Vigilante end to end containment of internet worms
1 / 34

Vigilante: End-to-End Containment of Internet Worms PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Vigilante: End-to-End Containment of Internet Worms. Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005. Presented By : Ramanarayanan Ramani.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Vigilante: End-to-End Containment of Internet Worms

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Vigilante end to end containment of internet worms l.jpg

Vigilante: End-to-End Containment of Internet Worms

Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham

In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005

Presented By : Ramanarayanan Ramani

Motivation l.jpg


  • To improve the security of end host computers

  • Share security information between hosts

  • Validation and Verification of the security information

Vigilante design l.jpg

Vigilante Design

  • Self-Certifying Alerts

  • Alert Types

  • Alert Detection & Generation

  • Alert Distribution

  • Alert Verification

  • Automatic Filter Generation

Self certifying alerts l.jpg

Self-Certifying Alerts

1. Infection Attempt

2. Infection Detection

3. Certificate Generation

4. Certificate Distribution

5. Certificate Verification

6. Filter for infection

Self certifying alerts5 l.jpg

Self-Certifying Alerts

  • How can the Certificate be trusted?

    • Details of infected Service or Program (including version)

    • Steps of infection

  • End host performs self infection as given in certificate and verifies certificate (in a virtual environment)

Alert types l.jpg

Alert Types

  • Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space

  • Arbitrary Code Execution alerts : Describe code-injection vulnerabilities

  • Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

Example sca l.jpg

Example SCA

Alert detection l.jpg

Alert Detection

  • Non-executable pages

    • Non-execute protection on stack and heap pages

    • Detect and prevent code injection attacks

  • Dynamic dataflow analysis

    • Network data and data derived from it are dirty

    • Monitor dirty data movement

Sca generation l.jpg

SCA Generation

  • Non-executable pages

    • Use Log file to generate the SCA

    • Locate message which sent infected code

    • Address of the faulting instruction

    • The message and the offset within the message are recorded in the verification information

    • Might be combination of messages

Sca generation10 l.jpg

SCA Generation

  • Dynamic dataflow analysis

    • Information is simply read from the data structures maintained by the engine

    • Identifier for the dirty data found from table of dirty memory locations or the table of dirty registers

    • Map identifier to message and offset in message

Dynamic dataflow analysis example l.jpg

Dynamic dataflow analysis Example

Alert distribution l.jpg

Alert Distribution

  • Vigilante uses a secure Pastry overlay

  • Each host sends the SCA to all its overlay neighbors

  • Each host has a significant number of neighbors : Flooding provides reliability

  • Compromised hosts refuse to forward an SCA

  • Secure links between neighbors with each having Certificate (Random HostID) to join the overlay

Alert distribution13 l.jpg

Alert Distribution

  • Defense against Denial of Service Attacks

    • Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently

    • Only forward SCAs that they can verify

    • Impose a rate limit on the number of SCAs that they are willing to verify from each neighbor

Alert verification l.jpg

Alert Verification

  • SCA verifier receives an SCA

  • Sends the SCA to the verification manager inside the virtual machine

  • Verification manager uses the data in the SCA to identify the vulnerable service

Alert verification15 l.jpg

Alert Verification

  • Modifies the sequence of messages in the SCA to trigger execution of Verified when the messages are sent to the vulnerable service

  • If Verified is executed, the verification manager signals success

  • Failure after Timeout

Automatic filter generation l.jpg

Automatic Filter Generation

  • Analyze the execution path followed when the messages in the SCA are replayed

  • Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability

Automatic filter generation17 l.jpg

Automatic Filter Generation

  • Dynamic Data Flow Analysis

    • Compute data flow graphs for dirty data (data as in SCA)

    • Describes how to compute the current value of the dirty data

    • Associate a data flow graph with every memory position, register, and processor flag that stores dirty data

Automatic filter generation18 l.jpg

Automatic Filter Generation

  • Dynamic Control Flow Analysis

    • Keeps track of all conditions that determine the program counter

    • Conditions used when executing conditional move and set instructions

    • Filter Condition is conjunction of these condition and earlier value of condition

    • For example, when the instruction “jz addr” is executed, the filter condition is left unchanged if the zero flag is clean

Filter generation example l.jpg

Filter Generation Example

Experimental setup l.jpg

Experimental setup

  • Dell PrecisionWorkstations with 3GHz Intel Pentium 4 processors

  • 2GB of RAM

  • Intel PRO/1000 Gigabit network cards

  • Hosts were connected through a 100Mbps D-Link Ethernet switch

Alert generation l.jpg

Alert Generation

Sca size l.jpg

SCA Size

Alert verification23 l.jpg

Alert Verification

Filter generation l.jpg

Filter Generation

Filter overhead l.jpg

Filter Overhead

Alert distribution simulation l.jpg

Alert Distribution - Simulation

  • S : Population of susceptible hosts

  • p : Fraction of them being detectors

  • β : Average infection rate

  • It : The total number of infected hosts at time t

  • Pt : The number of distinct susceptible hosts that have been probed by the worm at time t

Alert distribution simulation27 l.jpg

Alert Distribution - Simulation

  • k : Starting infected hosts

  • When a new host infected :

    • Simulator calculates the expected time a new susceptible host receives a worm probe

    • Randomly picks an unprobed susceptible host as the target of that probe

  • If target is detector, SCA is generated and distributed

Simulation parameters l.jpg

Simulation Parameters

Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000

Simulation results l.jpg

Simulation Results

Strengths l.jpg


  • The concept of SCAs and the end-to-end automatic worm containment architecture

  • Mechanisms to generate, verify, and distribute SCAs automatically

  • Automatic mechanism to generate host-based filters that block worm traffic

  • Fast, low false positives and negatives

Weaknesses l.jpg


  • Overhead on network not considered

  • Worms can send false messages to detector and create invalid SCAs

  • Undetected worms may use the overlay to spread

  • More alerts could have been defined

Suggestions l.jpg


  • Use dummy worms to create invalid SCA and check network overhead

  • What if worm creates its own SCA which may seem valid but may create a backdoor?

Questions l.jpg


  • Login