vigilante end to end containment of internet worms l.
Skip this Video
Loading SlideShow in 5 Seconds..
Vigilante: End-to-End Containment of Internet Worms PowerPoint Presentation
Download Presentation
Vigilante: End-to-End Containment of Internet Worms

Loading in 2 Seconds...

play fullscreen
1 / 34

Vigilante: End-to-End Containment of Internet Worms - PowerPoint PPT Presentation

  • Uploaded on

Vigilante: End-to-End Containment of Internet Worms. Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005. Presented By : Ramanarayanan Ramani.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Vigilante: End-to-End Containment of Internet Worms' - tuesday

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
vigilante end to end containment of internet worms

Vigilante: End-to-End Containment of Internet Worms

Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham

In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005

Presented By : Ramanarayanan Ramani

  • To improve the security of end host computers
  • Share security information between hosts
  • Validation and Verification of the security information
vigilante design
Vigilante Design
  • Self-Certifying Alerts
  • Alert Types
  • Alert Detection & Generation
  • Alert Distribution
  • Alert Verification
  • Automatic Filter Generation
self certifying alerts
Self-Certifying Alerts

1. Infection Attempt

2. Infection Detection

3. Certificate Generation

4. Certificate Distribution

5. Certificate Verification

6. Filter for infection

self certifying alerts5
Self-Certifying Alerts
  • How can the Certificate be trusted?
    • Details of infected Service or Program (including version)
    • Steps of infection
  • End host performs self infection as given in certificate and verifies certificate (in a virtual environment)
alert types
Alert Types
  • Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space
  • Arbitrary Code Execution alerts : Describe code-injection vulnerabilities
  • Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions
alert detection
Alert Detection
  • Non-executable pages
    • Non-execute protection on stack and heap pages
    • Detect and prevent code injection attacks
  • Dynamic dataflow analysis
    • Network data and data derived from it are dirty
    • Monitor dirty data movement
sca generation
SCA Generation
  • Non-executable pages
    • Use Log file to generate the SCA
    • Locate message which sent infected code
    • Address of the faulting instruction
    • The message and the offset within the message are recorded in the verification information
    • Might be combination of messages
sca generation10
SCA Generation
  • Dynamic dataflow analysis
    • Information is simply read from the data structures maintained by the engine
    • Identifier for the dirty data found from table of dirty memory locations or the table of dirty registers
    • Map identifier to message and offset in message
alert distribution
Alert Distribution
  • Vigilante uses a secure Pastry overlay
  • Each host sends the SCA to all its overlay neighbors
  • Each host has a significant number of neighbors : Flooding provides reliability
  • Compromised hosts refuse to forward an SCA
  • Secure links between neighbors with each having Certificate (Random HostID) to join the overlay
alert distribution13
Alert Distribution
  • Defense against Denial of Service Attacks
    • Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently
    • Only forward SCAs that they can verify
    • Impose a rate limit on the number of SCAs that they are willing to verify from each neighbor
alert verification
Alert Verification
  • SCA verifier receives an SCA
  • Sends the SCA to the verification manager inside the virtual machine
  • Verification manager uses the data in the SCA to identify the vulnerable service
alert verification15
Alert Verification
  • Modifies the sequence of messages in the SCA to trigger execution of Verified when the messages are sent to the vulnerable service
  • If Verified is executed, the verification manager signals success
  • Failure after Timeout
automatic filter generation
Automatic Filter Generation
  • Analyze the execution path followed when the messages in the SCA are replayed
  • Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability
automatic filter generation17
Automatic Filter Generation
  • Dynamic Data Flow Analysis
    • Compute data flow graphs for dirty data (data as in SCA)
    • Describes how to compute the current value of the dirty data
    • Associate a data flow graph with every memory position, register, and processor flag that stores dirty data
automatic filter generation18
Automatic Filter Generation
  • Dynamic Control Flow Analysis
    • Keeps track of all conditions that determine the program counter
    • Conditions used when executing conditional move and set instructions
    • Filter Condition is conjunction of these condition and earlier value of condition
    • For example, when the instruction “jz addr” is executed, the filter condition is left unchanged if the zero flag is clean
experimental setup
Experimental setup
  • Dell PrecisionWorkstations with 3GHz Intel Pentium 4 processors
  • 2GB of RAM
  • Intel PRO/1000 Gigabit network cards
  • Hosts were connected through a 100Mbps D-Link Ethernet switch
alert distribution simulation
Alert Distribution - Simulation
  • S : Population of susceptible hosts
  • p : Fraction of them being detectors
  • β : Average infection rate
  • It : The total number of infected hosts at time t
  • Pt : The number of distinct susceptible hosts that have been probed by the worm at time t
alert distribution simulation27
Alert Distribution - Simulation
  • k : Starting infected hosts
  • When a new host infected :
    • Simulator calculates the expected time a new susceptible host receives a worm probe
    • Randomly picks an unprobed susceptible host as the target of that probe
  • If target is detector, SCA is generated and distributed
simulation parameters
Simulation Parameters

Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000

  • The concept of SCAs and the end-to-end automatic worm containment architecture
  • Mechanisms to generate, verify, and distribute SCAs automatically
  • Automatic mechanism to generate host-based filters that block worm traffic
  • Fast, low false positives and negatives
  • Overhead on network not considered
  • Worms can send false messages to detector and create invalid SCAs
  • Undetected worms may use the overlay to spread
  • More alerts could have been defined
  • Use dummy worms to create invalid SCA and check network overhead
  • What if worm creates its own SCA which may seem valid but may create a backdoor?