Vigilante end to end containment of internet worms
1 / 34

Vigilante: End-to-End Containment of Internet Worms - PowerPoint PPT Presentation

  • Uploaded on

Vigilante: End-to-End Containment of Internet Worms. Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005. Presented By : Ramanarayanan Ramani.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Vigilante: End-to-End Containment of Internet Worms' - tuesday

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Vigilante end to end containment of internet worms l.jpg

Vigilante: End-to-End Containment of Internet Worms

Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham

In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005

Presented By : Ramanarayanan Ramani

Motivation l.jpg

  • To improve the security of end host computers

  • Share security information between hosts

  • Validation and Verification of the security information

Vigilante design l.jpg
Vigilante Design

  • Self-Certifying Alerts

  • Alert Types

  • Alert Detection & Generation

  • Alert Distribution

  • Alert Verification

  • Automatic Filter Generation

Self certifying alerts l.jpg
Self-Certifying Alerts

1. Infection Attempt

2. Infection Detection

3. Certificate Generation

4. Certificate Distribution

5. Certificate Verification

6. Filter for infection

Self certifying alerts5 l.jpg
Self-Certifying Alerts

  • How can the Certificate be trusted?

    • Details of infected Service or Program (including version)

    • Steps of infection

  • End host performs self infection as given in certificate and verifies certificate (in a virtual environment)

Alert types l.jpg
Alert Types

  • Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space

  • Arbitrary Code Execution alerts : Describe code-injection vulnerabilities

  • Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

Alert detection l.jpg
Alert Detection

  • Non-executable pages

    • Non-execute protection on stack and heap pages

    • Detect and prevent code injection attacks

  • Dynamic dataflow analysis

    • Network data and data derived from it are dirty

    • Monitor dirty data movement

Sca generation l.jpg
SCA Generation

  • Non-executable pages

    • Use Log file to generate the SCA

    • Locate message which sent infected code

    • Address of the faulting instruction

    • The message and the offset within the message are recorded in the verification information

    • Might be combination of messages

Sca generation10 l.jpg
SCA Generation

  • Dynamic dataflow analysis

    • Information is simply read from the data structures maintained by the engine

    • Identifier for the dirty data found from table of dirty memory locations or the table of dirty registers

    • Map identifier to message and offset in message

Alert distribution l.jpg
Alert Distribution

  • Vigilante uses a secure Pastry overlay

  • Each host sends the SCA to all its overlay neighbors

  • Each host has a significant number of neighbors : Flooding provides reliability

  • Compromised hosts refuse to forward an SCA

  • Secure links between neighbors with each having Certificate (Random HostID) to join the overlay

Alert distribution13 l.jpg
Alert Distribution

  • Defense against Denial of Service Attacks

    • Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently

    • Only forward SCAs that they can verify

    • Impose a rate limit on the number of SCAs that they are willing to verify from each neighbor

Alert verification l.jpg
Alert Verification

  • SCA verifier receives an SCA

  • Sends the SCA to the verification manager inside the virtual machine

  • Verification manager uses the data in the SCA to identify the vulnerable service

Alert verification15 l.jpg
Alert Verification

  • Modifies the sequence of messages in the SCA to trigger execution of Verified when the messages are sent to the vulnerable service

  • If Verified is executed, the verification manager signals success

  • Failure after Timeout

Automatic filter generation l.jpg
Automatic Filter Generation

  • Analyze the execution path followed when the messages in the SCA are replayed

  • Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability

Automatic filter generation17 l.jpg
Automatic Filter Generation

  • Dynamic Data Flow Analysis

    • Compute data flow graphs for dirty data (data as in SCA)

    • Describes how to compute the current value of the dirty data

    • Associate a data flow graph with every memory position, register, and processor flag that stores dirty data

Automatic filter generation18 l.jpg
Automatic Filter Generation

  • Dynamic Control Flow Analysis

    • Keeps track of all conditions that determine the program counter

    • Conditions used when executing conditional move and set instructions

    • Filter Condition is conjunction of these condition and earlier value of condition

    • For example, when the instruction “jz addr” is executed, the filter condition is left unchanged if the zero flag is clean

Experimental setup l.jpg
Experimental setup

  • Dell PrecisionWorkstations with 3GHz Intel Pentium 4 processors

  • 2GB of RAM

  • Intel PRO/1000 Gigabit network cards

  • Hosts were connected through a 100Mbps D-Link Ethernet switch

Alert distribution simulation l.jpg
Alert Distribution - Simulation

  • S : Population of susceptible hosts

  • p : Fraction of them being detectors

  • β : Average infection rate

  • It : The total number of infected hosts at time t

  • Pt : The number of distinct susceptible hosts that have been probed by the worm at time t

Alert distribution simulation27 l.jpg
Alert Distribution - Simulation

  • k : Starting infected hosts

  • When a new host infected :

    • Simulator calculates the expected time a new susceptible host receives a worm probe

    • Randomly picks an unprobed susceptible host as the target of that probe

  • If target is detector, SCA is generated and distributed

Simulation parameters l.jpg
Simulation Parameters

Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000

Strengths l.jpg

  • The concept of SCAs and the end-to-end automatic worm containment architecture

  • Mechanisms to generate, verify, and distribute SCAs automatically

  • Automatic mechanism to generate host-based filters that block worm traffic

  • Fast, low false positives and negatives

Weaknesses l.jpg

  • Overhead on network not considered

  • Worms can send false messages to detector and create invalid SCAs

  • Undetected worms may use the overlay to spread

  • More alerts could have been defined

Suggestions l.jpg

  • Use dummy worms to create invalid SCA and check network overhead

  • What if worm creates its own SCA which may seem valid but may create a backdoor?