
Vigilante: End-to-End Containment of Internet Worms

Vigilante: End-to-End Containment of Internet Worms. Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005. Presented By : Ramanarayanan Ramani.



Presentation Transcript


  1. Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005 Presented By : Ramanarayanan Ramani

  2. Motivation • To improve the security of end host computers • Share security information between hosts • Validation and Verification of the security information

  3. Vigilante Design • Self-Certifying Alerts • Alert Types • Alert Detection & Generation • Alert Distribution • Alert Verification • Automatic Filter Generation

  4. Self-Certifying Alerts 1. Infection Attempt 2. Infection Detection 3. Certificate Generation 4. Certificate Distribution 5. Certificate Verification 6. Filter for infection

  5. Self-Certifying Alerts • How can the certificate be trusted? • It names the vulnerable service or program (including version) • It gives the steps of the infection • Each end host replays those steps against its own copy of the service in a virtual environment and accepts the certificate only if the infection actually succeeds

  6. Alert Types • Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space • Arbitrary Code Execution alerts : Describe code-injection vulnerabilities • Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

  7. Example SCA

  8. Alert Detection • Non-executable pages • Non-execute protection on stack and heap pages • Detect and prevent code injection attacks • Dynamic dataflow analysis • Network data and data derived from it are dirty • Monitor dirty data movement

  9. SCA Generation • Non-executable pages • Use the log file to generate the SCA • Locate the message that carried the injected code • Record the address of the faulting instruction • The message and the offset within the message are recorded in the verification information • Might be a combination of messages

  10. SCA Generation • Dynamic dataflow analysis • Information is simply read from the data structures maintained by the engine • Identifier for the dirty data found from table of dirty memory locations or the table of dirty registers • Map identifier to message and offset in message

  11. Dynamic dataflow analysis Example

  12. Alert Distribution • Vigilante uses a secure Pastry overlay • Each host sends the SCA to all its overlay neighbors • Each host has a significant number of neighbors, so flooding provides reliability even when compromised hosts refuse to forward an SCA • Links between neighbors are secured; each host needs a certificate binding it to a random HostID in order to join the overlay

  13. Alert Distribution • Defense against denial-of-service attacks • Hosts do not forward SCAs that are blocked by their filters or that are identical to SCAs received recently • Hosts only forward SCAs that they can verify • Hosts impose a rate limit on the number of SCAs they are willing to verify from each neighbor

  14. Alert Verification • SCA verifier receives an SCA • Sends the SCA to the verification manager inside the virtual machine • Verification manager uses the data in the SCA to identify the vulnerable service

  15. Alert Verification • Modifies the sequence of messages in the SCA to trigger execution of Verified when the messages are sent to the vulnerable service • If Verified is executed, the verification manager signals success • Failure after Timeout

  16. Automatic Filter Generation • Analyze the execution path followed when the messages in the SCA are replayed • Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability

  17. Automatic Filter Generation • Dynamic Data Flow Analysis • Compute data flow graphs for dirty data (data as in SCA) • Describes how to compute the current value of the dirty data • Associate a data flow graph with every memory position, register, and processor flag that stores dirty data

  18. Automatic Filter Generation • Dynamic Control Flow Analysis • Keeps track of all conditions that determine the program counter • Also the conditions used when executing conditional move and set instructions • The filter condition is the conjunction of these conditions with the previous filter condition • For example, when the instruction “jz addr” is executed, the filter condition is left unchanged if the zero flag is clean

  19. Filter Generation Example
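The detector and filter machinery of slides 8 to 11 and 16 to 19, reduced to a toy instruction set, as an added Python example that is not code from the paper or the talk: bytes read from network messages are dirty and carry the (message, offset) they came from, a control transfer to a dirty address yields an arbitrary execution control SCA, and the branch conditions evaluated on dirty data along that path form the conjunction that becomes the filter. The instruction set, the PROGRAM and the probe bytes are constructed for illustration; Vigilante itself instruments x86 binaries.

```python
def run(program, messages):
    regs = {}     # reg -> (value, data flow graph as a closure over messages, labels)
    conds = []    # filter: conjunction of (dirty expression, truth value it took)
    pc = 0
    while True:
        ins = program[pc]
        if ins[0] == "load":       # reg <- byte `off` of message `m`: dirty data
            _, r, m, off = ins
            regs[r] = (messages[m][off], (lambda M, m=m, off=off: M[m][off]), {(m, off)})
            pc += 1
        elif ins[0] == "movi":     # reg <- constant: clean data, no labels
            _, r, imm = ins
            regs[r] = (imm, (lambda M, imm=imm: imm), set())
            pc += 1
        elif ins[0] == "add":      # dst <- dst + src; graphs and labels combine
            _, d, s = ins
            (dv, de, dl), (sv, se, sl) = regs[d], regs[s]
            regs[d] = ((dv + sv) & 0xFFFF,
                       (lambda M, de=de, se=se: (de(M) + se(M)) & 0xFFFF), dl | sl)
            pc += 1
        elif ins[0] == "jnz":      # conditional branch on a register
            _, r, target = ins
            v, e, labels = regs[r]
            if labels:             # branch on dirty data: record the condition taken;
                conds.append((e, v != 0))  # a clean condition leaves the filter unchanged
            pc = target if v != 0 else pc + 1
        elif ins[0] == "jmpr":     # indirect jump: a dirty target is an arbitrary
            v, e, labels = regs[ins[1]]   # execution control (AEC) infection attempt
            if labels:
                return {"type": "AEC", "pc": pc, "sources": sorted(labels)}, conds
            pc = v
        else:                      # "halt": no infection attempt observed
            return None, conds

def filter_matches(conds, messages):
    """True if `messages` would follow the same dirty path, i.e. the filter blocks them."""
    return all(bool(e(messages)) == taken for e, taken in conds)

# Constructed toy service: byte 0 selects a handler; the handler derives a jump
# target from byte 1 and a clean table base without any bounds check.
PROGRAM = [
    ("load", "r0", 0, 0),        # 0: r0 <- type byte (dirty)
    ("jnz", "r0", 3),            # 1: nonzero type -> handler
    ("halt",),                   # 2
    ("load", "r1", 0, 1),        # 3: r1 <- attacker-controlled byte (dirty)
    ("movi", "r2", 0x1000),      # 4: r2 <- handler table base (clean)
    ("add", "r1", "r2"),         # 5: r1 <- 0x1000 + byte, still dirty
    ("jmpr", "r1"),              # 6: control transfer to a dirty address
]
```

Running `run(PROGRAM, [bytes([1, 0x20])])` reports the dirty jump at pc 6 with source (message 0, offset 1), and the resulting filter blocks every message whose type byte is nonzero while letting type 0 through.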

  20. Experimental setup • Dell Precision workstations with 3 GHz Intel Pentium 4 processors • 2 GB of RAM • Intel PRO/1000 Gigabit network cards • Hosts were connected through a 100 Mbps D-Link Ethernet switch

  21. Alert Generation

  22. SCA Size

  23. Alert Verification

  24. Filter Generation

  25. Filter Overhead

  26. Alert Distribution - Simulation • S : Population of susceptible hosts • p : Fraction of them being detectors • β : Average infection rate • It : The total number of infected hosts at time t • Pt : The number of distinct susceptible hosts that have been probed by the worm at time t

  27. Alert Distribution - Simulation • k : Number of hosts infected at the start • When a new host is infected : • The simulator calculates the expected time until a new susceptible host receives a worm probe • It randomly picks an unprobed susceptible host as the target of that probe • If the target is a detector, an SCA is generated and distributed

  28. Simulation Parameters Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000

  29. Simulation Results

  30. Strengths • The concept of SCAs and the end-to-end automatic worm containment architecture • Mechanisms to generate, verify, and distribute SCAs automatically • Automatic mechanism to generate host-based filters that block worm traffic • Fast, low false positives and negatives

  31. Weaknesses • Overhead on the network is not considered • Worms can send false messages to a detector and create invalid SCAs • Undetected worms may use the overlay to spread • More alert types could have been defined

  32. Suggestions • Use dummy worms to create invalid SCA and check network overhead • What if worm creates its own SCA which may seem valid but may create a backdoor?

  33. Questions?
