Www.aqualab.cs.northwestern.edu Stamping out worms and other Internet pests Miguel Castro Microsoft...

www.aqualab.cs.northwestern.edu

Stamping out worms and other Internet pests

Miguel Castro

Microsoft Research

Choffnes

EECS, Northwestern University

The challenge

worms are bad– worms can infect many machines– attacker gains control of infected machines– worm propagation disrupts Internet traffic

it is crucial to prevent these attacks– not a new challenge but no solution yet– the problem is as serious as ever

Choffnes


Preventing worm infections

techniques to prevent bugs are important– type safe languages, static analysis, … – but unlikely to remove all bugs from services

need research on worm containment– worms spread too fast for human response

– worm containment must be automatic

Choffnes


Automatic worm containment

previous solutions are network centric– they analyze network traffic – block suspect packets

no vulnerability information at network level– false negatives: worm traffic appears normal– false positives: good traffic misclassified– fundamental problem

false positives are a barrier to automation

Choffnes


End-to-end worm containment

host-based cooperative detection– detector runs instrumented software– analyzes infection attempt to generate an alert– distributes alert to other hosts

host-based protection– hosts analyze exploit described by alert– generate protection mechanism automatically

• for example, a filter to block worm packets

first steps: Vigilante [Costa et al, SOSP 2005]

Choffnes


Better host-based detectors

existing detectors are not sufficient– easily bypassed (e.g., stack canaries, NX)– high overhead (e.g., program shepherding)– poor coverage of some attack classes

better instrumentation to detect more worms– low false positives and false negatives– widely applicable (ideally to any binary)– low overhead (no alerts if negligible overhead)

Choffnes


Better host-based protection

robust automatic protection– block all polymorphic variants of detected worms– no false positives– fast inoculation:

• fast alert distribution, fast deployment of protection

efficient protection – provide good performance for legitimate requests– existing high coverage detectors are too expensive– recovery after detection is also expensive

Choffnes


Better survivability

worm containment will not be perfect

must survive compromised hosts– without disruptions to critical services– without loss of critical data

better Byzantine fault tolerant replication – keep faults below threshold with high probability

Choffnes


Conclusion

worms and viruses must be stopped

need more research to stop them

proposed a new research focus

requires research spanning– operating systems, networking, programming languages,

and distributed systems

Choffnes


Vigilante’s components

Network

Detection Engine

SCA Generation

SCA Verification

SCA Distribution

Detector Host

SCA Verification

Protection

Vulnerable Host

SCA Distribution

Filter

Vulnerable Application

Network Network

• Detection

• SCA generation

• SCA distribution

• SCA verification

• Protection

Choffnes


Outline

self-certifying alerts

detection and generation of self-certifying alerts

generation of vulnerability filters

evaluation

next steps

Choffnes


Self-certifying alerts

identify an application vulnerability– describe how to exploit a vulnerability – contain a log of events, verification information

enable hosts to verify if they are vulnerable– hosts modify events to signal verification success– hosts replay events in sandboxed application– there are no false positives

enable cooperative worm containment without trust

Choffnes


SCA types

arbitrary execution control (AEC)– attacker can load a value in message into the PC

arbitrary code execution (ACE)– attacker can execute code in message

arbitrary function argument (AFA)– attacker can call function with arbitrary argument

Choffnes


Verifying an AEC alert

vulnerable process

normal code

verified

SCA:• message log• verification information

0x111111111114444444411111

ReceiveMessage()0x44444444

proves that external interfaces allow arbitrary control of the execution

Choffnes


SCA generation

log events

generate SCA when worm is detected– compute verification information – search log for relevant events– generate tentative version of SCA– repeat until verification succeeds

detectors may guide search– dynamic dataflow analysis is one such detector

Choffnes


Dynamic dataflow analysis

high coverage and low false positive rateallows direct extraction of verification information

return address

msg

buffer

(a) Memory beforevulnerable code

(b) Memory after vulnerable code

id 100

id 400

stackpointer

return address

msg

buffer

id 100

id 400

id 100

id 400

stack

Choffnes


Cooperative worm containment

SCA enables cooperative containment– any host can be a detector– hosts can run high-overhead detection engines – hosts can run different detection engines

• NX, …

– small TCB for SCA verification

cooperation enables low false negative rate

Choffnes


SCA broadcast

uses secure Pastry– hosts join overlay– detectors flood alerts over overlay links

denial-of-service prevention– per-link rate limiting – per-hop filtering and verification

can reach vulnerable hosts with high probability

Choffnes


Protection

hosts generate filter from SCA

dynamic data and control flow analysis– run vulnerable application in a sandbox– track control and data flow from input messages– compute conditions that determine execution path– filter blocks messages that satisfy conditions

filters can block polymorphic worms

no false positives by design

Choffnes


Vulnerability filter generation

mov al,[netbuf]

mov cl,0x31

cmp al,cl

jne out

xor eax,eax

loop:

mov [esp+eax+4],cl

mov cl,[eax+netbuf+1]

inc eax

test cl,cl

jne loop

out:

Conditions:

netbuf[0] == 0x31

netbuf[1] != 0

netbuf[2] != 0

0x31 0x24 0x67 0x42 0x0

netbuf

Filter

Vulnerable Application

Network

Choffnes


Evaluation

three real worms:– Slammer (SQL server), Blaster (RPC), CodeRed (IIS)

measurements of prototype implementation– SCA generation and verification– filter generation– filtering overhead

simulations of SCA propagation with attacks

Choffnes


Time to generate SCAs

Choffnes


Time to verify SCAs

Choffnes


Time to generate filters

Choffnes


Filtering overhead

Choffnes


0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

0.000 0.002 0.004 0.006 0.008 0.010

Detector Fraction

Infe

cted

Per

cen

tag

e Slammer+DoS

Slammer

Containing Slammer

Choffnes


0%

5%

10%

15%

20%

25%

30%

0.5β β 2β 4β 8β

Infection Rate

Infe

cte

d P

erc

en

tag

e w/ DoS

w/o DoS

Increasing infection rate

ß is Slammer’s infection rate(the rate at which a host infects new hosts)

Choffnes


0%

2%

4%

6%

8%

10%

12%

14%

0 200 400 600 800 1000

SCA Verification Time (msec)

Infe

cte

d P

erc

en

tag

e w/ DoS

w/o DoS

Increasing verification time

Choffnes


0%

5%

10%

15%

20%

25%

30%

35%

0 2000 4000 6000 8000 10000

Number of Initially Infected Hosts

Infe

cte

d P

erc

en

tag

e w/ DoS

w/o DoS

Baseline

Increasing seed hosts

Choffnes


Conclusion

Vigilante can contain worms automatically– requires no prior knowledge of vulnerabilities– no false positives– low false negatives

Www.aqualab.cs.northwestern.edu Stamping out worms and other Internet pests Miguel Castro Microsoft...

Documents

Transcript of Www.aqualab.cs.northwestern.edu Stamping out worms and other Internet pests Miguel Castro Microsoft...