Vigilante: EndtoEnd Containment of Internet Worms - PowerPoint PPT Presentation

About This Presentation

Title:

Vigilante: EndtoEnd Containment of Internet Worms

Description:

... for dirty data (data as in SCA) Describes how to compute the current value of the dirty data ... register, and processor flag that stores dirty data ... – PowerPoint PPT presentation

Number of Views:64

Avg rating:3.0/5.0

Slides: 35

Provided by: Ent65

Learn more at: http://www.cs.ucf.edu

Category:

more less

Transcript and Presenter's Notes

Title: Vigilante: EndtoEnd Containment of Internet Worms

1
Vigilante End-to-End Containment of Internet
Worms

Authors M. Costa, J. Crowcroft, M. Castro, A.
Rowstron, L. Zhou, L. Zhang, and P. Barham
In Proceedings of the 20th ACM Symposium on
Operating System Principles (SOSP), Brighton, UK,
Oct. 2005

Presented By Ramanarayanan Ramani
2
Motivation

To improve the security of end host computers
Share security information between hosts
Validation and Verification of the security
information

3
Vigilante Design

Self-Certifying Alerts
Alert Types
Alert Detection Generation
Alert Distribution
Alert Verification
Automatic Filter Generation

4
Self-Certifying Alerts
1. Infection Attempt
2. Infection Detection
3. Certificate Generation
4. Certificate Distribution
5. Certificate Verification
6. Filter for infection
5
Self-Certifying Alerts

How can the Certificate be trusted?
Details of infected Service or Program (including
version)
Steps of infection
End host performs self infection as given in
certificate and verifies certificate (in
a virtual environment)

6
Alert Types

Arbitrary Execution Control alerts
Vulnerabilities that allow worms to redirect
execution to arbitrary pieces of code in a
services address space
Arbitrary Code Execution alerts Describe
code-injection vulnerabilities
Arbitrary Function Argument alerts
Data-injection vulnerabilities that allow worms
to change the value of arguments to critical
functions

7
Example SCA
8
Alert Detection

Non-executable pages
Non-execute protection on stack and heap pages
Detect and prevent code injection attacks
Dynamic dataflow analysis
Network data and data derived from it are dirty
Monitor dirty data movement

9
SCA Generation

Non-executable pages
Use Log file to generate the SCA
Locate message which sent infected code
Address of the faulting instruction
The message and the offset within the message are
recorded in the verification information
Might be combination of messages

10
SCA Generation

Dynamic dataflow analysis
Information is simply read from the data
structures maintained by the engine
Identifier for the dirty data found from table of
dirty memory locations or the table of dirty
registers
Map identifier to message and offset in message

11
Dynamic dataflow analysis Example
12
Alert Distribution

Vigilante uses a secure Pastry overlay
Each host sends the SCA to all its overlay
neighbors
Each host has a significant number of neighbors
Flooding provides reliability
Compromised hosts refuse to forward an SCA
Secure links between neighbors with each having
Certificate (Random HostID) to join the overlay

13
Alert Distribution

Defense against Denial of Service Attacks
Hosts do not forward SCAs that are blocked by
their filters or are identical to SCAs received
recently
Only forward SCAs that they can verify
Impose a rate limit on the number of SCAs that
they are willing to verify from each neighbor

14
Alert Verification

SCA verifier receives an SCA
Sends the SCA to the verification manager inside
the virtual machine
Verification manager uses the data in the SCA to
identify the vulnerable service

15
Alert Verification

Modifies the sequence of messages in the SCA to
trigger execution of Verified when the messages
are sent to the vulnerable service
If Verified is executed, the verification manager
signals success
Failure after Timeout

16
Automatic Filter Generation

Analyze the execution path followed when the
messages in the SCA are replayed
Use dynamic data and control flow analysis
Determine the execution path that exploits the
vulnerability

17
Automatic Filter Generation

Dynamic Data Flow Analysis
Compute data flow graphs for dirty data (data as
in SCA)
Describes how to compute the current value of the
dirty data
Associate a data flow graph with every memory
position, register, and processor flag that
stores dirty data

18
Automatic Filter Generation

Dynamic Control Flow Analysis
Keeps track of all conditions that determine the
program counter
Conditions used when executing conditional move
and set instructions
Filter Condition is conjunction of these
condition and earlier value of condition
For example, when the instruction jz addr is
executed, the filter condition is left unchanged
if the zero flag is clean

19
Filter Generation Example
20
Experimental setup

Dell PrecisionWorkstations with 3GHz Intel
Pentium 4 processors
2GB of RAM
Intel PRO/1000 Gigabit network cards
Hosts were connected through a 100Mbps D-Link
Ethernet switch

21
Alert Generation
22
SCA Size
23
Alert Verification
24
Filter Generation
25
Filter Overhead
26
Alert Distribution - Simulation

S Population of susceptible hosts
p Fraction of them being detectors
ß Average infection rate
It The total number of infected hosts at time t
Pt The number of distinct susceptible hosts
that have been probed by the worm at time t

27
Alert Distribution - Simulation

k Starting infected hosts
When a new host infected
Simulator calculates the expected time a new
susceptible host receives a worm probe
Randomly picks an unprobed susceptible host as
the target of that probe
If target is detector, SCA is generated and
distributed

28
Simulation Parameters
Default values for all other experiments p
0.001, k 10, Tg 1 second, Tv 100 ms, ß
0.117, and S 75,000
29
Simulation Results
30
(No Transcript)
31
Strengths