Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.


Vigilante: End-to-End Containment of Internet Worms
Authors: M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham
In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct
Presented by: Ramanarayanan Ramani

Motivation
- To improve the security of end host computers
- Share security information between hosts
- Validation and verification of the security information

Vigilante Design
- Self-Certifying Alerts
- Alert Types
- Alert Detection & Generation
- Alert Distribution
- Alert Verification
- Automatic Filter Generation

Self-Certifying Alerts
1. Infection attempt
2. Infection detection
3. Certificate generation
4. Certificate distribution
5. Certificate verification
6. Filter for infection

Self-Certifying Alerts
How can the certificate be trusted?
- Details of the infected service or program (including version)
- Steps of the infection
- The end host performs the self-infection described in the certificate and thereby verifies the certificate (in a virtual environment)

Alert Types
- Arbitrary Execution Control alerts: vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service's address space
- Arbitrary Code Execution alerts: describe code-injection vulnerabilities
- Arbitrary Function Argument alerts: data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

Example SCA

Alert Detection
- Non-executable pages
  - Non-execute protection on stack and heap pages
  - Detects and prevents code-injection attacks
- Dynamic dataflow analysis
  - Network data, and data derived from it, are dirty
  - Monitor the movement of dirty data

SCA Generation: Non-executable pages
- Use the log file to generate the SCA
- Locate the message which carried the injected code
- Record the address of the faulting instruction
- The message and the offset within the message are recorded in the verification information
- Might be a combination of messages

SCA Generation: Dynamic dataflow analysis
- The information is simply read from the data structures maintained by the engine
- The identifier for the dirty data is found in the table of dirty memory locations or the table of dirty registers
- Map the identifier to the message and the offset within the message

Dynamic dataflow analysis Example

Alert Distribution
- Vigilante uses a secure Pastry overlay
- Each host sends the SCA to all its overlay neighbors
- Each host has a significant number of neighbors: flooding provides reliability even if compromised hosts refuse to forward an SCA
- Secure links between neighbors; each host holds a certificate (random HostID) to join the overlay

Alert Distribution: Defense against Denial of Service Attacks
- Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently
- Hosts only forward SCAs that they can verify
- Hosts impose a rate limit on the number of SCAs that they are willing to verify from each neighbor

Alert Verification
- The SCA verifier receives an SCA
- It sends the SCA to the verification manager inside the virtual machine
- The verification manager uses the data in the SCA to identify the vulnerable service

Alert Verification
- The verification manager modifies the sequence of messages in the SCA so that, when the messages are sent to the vulnerable service, they trigger execution of a function called Verified
- If Verified is executed, the verification manager signals success
- Failure after a timeout
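The verification step above, together with the forwarding rules from the "Defense against Denial of Service Attacks" slide (drop duplicates and already-filtered alerts, verify before forwarding, rate-limit verifications per neighbor), as an added Python model that is not part of the original presentation or of Vigilante's code. The service, its addresses (`VERIFIED_ADDR`), the SCA fields and the host names are hypothetical stand-ins: a fresh `ToyService` instance plays the role of the virtual machine, and the "return address" is a slot the service jumps through via a small dispatch table.

```python
"""Toy model of SCA verification and of the forwarding rules a Vigilante host applies
before flooding an alert to its overlay neighbours. Constructed illustration: the
service, addresses and host names are hypothetical, not Vigilante's own code."""
from dataclasses import dataclass
import time

VERIFIED_ADDR = 0x40   # hypothetical address of the Verified() marker the verifier installs
BUF_SIZE = 8

@dataclass
class SCA:
    alert_type: str    # e.g. "arbitrary-execution-control"
    service: str       # vulnerable service name ...
    version: str       # ... and version
    messages: list     # message sequence that triggers the vulnerability
    msg_index: int     # verification info: the message ...
    offset: int        # ... and the offset whose byte ends up in the program counter

class ToyService:
    """Hypothetical service: copies 'length' payload bytes into an 8-byte buffer without
    a bounds check, so the 9th byte lands in the slot it later 'returns' through."""
    def __init__(self, name="toy-echo", version="1.0"):
        self.name, self.version, self.verified_ran = name, version, False
        self.dispatch = {0x00: lambda: None, VERIFIED_ADDR: self._verified}
    def _verified(self):
        self.verified_ran = True
    def handle(self, msg):
        buf, ret_slot = [0] * BUF_SIZE, 0x00
        for i in range(msg[1] if len(msg) > 1 else 0):
            b = msg[2 + i] if 2 + i < len(msg) else 0
            if i < BUF_SIZE:
                buf[i] = b
            elif i == BUF_SIZE:
                ret_slot = b                         # overrun reaches the return slot
        if ret_slot not in self.dispatch:
            raise RuntimeError(f"crash: jump to unmapped address {ret_slot:#x}")
        self.dispatch[ret_slot]()

def verify(sca, timeout_s=1.0):
    """Verification manager: replay the SCA's messages against a fresh service instance
    (stand-in for the VM) with the recorded offset overwritten by the address of Verified."""
    svc = ToyService()
    if (svc.name, svc.version) != (sca.service, sca.version):
        return False                                 # alert is for a service we do not run
    msgs = [list(m) for m in sca.messages]           # copy: the alert itself stays unchanged
    if sca.msg_index >= len(msgs) or sca.offset >= len(msgs[sca.msg_index]):
        return False
    msgs[sca.msg_index][sca.offset] = VERIFIED_ADDR
    deadline = time.monotonic() + timeout_s
    try:
        for m in msgs:
            svc.handle(m)
            if svc.verified_ran:
                return True                          # Verified executed: success
            if time.monotonic() > deadline:
                return False                         # failure after timeout (checked between messages)
    except RuntimeError:
        return False                                 # crashed without reaching Verified
    return False

def fingerprint(sca):
    """Identity of an alert, used to spot SCAs identical to ones received recently."""
    return (sca.alert_type, sca.service, sca.version,
            tuple(tuple(m) for m in sca.messages), sca.msg_index, sca.offset)

class Host:
    """Overlay node applying the denial-of-service defences before forwarding."""
    def __init__(self, name, neighbours=(), rate_limit=2):
        self.name, self.neighbours, self.rate_limit = name, list(neighbours), rate_limit
        self.seen = set()          # recent SCAs and SCAs already covered by an installed filter
        self.verifications = {}    # per-neighbour count of verifications performed
        self.forwarded = []
    def receive(self, sca, sender):
        fp = fingerprint(sca)
        if fp in self.seen:
            return "dropped: duplicate or already filtered"
        n = self.verifications.get(sender, 0)
        if n >= self.rate_limit:
            return "dropped: sender over verification rate limit"
        self.verifications[sender] = n + 1
        if not verify(sca):
            return "dropped: failed verification"
        self.seen.add(fp)          # filter installed; identical alerts need no further work
        self.forwarded.append(sca)
        for nb in self.neighbours:
            nb.receive(sca, self)
        return "verified and forwarded"

# Constructed samples: a 9-byte payload whose last byte (offset 10) overwrites the return slot,
# and the same messages with a wrong offset, which a verifier must reject.
GOOD_SCA = SCA("arbitrary-execution-control", "toy-echo", "1.0",
               [[0x41, 9] + [0x90] * 8 + [0xAA]], 0, 10)
BAD_SCA = SCA("arbitrary-execution-control", "toy-echo", "1.0",
              [[0x41, 9] + [0x90] * 8 + [0xAA]], 0, 5)
```

Calling `verify(GOOD_SCA)` returns True because the patched byte reaches the return slot and `Verified` runs; `verify(BAD_SCA)` returns False because the patch lands inside the buffer and the service crashes on the original byte instead. An alert that crashes the service without running `Verified` therefore does not propagate, which is the property that lets hosts flood alerts without trusting their source.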

Automatic Filter Generation
- Analyze the execution path followed when the messages in the SCA are replayed
- Use dynamic data and control flow analysis to determine the execution path that exploits the vulnerability

Automatic Filter Generation: Dynamic Data Flow Analysis
- Compute data flow graphs for dirty data (data from the messages in the SCA)
- A data flow graph describes how to compute the current value of the dirty data
- A data flow graph is associated with every memory position, register, and processor flag that stores dirty data

Automatic Filter Generation: Dynamic Control Flow Analysis
- Keeps track of all conditions that determine the program counter
- Conditions are also recorded when executing conditional move and set instructions
- The filter condition is the conjunction of these conditions with the earlier value of the filter condition
- For example, when the instruction "jz addr" is executed, the filter condition is left unchanged if the zero flag is clean
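The SCA generation by dynamic dataflow analysis (identifier of the dirty data mapped back to a message and offset) and the filter generation of the last three slides (data flow graphs per location, path conditions collected at each conditional jump on a dirty flag, filter as their conjunction) are shown together in the added Python model below. It is not Vigilante's engine, which instruments x86 binaries; it is a tiny interpreter for a constructed instruction set, and the service program, the addresses `IN`, `BUF`, `RET` and the sample messages are all constructed for the illustration.

```python
"""Toy model of dynamic dataflow analysis plus filter generation in the Vigilante style.
Network bytes are 'dirty'; every dirty value carries a data-flow graph; a conditional
jump on a dirty flag records a filter condition; a dirty jump target raises an
arbitrary-execution-control alert naming the source message and offset. Constructed."""

IN, BUF, RET = 0, 100, 108   # hypothetical addresses: input area, 8-byte buffer, saved return slot

# Data-flow graph nodes: ("const", v), ("msg", msg_index, offset), ("eq", g1, g2), ("add", g1, g2)
def is_dirty(g):
    if g[0] == "msg":
        return True
    return g[0] != "const" and any(is_dirty(x) for x in g[1:])

def leaf(g):
    """First ("msg", index, offset) node of a graph: where the dirty data came from."""
    if g[0] == "msg":
        return (g[1], g[2])
    for x in g[1:]:
        if isinstance(x, tuple) and leaf(x) is not None:
            return leaf(x)
    return None

def evaluate(g, msgs):
    """Recompute a graph's value from new messages (None if a message is too short)."""
    if g[0] == "const":
        return g[1]
    if g[0] == "msg":
        m, off = g[1], g[2]
        return msgs[m][off] if m < len(msgs) and off < len(msgs[m]) else None
    a, b = evaluate(g[1], msgs), evaluate(g[2], msgs)
    if a is None or b is None:
        return None
    return a == b if g[0] == "eq" else a + b

def run(program, msgs):
    """Execute the toy program on a message list while tracking dirty data. Returns
    {"outcome": "ok"|"alert", "source": (msg, offset)|None, "filter": path conditions}."""
    labels = {ins[0][:-1]: i for i, ins in enumerate(program) if ins[0].endswith(":")}
    mem, reg = {}, {}                       # address / register -> (value, graph)
    zf = (False, ("const", False))          # zero flag and its graph
    conds, pc = [], 0                       # (graph, observed truth) for each dirty branch
    while True:
        ins, pc = program[pc], pc + 1
        op = ins[0]
        if op.endswith(":"):
            continue
        if op == "recv":                    # message ins[2] lands at ins[1]; every byte is dirty
            for off, b in enumerate(msgs[ins[2]]):
                mem[ins[1] + off] = (b, ("msg", ins[2], off))
        elif op == "mov":
            reg[ins[1]] = (ins[2], ("const", ins[2]))
        elif op == "load":                  # reg = mem[addr (+ index register)]
            addr = ins[2] + (reg[ins[3]][0] if len(ins) > 3 else 0)
            reg[ins[1]] = mem.get(addr, (0, ("const", 0)))
        elif op == "store":                 # mem[addr (+ index register)] = reg
            addr = ins[1] + (reg[ins[3]][0] if len(ins) > 3 else 0)
            mem[addr] = reg[ins[2]]
        elif op == "add":                   # reg += imm; the graph grows only if reg is dirty
            v, g = reg[ins[1]]
            reg[ins[1]] = (v + ins[2], ("add", g, ("const", ins[2])) if is_dirty(g) else ("const", v + ins[2]))
        elif op == "cmp":                   # zero flag = (reg == reg|imm), inheriting both graphs
            v1, g1 = reg[ins[1]]
            v2, g2 = reg[ins[2]] if isinstance(ins[2], str) else (ins[2], ("const", ins[2]))
            zf = (v1 == v2, ("eq", g1, g2))
        elif op in ("jz", "jnz"):
            if is_dirty(zf[1]):             # a clean flag leaves the filter condition unchanged
                conds.append((zf[1], zf[0]))
            if zf[0] == (op == "jz"):
                pc = labels[ins[1]]
        elif op == "jmp":
            pc = labels[ins[1]]
        elif op == "jmp_reg":               # indirect transfer (our 'ret'): a dirty target is an alert
            v, g = reg[ins[1]]
            outcome = "alert" if is_dirty(g) else "ok"
            return {"outcome": outcome, "source": leaf(g), "filter": conds}
        elif op == "halt":
            return {"outcome": "ok", "source": None, "filter": conds}

def filter_blocks(conds, msgs):
    """Filter = conjunction of the path conditions recorded at alert time: block the
    messages if every condition holds for them (same path, same exploit)."""
    return all(evaluate(g, msgs) == observed for g, observed in conds)

# Toy service: message = [type, length, payload...]; the payload is copied into an 8-byte
# buffer using the message's own length byte without a bounds check (the bug).
SERVICE = [
    ("recv", IN, 0),
    ("load", "r4", IN), ("cmp", "r4", 0x41), ("jnz", "reject"),   # only type 0x41 is handled
    ("mov", "r0", 0), ("load", "r1", IN + 1),                     # i = 0; r1 = length byte (dirty)
    ("loop:",), ("cmp", "r0", "r1"), ("jz", "done"),
    ("load", "r2", IN + 2, "r0"), ("store", BUF, "r2", "r0"),     # buf[i] = payload[i]; overruns into RET
    ("add", "r0", 1), ("jmp", "loop"),
    ("done:",), ("load", "r3", RET), ("jmp_reg", "r3"),           # 'return' through the saved slot
    ("reject:",), ("halt",),
]

# Constructed sample traffic: a 12-byte payload whose 9th byte lands in the return slot.
EXPLOIT_MSG = [0x41, 12] + [0x90] * 8 + [0xDE, 0xAD, 0xBE, 0xEF]
BENIGN_MSG = [0x41, 4, 1, 2, 3, 4]
```

Running `run(SERVICE, [EXPLOIT_MSG])` reports an alert whose source is message 0, offset 10 (the byte copied into `RET`), which is exactly the verification information an SCA carries, and returns 14 path conditions: one from the type check and one per loop iteration on the dirty length byte. The resulting filter blocks any message of type 0x41 with length 12 regardless of payload, passes the benign message (its length condition differs) and passes messages of another type; it is tied to the observed execution path, so a message with a different length byte takes a different path and is not matched.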

Filter Generation Example

Experimental setup
- Dell Precision workstations with 3 GHz Intel Pentium 4 processors
- 2 GB of RAM
- Intel PRO/1000 Gigabit network cards
- Hosts were connected through a 100 Mbps D-Link Ethernet switch

Alert Generation

SCA Size

Alert Verification

Filter Generation

Filter Overhead

Alert Distribution - Simulation
- S: population of susceptible hosts
- p: fraction of them that are detectors
- β: average infection rate
- I_t: the total number of infected hosts at time t
- P_t: the number of distinct susceptible hosts that have been probed by the worm at time t

Alert Distribution - Simulation
- k: number of initially infected hosts
- When a new host is infected:
  - The simulator calculates the expected time at which a new susceptible host receives a worm probe
  - It randomly picks an unprobed susceptible host as the target of that probe
  - If the target is a detector, an SCA is generated and distributed

Simulation Parameters
Default values for all other experiments: p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000
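The simulation loop of the previous two slides, with the default parameters above, as an added Python example that is not the simulator used in the paper. Two simplifications are assumptions of this example: the expected delay until an infected host probes a not-yet-probed host is taken as 1 / (β · I_t · (S − P_t) / S), and SCA distribution is treated as instantaneous, so every host has a verified filter Tg + Tv after the first detector is probed (Tg and Tv being the SCA generation and verification delays). Detectors are assumed to detect rather than become infected.

```python
"""Discrete-event model of worm spread with Vigilante detectors, following the
simulation described on the slides. Constructed illustration: the probe-rate
formula and the zero-delay SCA distribution are simplifying assumptions."""
import random

def simulate(S=75000, p=0.001, k=10, Tg=1.0, Tv=0.1, beta=0.117, seed=1):
    """S susceptible hosts, fraction p of them detectors, k initially infected,
    Tg/Tv = SCA generation/verification delay, beta = average infection rate.
    Returns counts of infected and blocked hosts plus the time the alert took effect."""
    rng = random.Random(seed)
    hosts = list(range(S))
    detectors = set(rng.sample(hosts, int(p * S)))
    infected = set(rng.sample([h for h in hosts if h not in detectors], k))
    unprobed = [h for h in hosts if h not in infected]
    rng.shuffle(unprobed)                  # popping from the end = a random unprobed host
    t, blocked, alert_time = 0.0, 0, None
    while unprobed and infected:
        I_t, P_t = len(infected), S - len(unprobed)
        # expected delay until some infected host probes a not-yet-probed host (assumption)
        t += 1.0 / (beta * I_t * (S - P_t) / S)
        target = unprobed.pop()
        if target in detectors:
            if alert_time is None:         # first detector hit: SCA generated, verified, distributed
                alert_time = t + Tg + Tv
        elif alert_time is not None and t >= alert_time:
            blocked += 1                   # host already runs the filter: the probe is dropped
        else:
            infected.add(target)
    return {"infected": len(infected), "blocked": blocked,
            "detectors": len(detectors), "alert_time": alert_time, "end_time": t}

if __name__ == "__main__":
    with_det = simulate()
    without = simulate(p=0.0)
    print("with detectors:", with_det)
    print("without detectors:", without)
```

With p = 0 every host ends up infected; with the default p = 0.001 the first detector is typically probed after on the order of a thousand probes, and the alert takes effect 1.1 s later, by which point only a small fraction of the 75,000 hosts has been reached. Every host is accounted for as infected, blocked or a detector, which the test checks as an invariant.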

Simulation Results

Strengths
- The concept of SCAs and the end-to-end automatic worm containment architecture
- Mechanisms to generate, verify, and distribute SCAs automatically
- An automatic mechanism to generate host-based filters that block worm traffic
- Fast, with low false positives and negatives

Weaknesses
- Overhead on the network is not considered
- Worms can send false messages to a detector and create invalid SCAs
- Undetected worms may use the overlay to spread
- More alert types could have been defined

Suggestions
- Use dummy worms to create invalid SCAs and check the network overhead
- What if a worm creates its own SCA which seems valid but creates a backdoor?

Questions?