Abstract
Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits [43]. In this paper, we show that this concept is feasible by describing a prototype Shield framework implementation that filters traffic above the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of several known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and small impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
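As an added illustration, not code from the paper or the Shield prototype: a toy Python shield that models the "partial state machine" idea over a constructed line-based protocol with a hypothetical overlong-argument flaw (the command names, the 64-byte bound and the sample sessions are all assumptions). It checks only the length of the vulnerable field, so differently encoded variants of the same attack are dropped while benign traffic, and messages that cannot reach the vulnerable handler, pass through untouched.

```python
from typing import List, Optional, Tuple

# Assumed bound of the hypothetical vulnerable handler (constructed for this
# example; not a real protocol or vulnerability from the paper).
MAX_BIND_ARG = 64


class ShieldFilter:
    """Partial state machine of the protected application.
    Only the states on the path to the vulnerable handler are modelled:
    INIT --HELLO--> READY --BIND <arg>--> length check. Every other
    message is forwarded untouched, which is what keeps false positives low.
    """

    def __init__(self) -> None:
        self.state = "INIT"
        self.dropped: List[str] = []

    def feed(self, line: str) -> Optional[str]:
        """Return the line to forward, or None if the shield drops it."""
        cmd, _, arg = line.partition(" ")
        if self.state == "INIT":
            if cmd == "HELLO":
                self.state = "READY"
            # A BIND sent before HELLO never reaches the vulnerable handler,
            # so the shield does not need to inspect it.
            return line
        if cmd == "BIND" and len(arg.encode("utf-8")) > MAX_BIND_ARG:
            # Vulnerability-specific, exploit-generic: only the length is
            # checked, so any argument that would overflow is dropped,
            # whatever bytes it happens to contain.
            self.dropped.append(line)
            return None
        if cmd == "QUIT":
            self.state = "INIT"
        return line


def filter_session(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Run one session through a fresh ShieldFilter; returns (forwarded, dropped)."""
    shield = ShieldFilter()
    forwarded = [out for out in map(shield.feed, lines) if out is not None]
    return forwarded, shield.dropped


# Constructed sample sessions (not captured traffic).
BENIGN = ["HELLO client1", "BIND /srv/data", "QUIT"]
VARIANT_A = ["HELLO x", "BIND " + "A" * 200]
VARIANT_B = ["HELLO x", "BIND " + "".join(chr(65 + i % 26) for i in range(150))]
```

Running `filter_session` on the three sessions forwards all of `BENIGN`, and drops the second line of both variants even though their payload bytes differ.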
References
- [1] W. A. Arbaugh, W. L. Fithen, and J. McHugh. Windows of Vulnerability: A Case Study Analysis. IEEE Computer, 2000.
- [2] Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright. Timing the Application of Security Patches for Optimal Uptime. In LISA XVI, November 2002.
- [3] William Bush, Jonathan D. Pincus, and David J. Sielaff. A Static Analyzer for Finding Dynamic Programming Errors. Software: Practice and Experience (SP&E), 2000.
- [4] Byacc. http://dickey.his.com/byacc/byacc.html.
- [5] H. Chen and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 13th USENIX Security Symposium, 2004.
- [6] Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In Proceedings of IEEE INFOCOM, 2003.
- [7] Microsoft Security Bulletin MS01-033, November 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.
- [8] Microsoft Corp. URLScan Security Tool. http://www.microsoft.com/technet/security/URLScan.asp.
- [9] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Conference, 1998.
- [10] David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen. HoneyStat: Local Worm Detection Using Honeypots. In RAID, 2004.
- [11] O. Dubuisson. ASN.1: Communication Between Heterogeneous Systems. Morgan Kaufmann Publishers, 2000.
- [12] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1 (RFC 2616), June 1999.
- [13] Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL Protocol Version 3.0. http://wp.netscape.com/eng/ssl3/ssl-toc.html.
- [14] Mark Handley, Vern Paxson, and Christian Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proceedings of the USENIX Security Symposium, August 2001.
- [15] Hung-Yun Hsieh and Raghupathy Sivakumar. A Transport Layer Approach for Achieving Aggregate Bandwidths on Multi-homed Mobile Hosts. In ACM MobiCom, September 2002.
- [16] Anthony Jones and Jim Ohlund. Network Programming for Microsoft Windows. Microsoft Publishing, 2002.
- [17] J. Klensin. Simple Mail Transfer Protocol (RFC 2821), April 2001.
- [18] C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. In HotNets-II, 2003.
- [19] David Litchfield. Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. http://www.nextgenss.com/papers.htm, September 2003.
- [20] G. Robert Malan, David Watson, and Farnam Jahanian. Transport and Application Protocol Scrubbing. In Proceedings of IEEE INFOCOM, 2000.
- [21] P. J. McCann and S. Chandra. PacketTypes: Abstract Specification of Network Protocol Messages. In Proceedings of ACM SIGCOMM, 2000.
- [22] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the Slammer Worm. http://www.computer.org/security/v1n4/j4wea.htm, 2003.
- [23] David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. In ACM Internet Measurement Workshop (IMW), 2002.
- [24] Microsoft Security Bulletin MS03-026, September 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.
- [25] S. W. O'Malley, T. A. Proebsting, and A. B. Montz. USC: A Universal Stub Compiler. In Proceedings of ACM SIGCOMM, 1994.
- [26] Vern Paxson. Flex: A Scanner Generator (manual). http://www.gnu.org/software/flex/manual/.
- [27] Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, December 1999.
- [28] Jonathan Pincus and Brandon Baker. Mitigations for Low-level Coding Vulnerabilities: Incomparability and Limitations. http://research.microsoft.com/users/jpincus/mitigations.pdf, 2004.
- [29] J. Postel and J. Reynolds. Telnet Protocol Specification (RFC 854), May 1983.
- [30] J. Postel and J. Reynolds. File Transfer Protocol (FTP) (RFC 765), October 1985.
- [31] Niels Provos. A Virtual Honeypot Framework. Technical Report CITI-03-1, Center for Information Technology Integration, University of Michigan, October 2003.
- [32] Thomas H. Ptacek and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, January 1998. http://www.insecure.org/stf/secnet_ids/secnet_ids.html.
- [33] Eric Rescorla. Security Holes... Who Cares? In Proceedings of the USENIX Security Symposium, August 2003.
- [34] DCE 1.1: Remote Procedure Call. http://www.opengroup.org/onlinepubs/9629399/.
- [35] W32.Sasser.Worm, April 2004. http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html.
- [36] H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A Transport Protocol for Real-Time Applications (RFC 1889), January 1996.
- [37] Umesh Shankar and Vern Paxson. Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In Proceedings of the IEEE Symposium on Security and Privacy, May 2003.
- [38] Richard Sharpe. Server Message Block. http://samba.anu.edu.au/cifs/docs/what-is-smb.html.
- [39] Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage. The EarlyBird System for Real-time Detection of Unknown Worms. Technical Report CS2003-0761, University of California at San Diego, 2003.
- [40] Microsoft Security Bulletin MS02-039, January 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp.
- [41] The Open Source Network Intrusion Detection System. http://www.snort.org/.
- [42] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
- [43] Peter Szor and Peter Ferrie. Hunting for Metamorphic. Symantec Security Response.
- [44] David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. In NDSS, 2000.
- [45] Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham. Large Scale Malicious Code: A Research Agenda. http://www.cs.berkeley.edu/~nweaver/large_scale_malicious_code.pdf, 2003.
- [46] Nicholas Weaver, Stuart Staniford, and Vern Paxson. Very Fast Containment of Scanning Worms, 2004. http://www.icsi.berkeley.edu/nweaver/containment/.
- [47] Nick Weaver. The Potential for Very Fast Internet Plagues. http://www.cs.berkeley.edu/~nweaver/warhol.html.
- [48] Matthew M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. Technical Report HPL-2002-172, HP Labs Bristol, 2002.
- [49] Rafal Wojtczuk. Defeating Solar Designer's Non-executable Stack Patch. http://www.insecure.org/sploits/non-executable.stack.problems.html, January 1998.
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Published in SIGCOMM '04: Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications.