vigilante: end-to-end containment of internet worms m. costa et al. (msr) sosp 2005
DESCRIPTION
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005. Shimin Chen LBA Reading Group. Overview: Automatic Worm Containment. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/1.jpg)
Vigilante: End-to-End Containment of Internet WormsM. Costa et al. (MSR) SOSP 2005
Shimin ChenLBA Reading Group
![Page 2: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/2.jpg)
Overview: Automatic Worm Containment
Vigilante: a person who ignores due process of law and enacts his or her own form of justice when they deem the response of the authorities to be insufficient.
Self-certifying alert (SCA): machine-verifiable proof of a vulnerability
Can be honeypot
![Page 3: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/3.jpg)
Outline
Self-certifying alerts Local countermeasures Evaluation Related work Conclusion
![Page 4: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/4.jpg)
What is an SCA?
A sequence of messages, when received by the vulnerable service, cause it to reach a disallowed state
Verification: send messages + check
Detection: message logging + detector
![Page 5: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/5.jpg)
SCA Types
Arbitrary Execution Control Jump to arbitrary existing code in a service’s
address space Specifies how to jump to an address supplied
in a message Arbitrary Code Execution
Code-injection vulnerability Specifies how to execute an arbitrary piece of
code supplied in a message Arbitrary Function Argument
Data-injection vulnerability Specifies how to invoke a specific critical
function with an argument supplied by a message
![Page 6: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/6.jpg)
SCA Format:
Vulnerable service Alert type Verification information:
Where in the message to put the supplied address/code/function argument
Sequence of messages
![Page 7: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/7.jpg)
Example
![Page 8: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/8.jpg)
Alert Verification
sandbox
Load a library& binary rewrite critical functions (e.g., exec)
![Page 9: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/9.jpg)
Alert Generation
Log message and network endpoints Remove old messages (e.g., an hour old) Remove messages in generated SCAs Log is small in a honeypot system
Any detection methods: (in this paper) Non-executable pages Dynamic dataflow analysis
Upon detection, search the log to generate candidate SCAs and verify them
![Page 10: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/10.jpg)
Non-executable pages
Low overhead Upon catching an exception:
1. Search messages for the address or the code of the faulting instruction
2. Use a single message as a candidate SCA3. If this is not verified, add more messages
until the log is empty4. (On a honeypot, at step 3, add the entire log
if the log is less than 5 messages long)
![Page 11: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/11.jpg)
Dynamic dataflow analysis
A flavor of taintcheck Metadata:
One bit per 4K page: if a page is entirely clean For dirty pages, keep one identifier per
memory location: Identifier: an integer – represents the input
message and message offset A separate list mapping identifiers to messages
Propagate for only data movement instructions: MOV, MOVS, PUSH, POP
![Page 12: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/12.jpg)
Alert Distribution
Assume some kind of secure overlay Flooding: each host sends the SCA to all
its overlay neighbors Problems discussed in paper
Compromised hosts may flood the overlay with bad/old SCAs
Must prevent worms to use the overlay for propagation
![Page 13: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/13.jpg)
Outline
Self-certifying alerts Local countermeasures Evaluation Related work Conclusion
![Page 14: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/14.jpg)
Automatic filter generation
Basically, Bouncer is the improvement of the proposal here.
![Page 15: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/15.jpg)
Evaluation
Prototype: x86 + Windows Dell Precision workstations with 3GHz Pentium 4,
2GB RAM, 100Mbps Ethernet Real worms:
Slammer: MS SQL Server CodeRed: MS IIS Server Blaster: RPC service (2 message attack)
![Page 16: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/16.jpg)
Alert Generation
The moment the last worm message is received till the detector generates an SCA
No verification Only worm messages in the log
![Page 17: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/17.jpg)
SCA Sizes
![Page 18: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/18.jpg)
Alert Verification
Verification time when VM is already running The verification VM has low overhead normally:
Less than 1% of CPU cost About 84 MB memory
![Page 19: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/19.jpg)
Alert Distribution (Network Simulation)
![Page 20: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/20.jpg)
![Page 21: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/21.jpg)
End-to-End Experiments
5 machines: 1-2-3-4-5 1 is the detector 5 is the vulnerable host 2,3,4 are intermediate overlay nodes
Time from worm probe reaching 1 till 5 verifies SCA Slammer: 79ms Blaster: 305ms CodeRed: 3044ms
![Page 22: Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062305/568149a2550346895db6e35d/html5/thumbnails/22.jpg)
Conclusion
Automatic worm containment is important
SCA enables cooperation across many hosts that do not trust each other