
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.




1 Vigilante: End-to-End Containment of Internet Worms
Authors: M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham
In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005
Presented by: Ramanarayanan Ramani

2 Motivation
- Improve the security of end-host computers
- Share security information between hosts
- Validation and verification of the shared security information

3 Vigilante Design
- Self-Certifying Alerts (SCAs)
- Alert types
- Alert detection and generation
- Alert distribution
- Alert verification
- Automatic filter generation

4 Self-Certifying Alerts
1. Infection attempt
2. Infection detection
3. Certificate generation
4. Certificate distribution
5. Certificate verification
6. Filter for the infection

5 Self-Certifying Alerts
- How can the certificate be trusted?
- It carries the details of the infected service or program (including its version)
- It carries the steps of the infection
- The end host performs the self-infection described in the certificate (in a virtual environment) and thereby verifies the certificate

6 Alert Types
- Arbitrary Execution Control alerts: vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service's address space
- Arbitrary Code Execution alerts: describe code-injection vulnerabilities
- Arbitrary Function Argument alerts: data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

7 Example SCA

8 Alert Detection
- Non-executable pages: non-execute protection on stack and heap pages; detects and prevents code-injection attacks
- Dynamic dataflow analysis: network data and data derived from it are dirty; monitor the movement of dirty data

9 SCA Generation (non-executable pages)
- Use the log file to generate the SCA
- Locate the message that carried the injected code
- Record the address of the faulting instruction
- The message and the offset within the message are recorded in the verification information
- The exploit might be a combination of messages

10 SCA Generation (dynamic dataflow analysis)
- Information is simply read from the data structures maintained by the engine
- The identifier for the dirty data is found in the table of dirty memory locations or the table of dirty registers
- Map the identifier to a message and an offset within that message

11 Dynamic dataflow analysis Example

12 Alert Distribution
- Vigilante uses a secure Pastry overlay
- Each host sends the SCA to all its overlay neighbors
- Each host has a significant number of neighbors: flooding provides reliability even when compromised hosts refuse to forward an SCA
- Secure links between neighbors; each host needs a certificate (random HostID) to join the overlay

13 Alert Distribution: Defense against Denial-of-Service Attacks
- Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently
- Hosts only forward SCAs that they can verify
- Hosts impose a rate limit on the number of SCAs that they are willing to verify from each neighbor
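The three forwarding rules on slide 13 can be written as one per-host decision procedure. The class below is an added example for this transcript, not code from the Vigilante paper or its authors; the `verifier` and `blocked_by_filter` callables stand in for the sandboxed verification and the host's current filters, the rate limit is a sliding window per neighbor, and the duplicate check uses a SHA-256 digest of the raw SCA bytes (all of these are choices made for the example).

```python
import hashlib
from collections import deque


class SCARelay:
    """Per-host forwarding logic for SCAs with the three defenses listed on slide 13.

    Constructed example: `verifier` stands in for the sandboxed verification of
    slides 14-15 and `blocked_by_filter` for the host's current filters; both are
    plain callables taking the raw SCA bytes and returning a bool.
    """

    def __init__(self, verifier, blocked_by_filter, rate_per_neighbor=2, window=1.0, remember=1000):
        self.verifier = verifier                     # callable(sca_bytes) -> bool
        self.blocked_by_filter = blocked_by_filter   # callable(sca_bytes) -> bool
        self.rate, self.window = rate_per_neighbor, window
        self.recent = deque(maxlen=remember)         # digests of SCAs received recently
        self.verify_times = {}                       # neighbor -> deque of verification timestamps

    def handle(self, neighbor, sca, now):
        """Decide what to do with an SCA received from `neighbor` at time `now` (seconds)."""
        digest = hashlib.sha256(sca).hexdigest()
        if digest in self.recent:                    # identical to an SCA received recently
            return "drop:duplicate"
        if self.blocked_by_filter(sca):              # a local filter already blocks this exploit
            return "drop:already-filtered"
        times = self.verify_times.setdefault(neighbor, deque())
        while times and now - times[0] > self.window:   # slide the per-neighbor window
            times.popleft()
        if len(times) >= self.rate:                  # neighbor used up its verification budget
            return "drop:rate-limited"
        times.append(now)
        self.recent.append(digest)                   # remember it before spending CPU on it
        if not self.verifier(sca):                   # only SCAs we can verify are forwarded
            return "drop:unverifiable"
        return "forward"


if __name__ == "__main__":
    # Constructed stand-ins: an SCA "verifies" if it starts with VALID, and the
    # host's filter already blocks anything containing KNOWN.
    relay = SCARelay(verifier=lambda s: s.startswith(b"VALID"),
                     blocked_by_filter=lambda s: b"KNOWN" in s)
    for neighbor, sca, t in [("n1", b"VALID:1", 0.0), ("n1", b"VALID:1", 0.1),
                             ("n1", b"KNOWN:x", 0.2), ("n1", b"JUNK:1", 0.3),
                             ("n1", b"VALID:2", 0.4), ("n2", b"VALID:2", 0.4)]:
        print(neighbor, sca, t, "->", relay.handle(neighbor, sca, t))
```

Note that a duplicate is remembered as soon as it has passed the filter check, so a neighbor that replays the same unverifiable SCA pays for one verification, not one per copy, while a genuinely new SCA arriving from a second neighbor is still considered on its own budget.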

14 Alert Verification
- The SCA verifier receives an SCA
- It sends the SCA to the verification manager inside the virtual machine
- The verification manager uses the data in the SCA to identify the vulnerable service

15 Alert Verification
- The verification manager modifies the sequence of messages in the SCA so that, when sent to the vulnerable service, they trigger execution of a Verified function
- If Verified is executed, the verification manager signals success
- Failure is signalled after a timeout

16 Automatic Filter Generation
- Analyze the execution path followed when the messages in the SCA are replayed
- Use dynamic data-flow and control-flow analysis to determine the execution path that exploits the vulnerability

17 Automatic Filter Generation: Dynamic Data Flow Analysis
- Compute data-flow graphs for dirty data (the data from the messages in the SCA)
- A graph describes how to compute the current value of the dirty data
- Associate a data-flow graph with every memory position, register, and processor flag that stores dirty data

18 Automatic Filter Generation: Dynamic Control Flow Analysis
- Keeps track of all conditions that determine the program counter
- Also tracks the conditions used when executing conditional move and set instructions
- The filter condition is the conjunction of these conditions with the earlier value of the filter condition
- For example, when the instruction "jz addr" is executed, the filter condition is left unchanged if the zero flag is clean

19 Filter Generation Example
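The pipeline of slides 8-10 (detection and SCA generation), 14-15 (verification) and 17-18 (filter generation) fits in one small toy, given below as an added example for this transcript; it is not code from the Vigilante paper or its authors. A constructed register machine tracks dirty (network-derived) data through a constructed service program, raises an arbitrary-execution-control alert when a dirty register is used as a jump target, records the message and offsets as an SCA, verifies the SCA by patching those offsets so the replay reaches a stand-in "verified" instruction, and builds a filter from the branch conditions on dirty data along the path. The instruction set, the program, the message layout and the address of the stand-in Verified instruction are all assumptions of the example; the real system works on x86 binaries, and because these slides do not describe how filter conditions are refined, the filter here simply blocks every message that satisfies the same path conditions.

```python
from dataclasses import dataclass

# Toy register machine with dynamic dataflow (taint) tracking. Everything below is
# constructed for this example: the instruction set, the service program, the
# message layout and the index of the stand-in Verified instruction.

VERIFIED = 9        # index of the instruction that stands in for Vigilante's Verified()

# Constructed service: an 'A' request (msg[0] == 0x41) jumps through the 16-bit
# little-endian value at msg[1:3]. That indirect jump through network data is the
# arbitrary-execution-control vulnerability the detector should catch.
PROGRAM = [
    ("load", "r0", 0),        # 0: r0 = msg[0]                 (dirty: from the network)
    ("cmp", "r0", 0x41),      # 1: zf = (r0 == 0x41)           (zf is dirty because r0 is)
    ("jnz", 8),               # 2: not an 'A' request -> reject
    ("load16", "r1", 1),      # 3: r1 = msg[1] | msg[2] << 8   (dirty)
    ("jmp_ind", "r1"),        # 4: pc = r1   <- network data controls the program counter
    ("halt", "unreachable"),  # 5
    ("halt", "handled"),      # 6: the legitimate handler
    ("halt", "unused"),       # 7
    ("halt", "rejected"),     # 8
    ("halt", "verified"),     # 9: reached only if the verifier redirected the jump here
]


@dataclass(frozen=True)
class Value:
    v: int
    taint: frozenset = frozenset()   # set of (message_id, offset) this value derives from


class ExecutionControlAlert(Exception):
    """Raised when dirty data reaches the program counter (slide 8: detection)."""
    def __init__(self, pc, taint, conditions):
        self.pc, self.taint, self.conditions = pc, taint, conditions


def run(msg, msg_id=0, detect=True):
    """Execute PROGRAM on one message. Returns (outcome, branch conditions on dirty data)."""
    regs, zf, last_cmp, pc = {}, Value(0), None, 0
    conditions = []   # (offset, immediate, equal?) for every branch decided by dirty data
    while True:
        ins = PROGRAM[pc]
        if ins[0] == "load":
            regs[ins[1]] = Value(msg[ins[2]], frozenset({(msg_id, ins[2])}))
            pc += 1
        elif ins[0] == "load16":
            off = ins[2]
            regs[ins[1]] = Value(msg[off] | msg[off + 1] << 8,
                                 frozenset({(msg_id, off), (msg_id, off + 1)}))
            pc += 1
        elif ins[0] == "cmp":
            r = regs[ins[1]]
            zf, last_cmp = Value(int(r.v == ins[2]), r.taint), (r, ins[2])  # flag inherits taint
            pc += 1
        elif ins[0] == "jnz":
            if zf.taint:   # slide 18: a branch on a dirty flag adds a condition to the filter
                r, imm = last_cmp
                conditions += [(off, imm, bool(zf.v)) for (_, off) in r.taint]
            pc = ins[1] if zf.v == 0 else pc + 1
        elif ins[0] == "jmp_ind":
            r = regs[ins[1]]
            if detect and r.taint:
                raise ExecutionControlAlert(pc, r.taint, conditions)
            pc = r.v
        elif ins[0] == "halt":
            return ins[1], conditions


def generate_sca(msg, msg_id=0):
    """Slides 9-10: turn a detected infection attempt into a self-certifying alert."""
    try:
        run(msg, msg_id)
    except ExecutionControlAlert as alert:
        return {"service": "toy-service", "type": "arbitrary execution control",
                "messages": {msg_id: msg},
                "control_offsets": sorted(off for (_, off) in alert.taint),
                "conditions": alert.conditions}
    return None   # no infection attempt observed


def verify_sca(sca):
    """Slides 14-15: patch the controlling bytes so the replay must reach Verified."""
    _, raw = next(iter(sca["messages"].items()))
    msg = bytearray(raw)
    lo, hi = sca["control_offsets"]
    msg[lo], msg[hi] = VERIFIED & 0xFF, VERIFIED >> 8
    outcome, _ = run(bytes(msg), detect=False)   # replay inside the "sandbox"
    return outcome == "verified"


def make_filter(sca):
    """Slides 17-18: the filter is the conjunction of the path's conditions on dirty data."""
    conds = sca["conditions"]
    return lambda m: all(len(m) > off and (m[off] == imm) == equal for off, imm, equal in conds)


if __name__ == "__main__":
    exploit = b"A\x05\x00"   # constructed message: jumps to instruction 5
    sca = generate_sca(exploit)
    print("SCA:", sca)
    print("verified:", verify_sca(sca))
    print("filter blocks exploit:", make_filter(sca)(exploit))
```

The verifier never trusts the SCA's description: it only redirects the bytes the SCA claims control the jump and checks whether the replay actually lands on the Verified instruction, which is what makes the alert self-certifying. The filter records the condition on msg[0] because the zero flag it branched on was dirty; a compare on clean data would leave the filter condition unchanged, exactly as slide 18 describes for jz.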

20 Experimental Setup
- Dell Precision workstations with 3 GHz Intel Pentium 4 processors
- 2 GB of RAM
- Intel PRO/1000 Gigabit network cards
- Hosts were connected through a 100 Mbps D-Link Ethernet switch

21 Alert Generation

22 SCA Size

23 Alert Verification

24 Filter Generation

25 Filter Overhead

26 Alert Distribution - Simulation
- S: population of susceptible hosts
- p: fraction of them that are detectors
- β: average infection rate
- I_t: the total number of infected hosts at time t
- P_t: the number of distinct susceptible hosts that have been probed by the worm at time t

27 Alert Distribution - Simulation
- k: number of initially infected hosts
- When a new host is infected, the simulator calculates the expected time at which a new susceptible host receives a worm probe
- It randomly picks an unprobed susceptible host as the target of that probe
- If the target is a detector, an SCA is generated and distributed

28 Simulation Parameters
- Default values for all other experiments: p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000
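The event-driven model of slides 26-28 can be reproduced in a few dozen lines. The simulator below is an added example for this transcript, not the authors' simulator: the parameter names and defaults (S, p, k, Tg, Tv, β) are taken from slide 28, but the rest of the model is assumed here. Each infected host probes at rate β, so the next probe arrives after an exponential delay with rate β·I_t; a probe targets a random unprobed susceptible host; the first probe that hits a detector starts the SCA clock, and every host is assumed to have received and verified the SCA after Tg plus Tv per overlay hop, with the flooding depth taken as ceil(log_fanout S); detectors are assumed not to become infected. The function returns the final I_t, P_t and the containment time.

```python
import math
import random


def simulate(S=75_000, p=0.001, k=10, Tg=1.0, Tv=0.1, beta=0.117, fanout=16, seed=1):
    """Race between a random-scanning worm and SCA distribution (toy model of slides 26-28).

    Constructed model, not the paper's simulator: each of the I_t infected hosts probes
    at rate beta; a probe picks a random unprobed susceptible host; if it hits a detector,
    an SCA is generated Tg later and flooded through an overlay with `fanout` neighbours
    per host, so every host has verified it after a further Tv * ceil(log_fanout(S));
    detectors are not infected. Requires k >= 1.
    """
    rng = random.Random(seed)
    hosts = list(range(S))
    rng.shuffle(hosts)                                   # random host order
    unprobed = hosts[k:]                                 # the first k hosts start infected
    detectors = set(unprobed[:round(p * len(unprobed))])  # unbiased sample of size p*(S-k)
    t, I_t, P_t = 0.0, k, k
    contained_at = math.inf                              # time every host is protected
    while unprobed and t < contained_at:
        # I_t hosts probing independently at rate beta: next probe after Exp(beta * I_t)
        t += rng.expovariate(beta * I_t)
        if t >= contained_at:
            break                                        # SCA everywhere: probes now fail
        target = unprobed.pop()                          # random because hosts were shuffled
        P_t += 1
        if target in detectors:
            if contained_at == math.inf:                 # first detection starts the SCA clock
                hops = math.ceil(math.log(S, fanout))
                contained_at = t + Tg + Tv * hops
        else:
            I_t += 1
    return {"infected": I_t, "probed": P_t,
            "contained_at": None if contained_at == math.inf else round(contained_at, 3)}


if __name__ == "__main__":
    print("slide-28 defaults:", simulate())
    print("no detectors:     ", simulate(p=0.0))
    print("faster worm:      ", simulate(beta=1.0))
```

With p = 0 the worm always reaches the whole population, and with p = 1 no host beyond the initial k is ever infected; in between, the outcome is decided by how many infections the worm completes during the Tg + Tv·hops window after the first detector is hit, which is why the slides treat Tg and Tv as the parameters that matter.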

29 Simulation Results


31 Strengths
- The concept of SCAs and the end-to-end automatic worm-containment architecture
- Mechanisms to generate, verify, and distribute SCAs automatically
- An automatic mechanism to generate host-based filters that block worm traffic
- Fast, with low false positives and false negatives

32 Weaknesses
- Overhead on the network is not considered
- Worms can send false messages to a detector and create invalid SCAs
- Undetected worms may use the overlay to spread
- More alert types could have been defined

33 Suggestions
- Use dummy worms to create invalid SCAs and measure the network overhead
- What if a worm creates its own SCA which seems valid but creates a backdoor?

34 Questions?




