
Vigilante: End-to-End Containment of Internet Worms

Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham

In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005

Presented By : Ramanarayanan Ramani

Motivation

To improve the security of end host computers

Share security information between hosts

Validation and Verification of the security information

Vigilante Design

- Self-Certifying Alerts
- Alert Types
- Alert Detection & Generation
- Alert Distribution
- Alert Verification
- Automatic Filter Generation

Self-Certifying Alerts

1. Infection Attempt

2. Infection Detection

3. Certificate Generation

4. Certificate Distribution

5. Certificate Verification

6. Filter for infection

Self-Certifying Alerts

How can the certificate be trusted?

- Details of the infected service or program (including version)
- Steps of the infection

End host performs self infection as given in certificate and verifies certificate (in a virtual environment)

Alert Types

Arbitrary Execution Control alerts : Vulnerabilities that allow worms to redirect execution to arbitrary pieces of code in a service’s address space

Arbitrary Code Execution alerts : Describe code-injection vulnerabilities

Arbitrary Function Argument alerts : Data-injection vulnerabilities that allow worms to change the value of arguments to critical functions

Example SCA

Alert Detection

Non-executable pages

- Non-execute protection on stack and heap pages
- Detect and prevent code injection attacks

Dynamic dataflow analysis

- Network data, and data derived from it, are dirty
- Monitor dirty data movement

SCA Generation

Non-executable pages

- Use the log file to generate the SCA
- Locate the message which sent the infected code
- Address of the faulting instruction
- The message and the offset within the message are recorded in the verification information
- Might be a combination of messages

SCA Generation

Dynamic dataflow analysis

- Information is simply read from the data structures maintained by the engine
- The identifier for the dirty data is found in the table of dirty memory locations or the table of dirty registers
- Map the identifier to a message and an offset in that message

Dynamic dataflow analysis Example

Alert Distribution

Vigilante uses a secure Pastry overlay

- Each host sends the SCA to all its overlay neighbors
- Each host has a significant number of neighbors: flooding provides reliability
- Compromised hosts refuse to forward an SCA
- Secure links between neighbors, each having a certificate (random HostID) to join the overlay

Alert Distribution

Defense against denial of service attacks

- Hosts do not forward SCAs that are blocked by their filters or are identical to SCAs received recently
- Only forward SCAs that they can verify
- Impose a rate limit on the number of SCAs that they are willing to verify from each neighbor

Alert Verification

SCA verifier receives an SCA

Sends the SCA to the verification manager inside the virtual machine

Verification manager uses the data in the SCA to identify the vulnerable service

Alert Verification

Modifies the sequence of messages in the SCA so that execution of the Verified function is triggered when the messages are sent to the vulnerable service

If Verified is executed, the verification manager signals success

Failure is signalled after a timeout

Automatic Filter Generation

Analyze the execution path followed when the messages in the SCA are replayed

Use dynamic data and control flow analysis : Determine the execution path that exploits the vulnerability

Automatic Filter Generation

Dynamic data flow analysis

- Compute data flow graphs for dirty data (the data in the SCA)
- A data flow graph describes how to compute the current value of the dirty data
- Associate a data flow graph with every memory position, register, and processor flag that stores dirty data

Automatic Filter Generation

Dynamic control flow analysis

- Keeps track of all conditions that determine the program counter
- Also tracks the conditions used when executing conditional move and set instructions
- The filter condition is the conjunction of each such condition with the earlier value of the filter condition
- For example, when the instruction "jz addr" is executed, the filter condition is left unchanged if the zero flag is clean

Filter Generation Example
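The SCA generation slides (dirty data identified by message and offset) and the filter generation slides (conjunction of branch conditions on dirty data) can be shown together on a toy machine. This is an added example written for this page, not code from the Vigilante paper: the register program, the message identifier MSG_ID and the instruction set are constructed, and the SCA is a plain dictionary rather than the paper's format.

```python
MSG_ID = 7  # constructed identifier of the received message

def run(program, message):
    """Run a tiny register program over one received message.
    Memory holding the message is dirty with identifier (MSG_ID, offset);
    registers inherit the identifier of the data they load.
    Returns (sca_or_None, filter_conditions)."""
    mem = list(message)
    dirty_mem = {i: (MSG_ID, i) for i in range(len(mem))}  # table of dirty memory
    regs, dirty_regs = {}, {}                              # values / dirty registers
    zf, zf_dirty, last_imm = False, None, None             # zero flag and its origin
    conds, pc = [], 0
    while pc < len(program):
        op, *args = program[pc]
        pc += 1
        if op == "load":            # reg <- mem[addr]; the register becomes dirty
            r, a = args
            regs[r], dirty_regs[r] = mem[a], dirty_mem.get(a)
        elif op == "cmp":           # zf <- (reg == imm); the flag is dirty if reg is
            r, last_imm = args
            zf, zf_dirty = regs[r] == last_imm, dirty_regs.get(r)
        elif op == "jz":            # a dirty flag adds a condition; a clean one does not
            if zf_dirty is not None:
                conds.append((zf_dirty[1], "==" if zf else "!=", last_imm))
            if zf:
                pc = args[0]
        elif op == "jmpreg":        # indirect jump through a register
            (r,) = args
            if dirty_regs.get(r) is not None:   # message data reached the PC: alert
                msg, off = dirty_regs[r]
                return {"type": "arbitrary execution control", "message": msg,
                        "offset": off}, conds
            pc = regs[r]
        elif op == "halt":
            break
    return None, conds

def make_filter(conds):
    """Host-based filter: the conjunction of the recorded conditions on message bytes."""
    def blocks(msg):
        return all(off < len(msg) and (msg[off] == v if op == "==" else msg[off] != v)
                   for off, op, v in conds)
    return blocks

# Constructed vulnerable service: dispatch on byte 0, then jump through byte 1.
PROGRAM = [("load", "a", 0), ("cmp", "a", 0x41), ("jz", 4), ("halt",),
           ("load", "b", 1), ("jmpreg", "b")]
```

Running PROGRAM on a message starting with byte 0x41 yields an SCA pointing at offset 1 and a filter that only needs to inspect byte 0, while a message starting with any other byte produces no alert.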

Experimental setup

Dell Precision workstations with 3GHz Intel Pentium 4 processors

2GB of RAM

Intel PRO/1000 Gigabit network cards

Hosts were connected through a 100Mbps D-Link Ethernet switch

Alert Generation

SCA Size

Alert Verification

Filter Generation

Filter Overhead

Alert Distribution - Simulation

S : population of susceptible hosts

p : fraction of them that are detectors

β : average infection rate

It : the total number of infected hosts at time t

Pt : the number of distinct susceptible hosts that have been probed by the worm at time t

Alert Distribution - Simulation

k : starting infected hosts

When a new host is infected:

- The simulator calculates the expected time a new susceptible host receives a worm probe
- It randomly picks an unprobed susceptible host as the target of that probe
- If the target is a detector, an SCA is generated and distributed

Simulation Parameters

Default values for all other experiments : p = 0.001, k = 10, Tg = 1 second, Tv = 100 ms, β = 0.117, and S = 75,000
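The simulation loop described on the previous slides, run with the default parameter values above, as an added example that is not the paper's simulator. The probe-arrival model (exponential inter-probe time with rate β·It·(S−Pt)/S, the SI model) and the SCA distribution delay (Tg to generate, then a fixed number of overlay hops each costing Tv to verify) are assumptions of this example; the slides do not give these details.

```python
import math
import random

# Default parameter values from the slide.
S, p, k, T_g, T_v, beta = 75_000, 0.001, 10, 1.0, 0.1, 0.117

def simulate(S=S, p=p, k=k, T_g=T_g, T_v=T_v, beta=beta, hops=5, seed=1):
    """Event-driven race between worm spread and SCA distribution.
    Assumed model (not from the slides):
      - the next probe arrives after an exponential delay with rate
        beta * I_t * (S - P_t) / S;
      - an SCA raised by a detector takes T_g to generate and then
        hops * T_v to be verified hop by hop across the overlay, after
        which every remaining susceptible host filters the worm.
    Returns the fraction of the susceptible population that was infected."""
    rng = random.Random(seed)
    order = list(range(S))
    rng.shuffle(order)                       # unprobed hosts, picked in random order
    detectors = set(rng.sample(order[k:], int(p * S)))
    t, I_t, P_t = 0.0, k, k                  # time, infected hosts, probed hosts
    protected_at = math.inf                  # time by which the SCA reached every host
    while P_t < S:
        t += rng.expovariate(beta * I_t * (S - P_t) / S)
        if t >= protected_at:
            break                            # remaining hosts block the worm
        target = order[P_t]
        P_t += 1
        if target in detectors:              # detector contains the probe, raises an SCA
            protected_at = min(protected_at, t + T_g + hops * T_v)
        else:
            I_t += 1
    return I_t / S
```

With no detectors (p = 0) the worm reaches the whole population; with the slide's defaults only a few percent of hosts are infected before the SCA arrives, and the result is reproducible for a fixed seed.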

Simulation Results

Strengths

The concept of SCAs and the end-to-end automatic worm containment architecture

Mechanisms to generate, verify, and distribute SCAs automatically

Automatic mechanism to generate host-based filters that block worm traffic

Fast, low false positives and negatives

Weaknesses

Overhead on the network is not considered

Worms can send false messages to a detector and create invalid SCAs

Undetected worms may use the overlay to spread

More alert types could have been defined

Suggestions

Use dummy worms to create invalid SCAs and measure the resulting network overhead

What if worm creates its own SCA which may seem valid but may create a backdoor?

Questions?