Abstract
We increasingly rely on highly available systems in all areas of society, from the economy to the military to government. Unfortunately, much software, including critical applications, contains vulnerabilities unknown at the time of deployment, with memory-overwrite vulnerabilities (such as buffer overflow and format string vulnerabilities) accounting for more than 60% of total vulnerabilities [10]. These vulnerabilities, when exploited, can cause devastating effects, such as self-propagating worm attacks that can compromise millions of vulnerable hosts within a matter of minutes or even seconds [32], [61] and cause millions of dollars of damage [30]. Therefore, we need to develop effective mechanisms to protect vulnerable hosts from being compromised and allow them to continue providing critical services, even under aggressively spreading attacks on previously unknown vulnerabilities.
References
K2. ADMmutate. http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz.
K. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of the USENIX Security Symposium, 2005.
K. Avijit, P. Gupta, and D. Gupta. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In USENIX Security Symposium, August 2004.
A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX Annual Technical Conference, 2000.
S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, 2003.
S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, 2005.
D. Brumley, L.-H. Liu, P. Poosankam, and D. Song. Design space and analysis of worm defense systems. In Proc. of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2006. Full version in CMU TR CMU-CS-05-156.
D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, 2006.
C. Cerrudo. Story of a dumb patch. http://argeniss.com/research/MSBugPaper.pdf, 2005.
CERT/CC. CERT/CC statistics 1988-2005. http://www.cert.org/stats/cert-stats.html.
M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Carnegie Mellon University, 2002.
M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In 20th ACM Symposium on Operating System Principles (SOSP 2005), 2005.
M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP), Oct. 2005.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, August 2001.
C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In 12th USENIX Security Symposium, 2003.
C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, January 1998.
J. R. Crandall and F. Chong. Minos: Architectural support for software security through control data integrity. In International Symposium on Microarchitecture, December 2004.
T. Detristan, T. Ulenspiegel, Y. Malcom, and M. V. Underduk. Polymorphic shellcode engine using spectrum analysis. http://www.phrack.org/show.php?p=61&a=9.
G. Dunlap, S. King, S. Cinar, M. Basrai, and P. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 2002 Symposium on Operating System Design and Implementation (OSDI), 2002.
D. C. DuVarney, R. Sekar, and Y.-J. Lin. Benign software mutations: A novel approach to protect against large-scale network attacks. Center for Cybersecurity White Paper, October 2002.
DynamoRIO. http://www.cag.lcs.mit.edu/dynamorio/.
S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems, 1997.
J. Hopcroft, R. Motwani, and J. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2001.
D. Jackson and E. Rollins. Chopping: A generalization of slicing. In Proc. of the Second ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1994.
R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the Third International Workshop on Automated Debugging, 1995.
A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 2005 Symposium on Operating Systems Principles (SOSP), 2005.
H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, August 2004.
V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, August 2002.
C. Kreibich and J. Crowcroft. Honeycomb: Creating intrusion detection signatures using honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.
R. Lemos. Counting the cost of the Slammer worm. http://news.com.com/2100-1001-982955.html, 2003.
Z. Liang and R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proc. of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. In IEEE Security and Privacy, volume 1, 2003.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. In IEEE Security and Privacy, volume 1, 2003.
D. Moore, C. Shannon, G. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In 2003 IEEE Infocom Conference, 2003.
C. Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, 1997.
G. C. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In Proceedings of the Symposium on Principles of Programming Languages, 2002.
N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In Proceedings of the Second Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management (SPACE 2004), Venice, Italy, Jan. 2004. (Proceedings not formally published.)
N. Nethercote and J. Seward. Valgrind: A program supervision framework. In Proceedings of the Third Workshop on Runtime Verification (RV'03), Boulder, Colorado, USA, July 2003.
J. Newsome, D. Brumley, and D. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
J. Newsome, D. Brumley, D. Song, and M. R. Pariente. Sting: An end-to-end self-healing system for defending against zero-day worm attacks on commodity software. Technical Report CMU-CS-05-191, Carnegie Mellon University, February 2006.
J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy, May 2005.
J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Sept. 2006.
J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.
J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Technical Report CMU-CS-04-140, Carnegie Mellon University, May 2005.
PaX. http://pax.grsecurity.net/.
F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies, a safe method to survive software failures. In 20th ACM Symposium on Operating System Principles (SOSP), 2005.
r code. ATPhttpd exploit. http://www.cotse.com/mailing-lists/todays/att-0003/01-atphttp0x06.c.
T. Reps and G. Rosay. Precise interprocedural chopping. In Proc. of the Third ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1995.
M. Rinard, C. Cadar, D. Dumitran, D. Roy, T. Leu, and W. Beebee Jr. Enhancing server availability and security through failure-oblivious computing. In Operating System Design & Implementation (OSDI), 2004.
T. J. Robbins. libformat. http://www.securityfocus.com/tools/1818, 2001.
O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, February 2004.
H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, October 2004.
S. Sidiroglou and A. D. Keromytis. A network worm vaccine architecture. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pages 220–225, June 2003.
S. Sidiroglou and A. D. Keromytis. Countering network worms through automatic patch generation. IEEE Security and Privacy, 2005.
S. Sidiroglou, M. Locasto, and A. Keromytis. Software self-healing using collaborative application communities. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
S. Sidiroglou, M. E. Locasto, S. W. Boyd, and A. D. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, 2005.
S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Dec. 2004.
A. Smirnov and T.-c. Chiueh. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In Proceedings of the 2004 USENIX Technical Conference, 2004.
S. Staniford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms. In ACM CCS WORM, Oct. 2004.
S. Staniford, V. Paxson, and N. Weaver. How to own the Internet in your spare time. In 11th USENIX Security Symposium, 2002.
G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of ASPLOS, 2004.
P. Szor. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference, 2001.
J. Twycross and M. M. Williamson. Implementing and testing a virus throttle. In Proceedings of the 12th USENIX Security Symposium, August 2003.
US-CERT. Vulnerability Note VU#196945: ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code. http://www.kb.cert.org/vuls/id/196945.
H. J. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In ACM SIGCOMM, August 2004.
M. M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. In Proceedings of the 18th Annual Computer Security Applications Conference, 2002.
J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. Technical report, Center for Reliable and Higher Performance Computing, University of Illinois at Urbana-Champaign, May 2003.
J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In Proceedings of the 12th Annual ACM Conference on Computer and Communication Security (CCS), 2005.
© 2007 Springer Science+Business Media, LLC.
Brumley, D., Newsome, J., Song, D. (2007). Sting: An End-to-End Self-Healing System for Defending against Internet Worms. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_7
DOI: https://doi.org/10.1007/978-0-387-44599-1_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-32720-4
Online ISBN: 978-0-387-44599-1