450 likes | 607 Views
Vigilante: End-to-End Containment of Internet Worms. Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Microsoft Research University of Cambridge, Computer Laboratory SOSP, 2005. Authors. Manuel Costa. Jon Crowcroft.
E N D
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Microsoft Research University of Cambridge, Computer Laboratory SOSP, 2005
Authors • Manuel Costa
Jon Crowcroft • He is the Marconi Professor of Communications Systems in the Computer Laboratory of the University of Cambridge. He joined the University of Cambridge in 2001, prior to which he was Professor of Networked Systems at University College London in the Computer Science Department.
Miguel Castro • I work at Microsoft Research on distributed systems, networking, and security. Before joining MSR, I was a graduate student in the Programming Methodology Group at the MITLaboratory for Computer Science working on object-oriented databases and Byzantine fault tolerance.
Citations in SOSP • Jeff H. Perkins, Sunghun Kim, Samuel Larsen, Saman P. Amarasinghe, Jonathan Bachrach, Michael Carbin, Carlos Pacheco, Frank Sherwood, Stelios Sidiroglou, Greg Sullivan, Weng-fai Wong, Yoav Zibin, Michael D. Ernst, Martin C. Rinard:Automatically patching errors in deployed software, SOSP, 2009 • John Dunagan, Alice X. Zheng, Daniel R. Simon: Heat-ray: combating identity snowball attacks using machinelearning, combinatorial optimization and attack graphs, SOSP, 2009 • Manuel Costa, Miguel Castro, Lidong Zhou, Lintao Zhang, Marcus Peinado :Bouncer: securing software by blocking bad input, SOSP, 2007 • Joseph Tucek, Shan Lu, Chengdu Huang, Spiros Xanthos, Yuanyuan Zhou :Triage: diagnosing production run failures at the user’s site, SOSP, 2007
Citations • Prateek Saxena, Pongsin Poosankam, Stephen Mccamant, Dawn Song : Loop-extended symbolic execution on binary programs, ISSTA, 2009 (Citations: 4) • Paolo Milani Comparetti, Gilbert Wondracek, Christopher Krügel, Engin Kirda :Prospex: Protocol Specification Extraction, S&P, 2009 (Citations: 3) • Juan Caballero, Pongsin Poosankam, Christian Kreibich, Dawn Xiaodong Song: Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering, CCS, 2009 • Hyung Chan Kim, Angelos D. Keromytis, Michael Covington, Ravi Sahita : Capturing Information Flow with Concatenated Dynamic Taint Analysis, IEEEARES, 2009 • Patrice Godefroid, Michael Y. Levin, David A. Molnar : Automated Whitebox Fuzz Testing, NDSS, 2008 (Citations: 40) • Gilbert Wondracek, Paolo Milani Comparetti, Christopher Krügel, Engin Kirda : Automatic Network Protocol Analysis, NDSS, 2008 (Citations: 14) • David Brumley, Pongsin Poosankam, Dawn Xiaodong Song, Jiang Zheng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, S&P, 2008 (Citations: 8)
Citations • Walter Chang, Brandon Streiff, Calvin Lin : Efficient and extensible security enforcement using dynamic data flow analysis, CCS, 2008 (Citations: 8) • Heng Yin, Zhenkai Liang, Dawn Song : HookFinder: Identifying and Understanding Malware Hooking Behaviors, NDSS, 2008 (Citations: 6) • Shobha Venkataraman, Avrim Blum, Dawn Song : Limits of Learning-based Signature Generation with Adversaries, NDSS, 2008 (Citations: 4) • Jaewoong Chung, Michael Dalton, Hari Kannan, Christos Kozyrakis: Thread-safe dynamic binary translation using transactional memory, HPCA, 2008 (Citations: 5) • Olatunji Ruwase, Phillip B. Gibbons, Todd C. Mowry, Vijaya Ramachandran, Shimin Chen, Michael Kozuch, Michael Ryan: Parallelizing dynamic information flow tracking, SPAA, 2008 (Citations: 4) • Andreas Moser, Christopher Krügel, Engin Kirda : Exploring Multiple Execution Paths for Malware Analysis, S&P, 2007 (Citations: 38) • Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, Dawn Xiaodong Song : Dynamic Spyware Analysis, USENIX, 2007 (Citations: 35) • Juan Caballero, Heng Yin, Zhenkai Liang, Dawn Xiaodong Song : Polyglot: automatic extraction of protocol message format using dynamic binary analysis, CCS, 2007 (Citations: 20)
The challenge • worms are bad • worms can infect many machines • attacker gains control of infected machines • worm propagation disrupts Internet traffic • it is crucial to prevent these attacks • not a new challenge but no solution yet • the problem is as serious as ever
Preventing worm infections • techniques to prevent bugs are important • type safe languages, static analysis, … • but unlikely to remove all bugs from services • need research on worm containment • worms spread too fast for human response • worm containment must be automatic
Automatic worm containment • previous solutions are network centric • they analyze network traffic • block suspect packets • no vulnerability information at network level • false negatives: worm traffic appears normal • false positives: good traffic misclassified • fundamental problem false positives are a barrier to automation
Vigilante: End-to-end worm containment • host-based cooperativedetection • detector runs instrumented software • analyzes infection attempt to generate an alert • distributes alert to other hosts • host-based protection • hosts analyze exploit described by alert • generate protection mechanism automatically • for example, a filter to block worm packets
Better host-based detectors • existing detectors are not sufficient • easily bypassed (e.g., stack canaries, NX) • high overhead (e.g., program shepherding) • poor coverage of some attack classes • better instrumentation to detect more worms • low false positives and false negatives • widely applicable (ideally to any binary) • low overhead (no alerts if negligible overhead)
Better host-based protection • robust automatic protection • block all polymorphic variants of detected worms • no false positives • fast inoculation: • fast alert distribution, fast deployment of protection • efficient protection • provide good performance for legitimate requests • existing high coverage detectors are too expensive • recovery after detection is also expensive
Better survivability • worm containment will not be perfect • must survive compromised hosts • without disruptions to critical services • without loss of critical data • better fault tolerant replication • keep faults below threshold with high probability
Vigilante’s components • Detection • SCA generation • SCA distribution • SCA verification • Protection
Outline • self-certifying alerts(SCAs) • detection and generation of self-certifying alerts • verify and distribute a SCA alert • generation of vulnerability filters • evaluation
Self-certifying alerts(SCA) • identify an application vulnerability • describe how to exploit a vulnerability • contain a log of events, verification information • enable hosts to verify if they are vulnerable • hosts modify events to signal verification success • hosts replay events in sandboxed application • there are no false positives enable cooperative worm containment without trust
SCA types • arbitrary execution control (AEC) • attacker can load a value in message into the PC • arbitrary code execution (ACE) • attacker can execute code in message • arbitrary function argument (AFA) • attacker can call function with arbitrary argument
SCA generation • log events • generate SCA when worm is detected • compute verification information • search log for relevant events • generate tentative version of SCA • repeat until verification succeeds • detectors may guide search • dynamic dataflow analysis is one such detector
Dynamic dataflow analysis id 400 stack pointer return address return address • high coverage and low false positive rate • allows direct extraction of verification information stack buffer buffer id 100 id 400 id 400 msg msg id 100 id 100 ( a ) Memory before ( b ) Memory after vulnerable code vulnerable code
Protection • hosts generate filter from SCA • dynamic data and control flow analysis • run vulnerable application in a sandbox • track control and data flow from input messages • compute conditions that determine execution path • filter blocks messages that satisfy conditions • filters can block polymorphic worms • no false positives by design
Filter generation • Uses full data flow information • Dataflow graphs for dirty data and CPU flags • Record decisions on conditional instructions • If SCA verification is successful, the host generates a filter for the exploit described in the SCA. • If the verification fails, the SCA is dropped, no more resources are wasted.
Vulnerability filter generation netbuf mov al,[netbuf] mov cl,0x31 cmp al,cl jne out xor eax,eax loop: mov [esp+eax+4],cl mov cl,[eax+netbuf+1] inc eax test cl,cl jne loop out: 0x31 0x24 0x67 0x42 0x0 Conditions: netbuf[0] == 0x31 netbuf[1] != 0 netbuf[2] != 0
Evaluation • three real worms: • Slammer (SQL server), Blaster (RPC), CodeRed (IIS) • measurements of prototype implementation • SCA generation and verification • filter generation • filtering overhead • simulations of SCA propagation with attacks
Increasing infection rate ß is Slammer’s infection rate(the rate at which a host infects new hosts)
Related Work • network related • signatures: Honeycomb, Autograph, EarlyBird, Polygraph; • throttling [Williamson02]; scanning detectors [Weaver04] • host related • program shepherding [Kiriansky02]; • perltaint mode, concurrent work similar to dynamic dataflow analysis: [Suh04], Minos, TaintCheck; • [Sidiroglou-Douskos05] related host-based system • keep applications running despite attacks • failure oblivious computing, abort/rollback: DIRA, STEM, Rx • human assisted, vulnerability specific detectors/filters • Shield, IntroVirt
Conclusion • Vigilante can contain worms automatically • requires no prior knowledge of vulnerabilities • no false positives • low false negatives • deployable today