Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for the corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits [43]. In this paper, we show that this concept is feasible by describing a prototype Shield framework implementation that filters traffic above the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of several known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and small impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
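The abstract describes a shield as a partial state machine of the vulnerable application that checks the vulnerability condition itself rather than a byte pattern of one exploit. The following is an added illustration of that idea, not code from the Shield framework or its vulnerability language: it tracks only the states of a constructed line-based protocol that matter for a hypothetical length-bound vulnerability (a `USER` argument longer than `MAX_NAME_LEN` bytes once the session is open), drops any message that meets the condition whatever its payload looks like, and forwards everything else unchanged. The protocol, the states, the bound and the sample traffic are all assumptions made for this example.

```python
"""Toy Shield-style filter for a constructed line-based protocol.

Constructed scenario (not from the paper): the server is assumed to have a
length-handling bug in the USER command, triggered only after the client has
sent HELLO. The filter models just enough of the protocol's state machine to
evaluate that condition and leaves all other traffic untouched.
"""
from dataclasses import dataclass
from enum import Enum, auto

# Hypothetical bound from the constructed vulnerability description.
MAX_NAME_LEN = 32


class State(Enum):
    INIT = auto()     # before HELLO: the vulnerable code path is not reachable
    SESSION = auto()  # after HELLO: USER arguments are checked against the bound
    DONE = auto()     # after QUIT: nothing further to check


@dataclass
class ShieldFilter:
    """Partial state machine for the client->server direction of one connection."""
    state: State = State.INIT
    buf: bytes = b""   # bytes of an incomplete line carried over between chunks
    dropped: int = 0   # number of messages removed from the stream

    def feed(self, data: bytes) -> bytes:
        """Consume one chunk of the stream and return the bytes to forward.

        Lines may be split across chunks, so partial lines are buffered and
        only complete lines are checked; a filter that inspected packets
        in isolation could be bypassed by fragmenting the message.
        """
        self.buf += data
        forwarded = []
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            kept = self._check(line + b"\n")
            if kept is not None:
                forwarded.append(kept)
        return b"".join(forwarded)

    def _check(self, line: bytes):
        """Return the line to forward, or None if it meets the vulnerability condition."""
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if self.state is State.INIT:
            if verb == b"HELLO":
                self.state = State.SESSION
            return line  # nothing sent before HELLO reaches the vulnerable code
        if self.state is State.SESSION:
            # Exploit-generic check: the content of the argument is irrelevant,
            # only its length matters, so polymorphic variants are caught alike.
            if verb == b"USER" and len(arg) > MAX_NAME_LEN:
                self.dropped += 1
                return None
            if verb == b"QUIT":
                self.state = State.DONE
            return line
        return line  # DONE: pass through without further inspection


if __name__ == "__main__":
    # Constructed sample stream: a benign session with one oversized USER line.
    shield = ShieldFilter()
    stream = b"HELLO client\nUSER alice\nUSER " + b"A" * 64 + b"\nQUIT\n"
    print(shield.feed(stream).decode())
    print("dropped:", shield.dropped)
```

The filter only parses the fields that the vulnerability condition depends on, which is what keeps it cheap and limits the surface for false positives: a well-formed `USER` line of normal length passes through byte-for-byte, and a long argument sent before `HELLO` is also passed, because in this constructed protocol the vulnerable path is not reachable in that state.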

[1] William R. Bush, et al. A static analyzer for finding dynamic programming errors, 2000.

[2] Crispin Cowan, et al. Timing the Application of Security Patches for Optimal Uptime, 2002, LISA.

[3] David Litchfield. Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, 2003.

[4] John C. Klensin, et al. Simple Mail Transfer Protocol, 2001, RFC.

[5] Sumeet Singh, et al. The EarlyBird System for Real-time Detection of Unknown Worms, 2005.

[6] Roy T. Fielding, et al. Hypertext Transfer Protocol - HTTP/1.1, 1997, RFC.

[7] Vern Paxson, et al. Bro: a system for detecting network intruders in real-time, 1998, Comput. Networks.

[8] Anthony Jones, et al. Network Programming for Microsoft Windows, 1999.

[9] Anthony Jones, et al. Network Programming for Microsoft Windows with Cdrom, 2002.

[10] Jon Postel, et al. Simple Mail Transfer Protocol, 1981, RFC.

[11] J. Postel, et al. File transfer protocol (FTP), 1985.

[12] Vern Paxson, et al. Active mapping: resisting NIDS evasion without altering traffic, 2003, 2003 Symposium on Security and Privacy.

[13] Satish Chandra, et al. Packet Types: Abstract specifications of network protocol messages, 2000, SIGCOMM.

[14] David Moore, et al. Code-Red: a case study on the spread and victims of an internet worm, 2002, IMW '02.

[15] William A. Arbaugh, et al. IEEE 52 Computer, 1985.

[16] David Moore, et al. Internet quarantine: requirements for containing self-propagating code, 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[17] Thomas Henry Ptacek, et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, 1998.

[18] Crispan Cowan, et al. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, 1998, USENIX Security Symposium.

[19] Philippe Fouquart, et al. ASN.1 Communication Between Heterogeneous Systems, 2000.

[20] Markus G. Kuhn, et al. Low-threat security patches and tools, 1997, 1997 Proceedings International Conference on Software Maintenance.

[21] Daniel R. Simon, et al. Practical automated filter generation to explicitly enforce implicit input assumptions, 2001, Seventeenth Annual Computer Security Applications Conference.

[22] B. Karp, et al. Autograph: Toward Automated, Distributed Worm Signature Detection, 2004, USENIX Security Symposium.

[23] David Watson, et al. Transport and application protocol scrubbing, 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[24] Stefan Savage, et al. Inside the Slammer Worm, 2003, IEEE Secur. Priv.

[25] Peter Szor, et al. Hunting for Metamorphic, 2001.

[26] Guofei Gu, et al. HoneyStat: Local Worm Detection Using Honeypots, 2004, RAID.

[27] Henning Schulzrinne, et al. RTP: A Transport Protocol for Real-Time Applications, 1996, RFC.

[28] Jon Crowcroft, et al. Honeycomb, 2004, Comput. Commun. Rev.

[29] Kevin A. Kwiat, et al. Modeling the spread of active worms, 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[30] Gregory R. Ganger, et al. Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces (CMU-CS-03-109), 2003.

[31] David A. Wagner, et al. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, 2000, NDSS.

[32] Eric Rescorla. Security Holes... Who Cares?, 2003, USENIX Security Symposium.

[33] Niels Provos, et al. A Virtual Honeypot Framework, 2004, USENIX Security Symposium.

[34] Todd A. Proebsting, et al. USC: a universal stub compiler, 1994, SIGCOMM 1994.

[35] Vern Paxson, et al. How to Own the Internet in Your Spare Time, 2002, USENIX Security Symposium.

[36] Vern Paxson, et al. Very Fast Containment of Scanning Worms, 2004, USENIX Security Symposium.

[37] Raghupathy Sivakumar, et al. A Transport Layer Approach for Achieving Aggregate Bandwidths on Multi-Homed Mobile Hosts, 2002, MobiCom '02.

[38] Stefan Savage, et al. The Spread of the Sapphire/Slammer Worm, 2003.

[39] Mark Handley, et al. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 2001, USENIX Security Symposium.

[40] Jon Postel, et al. Telnet Protocol Specification, 1980, RFC.

[41] Matthew M. Williamson, et al. Throttling viruses: restricting propagation to defeat malicious mobile code, 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings.