Published by Branden Allison. Modified over 9 years ago.
1
Stamping out worms and other Internet pests
Miguel Castro, Microsoft Research
www.aqualab.cs.northwestern.edu
2
Choffnes EECS, Northwestern University
The challenge
worms are bad
– worms can infect many machines
– attacker gains control of infected machines
– worm propagation disrupts Internet traffic
it is crucial to prevent these attacks
– not a new challenge, but no solution yet
– the problem is as serious as ever
3
Preventing worm infections
techniques to prevent bugs are important
– type safe languages, static analysis, …
– but unlikely to remove all bugs from services
need research on worm containment
– worms spread too fast for human response
– worm containment must be automatic
4
Automatic worm containment
previous solutions are network centric
– they analyze network traffic
– block suspect packets
no vulnerability information at network level
– false negatives: worm traffic appears normal
– false positives: good traffic misclassified
– fundamental problem
false positives are a barrier to automation
5
End-to-end worm containment
host-based cooperative detection
– detector runs instrumented software
– analyzes infection attempt to generate an alert
– distributes alert to other hosts
host-based protection
– hosts analyze exploit described by alert
– generate protection mechanism automatically, for example a filter to block worm packets
first steps: Vigilante [Costa et al, SOSP 2005]
6
Better host-based detectors
existing detectors are not sufficient
– easily bypassed (e.g., stack canaries, NX)
– high overhead (e.g., program shepherding)
– poor coverage of some attack classes
better instrumentation to detect more worms
– low false positives and false negatives
– widely applicable (ideally to any binary)
– low overhead (no alerts if negligible overhead)
7
Better host-based protection
robust automatic protection
– block all polymorphic variants of detected worms
– no false positives
– fast inoculation: fast alert distribution, fast deployment of protection
efficient protection
– provide good performance for legitimate requests
– existing high coverage detectors are too expensive
– recovery after detection is also expensive
8
Better survivability
worm containment will not be perfect
must survive compromised hosts
– without disruptions to critical services
– without loss of critical data
better Byzantine fault tolerant replication
– keep faults below threshold with high probability
9
Conclusion
worms and viruses must be stopped
need more research to stop them
proposed a new research focus
requires research spanning
– operating systems, networking, programming languages, and distributed systems
10
Vigilante’s components
Detection
SCA generation
SCA distribution
SCA verification
Protection
11
Outline
self-certifying alerts
detection and generation of self-certifying alerts
generation of vulnerability filters
evaluation
next steps
12
Self-certifying alerts
identify an application vulnerability
– describe how to exploit a vulnerability
– contain a log of events, verification information
enable hosts to verify if they are vulnerable
– hosts modify events to signal verification success
– hosts replay events in sandboxed application
– there are no false positives
enable cooperative worm containment without trust
13
SCA types
arbitrary execution control (AEC)
– attacker can load a value in message into the PC
arbitrary code execution (ACE)
– attacker can execute code in message
arbitrary function argument (AFA)
– attacker can call function with arbitrary argument
14
Verifying an AEC alert
[figure: a vulnerable process running normal code receives the verified SCA, which carries the message log and the verification information; the logged message 0x111111111114444444411111 is delivered through ReceiveMessage() and execution ends up at 0x44444444, the value the verifier planted in the message]
proves that external interfaces allow arbitrary control of the execution
15
SCA generation
log events
generate SCA when worm is detected
– compute verification information
– search log for relevant events
– generate tentative version of SCA
– repeat until verification succeeds
detectors may guide search
– dynamic dataflow analysis is one such detector
16
Dynamic dataflow analysis
high coverage and low false positive rate
allows direct extraction of verification information
[figure: (a) memory before vulnerable code: the stack holds a return address above the msg buffer, whose input bytes carry dataflow ids (id100, id400), with the stack pointer marked; (b) memory after vulnerable code: the tagged bytes have been copied up the stack and the return address now carries an input id, so the verification information can be read off the tags]
17
Cooperative worm containment
SCA enables cooperative containment
– any host can be a detector
– hosts can run high-overhead detection engines
– hosts can run different detection engines (NX, …)
– small TCB for SCA verification
cooperation enables low false negative rate
18
SCA broadcast
uses secure Pastry
– hosts join overlay
– detectors flood alerts over overlay links
denial-of-service prevention
– per-link rate limiting
– per-hop filtering and verification
can reach vulnerable hosts with high probability
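The two denial-of-service defences on this slide, per-link rate limiting and verification at every hop before forwarding, can be exercised in a small simulation. The Python below is an added example and not Vigilante's secure Pastry code: it assumes a constructed six-host overlay, a budget of three alerts per incoming link per interval, and a stand-in verify predicate that returns the alert's constructed valid flag where a real host would replay the SCA in a sandbox.

```python
"""Toy flood of self-certifying alerts over an overlay (added example, not
Vigilante code): every hop verifies an alert before forwarding it and accepts
only a bounded number of alerts per incoming link per interval."""
from collections import deque

# constructed overlay links; the real system takes them from secure Pastry
EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F"),
         ("F", "A"), ("A", "D")]


class Host:
    def __init__(self, name):
        self.name = name
        self.neighbours = []
        self.known = set()        # ids of alerts verified here (host is protected)
        self.link_budget = {}     # alerts still accepted per incoming link
        self.verify_calls = 0     # expensive sandboxed verifications performed
        self.rate_limited = 0     # alerts dropped cheaply, without verification

    def verify(self, alert):
        """Stand-in for sandboxed replay: assumption that the flag decides."""
        self.verify_calls += 1
        return alert["valid"]


def build_overlay(edges, per_link_limit):
    hosts = {}
    for a, b in edges:
        ha = hosts.setdefault(a, Host(a))
        hb = hosts.setdefault(b, Host(b))
        ha.neighbours.append(hb)
        hb.neighbours.append(ha)
        ha.link_budget[b] = per_link_limit
        hb.link_budget[a] = per_link_limit
    return hosts


def flood(hosts, origin, alert):
    """Origin injects the alert; every other hop verifies before forwarding.

    Returns the names of the hosts beyond the origin that accepted it."""
    src0 = hosts[origin]
    src0.known.add(alert["id"])
    queue = deque((src0, nb) for nb in src0.neighbours)
    reached = set()
    while queue:
        src, dst = queue.popleft()
        if dst.link_budget[src.name] <= 0:      # per-link rate limit: drop cheaply
            dst.rate_limited += 1
            continue
        dst.link_budget[src.name] -= 1
        if alert["id"] in dst.known:            # duplicate over another path
            continue
        if not dst.verify(alert):               # bogus alerts die at the first hop
            continue
        dst.known.add(alert["id"])
        reached.add(dst.name)
        queue.extend((dst, nb) for nb in dst.neighbours if nb is not src)
    return reached


def run_demo(per_link_limit=3, bogus_count=5):
    """Attacker A floods bogus alerts, then detector D floods a genuine one."""
    hosts = build_overlay(EDGES, per_link_limit)
    bogus_reach = max(len(flood(hosts, "A", {"id": f"bogus{i}", "valid": False}))
                      for i in range(bogus_count))
    forced = sum(h.verify_calls for h in hosts.values())
    limited = sum(h.rate_limited for h in hosts.values())
    genuine = flood(hosts, "D", {"id": "sca-1", "valid": True})
    return {"bogus_reach": bogus_reach, "forced_verifications": forced,
            "rate_limited_drops": limited, "genuine_reach": sorted(genuine)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Bogus alerts from A cost each of its three neighbours one verification until the link budgets are spent, after which they are dropped without any work, and none travels further because no hop forwards an alert it could not verify. The genuine alert from D still reaches every host although the links from A are exhausted, because flooding delivers it over the remaining links. Budgets are not refilled here; a deployment would reset them per interval.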
19
Protection
hosts generate filter from SCA
dynamic data and control flow analysis
– run vulnerable application in a sandbox
– track control and data flow from input messages
– compute conditions that determine execution path
– filter blocks messages that satisfy conditions
filters can block polymorphic worms
no false positives by design
20
Vulnerability filter generation
    mov al,[netbuf]        ; al = first byte of the received message
    mov cl,0x31
    cmp al,cl
    jne out                ; only messages starting with 0x31 take the vulnerable path
    xor eax,eax
loop:
    mov [esp+eax+4],cl     ; copy the byte onto the stack with no bounds check
    mov cl,[eax+netbuf+1]  ; fetch the next message byte
    inc eax
    test cl,cl
    jne loop               ; keep copying until a zero byte
out:
Conditions:
netbuf[0] == 0x31
netbuf[1] != 0
netbuf[2] != 0
netbuf contents: 0x31 0x24 0x67 0x42 0x00
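The alert verification described on the self-certifying alert slides (replay the logged message in a sandbox with the value that reaches the PC replaced by a marker) and the filter generation described on the protection slides can both be exercised on the copy loop above. The Python model below is an added example, not code from Vigilante or its authors; it assumes an 8-byte local buffer at [esp+4] directly followed by the 4-byte saved return address, a legitimate return address of 0x08040000, the marker 0x44444444 from the verification slide as the sentinel, and constructed worm, variant and benign messages.

```python
"""Toy model of Vigilante-style self-certifying alerts (added example, not
project code): emulates the slide's copy loop with input-to-branch tracking,
verifies an AEC alert by sentinel substitution and replay, and derives a
vulnerability filter from the path conditions the replay depends on."""
from dataclasses import dataclass

BUF_SIZE = 8            # assumed: 8-byte local buffer starting at [esp+4]
SAFE_RET = 0x08040000   # assumed legitimate saved return address
SENTINEL = 0x44444444   # verifier's marker value, as on the AEC verification slide


@dataclass
class Trace:
    pc: int          # where execution continues after the copy loop
    conds: list      # every path condition on the message: (op, index, value)
    aec_conds: list  # conditions needed to reach the return-address overwrite, or None


def emulate(netbuf: bytes, ret_addr: int = SAFE_RET) -> Trace:
    """Sandboxed replay of the slide's loop with data/control flow tracking.

    Every conditional branch reads one byte of netbuf, so each branch outcome
    is recorded as a condition on that byte."""
    def byte(i):  # message buffer modelled as zero-filled past the message end
        return netbuf[i] if i < len(netbuf) else 0

    stack = bytearray(BUF_SIZE + 4)               # [esp+4, esp+4+BUF_SIZE+4)
    stack[BUF_SIZE:] = ret_addr.to_bytes(4, "little")
    conds, aec_conds = [], None
    if byte(0) != 0x31:                           # cmp al,cl ; jne out
        conds.append(("ne", 0, 0x31))
        return Trace(ret_addr, conds, None)
    conds.append(("eq", 0, 0x31))
    eax, cl = 0, 0x31
    while eax < len(stack):                       # writes past the modelled frame are dropped
        stack[eax] = cl                           # mov [esp+eax+4],cl : no bounds check
        if eax == BUF_SIZE + 3:                   # last byte of the return address overwritten
            aec_conds = list(conds)
        cl = byte(eax + 1)                        # mov cl,[eax+netbuf+1]
        eax += 1                                  # inc eax
        if cl == 0:                               # test cl,cl ; jne loop
            conds.append(("eq", eax, 0))
            break
        conds.append(("ne", eax, 0))
    return Trace(int.from_bytes(stack[BUF_SIZE:], "little"), conds, aec_conds)


@dataclass
class SCA:
    """AEC alert: the logged message plus the verification information."""
    message: bytes
    pc_offset: int   # offset of the 4 message bytes that end up in the PC


def _with_sentinel(sca: SCA) -> bytes:
    """Modify the logged event so that success loads SENTINEL into the PC."""
    msg = bytearray(sca.message)
    msg[sca.pc_offset:sca.pc_offset + 4] = SENTINEL.to_bytes(4, "little")
    return bytes(msg)


def verify_aec(sca: SCA) -> bool:
    """Replay in the sandbox; the alert is genuine iff control reaches SENTINEL."""
    return emulate(_with_sentinel(sca)).pc == SENTINEL


def generate_filter(sca: SCA):
    """Turn a verified alert into a filter over the conditions the exploit needs."""
    trace = emulate(_with_sentinel(sca))
    if trace.pc != SENTINEL or trace.aec_conds is None:
        raise ValueError("alert does not verify: no filter generated")
    conds = trace.aec_conds

    def blocks(message: bytes) -> bool:
        byte = lambda i: message[i] if i < len(message) else 0
        return all(byte(i) == v if op == "eq" else byte(i) != v for op, i, v in conds)

    return blocks, conds


# constructed messages: a worm returning into 0xDEADBEEF, a polymorphic variant
# with different filler and target, and three benign messages
WORM = b"\x31" + b"\x90" * 7 + (0xDEADBEEF).to_bytes(4, "little") + b"\xcc" * 4
VARIANT = b"\x31" + b"\x41" * 7 + (0xBADC0DE1).to_bytes(4, "little") + b"\xcc" * 8
BENIGN = [b"\x31\x24\x67\x42\x00", b"GET / HTTP/1.0\r\n", b"\x31" + b"x" * 6]

if __name__ == "__main__":
    print("worm returns to", hex(emulate(WORM).pc))
    sca, bogus = SCA(WORM, pc_offset=BUF_SIZE), SCA(WORM, pc_offset=2)
    print("SCA verifies:", verify_aec(sca), "| bogus SCA verifies:", verify_aec(bogus))
    blocks, conds = generate_filter(sca)
    print("filter conditions:", conds)
    print("blocks worm, variant:", blocks(WORM), blocks(VARIANT))
    print("blocks benign:", [blocks(m) for m in BENIGN])
```

The filter keeps only the conditions recorded up to the write that completes the return-address overwrite, so it matches every message that reaches the hijack whatever its payload bytes (the polymorphic variant) and passes messages that start with 0x31 but stop copying before the return address. A bogus alert whose verification information points at the wrong offset fails replay and yields no filter, which is the no-false-positives property of the slides. On the slide's own five-byte netbuf the replay records exactly the listed conditions netbuf[0] == 0x31, netbuf[1] != 0, netbuf[2] != 0 followed by netbuf[3] != 0 and the terminating netbuf[4] == 0.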
21
Evaluation
three real worms:
– Slammer (SQL server), Blaster (RPC), CodeRed (IIS)
measurements of prototype implementation
– SCA generation and verification
– filter generation
– filtering overhead
simulations of SCA propagation with attacks
22
Time to generate SCAs
23
Time to verify SCAs
24
Time to generate filters
25
Filtering overhead
26
Containing Slammer
27
Increasing infection rate
β is Slammer’s infection rate (the rate at which a host infects new hosts)
28
Increasing verification time
29
Increasing seed hosts
30
Conclusion
Vigilante can contain worms automatically
– requires no prior knowledge of vulnerabilities
– no false positives
– low false negatives