Vigilante EndtoEnd Containment of Internet Worms Manuel Costa
- Slides: 23
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Presented by Mahesh Balakrishnan
Worms l The Morris Worm… 1988 l l l l Zotob – Aug 2005, Windows Plug-and-Play Sasser – May 2004, Windows LSASS Mydoom – Jan 2004, email So. Big, Aug 2003, email Blaster – Aug 2003, Windows RPC Slammer – Jan 2003, SQL Nimda – Sep 2001, email + IE Code. Red – July 2001, IIS
The Anatomy of a Worm l Replicate, replicate, replicate… exponential growth l Exploit Vulnerability in Network-facing Software l Worm Defense involves Detection – of what? l Response l
Existing Work l Network l Level Approaches … Polymorphic? Slow worms? l Host-based Approaches: Instrument code extensively. Slow (? )… l Do it elsewhere: Honeypots… honeyfarms l Worm Defense now has three components: Detection, Propagation, Response
Vigilante l Automates worm defense l ‘Collaborative Infrastructure’ to detect worms l Required: Negligible rate of false positives l Network-level approaches do not have access to vulnerability specifics
Solution Overview Run heavily instrumented versions of software on honeypot or detector machines l Broadcast exploit descriptions to regular machines l Generate message filters at regular machines to block worm traffic l Requires separate detection infrastructure for each particular service: is this a problem? l
SCA: Self-Certifying Alert l Allows exploits to be described, shipped, and reproduced l Self-Certifying: to verify authenticity, just execute within sandbox l Expressiveness: Concise or Inadequate? l Worms defined as ‘exploiters of vulnerability’ rather than ‘generators of traffic’
Types of Vulnerabilities Arbitrary Execution Control: message contains address of code to execute l Arbitrary Code Execution: message contains code to execute l Arbitrary Function Argument: changing arguments to ‘critical’ functions. e. g exec l Is this list comprehensive? l l l C/C++ based vulnerabilities… what about email-based worms – So. Big, Mydoom, Nimda?
Example SCA: Slammer Address of code to execute is contained at this offset within message Execution Control SCA
Alert Generation l Many existing approaches l Non-executable pages: faster, does not catch function argument exploit l Dynamic Data-flow Analysis: track dirty data l Basic Idea: Do not allow incoming messages to execute or cause arbitrary execution
Alert Verification l Hosts run same software with identical configuration within sandbox l Insert call to Verified instead of: Address in execution control alerts l Code in code execution alerts l l Insert a reference argument value instead of argument in arbitrary function argument alert
Alert Verification is fast, simple and generic, and has no false positives l Assumes that address/code/argument is supplied verbatim in messages l l l Works for C/C++ buffer overflows, but what about more complex interactions within the service? Assumes that message replay is sufficient for exploit reproduction l l Scheduling policies, etc? Randomization?
Alert Distribution l Flooding over secure Pastry overlay l What about DOS? Don’t forward already seen or blocked SCAs l Forward only after Verification l Rate-limit SCAs from each neighbor l l Secure l Pastry? Infrastructural solution… super-peers
Distribution – out-crawling the worm l l l Worm has scanning inefficiencies; Slammer doubled every 8. 5 seconds. The myth of the anti-worm… We have perfect topology: around the world in seconds! What if the worm discovers our topology? Infrastructural support required – wormresistant super-peers! Is this sterile medium of transport deployable?
Local Response l Verify SCA l Data and Control Flow Analysis l Generate filters – conjunctions of conditions on single messages l Two levels : general filter with false positives + specific filter with no false positives
Evaluation l Target l Slammer – 75, 000 SQL servers, 8. 5 seconds to double l l Execution Control Alert Code Red – 360, 000 IIS servers, 37 minutes to double l l Worms Code Execution Alert Blaster – 500, 000 Windows boxes, doubling time similar to Code. Red l Execution Control Alert
Evaluation: Alert Generation SCA Generation Time SCA Sizes
Evaluation: Alert Verification l Verification is fast - Sandbox VM constantly running … Verification Time Filter Generation
Simulation Setup l Transit Stub Topology: 500, 000 hosts l Worm propagation using epidemic model l 1000 super-peers that are neither detectors nor susceptible! l Includes modeling of worm-induced congestion
Number of Detectors… l ~0. 001 detectors sufficient… 500 nodes
Real Numbers l 5 -host network: 1 detector + 3 superpeers + 1 susceptible on a LAN l Time between detector probe to SCA verification on susceptible host: Slammer: 79 ms l Blaster: 305 ms l Code. Red: 3044 ms l
The Worm Turns l Outwitting Vigilante One interesting idea, courtesy Saikat: Detect instrumented honeypots via timing differences. Does this work? l Layered exploits: one for the super-peer topology, another for the hosts l Ideas? l
Conclusion l End-to-end solution for stopping worms l Pros: No false positives l Per-vulnerability reaction, not per-variant: handles polymorphism, slow worms l l Concerns: Limited to C/C++ buffer overflow worms l Infrastructural solution – scope of deployment? l
- Reckless containment theory
- Vigilante de keryado
- Asocea protocolo
- Portugaise poilu
- Manuel costa
- Internet or internet
- Interim containment actions
- Accent cost containment solutions
- Oil spill
- Nicholas tsourmas
- Maximum containment laboratory
- Containment in java
- What was the policy of containment
- Strengths of differential association theory
- Sorbweb
- What is a satellite nation
- Containment in java
- Cubakrisen årsaker
- Containment definition cold war
- Where is the deadman on a fiberglass tank
- Father of containment
- The cold war
- Open skies apush
- Opw 687