Sting: An End-to-End Self-Healing System for Defending against Internet Worms

  • David Brumley
  • James Newsome
  • Dawn Song
Part of the Advances in Information Security book series (ADIS, volume 27)

Abstract

We increasingly rely on highly available systems in all areas of society, from the economy to the military to government. Unfortunately, much software, including critical applications, contains vulnerabilities unknown at the time of deployment, with memory-overwrite vulnerabilities (such as buffer overflow and format string vulnerabilities) accounting for more than 60% of all vulnerabilities [10]. When exploited, these vulnerabilities can have devastating effects: self-propagating worms can compromise millions of vulnerable hosts within minutes or even seconds [32], [61] and cause millions of dollars of damage [30]. We therefore need effective mechanisms that protect vulnerable hosts from being compromised and allow them to continue providing critical services, even under aggressively spreading attacks that exploit previously unknown vulnerabilities.

References

  1. K2. ADMmutate. http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz.
  2. K. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of the USENIX Security Symposium, 2005.
  3. K. Avijit, P. Gupta, and D. Gupta. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In USENIX Security Symposium, August 2004.
  4. A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX Annual Technical Conference 2000, 2000.
  5. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, 2003.
  6. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, 2005.
  7. D. Brumley, L.-H. Liu, P. Poosankam, and D. Song. Design space and analysis of worm defense systems. In Proc. of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2006. Full version in CMU TR CMU-CS-05-156.
  8. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, 2006.
  9. C. Cerrudo. Story of a dumb patch. http://argeniss.com/research/MSBugPaper.pdf, 2005.
  10. CERT/CC. CERT/CC statistics 1988-2005. http://www.cert.org/stats/cert-stats.html.
  11. M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Carnegie Mellon University, 2002.
  12. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In 20th ACM Symposium on Operating System Principles (SOSP 2005), 2005.
  13. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP), Oct. 2005.
  14. C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, August 2001.
  15. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In 12th USENIX Security Symposium, 2003.
  16. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, January 1998.
  17. J. R. Crandall and F. Chong. Minos: Architectural support for software security through control data integrity. In International Symposium on Microarchitecture, December 2004.
  18. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. V. Underduk. Polymorphic shellcode engine using spectrum analysis. http://www.phrack.org/show.php?p=61&a=9.
  19. G. Dunlap, S. King, S. Cinar, M. Basrai, and P. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 2002 Symposium on Operating System Design and Implementation (OSDI), 2002.
  20. D. C. DuVarney, R. Sekar, and Y.-J. Lin. Benign software mutations: A novel approach to protect against large-scale network attacks. Center for Cybersecurity White Paper, October 2002.
  21. DynamoRIO. http://www.cag.lcs.mit.edu/dynamorio/.
  22. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems, 1997.
  23. J. Hopcroft, R. Motwani, and J. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2001.
  24. D. Jackson and E. Rollins. Chopping: A generalization of slicing. In Proc. of the Second ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1994.
  25. R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the Third International Workshop on Automated Debugging, 1995.
  26. A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 2005 Symposium on Operating Systems Principles (SOSP), 2005.
  27. H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, August 2004.
  28. V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, August 2002.
  29. C. Kreibich and J. Crowcroft. Honeycomb: Creating intrusion detection signatures using honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.
  30. R. Lemos. Counting the cost of the Slammer worm. http://news.com.com/2100-1001-982955.html, 2003.
  31. Z. Liang and R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proc. of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
  32. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. IEEE Security and Privacy, volume 1, 2003.
  33. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. IEEE Security and Privacy, volume 1, 2003.
  34. D. Moore, C. Shannon, G. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In 2003 IEEE Infocom Conference, 2003.
  35. C. Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, 1997.
  36. G. C. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In Proceedings of the Symposium on Principles of Programming Languages, 2002.
  37. N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In Proceedings of the Second Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management (SPACE 2004), Venice, Italy, Jan. 2004. (Proceedings not formally published.)
  38. N. Nethercote and J. Seward. Valgrind: A program supervision framework. In Proceedings of the Third Workshop on Runtime Verification (RV'03), Boulder, Colorado, USA, July 2003.
  39. J. Newsome, D. Brumley, and D. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
  40. J. Newsome, D. Brumley, D. Song, and M. R. Pariente. Sting: An end-to-end self-healing system for defending against zero-day worm attacks on commodity software. Technical Report CMU-CS-05-191, Carnegie Mellon University, February 2006.
  41. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy, May 2005.
  42. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Sept. 2006.
  43. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.
  44. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Technical Report CMU-CS-04-140, Carnegie Mellon University, May 2005.
  45. PaX. http://pax.grsecurity.net/.
  46. F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies: A safe method to survive software failures. In 20th ACM Symposium on Operating System Principles (SOSP), 2005.
  47. r code. ATPhttpd exploit. http://www.cotse.com/mailing-lists/todays/att-0003/01-atphttp0x06.c.
  48. T. Reps and G. Rosay. Precise interprocedural chopping. In Proc. of the Third ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1995.
  49. M. Rinard, C. Cadar, D. Dumitran, D. Roy, T. Leu, and W. B. Jr. Enhancing server availability and security through failure-oblivious computing. In Operating System Design & Implementation (OSDI), 2004.
  50. T. J. Robbins. libformat. http://www.securityfocus.com/tools/1818, 2001.
  51. O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, February 2004.
  52. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, October 2004.
  53. S. Sidiroglou and A. D. Keromytis. A network worm vaccine architecture. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pages 220-225, June 2003.
  54. S. Sidiroglou and A. D. Keromytis. Countering network worms through automatic patch generation. IEEE Security and Privacy, 2005.
  55. S. Sidiroglou, M. Locasto, and A. Keromytis. Software self-healing using collaborative application communities. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
  56. S. Sidiroglou, M. E. Locasto, S. W. Boyd, and A. D. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, 2005.
  57. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Dec. 2004.
  58. A. Smirnov and T.-c. Chiueh. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
  59. S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In Proceedings of the 2004 USENIX Technical Conference, 2004.
  60. S. Staniford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms. In ACM CCS WORM, Oct. 2004.
  61. S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in your spare time. In 11th USENIX Security Symposium, 2002.
  62. G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of ASPLOS, 2004.
  63. P. Szor. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference, 2001.
  64. J. Twycross and M. M. Williamson. Implementing and testing a virus throttle. In Proceedings of the 12th USENIX Security Symposium, August 2003.
  65. US-CERT. Vulnerability Note VU#196945: ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code. http://www.kb.cert.org/vuls/id/196945.
  66. H. J. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In ACM SIGCOMM, August 2004.
  67. M. M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. In Proceedings of the 18th Annual Computer Security Applications Conference, 2002.
  68. J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. Technical report, Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, May 2003.
  69. J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In Proceedings of the 12th Annual ACM Conference on Computer and Communication Security (CCS), 2005.

Copyright information

© Springer Science+Business Media, LLC. 2007

Authors and Affiliations

  • David Brumley (1)
  • James Newsome (1)
  • Dawn Song (1)
  1. Carnegie Mellon University, Pittsburgh, USA