Abstract
As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human-orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify its invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process- or kernel-aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few, if any, false positives, so rapid global-scale deployment of the signatures is possible.
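The abstract describes three mechanisms that interlock: network bytes are tainted as they enter memory, taint is propagated through loads, stores and arithmetic, and an alarm is raised when a tainted value is used as a jump target or as an argument to a policy-protected system call; the alert is then correlated with the captured stream to derive a signature. The following toy register machine is an added illustration of that idea and is not Argos's code nor derived from QEMU; the instruction set, the memory layout (a 12-byte buffer at address 0 followed by a saved "return address" word at address 12), the `POLICY_PROTECTED_CALLS` set and the request bytes are all constructed for the example. Taint is kept as the set of network-stream offsets each byte derives from, which is what lets the alert be turned into an offset/bytes signature at the end.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

WORD = 4                                  # word size of the toy machine, in bytes
POLICY_PROTECTED_CALLS = {"execve"}       # constructed policy: no network data as execve argument


@dataclass
class Alert:
    kind: str               # "control-flow" or "syscall-policy"
    pc: int                 # index of the offending instruction
    value: int              # the tainted value that was about to be used
    net_offsets: List[int]  # offsets in the network stream that produced it


class TaintedEmulator:
    """Minimal register machine whose memory and registers carry a shadow taint set:
    for every byte/word, the set of network-stream offsets it was derived from."""

    def __init__(self, net_data: bytes, mem_size: int = 32):
        self.net, self.net_pos = net_data, 0
        self.mem = bytearray(mem_size)
        self.mem_taint: List[FrozenSet[int]] = [frozenset() for _ in range(mem_size)]
        self.regs: Dict[str, int] = {"r0": 0, "r1": 0, "r2": 0}
        self.reg_taint: Dict[str, FrozenSet[int]] = {r: frozenset() for r in self.regs}
        self.pc = 0

    def recv(self, dst: int, n: int) -> None:
        # Unchecked copy from the "network" into memory (the simulated vulnerable copy);
        # each byte is tainted with the stream offset it came from.
        for i in range(n):
            if self.net_pos >= len(self.net):
                break
            self.mem[dst + i] = self.net[self.net_pos]
            self.mem_taint[dst + i] = frozenset({self.net_pos})
            self.net_pos += 1

    def run(self, program: List[Tuple]) -> List[Alert]:
        alerts: List[Alert] = []
        while self.pc < len(program) and not alerts:   # stop at the first alert, like a honeypot would
            op, *args = program[self.pc]
            cur, self.pc = self.pc, self.pc + 1
            if op == "recv":
                self.recv(*args)
            elif op == "mov":                       # mov reg, imm: a constant carries no taint
                self.regs[args[0]], self.reg_taint[args[0]] = args[1], frozenset()
            elif op == "ld":                        # ld reg, addr: word load, taint is the union of the bytes
                r, addr = args
                self.regs[r] = int.from_bytes(self.mem[addr:addr + WORD], "little")
                self.reg_taint[r] = frozenset().union(*self.mem_taint[addr:addr + WORD])
            elif op == "st":                        # st addr, reg: word store, taint written byte-wise
                addr, r = args
                self.mem[addr:addr + WORD] = self.regs[r].to_bytes(WORD, "little")
                for i in range(WORD):
                    self.mem_taint[addr + i] = self.reg_taint[r]
            elif op == "add":                       # add dst, src: taint propagates through arithmetic
                d, s = args
                self.regs[d] = (self.regs[d] + self.regs[s]) & 0xFFFFFFFF
                self.reg_taint[d] = self.reg_taint[d] | self.reg_taint[s]
            elif op == "jmp":                       # indirect jump: a tainted target is the alarm condition
                r = args[0]
                if self.reg_taint[r]:
                    alerts.append(Alert("control-flow", cur, self.regs[r], sorted(self.reg_taint[r])))
                else:
                    self.pc = self.regs[r]
            elif op == "syscall":                   # system call policy check on the argument register
                name, r = args
                if name in POLICY_PROTECTED_CALLS and self.reg_taint[r]:
                    alerts.append(Alert("syscall-policy", cur, self.regs[r], sorted(self.reg_taint[r])))
            elif op == "halt":
                break
            else:
                raise ValueError(f"unknown op {op}")
        return alerts


def signature_from_alert(net_data: bytes, alert: Alert) -> List[Tuple[int, bytes]]:
    """Correlate an alert with the captured stream: return the contiguous byte ranges
    of the network data that reached the dangerous use, as (offset, bytes) pairs."""
    ranges, start, prev = [], None, None
    for off in alert.net_offsets:
        if start is None or off != prev + 1:
            if start is not None:
                ranges.append((start, bytes(net_data[start:prev + 1])))
            start = off
        prev = off
    if start is not None:
        ranges.append((start, bytes(net_data[start:prev + 1])))
    return ranges


def vulnerable_service(request: bytes, copy_len: int = 16) -> List[Alert]:
    """Toy server: saves a legitimate return address (index of 'halt') at address 12, then copies
    copy_len request bytes into the 12-byte buffer at address 0 and returns through address 12.
    copy_len=16 overflows into the saved address; copy_len=12 is the bounds-checked variant."""
    program = [("mov", "r1", 5), ("st", 12, "r1"), ("recv", 0, copy_len),
               ("ld", "r0", 12), ("jmp", "r0"), ("halt",)]
    return TaintedEmulator(request).run(program)


def syscall_policy_demo(request: bytes) -> List[Alert]:
    """Network bytes loaded into a register and handed to execve trip the syscall policy."""
    program = [("recv", 0, 4), ("ld", "r2", 0), ("syscall", "execve", "r2"), ("halt",)]
    return TaintedEmulator(request).run(program)


# Constructed request: 12 bytes of filler followed by a word that lands on the saved address.
ATTACK_REQUEST = b"A" * 12 + b"\xef\xbe\xad\xde"

if __name__ == "__main__":
    for a in vulnerable_service(ATTACK_REQUEST):
        print(a, signature_from_alert(ATTACK_REQUEST, a))
    print(vulnerable_service(ATTACK_REQUEST, copy_len=12))   # bounds-checked copy: no alert
```

Running the script reports one control-flow alert at the `jmp` whose target 0xdeadbeef derives from stream offsets 12 to 15, and the derived signature is the single range `(12, b"\xef\xbe\xad\xde")`; because the signature names the bytes that actually reached the jump rather than the filler, mutating the rest of the payload does not evade it. The bounds-checked variant produces no alert.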
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. In EuroSys '06: Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems, 2006.