:

1 Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group

2 Overview: Automatic Worm Containment  Vigilante: a person who ignores due process of law and enacts his or her own form of justice when they deem the response of the authorities to be insufficient.  Self-certifying alert (SCA): machine-verifiable proof of a vulnerability Can be honeypot

3 Outline  Self-certifying alerts  Local countermeasures  Evaluation  Related work  Conclusion

4 What is an SCA?  A sequence of messages, when received by the vulnerable service, cause it to reach a disallowed state  Verification: send messages + check  Detection: message logging + detector

5 SCA Types  Arbitrary Execution Control Jump to arbitrary existing code in a service’s address space Specifies how to jump to an address supplied in a message  Arbitrary Code Execution Code-injection vulnerability Specifies how to execute an arbitrary piece of code supplied in a message  Arbitrary Function Argument Data-injection vulnerability Specifies how to invoke a specific critical function with an argument supplied by a message

6 SCA Format:  Vulnerable service  Alert type  Verification information: Where in the message to put the supplied address/code/function argument  Sequence of messages

7 Example

8 Alert Verification sandbox Load a library & binary rewrite critical functions (e.g., exec)

9 Alert Generation  Log message and network endpoints Remove old messages (e.g., an hour old) Remove messages in generated SCAs Log is small in a honeypot system  Any detection methods: (in this paper) Non-executable pages Dynamic dataflow analysis  Upon detection, search the log to generate candidate SCAs and verify them

10 Non-executable pages  Low overhead  Upon catching an exception: 1. Search messages for the address or the code of the faulting instruction 2. Use a single message as a candidate SCA 3. If this is not verified, add more messages until the log is empty 4. (On a honeypot, at step 3, add the entire log if the log is less than 5 messages long)

11 Dynamic dataflow analysis  A flavor of taintcheck  Metadata: One bit per 4K page: if a page is entirely clean For dirty pages, keep one identifier per memory location:  Identifier: an integer – represents the input message and message offset A separate list mapping identifiers to messages  Propagate for only data movement instructions: MOV, MOVS, PUSH, POP

12 Alert Distribution  Assume some kind of secure overlay  Flooding: each host sends the SCA to all its overlay neighbors  Problems discussed in paper Compromised hosts may flood the overlay with bad/old SCAs Must prevent worms to use the overlay for propagation

13 Outline  Self-certifying alerts  Local countermeasures  Evaluation  Related work  Conclusion

14 Automatic filter generation Basically, Bouncer is the improvement of the proposal here.

15 Evaluation  Prototype: x86 + Windows  Dell Precision workstations with 3GHz Pentium 4, 2GB RAM, 100Mbps Ethernet  Real worms: Slammer: MS SQL Server CodeRed: MS IIS Server Blaster: RPC service (2 message attack)

16 Alert Generation  The moment the last worm message is received till the detector generates an SCA  No verification  Only worm messages in the log

17 SCA Sizes

18 Alert Verification  Verification time when VM is already running  The verification VM has low overhead normally: Less than 1% of CPU cost About 84 MB memory

19 Alert Distribution (Network Simulation)

20

21 End-to-End Experiments  5 machines: 1-2-3-4-5 1 is the detector 5 is the vulnerable host 2,3,4 are intermediate overlay nodes  Time from worm probe reaching 1 till 5 verifies SCA Slammer: 79ms Blaster: 305ms CodeRed: 3044ms

22 Conclusion  Automatic worm containment is important  SCA enables cooperation across many hosts that do not trust each other

Download ppt "Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.

P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.
Memory Management: Overlays and Virtual Memory

Memory Management: Overlays and Virtual Memory
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.

Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
What’s the Problem Web Server 1 Web Server N Web system played an essential role in Proving and Retrieve information. Cause Overloaded Status and Longer.

What’s the Problem Web Server 1 Web Server N Web system played an essential role in Proving and Retrieve information. Cause Overloaded Status and Longer.
Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.

Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).

Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).
© nCode 2000 Title of Presentation goes here - go to Master Slide to edit - Slide 1 Reliable Communication for Highly Mobile Agents ECE 7995: Term Paper.

© nCode 2000 Title of Presentation goes here - go to Master Slide to edit - Slide 1 Reliable Communication for Highly Mobile Agents ECE 7995: Term Paper.
DISTRIBUTED CONSISTENCY MANAGEMENT IN A SINGLE ADDRESS SPACE DISTRIBUTED OPERATING SYSTEM Sombrero.

DISTRIBUTED CONSISTENCY MANAGEMENT IN A SINGLE ADDRESS SPACE DISTRIBUTED OPERATING SYSTEM Sombrero.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.

Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
The MS Blaster worm Presented by: Zhi-Wen Ouyang.

The MS Blaster worm Presented by: Zhi-Wen Ouyang.
Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.

Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.

Similar presentations

Ads by Google