Vigilante: End-to-End Containment of Internet Worms
Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham
In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005
Presented By : Ramanarayanan Ramani
Motivation
To improve the security of end host computers
Share security information between hosts
Validation and Verification of the security information
Vigilante Design
Self-Certifying AlertsAlert TypesAlert Detection & GenerationAlert DistributionAlert VerificationAutomatic Filter Generation
Self-Certifying Alerts
1. Infection Attempt2. Infection Detection
3. Certificate Generation
4. Certificate Distribution
5. Certificate Verification
6. Filter for infection
Self-Certifying Alerts
How can the Certificate be trusted?Details of infected Service or Program
(including version)Steps of infection
End host performs self infection as given in certificate and verifies certificate (in a virtual environment)
Alert Types
Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space
Arbitrary Code Execution alerts : Describe code-injection vulnerabilities
Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions
Alert Detection
Non-executable pagesNon-execute protection on stack and heap
pagesDetect and prevent code injection attacks
Dynamic dataflow analysisNetwork data and data derived from it are
dirtyMonitor dirty data movement
SCA Generation
Non-executable pagesUse Log file to generate the SCALocate message which sent infected codeAddress of the faulting instructionThe message and the offset within the
message are recorded in the verification information
Might be combination of messages
SCA Generation
Dynamic dataflow analysis Information is simply read from the data
structures maintained by the engine Identifier for the dirty data found from table
of dirty memory locations or the table of dirty registers
Map identifier to message and offset in message
Alert Distribution
Vigilante uses a secure Pastry overlay Each host sends the SCA to all its overlay
neighbors Each host has a significant number of
neighbors : Flooding provides reliability Compromised hosts refuse to forward an SCA Secure links between neighbors with each
having Certificate (Random HostID) to join the overlay
Alert Distribution
Defense against Denial of Service AttacksHosts do not forward SCAs that are blocked
by their filters or are identical to SCAs received recently
Only forward SCAs that they can verify Impose a rate limit on the number of SCAs
that they are willing to verify from each neighbor
Alert Verification
SCA verifier receives an SCA
Sends the SCA to the verification manager inside the virtual machine
Verification manager uses the data in the SCA to identify the vulnerable service
Alert Verification
Modifies the sequence of messages in the SCA to trigger execution of Verified when the messages are sent to the vulnerable service
If Verified is executed, the verification manager signals success
Failure after Timeout
Automatic Filter Generation
Analyze the execution path followed when the messages in the SCA are replayed
Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability
Automatic Filter Generation
Dynamic Data Flow AnalysisCompute data flow graphs for dirty data
(data as in SCA)Describes how to compute the current value
of the dirty dataAssociate a data flow graph with every
memory position, register, and processor flag that stores dirty data
Automatic Filter Generation
Dynamic Control Flow AnalysisKeeps track of all conditions that determine
the program counterConditions used when executing conditional
move and set instructionsFilter Condition is conjunction of these
condition and earlier value of conditionFor example, when the instruction “jz addr”
is executed, the filter condition is left unchanged if the zero flag is clean
Experimental setup
Dell PrecisionWorkstations with 3GHz Intel Pentium 4 processors
2GB of RAMIntel PRO/1000 Gigabit network cards Hosts were connected through a
100Mbps D-Link Ethernet switch
Alert Distribution - Simulation
S : Population of susceptible hosts p : Fraction of them being detectors β : Average infection rate It : The total number of infected hosts at time t
Pt : The number of distinct susceptible hosts that have been probed by the worm at time t
Alert Distribution - Simulation
k : Starting infected hostsWhen a new host infected :
Simulator calculates the expected time a new susceptible host receives a worm probe
Randomly picks an unprobed susceptible host as the target of that probe
If target is detector, SCA is generated and distributed
Simulation Parameters
Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000
Strengths
The concept of SCAs and the end-to-end automatic worm containment architecture
Mechanisms to generate, verify, and distribute SCAs automatically
Automatic mechanism to generate host-based filters that block worm traffic
Fast, low false positives and negatives
Weaknesses
Overhead on network not consideredWorms can send false messages to
detector and create invalid SCAsUndetected worms may use the overlay
to spreadMore alerts could have been defined
Suggestions
Use dummy worms to create invalid SCA and check network overhead
What if worm creates its own SCA which may seem valid but may create a backdoor?