CS-558 Vigilante: End-to-End Containment of Internet Worms
Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham
Smyrnaki Ourania
Problems with Worm Containment
• Worms spread too fast for humans to respond.
• Recent network-level techniques have limitations: at the network level there is no information about the vulnerabilities exploited by worms.
Introduction - Proposal
• Propose a new system called Vigilante for automatic worm containment.
• Detector hosts are distributed all over the network:
  • Hard for worms to avoid detection.
  • Hard to disable the detectors with denial-of-service attacks.
Vigilante
• End-to-end approach that contains worms automatically.
• Collaborative worm detection at end hosts; does not require hosts to trust each other.
• Hosts detect worms and broadcast Self-Certifying Alerts (SCAs) upon worm detection.
Components in Vigilante
• Detection of worms
• Generation of SCAs
• Verification process
• Distribution process
• Protection process: hosts generate filters to protect themselves
[Figure: Vigilante architecture. Detector host: vulnerable application, detection engine, generation of SCAs, SCA verification, SCA distribution. Vulnerable host: SCA verification, SCA distribution, filter, protection. Hosts are connected over the network.]
Self-Certifying Alert (SCA)
• Three different types of SCAs (each describes a vulnerability):
  • Arbitrary Execution Control Alert: identifies vulnerabilities that allow worms to redirect execution to arbitrary pieces of code.
  • Arbitrary Code Execution Alert: describes code-injection vulnerabilities.
  • Arbitrary Function Argument Alert: identifies data-injection vulnerabilities that allow worms to change the values of arguments to critical functions.
Self-Certifying Alert (SCA) for the Slammer Worm
• All three types of SCAs have a common format.
Alert verification
• Reproduce the infection process in a virtual machine.
• Each host runs a VM with a verification manager.
• Step 2: The verification manager uses the data in the SCA to identify the vulnerable service.
• Step 4: If Verified is executed, the verification manager signals SUCCESS to the SCA verifier. Otherwise the SCA verifier declares failure after a timeout.
Alert generation
• Two detection engines:
  • Non-executable pages
  • Dynamic dataflow analysis
Non-executable pages
• Non-execute protection on stack and heap pages.
• When a worm attempts to execute code in a protected page, an exception is thrown.
• The detector catches the exception and tries to generate an SCA.
• It traverses the message logs searching for the code to be executed or for the address of the faulting instruction, and generates an SCA.
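As an added illustration of the search step above (this is not the paper's code; the message log, the faulting address and the injected bytes are constructed), a minimal NX-style SCA generator that locates the faulting address, or else the bytes about to execute, inside the logged input:

```python
import struct
from dataclasses import dataclass

@dataclass
class SCA:
    kind: str            # "execution-control" or "code-execution"
    message_index: int   # which logged message carried the worm data
    offset: int          # byte offset of that data inside the message

# Constructed sample data (not from the paper): a benign request followed by a
# probe carrying the 32-bit value the faulting instruction pointer held, then
# eight placeholder bytes standing in for injected code.
FAULT_ADDR = 0x0804A020
MESSAGES = [
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"A" * 40 + struct.pack("<I", FAULT_ADDR) + b"\xcc" * 8,
]

def generate_sca(messages, fault_addr, code_at_fault=None):
    """Mimic the NX detector's search once the exception reports the faulting
    instruction pointer. First look for the address itself in the logged input
    (control was redirected to a value the worm sent: execution-control alert);
    failing that, look for the bytes that were about to execute (the worm
    injected code: code-execution alert). Returns None if neither is found."""
    addr_bytes = struct.pack("<I", fault_addr)  # little-endian, as on x86
    for i, msg in enumerate(messages):
        off = msg.find(addr_bytes)
        if off != -1:
            return SCA("execution-control", i, off)
    if code_at_fault:
        for i, msg in enumerate(messages):
            off = msg.find(code_at_fault)
            if off != -1:
                return SCA("code-execution", i, off)
    return None

if __name__ == "__main__":
    print(generate_sca(MESSAGES, FAULT_ADDR))
```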
Dynamic dataflow analysis
• Dynamic information flow tracking is a hardware mechanism that protects programs against malicious attacks by identifying spurious information flows and restricting the usage of spurious information.
• Track the flow of data received in certain network/input operations.
• Instrument every control transfer instruction (RET, CALL, JMP) and every instruction that moves data (MOV, PUSH).
Dynamic dataflow analysis
• Simple algorithm: whenever an instruction moves data from a source to a destination, the destination becomes dirty if the source is dirty, or clean otherwise.
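As an added example (not the paper's implementation, which instruments real x86 binaries), a toy taint tracker that applies the dirty/clean rule above to a constructed instruction stream and reports the first control transfer whose target was derived from network input; the cell names and the three sample programs are constructed:

```python
# Constructed toy machine: cells are named registers or memory locations, and a
# program is a list of tuples:
#   ("MOV", dst, src), ("PUSH", dst, src)              data movement
#   ("CALL", target), ("JMP", target), ("RET", target) control transfer, where
#   target names the cell that supplies the new instruction pointer.
DATA_OPS = {"MOV", "PUSH"}
CONTROL_OPS = {"CALL", "JMP", "RET"}

def find_violation(program, network_cells):
    """Run the dirty/clean propagation rule over the program and return the
    index of the first control transfer whose target cell is dirty, or None.
    Cells filled by network reads start dirty; everything else starts clean."""
    dirty = set(network_cells)
    for idx, instr in enumerate(program):
        op = instr[0]
        if op in DATA_OPS:
            _, dst, src = instr
            # destination becomes dirty iff the source is dirty
            if src in dirty:
                dirty.add(dst)
            else:
                dirty.discard(dst)
        elif op in CONTROL_OPS:
            _, target = instr
            if target in dirty:
                return idx
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return None

# Constructed sample programs; "recv_buf" holds bytes read from the network.
BENIGN = [
    ("MOV", "eax", "recv_buf"),        # eax becomes dirty
    ("MOV", "saved_eip", "code_ptr"),  # return address comes from clean data
    ("RET", "saved_eip"),
]
OVERFLOW = [
    ("MOV", "eax", "recv_buf"),
    ("MOV", "saved_eip", "eax"),       # return address overwritten with input
    ("RET", "saved_eip"),              # control transfer to dirty data: alert
]
OVERWRITTEN = [
    ("MOV", "eax", "recv_buf"),
    ("MOV", "eax", "zero"),            # a clean write makes eax clean again
    ("MOV", "saved_eip", "eax"),
    ("RET", "saved_eip"),
]

if __name__ == "__main__":
    for name, prog in [("benign", BENIGN), ("overflow", OVERFLOW), ("overwritten", OVERWRITTEN)]:
        print(name, find_violation(prog, {"recv_buf"}))
```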
Distribution of SCAs
• Race: worm propagation vs. SCA distribution
Distribution process
• Secure overlay network (Pastry) with super peers, used to broadcast the alerts.
• Flooding in order to broadcast alerts to ALL the hosts in the overlay.
• Each host maintains 15 log₁₆ N neighbors, and the expected path length is log₁₆ N hops.
• The Vigilante overlay is extremely effective: once a detector is probed, it takes 2.5 seconds to reach almost all the vulnerable hosts.
Evaluation
• Evaluated Vigilante with real worms.
• Slammer:
  • Infected approximately 75,000 Microsoft SQL Servers.
  • Fastest computer worm in history.
  • During its outbreak, the number of infected machines doubled every 8.5 seconds.
Evaluation
• CodeRed:
  • Infected approximately 360,000 Microsoft IIS Servers.
  • Spreads much slower than Slammer.
  • Took 37 minutes to double the infected population.
Evaluation
• Blaster:
  • Infected the RPC service on Microsoft Windows machines.
  • Infected 500,000 hosts.
  • Spread rate similar to CodeRed's.
Evaluation - Alert generation
• Detectors generate an arbitrary execution control alert for Slammer and Blaster, and an arbitrary code execution alert for CodeRed.
• Both detectors generate SCAs fast.
• Generation time is higher for CodeRed since the number of instructions executed is larger.
• The NX detector performs best: its instrumentation is less intrusive, but also less general.
[Table: SCA generation time in milliseconds for real worms using the two detectors]
Evaluation - Alert generation
• The size of SCAs is small.
• Mostly determined by the size of the worm probe messages.
[Table: SCA sizes in bytes for real worms]
Evaluation - Alert verification
• Verification is fast.
• Keep a VM running, ready to verify SCAs when they arrive.
• Starting VMs on demand resulted in additional delay.
[Table: SCA verification time in ms for real worms]
Modeling of worm propagation/infection
• S: number of susceptible hosts
• p: fraction of susceptible hosts that are detectors
• β: infection rate
• I_t: total number of infected hosts at time t
• P_t: number of distinct susceptible hosts that have been probed by the worm at time t
Evaluation - Containment
• Infected percentage of vulnerable hosts with different fractions p of detectors.
• A small fraction of detectors, p = 0.001, is enough to contain the worm infection to less than 5% of the vulnerable population, even under DoS attacks.
Evaluation - Filter generation
• Filter generation for CodeRed is more expensive: the number of instructions analysed is larger.
[Table: Filter generation time for real worms]
Evaluation - Containment
• Effect of SCA verification time, infection rate and number of initially infected hosts.
• When is the effectiveness of Vigilante reduced?
  • Verification time is 1000 ms
  • Infection rate is 8β
  • 10000 initially infected nodes