Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for the corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications and correct traffic that exploits the vulnerability. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits [43]. In this paper, we show that this concept is feasible by describing a prototype Shield framework implementation that filters traffic above the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of several known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and small impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
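The vulnerability-as-partial-state-machine idea in the abstract, as an added example that is not the paper's Shield language or prototype: a constructed line-based protocol, a hypothetical server assumed to copy the USER argument into a 64-byte buffer, and a shield that tracks only the states needed to reach that message and drops any over-length variant regardless of the bytes it carries. The protocol, the buffer size, and the sample sessions are all constructed for this illustration.

```python
from typing import Dict, List, Tuple

# Constructed scenario: a hypothetical line-based protocol whose server accepts
# "HELO", then "USER <name>", and is assumed to copy <name> into a 64-byte buffer.
MAX_NAME_LEN = 64  # assumed size of the vulnerable buffer (constructed value)

# Partial state machine: only the states on the path to the vulnerable message
# are modelled; every other command leaves the state unchanged.
TRANSITIONS: Dict[Tuple[str, bytes], str] = {
    ("INIT", b"HELO"): "GREETED",
    ("GREETED", b"USER"): "AUTHED",
}
VULNERABLE = ("GREETED", b"USER")  # the (state, command) at which the bug is reachable

def parse_line(line: bytes) -> Tuple[bytes, bytes]:
    """Split 'CMD args\\r\\n' into (CMD, args) with CMD upper-cased."""
    body = line.rstrip(b"\r\n")
    cmd, _, args = body.partition(b" ")
    return cmd.upper(), args

class Shield:
    """Per-connection filter that drops messages meeting the vulnerability condition."""

    def __init__(self) -> None:
        self.state = "INIT"

    def process(self, line: bytes) -> str:
        cmd, args = parse_line(line)
        if (self.state, cmd) == VULNERABLE and len(args) > MAX_NAME_LEN:
            # Exploit-generic: the verdict depends on the length alone, so every
            # payload variant that overruns the buffer is caught; state is not advanced.
            return "drop"
        self.state = TRANSITIONS.get((self.state, cmd), self.state)
        return "pass"

def filter_session(lines: List[bytes]) -> List[str]:
    """Run one connection's messages through a fresh shield; return per-message verdicts."""
    shield = Shield()
    return [shield.process(line) for line in lines]

# Constructed sessions: a benign login and two over-length variants of the same message.
SESSIONS = {
    "benign": [b"HELO\r\n", b"USER alice\r\n"],
    "overrun_a": [b"HELO\r\n", b"USER " + b"A" * 200 + b"\r\n"],
    "overrun_b": [b"helo\r\n", b"NOOP\r\n", b"USER " + bytes(range(33, 127)) + b"\r\n"],
}

def demo() -> Dict[str, List[str]]:
    # Verdicts per constructed session; both overrun variants end in "drop".
    return {name: filter_session(lines) for name, lines in SESSIONS.items()}
```

An over-length USER sent before HELO is passed through untouched, because the filter only enforces the check in the state where the assumed bug is reachable; that is what makes the shield vulnerability-specific rather than a blanket length limit.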

[1] David A. Wagner et al. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. NDSS, 2000.

[2] Vern Paxson et al. Bro: a system for detecting network intruders in real-time. Computer Networks, 1998.

[3] Eric Rescorla. Security Holes... Who Cares? USENIX Security Symposium, 2003.

[4] Jon Crowcroft et al. Honeycomb. Computer Communication Review, 2004.

[5] David Moore et al. Internet quarantine: requirements for containing self-propagating code. IEEE INFOCOM, 2003.

[6] David Watson et al. Transport and application protocol scrubbing. IEEE INFOCOM, 2000.

[7] Thomas H. Ptacek et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.

[8] Tim Berners-Lee et al. Hypertext transfer protocol--http/i. 1993.

[9] Robert K. Cunningham et al. Large Scale Malicious Code: A Research Agenda. 2003.

[10] Mark Handley et al. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. USENIX Security Symposium, 2001.

[11] Eddie Kohler et al. Programming language techniques for modular router configurations. 2000.

[12] Kevin A. Kwiat et al. Modeling the spread of active worms. IEEE INFOCOM, 2003.

[13] Vern Paxson et al. Very Fast Containment of Scanning Worms. USENIX Security Symposium, 2004.

[14] Raghupathy Sivakumar et al. A transport layer approach for achieving aggregate bandwidths on multi-homed mobile hosts. MobiCom '02, 2002.

[15] Crispin Cowan et al. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. USENIX Security Symposium, 1998.

[16] Gregory R. Ganger et al. Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces. Technical Report CMU-CS-03-109, 2003.

[17] William A. Arbaugh et al. IEEE 52 Computer, 1985.

[18] William R. Bush et al. Software–Practice and Experience, 2000.

[19] Stefan Savage et al. Inside the Slammer Worm. IEEE Security & Privacy, 2003.

[20] S. Hadjiefthymiades et al. Hypertext Transfer Protocol (HTTP). 1996.

[21] Matthew M. Williamson et al. Throttling viruses: restricting propagation to defeat malicious mobile code. 18th Annual Computer Security Applications Conference (ACSAC), 2002.

[22] Vern Paxson et al. Active mapping: resisting NIDS evasion without altering traffic. IEEE Symposium on Security and Privacy, 2003.

[23] David Moore et al. Code-Red: a case study on the spread and victims of an internet worm. IMW '02, 2002.

[24] B. Karp et al. Autograph: Toward Automated, Distributed Worm Signature Detection. USENIX Security Symposium, 2004.

[25] Jonathan B. Postel. RFC 821: Simple Mail Transfer Protocol. 1982.

[26] Todd A. Proebsting et al. USC: A Universal Stub Compiler. SIGCOMM, 1994.

[27] Niels Provos et al. A Virtual Honeypot Framework. USENIX Security Symposium, 2004.

[28] David Litchfield. Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. 2003.

[29] Markus G. Kuhn et al. Low-threat security patches and tools. International Conference on Software Maintenance, 1997.

[30] Henning Schulzrinne et al. RTP: A Transport Protocol for Real-Time Applications. RFC, 1996.

[31] Sumeet Singh et al. The EarlyBird System for Real-time Detection of Unknown Worms. 2005.

[32] Satish Chandra et al. Packet types: abstract specification of network protocol messages. 2000.

[33] Crispin Cowan et al. Timing the Application of Security Patches for Optimal Uptime. LISA, 2002.

[34] John C. Klensin et al. Simple Mail Transfer Protocol. RFC, 2001.

[35] Daniel R. Simon et al. Practical automated filter generation to explicitly enforce implicit input assumptions. 17th Annual Computer Security Applications Conference (ACSAC), 2001.

[36] Guofei Gu et al. HoneyStat: Local Worm Detection Using Honeypots. RAID, 2004.

[37] Philippe Fouquart et al. ASN.1 Communication Between Heterogeneous Systems. 2000.

[38] Vern Paxson et al. How to Own the Internet in Your Spare Time. USENIX Security Symposium, 2002.

[39] Anthony Jones et al. Network Programming for Microsoft Windows. 1999.