Vigilante: End-to-end containment of Internet worm epidemics

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA. Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.

[1]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[2]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[3]  Stephanie Forrest,et al.  Architecture for an Artificial Immune System , 2000, Evolutionary Computation.

[4]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[5]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[6]  Laurent Massoulié,et al.  Efficient Quarantining of Scanning Worms: Optimal Detection and Coordination , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[7]  Peter Druschel,et al.  Pastry: Scalable, distributed object location and routing for large-scale peer-to- , 2001 .

[8]  Tzi-cker Chiueh,et al.  CTCP: a transparent centralized TCP/IP architecture for network security , 2004, 20th Annual Computer Security Applications Conference.

[9]  Eugene H. Spafford,et al.  Crisis and aftermath , 1989, Commun. ACM.

[10]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[11]  David R. Karger,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[12]  Dawson R. Engler,et al.  Bugs as deviant behavior: a general approach to inferring errors in systems code , 2001, SOSP.

[13]  Jon Crowcroft,et al.  Honeycomb , 2004, Comput. Commun. Rev..

[14]  A.J. Ganesh,et al.  On the Race of Worms, Alerts, and Patches , 2008, IEEE/ACM Transactions on Networking.

[15]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[16]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[17]  Andrew Warfield,et al.  Practical taint-based protection using demand emulation , 2006, EuroSys.

[18]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[19]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[20]  Manuel Costa,et al.  Bouncer: securing software by blocking bad input , 2008, WRAITS '08.

[21]  Junfeng Yang,et al.  Using model checking to find serious file system errors , 2004, TOCS.

[22]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[23]  Michael Vrable,et al.  Scalability, fidelity, and containment in the potemkin virtual honeyfarm , 2005, SOSP '05.

[24]  Christopher Kruegel,et al.  Connection-History Based Anomaly Detection , 2002 .

[25]  Herbert W. Hethcote,et al.  The Mathematics of Infectious Diseases , 2000, SIAM Rev..

[26]  Anil Madhavapeddy,et al.  Creating high-performance statically type-safe network applications , 2010 .

[27]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[28]  Wenke Lee,et al.  Polymorphic Blending Attacks , 2006, USENIX Security Symposium.

[29]  Jaeyeon Jung,et al.  Real-time detection of malicious network activity using stochastic models , 2006 .

[30]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[31]  Kevin A. Kwiat,et al.  Modeling the spread of active worms , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[32]  Jon A. Rochlis,et al.  With microscope and tweezers: an analysis of the Internet virus of November 1988 , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[33]  James Newsome,et al.  Polygraph: automatically generating signatures for polymorphic worms , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[34]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[35]  Karl N. Levitt,et al.  GrIDS A Graph-Based Intrusion Detection System for Large Networks , 1996 .

[36]  Christopher Krügel,et al.  Accurate Buffer Overflow Detection via Abstract Payload Execution , 2002, RAID.

[37]  Jacob Goldenberg,et al.  Distributive immunization of networks against viruses using the ‘honey-pot’ architecture , 2005 .

[38]  Hao Wang,et al.  Towards automatic generation of vulnerability-based signatures , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[39]  John R. Douceur,et al.  The Sybil Attack , 2002, IPTPS.

[40]  Biswanath Mukherjee,et al.  A network security monitor , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[41]  David Watson,et al.  The Blaster worm: then and now , 2005, IEEE Security & Privacy Magazine.

[42]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[43]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[44]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[45]  Christopher Krügel,et al.  Polymorphic Worm Detection Using Structural Information of Executables , 2005, RAID.

[46]  Christopher Krügel,et al.  Automating Mimicry Attacks Using Static Binary Analysis , 2005, USENIX Security Symposium.

[47]  Yong Tang,et al.  Defending against Internet worms: a signature-based approach , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[48]  Karl N. Levitt,et al.  Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities , 2004, 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507).

[49]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[50]  Jeffrey O. Kephart,et al.  Blueprint for a Computer Immune System , 1999 .

[51]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[52]  David Moore,et al.  The Spread of the Witty Worm , 2004, IEEE Secur. Priv..

[53]  Stephanie Forrest,et al.  Automated response using system-call delays , 2000 .

[54]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[55]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[56]  Samuel T. King,et al.  ReVirt: enabling intrusion analysis through virtual-machine logging and replay , 2002, OPSR.

[57]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[58]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[59]  Evelyn Duesterwald,et al.  Design and implementation of a dynamic optimization framework for windows , 2000 .

[60]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[61]  T. Holz,et al.  Detecting honeypots and other suspicious environments , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[62]  Angelos D. Keromytis,et al.  Software Self-Healing Using Collaborative Application Communities , 2006, NDSS.

[63]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[64]  Helen J. Wang,et al.  Shield: vulnerability-driven network filters for preventing known vulnerability exploits , 2004, SIGCOMM 2004.

[65]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[66]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[67]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[68]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[69]  Somesh Jha,et al.  An architecture for generating semantics-aware signatures , 2005 .

[70]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[71]  Fay W. Chang,et al.  Operating System I/O Speculation: How Two Invocations Are Faster Than One , 2003, USENIX Annual Technical Conference, General Track.

[72]  Helen J. Wang,et al.  Shield: vulnerability-driven network filters for preventing known vulnerability exploits , 2004, SIGCOMM.

[73]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000, Softw. Pract. Exp..

[74]  Yuanyuan Zhou,et al.  Rx: treating bugs as allergies---a safe method to survive software failures , 2005, SOSP '05.

[75]  Fred Cohen,et al.  Computer viruses—theory and experiments , 1990 .

[76]  George Varghese,et al.  Automated Worm Fingerprinting , 2004, OSDI.

[77]  rey O. Kephart,et al.  Automatic Extraction of Computer Virus SignaturesJe , 2006 .

[78]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[79]  Eric van den Berg,et al.  A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows , 2005, RAID.

[80]  Nathanael Paul,et al.  Where's the FEEB? The Effectiveness of Instruction Set Randomization , 2005, USENIX Security Symposium.

[81]  Matthew C. Elder,et al.  On computer viral infection and the effect of immunization , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[82]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[83]  Peter Szor,et al.  HUNTING FOR METAMORPHIC , 2001 .

[84]  Robert Morris,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM 2001.

[85]  EvansDavid,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002 .

[86]  Ellen W. Zegura,et al.  How to model an internetwork , 1996, Proceedings of IEEE INFOCOM '96. Conference on Computer Communications.

[87]  Ravishankar K. Iyer,et al.  Transparent runtime randomization for security , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[88]  Galen C. Hunt,et al.  Detours: binary interception of Win32 functions , 1999 .

[89]  Yoichi Shinoda,et al.  Vulnerabilities of Passive Internet Threat Monitors , 2005, USENIX Security Symposium.

[90]  Mary K. Vernon,et al.  Mapping Internet Sensors with Probe Response Attacks , 2005, USENIX Security Symposium.

[91]  Salvatore J. Stolfo,et al.  Anomalous Payload-Based Worm Detection and Signature Generation , 2005, RAID.

[92]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[93]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000 .

[94]  Samuel T. King,et al.  Detecting past and present intrusions through vulnerability-specific predicates , 2005, SOSP '05.

[95]  Miguel Castro,et al.  Secure routing for structured peer-to-peer overlay networks , 2002, OSDI '02.

[96]  Daniel C. DuVarney,et al.  Efficient Techniques for Comprehensive Protection from Memory Error Exploits , 2005, USENIX Security Symposium.

[97]  Thomas Henry Ptacek,et al.  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[98]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[99]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[100]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[101]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[102]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[103]  Vern Paxson,et al.  The top speed of flash worms , 2004, WORM '04.

[104]  Tal Garfinkel,et al.  Understanding data lifetime via whole system simulation , 2004 .

[105]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[106]  Vern Paxson,et al.  Very Fast Containment of Scanning Worms , 2004, USENIX Security Symposium.

[107]  Karl N. Levitt,et al.  SELECT—a formal system for testing and debugging programs by symbolic execution , 1975 .

[108]  Jeffrey S. Fenton Information Protection Systems , 1973 .

[109]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[110]  Mark Handley,et al.  A scalable content-addressable network , 2001, SIGCOMM '01.

[111]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[112]  Max Crochemore,et al.  The Computer Science and Engineering Handbook , 2004 .

[113]  Glynn Winskel,et al.  The formal semantics of programming languages - an introduction , 1993, Foundation of computing series.

[114]  Niels Provos,et al.  A Virtual Honeypot Framework , 2004, USENIX Security Symposium.

[115]  Sanjay Bhansali,et al.  Framework for instruction-level tracing and analysis of program executions , 2006, VEE '06.

[116]  Gregory R. Ganger,et al.  Self-Securing Network Interfaces: What, Why and How (CMU-CS-02-144) , 2002 .

[117]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[118]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[119]  Miguel Castro,et al.  Security for Structured Peer-to-peer Overlay Networks , 2004 .

[120]  G. Winskel The formal semantics of programming languages , 1993 .

[121]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[122]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[123]  Zhendong Su,et al.  On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits , 2005, CCS '05.

[124]  Donald F. Towsley,et al.  Monitoring and early warning for internet worms , 2003, CCS '03.

[125]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[126]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[127]  Stefan Savage,et al.  Network Telescopes: Technical Report , 2004 .

[128]  Stuart Staniford-Chen,et al.  Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[129]  Andrew C. Myers,et al.  Using replication and partitioning to build secure distributed systems , 2003, 2003 Symposium on Security and Privacy, 2003..

[130]  Ozalp Babaoglu,et al.  ACM Transactions on Computer Systems , 2007 .

[131]  Somesh Jha,et al.  Efficient Context-Sensitive Intrusion Detection , 2004, NDSS.

[132]  Benjamin Livshits,et al.  Improving software security with a C pointer analysis , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[133]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[134]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[135]  Miguel Castro,et al.  Can we contain Internet worms , 2004 .

[136]  Antony I. T. Rowstron,et al.  Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems , 2001, Middleware.

[137]  D. Avots,et al.  Improving software security with a C pointer analysis , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[138]  Zhenkai Liang,et al.  Fast and automated generation of attack signatures: a basis for building self-protecting servers , 2005, CCS '05.

[139]  Wenke Lee,et al.  Misleading worm signature generators using deliberate noise injection , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[140]  John F. Shoch,et al.  The “worm” programs—early experience with a distributed computation , 1982, CACM.

[141]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[142]  Miguel Castro,et al.  Bouncer: securing software by blocking bad input , 2007, SOSP.

[143]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[144]  Jeffrey S. Fenton Memoryless Subsystems , 1974, Comput. J..

[145]  Stuart E. Schechter,et al.  Fast Detection of Scanning Worm Infections , 2004, RAID.

[146]  Angelos D. Keromytis,et al.  Building a Reactive Immune System for Software Services , 2005, USENIX Annual Technical Conference, General Track.

[147]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[148]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[149]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[150]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[151]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[152]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[153]  Jeffrey O. Kephart,et al.  Directed-graph epidemiological models of computer viruses , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[154]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[155]  Zhenkai Liang,et al.  Automatic generation of buffer overflow attack signatures: an approach based on program behavior models , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[156]  William Cheswick,et al.  Firewalls and Internet Security , 1994 .

[157]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[158]  Nicholas Nethercote,et al.  Valgrind: A Program Supervision Framework , 2003, RV@CAV.

[159]  Daniel P. W. Ellis,et al.  Worms vs. perimeters: the case for hard-LANs , 2004, Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects.

[160]  Evangelos Kranakis,et al.  DNS-based Detection of Scanning Worms in an Enterprise Network , 2005, NDSS.

[161]  Mark Santcroos,et al.  Providing Active Measurements as a Regular Service for ISP's , 2001 .

[162]  Tzi-cker Chiueh,et al.  DIRA: Automatic Detection, Identification and Repair of Control-Hijacking Attacks , 2005, NDSS.

[163]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[164]  Mark Handley,et al.  Exploit hijacking: side effects of smart defenses , 2006, LSAD '06.

[165]  Sencun Zhu,et al.  SigFree: A Signature-Free Buffer Overflow Attack Blocker , 2010, IEEE Transactions on Dependable and Secure Computing.

[166]  Eugene H. Spafford,et al.  The internet worm: crisis and aftermath , 1989 .

[167]  Thomas W. Reps,et al.  Precise interprocedural chopping , 1995, SIGSOFT FSE.

[168]  Alexander Aiken,et al.  Scalable error detection using boolean satisfiability , 2005, POPL '05.

[169]  Murray Hill,et al.  Lint, a C Program Checker , 1978 .

[170]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[171]  L. Alvisi,et al.  A Survey of Rollback-Recovery Protocols , 2002 .

[172]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[173]  Miguel Castro,et al.  Performance and dependability of structured peer-to-peer overlays , 2004, International Conference on Dependable Systems and Networks, 2004.