Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham Microsoft Research University of Cambridge, Computer Laboratory SOSP, 2005

Vigilante: End-to-End Containment of Internet Worms

Jan 14, 2016

Transcript
Page 1: Vigilante: End-to-End Containment of Internet Worms

Vigilante: End-to-End Containment of Internet Worms

Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron,

Lidong Zhou, Lintao Zhang, Paul Barham

Microsoft Research

University of Cambridge, Computer Laboratory

SOSP, 2005

Page 2

Authors

• Manuel Costa

Page 3

• Jon Crowcroft

• He is the Marconi Professor of Communications Systems in the Computer Laboratory of the University of Cambridge. He joined the University of Cambridge in 2001, prior to which he was Professor of Networked Systems at University College London in the Computer Science Department.

Page 4

• Miguel Castro

• I work at Microsoft Research on distributed systems, networking, and security. Before joining MSR, I was a graduate student in the Programming Methodology Group at the MIT Laboratory for Computer Science working on object-oriented databases and Byzantine fault tolerance.

Page 5

Citations in SOSP

• Jeff H. Perkins, Sunghun Kim, Samuel Larsen, Saman P. Amarasinghe, Jonathan Bachrach, Michael Carbin, Carlos Pacheco, Frank Sherwood, Stelios Sidiroglou, Greg Sullivan, Weng-fai Wong, Yoav Zibin, Michael D. Ernst, Martin C. Rinard: Automatically patching errors in deployed software, SOSP, 2009

• John Dunagan, Alice X. Zheng, Daniel R. Simon: Heat-ray: combating identity snowball attacks using machine learning, combinatorial optimization and attack graphs, SOSP, 2009

• Manuel Costa, Miguel Castro, Lidong Zhou, Lintao Zhang, Marcus Peinado: Bouncer: securing software by blocking bad input, SOSP, 2007

• Joseph Tucek, Shan Lu, Chengdu Huang, Spiros Xanthos, Yuanyuan Zhou: Triage: diagnosing production run failures at the user's site, SOSP, 2007

Page 6

Citations

• Prateek Saxena, Pongsin Poosankam, Stephen McCamant, Dawn Song: Loop-extended symbolic execution on binary programs, ISSTA, 2009 (Citations: 4)

• Paolo Milani Comparetti, Gilbert Wondracek, Christopher Krügel, Engin Kirda: Prospex: Protocol Specification Extraction, S&P, 2009 (Citations: 3)

• Juan Caballero, Pongsin Poosankam, Christian Kreibich, Dawn Xiaodong Song: Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering, CCS, 2009

• Hyung Chan Kim, Angelos D. Keromytis, Michael Covington, Ravi Sahita: Capturing Information Flow with Concatenated Dynamic Taint Analysis, IEEE ARES, 2009

• Patrice Godefroid, Michael Y. Levin, David A. Molnar : Automated Whitebox Fuzz Testing, NDSS, 2008 (Citations: 40)

• Gilbert Wondracek, Paolo Milani Comparetti, Christopher Krügel, Engin Kirda : Automatic Network Protocol Analysis, NDSS, 2008 (Citations: 14)

• David Brumley, Pongsin Poosankam, Dawn Xiaodong Song, Jiang Zheng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, S&P, 2008 (Citations: 8)

Page 7

Citations

• Walter Chang, Brandon Streiff, Calvin Lin: Efficient and extensible security enforcement using dynamic data flow analysis, CCS, 2008 (Citations: 8)

• Heng Yin, Zhenkai Liang, Dawn Song: HookFinder: Identifying and Understanding Malware Hooking Behaviors, NDSS, 2008 (Citations: 6)

• Shobha Venkataraman, Avrim Blum, Dawn Song: Limits of Learning-based Signature Generation with Adversaries, NDSS, 2008 (Citations: 4)

• Jaewoong Chung, Michael Dalton, Hari Kannan, Christos Kozyrakis: Thread-safe dynamic binary translation using transactional memory, HPCA, 2008 (Citations: 5)

• Olatunji Ruwase, Phillip B. Gibbons, Todd C. Mowry, Vijaya Ramachandran, Shimin Chen, Michael Kozuch, Michael Ryan: Parallelizing dynamic information flow tracking, SPAA, 2008 (Citations: 4)

• Andreas Moser, Christopher Krügel, Engin Kirda : Exploring Multiple Execution Paths for Malware Analysis, S&P, 2007 (Citations: 38)

• Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, Dawn Xiaodong Song : Dynamic Spyware Analysis, USENIX, 2007 (Citations: 35)

• Juan Caballero, Heng Yin, Zhenkai Liang, Dawn Xiaodong Song : Polyglot: automatic extraction of protocol message format using dynamic binary analysis, CCS, 2007 (Citations: 20)

Page 8

The challenge

• worms are bad
– worms can infect many machines
– attacker gains control of infected machines
– worm propagation disrupts Internet traffic

• it is crucial to prevent these attacks
– not a new challenge but no solution yet
– the problem is as serious as ever

Page 9

Preventing worm infections

• techniques to prevent bugs are important
– type safe languages, static analysis, …
– but unlikely to remove all bugs from services

• need research on worm containment
– worms spread too fast for human response
– worm containment must be automatic

Page 10

Automatic worm containment

• previous solutions are network centric
– they analyze network traffic
– block suspect packets

• no vulnerability information at network level
– false negatives: worm traffic appears normal
– false positives: good traffic misclassified
– fundamental problem

false positives are a barrier to automation

Page 11

Vigilante: End-to-end worm containment

• host-based cooperative detection
– detector runs instrumented software
– analyzes infection attempt to generate an alert
– distributes alert to other hosts

• host-based protection
– hosts analyze exploit described by alert
– generate protection mechanism automatically, for example a filter to block worm packets

Page 12

Better host-based detectors

• existing detectors are not sufficient
– easily bypassed (e.g., stack canaries, NX)
– high overhead (e.g., program shepherding)
– poor coverage of some attack classes

• better instrumentation to detect more worms
– low false positives and false negatives
– widely applicable (ideally to any binary)
– low overhead (no alerts if negligible overhead)

Page 13

Better host-based protection

• robust automatic protection
– block all polymorphic variants of detected worms
– no false positives
– fast inoculation: fast alert distribution, fast deployment of protection

• efficient protection
– provide good performance for legitimate requests
– existing high coverage detectors are too expensive
– recovery after detection is also expensive

Page 14

Better survivability

• worm containment will not be perfect

• must survive compromised hosts
– without disruptions to critical services
– without loss of critical data

• better fault tolerant replication
– keep faults below threshold with high probability

Page 15

Vigilante's components

(figure: on the Detector Host, the Detection Engine feeds SCA Generation, followed by SCA Verification and SCA Distribution over the Network; on a Vulnerable Host, SCA Distribution feeds SCA Verification and then Protection, which installs a Filter between the Network and the Vulnerable Application)

• Detection

• SCA generation

• SCA distribution

• SCA verification

• Protection

Page 16

Outline

• self-certifying alerts (SCAs)

• detection and generation of self-certifying alerts

• verification and distribution of SCAs

• generation of vulnerability filters

• evaluation

Page 17

Self-certifying alerts (SCAs)

• identify an application vulnerability
– describe how to exploit a vulnerability
– contain a log of events, verification information

• enable hosts to verify if they are vulnerable
– hosts modify events to signal verification success
– hosts replay events in sandboxed application
– there are no false positives

enable cooperative worm containment without trust

Page 18

SCA types

• arbitrary execution control (AEC)
– attacker can load a value in message into the PC

• arbitrary code execution (ACE)
– attacker can execute code in message

• arbitrary function argument (AFA)
– attacker can call function with arbitrary argument

Pages 19 to 21 (no text extracted)

Page 22

SCA generation

• log events

• generate SCA when worm is detected
– compute verification information
– search log for relevant events
– generate tentative version of SCA
– repeat until verification succeeds

• detectors may guide search– dynamic dataflow analysis is one such detector
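The Python below is an added example, not code from the Vigilante paper or its prototype. It models the two sides of an AEC alert on a toy service: a detector host runs the service with byte-level dynamic dataflow analysis, tags each copied byte with the message offset it came from, and raises an alert when tagged bytes are loaded into the PC; a second host verifies the alert by rewriting the controlling bytes to the address of its own Verified() routine and replaying the message in a sandbox. The service and its frame layout, FRAME_SIZE, SAVED_RET, VERIFIED_ADDR and the single-message event log are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

FRAME_SIZE = 8              # bytes in the toy service's stack buffer (assumed)
SAVED_RET = 0x00401000      # legitimate saved return address (assumed)
VERIFIED_ADDR = 0xDEADBEEF  # address of the verifying host's Verified() routine (assumed)


@dataclass
class Byte:
    value: int
    tag: Optional[int] = None  # dataflow id: message offset this byte came from; None = clean


class VulnerableService:
    """Toy service: copies a message into a fixed stack buffer, stopping only at a NUL byte."""

    def __init__(self, bounded: bool = False):
        self.bounded = bounded  # True models a patched host that checks the length
        self.stack = [Byte(0) for _ in range(FRAME_SIZE)]
        self.stack += [Byte(b) for b in SAVED_RET.to_bytes(4, "little")]  # saved return address

    def handle(self, msg: bytes):
        """Run the copy and the function return; return (pc, tags of the 4 return-address bytes)."""
        limit = FRAME_SIZE if self.bounded else len(self.stack)
        for i, b in enumerate(msg):
            if b == 0 or i >= limit:
                break
            self.stack[i] = Byte(b, tag=i)  # dataflow analysis: this byte is message byte i
        ret = self.stack[FRAME_SIZE:FRAME_SIZE + 4]
        pc = int.from_bytes(bytes(b.value for b in ret), "little")  # ret loads this into the PC
        return pc, [b.tag for b in ret]


def detect(msg: bytes) -> Optional[dict]:
    """Detector host: raise an AEC alert when message data is loaded into the PC."""
    pc, tags = VulnerableService().handle(msg)
    if tags[0] is None:
        return None  # the return address is clean: no alert
    # The SCA carries the event log (here a single message) and the verification
    # information: the offset of the message bytes that end up in the PC.
    return {"type": "AEC", "events": [msg], "offset": tags[0]}


def verify(sca: dict, sandbox: VulnerableService) -> bool:
    """Verifying host: point the controlling bytes at Verified() and replay in a sandbox.
    Succeeds only if this host's copy of the service really lets the message control the PC."""
    if sca.get("type") != "AEC" or len(sca.get("events", [])) != 1:
        return False
    msg = bytearray(sca["events"][0])
    off = sca["offset"]
    if not 0 <= off <= len(msg) - 4:
        return False
    msg[off:off + 4] = VERIFIED_ADDR.to_bytes(4, "little")
    pc, _ = sandbox.handle(bytes(msg))
    return pc == VERIFIED_ADDR


if __name__ == "__main__":
    # Constructed exploit: 8 filler bytes, then the 4 bytes that land on the return address.
    exploit = b"A" * FRAME_SIZE + (0x41414141).to_bytes(4, "little")
    sca = detect(exploit)
    print("alert:", sca)
    print("vulnerable host verifies:", verify(sca, VulnerableService()))
    print("patched host verifies:", verify(sca, VulnerableService(bounded=True)))
```

A host whose service bounds the copy (bounded=True) fails verification and drops the alert, and an alert that names the wrong offset fails as well; that is what lets a host act on alerts from peers it does not trust. The prototype works on x86 binaries and its event log can hold several messages, neither of which this model reproduces.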

Pages 23 to 24 (no text extracted)

Page 25

Dynamic dataflow analysis

• high coverage and low false positive rate
• allows direct extraction of verification information

(figure: stack layout (a) before and (b) after the vulnerable code runs, with the stack pointer, the return address slot and the msg buffer labelled; the message bytes carry dataflow ids 100 and 400, and after the vulnerable code the bytes it overwrote, including the return address slot, carry the same ids)

Page 26 (no text extracted)

Page 27

Protection

• hosts generate filter from SCA

• dynamic data and control flow analysis
– run vulnerable application in a sandbox
– track control and data flow from input messages
– compute conditions that determine execution path
– filter blocks messages that satisfy conditions

• filters can block polymorphic worms

• no false positives by design

Page 28

Filter generation

• Uses full data flow information
– Dataflow graphs for dirty data and CPU flags
– Record decisions on conditional instructions

• If SCA verification is successful, the host generates a filter for the exploit described in the SCA.

• If the verification fails, the SCA is dropped and no more resources are spent on it.

Page 29

• Depth-first traversal

Pages 30 to 31 (no text extracted)

Page 32

Vulnerability filter generation

mov al,[netbuf]          ; al = first message byte
mov cl,0x31
cmp al,cl                ; branch on message data: netbuf[0] == 0x31 ?
jne out
xor eax,eax
loop:
mov [esp+eax+4],cl       ; write the byte onto the stack; eax is bounded only by a 0 byte in the message
mov cl,[eax+netbuf+1]    ; load the next message byte
inc eax
test cl,cl               ; branch on message data: netbuf[eax] != 0 ?
jne loop
out:

Conditions:

netbuf[0] == 0x31
netbuf[1] != 0
netbuf[2] != 0

(the slide shows the first three conditions; every further loop iteration adds one more condition on the next message byte, up to the terminating 0 that exits the loop)

netbuf: 0x31 0x24 0x67 0x42 0x0

(figure: the generated Filter sits between the Network and the Vulnerable Application)
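As an added example, not code from the Vigilante prototype, the Python below re-executes the slide's loop on a message while recording every branch decision that depends on message bytes, turns the recorded conditions into a filter, and checks that the filter matches exactly the messages that drive the code down the same path. The helper names and the choice to model bytes past the end of the message as 0 are assumptions.

```python
# Path-condition filter generation for the slide's vulnerable loop (toy model).

def byte(buf: bytes, i: int) -> int:
    """Read netbuf[i]; bytes past the end of the message are modelled as 0 (assumption)."""
    return buf[i] if i < len(buf) else 0


def trace(netbuf: bytes):
    """Run the slide's code on netbuf, recording each branch that depends on message bytes
    as a condition (index, op, value). Returns (conditions, number of stack writes)."""
    conds = []
    al, cl = byte(netbuf, 0), 0x31          # mov al,[netbuf] ; mov cl,0x31
    if al != cl:                             # cmp al,cl ; jne out
        conds.append((0, "!=", 0x31))
        return conds, 0
    conds.append((0, "==", 0x31))
    eax, writes = 0, 0                       # xor eax,eax
    while True:                              # loop:
        writes += 1                          # mov [esp+eax+4],cl  (unbounded stack write)
        cl = byte(netbuf, eax + 1)           # mov cl,[eax+netbuf+1]
        eax += 1                             # inc eax
        if cl == 0:                          # test cl,cl ; jne loop
            conds.append((eax, "==", 0))
            return conds, writes             # out:
        conds.append((eax, "!=", 0))


def make_filter(conds):
    """Vulnerability filter: a message is blocked iff it satisfies every recorded condition."""
    def blocks(msg: bytes) -> bool:
        for i, op, v in conds:
            if (op == "==") != (byte(msg, i) == v):
                return False
        return True
    return blocks


def same_path(msg: bytes, conds) -> bool:
    """Ground truth: does msg drive the vulnerable code down exactly the recorded path?"""
    return trace(msg)[0] == conds


# Constructed input: the sample message from the slide.
EXPLOIT = bytes([0x31, 0x24, 0x67, 0x42, 0x00])
EXPLOIT_CONDS, _ = trace(EXPLOIT)
exploit_filter = make_filter(EXPLOIT_CONDS)

if __name__ == "__main__":
    for i, op, v in EXPLOIT_CONDS:
        print(f"netbuf[{i}] {op} {v:#x}")
    for m in (EXPLOIT, bytes([0x31, 0x99, 0x88, 0x77, 0x00]), b"2abc", b"1\x00"):
        print(m, "blocked" if exploit_filter(m) else "allowed")
```

The filter blocks a variant with the same length but different payload bytes, because the conditions only pin netbuf[0] and the non-zero bytes, and it never blocks a message that takes a different path, which is the "no false positives by design" property. A variant of a different length takes a different path through the loop and is not matched by this specific filter; the generalisation step the paper applies to obtain a broader filter is not modelled here.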

Page 33 (no text extracted)

Page 34

Evaluation

• three real worms:
– Slammer (SQL server), Blaster (RPC), CodeRed (IIS)

• measurements of prototype implementation
– SCA generation and verification
– filter generation
– filtering overhead

• simulations of SCA propagation with attacks

Page 35

Time to generate SCAs (figure)

Page 36

Time to verify SCAs (figure)

Page 37

Time to generate filters (figure)

Page 38

Filtering overhead (figure)

Page 39 (no text extracted)

Page 40

Increasing verification time

(figure: Infected Percentage, 0% to 14%, against SCA Verification Time in msec, 0 to 1000; curves w/ DoS and w/o DoS)

Page 41

Increasing infection rate

(figure: Infected Percentage, 0% to 30%, against Infection Rate 0.5β, β, 2β, 4β, 8β; curves w/ DoS and w/o DoS)

β is Slammer's infection rate (the rate at which a host infects new hosts)

Page 42

Increasing seed hosts

(figure: Infected Percentage, 0% to 35%, against Number of Initially Infected Hosts, 0 to 10000; curves w/ DoS, w/o DoS and Baseline)

Page 43

Related Work

• network related
– signatures: Honeycomb, Autograph, EarlyBird, Polygraph
– throttling [Williamson02]; scanning detectors [Weaver04]

• host related
– program shepherding [Kiriansky02]
– perl taint mode; concurrent work similar to dynamic dataflow analysis: [Suh04], Minos, TaintCheck
– [Sidiroglou-Douskos05] related host-based system

• keep applications running despite attacks
– failure oblivious computing; abort/rollback: DIRA, STEM, Rx

• human assisted, vulnerability specific detectors/filters
– Shield, IntroVirt

Page 44

Conclusion

• Vigilante can contain worms automatically
– requires no prior knowledge of vulnerabilities
– no false positives
– low false negatives
– deployable today

Page 45

Thank you!