Sting: An End-to-End Self-Healing System for Defending against Internet Worms

  • Conference paper
Malware Detection

Part of the book series: Advances in Information Security ((ADIS,volume 27))

Abstract

We increasingly rely on highly available systems in all areas of society, from the economy to the military to the government. Unfortunately, much software, including critical applications, contains vulnerabilities unknown at the time of deployment, with memory-overwrite vulnerabilities (such as buffer overflow and format string vulnerabilities) accounting for more than 60% of total vulnerabilities [10]. These vulnerabilities, when exploited, can cause devastating effects, such as self-propagating worm attacks, which can compromise millions of vulnerable hosts within a matter of minutes or even seconds [32], [61], and cause millions of dollars of damage [30]. Therefore, we need to develop effective mechanisms to protect vulnerable hosts from being compromised and allow them to continue providing critical services, even under aggressively spreading attacks on previously unknown vulnerabilities.


References

  1. K2. ADMmutate. http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz.

  2. K. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of the USENIX Security Symposium, 2005.

  3. K. Avijit, P. Gupta, and D. Gupta. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In USENIX Security Symposium, August 2004.

  4. A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX Annual Technical Conference, 2000.

  5. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, 2003.

  6. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, 2005.

  7. D. Brumley, L.-H. Liu, P. Poosankam, and D. Song. Design space and analysis of worm defense systems. In Proc. of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2006. Full version in CMU TR CMU-CS-05-156.

  8. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, 2006.

  9. C. Cerrudo. Story of a dumb patch. http://argeniss.com/research/MSBugPaper.pdf, 2005.

  10. CERT/CC. CERT/CC statistics 1988-2005. http://www.cert.org/stats/cert-stats.html.

  11. M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Carnegie Mellon University, 2002.

  12. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In 20th ACM Symposium on Operating System Principles (SOSP 2005), 2005.

  13. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP), Oct. 2005.

  14. C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, August 2001.

  15. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In 12th USENIX Security Symposium, 2003.

  16. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, January 1998.

  17. J. R. Crandall and F. Chong. Minos: Architectural support for software security through control data integrity. In International Symposium on Microarchitecture, December 2004.

  18. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. V. Underduk. Polymorphic shellcode engine using spectrum analysis. http://www.phrack.org/show.php?p=61&a=9.

  19. G. Dunlap, S. King, S. Cinar, M. Basrai, and P. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 2002 Symposium on Operating System Design and Implementation (OSDI), 2002.

  20. D. C. DuVarney, R. Sekar, and Y.-J. Lin. Benign software mutations: A novel approach to protect against large-scale network attacks. Center for Cybersecurity White Paper, October 2002.

  21. DynamoRIO. http://www.cag.lcs.mit.edu/dynamorio/.

  22. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems, 1997.

  23. J. Hopcroft, R. Motwani, and J. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2001.

  24. D. Jackson and E. Rollins. Chopping: A generalization of slicing. In Proc. of the Second ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1994.

  25. R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the Third International Workshop on Automated Debugging, 1995.

  26. A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 2005 Symposium on Operating Systems Principles (SOSP), 2005.

  27. H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, August 2004.

  28. V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, August 2002.

  29. C. Kreibich and J. Crowcroft. Honeycomb: Creating intrusion detection signatures using honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.

  30. R. Lemos. Counting the cost of the Slammer worm. http://news.com.com/2100-1001-982955.html, 2003.

  31. Z. Liang and R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proc. of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.

  32. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. In IEEE Security and Privacy, volume 1, 2003.

  33. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. In IEEE Security and Privacy, volume 1, 2003.

  34. D. Moore, C. Shannon, G. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In 2003 IEEE Infocom Conference, 2003.

  35. C. Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, 1997.

  36. G. C. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In Proceedings of the Symposium on Principles of Programming Languages, 2002.

  37. N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In Proceedings of the Second Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management (SPACE 2004), Venice, Italy, Jan. 2004. (Proceedings not formally published.)

  38. N. Nethercote and J. Seward. Valgrind: A program supervision framework. In Proceedings of the Third Workshop on Runtime Verification (RV'03), Boulder, Colorado, USA, July 2003.

  39. J. Newsome, D. Brumley, and D. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.

  40. J. Newsome, D. Brumley, D. Song, and M. R. Pariente. Sting: An end-to-end self-healing system for defending against zero-day worm attacks on commodity software. Technical Report CMU-CS-05-191, Carnegie Mellon University, February 2006.

  41. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy, May 2005.

  42. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Sept. 2006.

  43. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.

  44. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Technical Report CMU-CS-04-140, Carnegie Mellon University, May 2005.

  45. PaX. http://pax.grsecurity.net/.

  46. F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies, a safe method to survive software failures. In 20th ACM Symposium on Operating System Principles (SOSP), 2005.

  47. r code. ATPhttpd exploit. http://www.cotse.com/mailing-lists/todays/att-0003/01-atphttp0x06.c.

  48. T. Reps and G. Rosay. Precise interprocedural chopping. In Proc. of the Third ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1995.

  49. M. Rinard, C. Cadar, D. Dumitran, D. Roy, T. Leu, and W. B. Jr. Enhancing server availability and security through failure-oblivious computing. In Operating System Design & Implementation (OSDI), 2004.

  50. T. J. Robbins. libformat. http://www.securityfocus.com/tools/1818, 2001.

  51. O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, February 2004.

  52. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, October 2004.

  53. S. Sidiroglou and A. D. Keromytis. A network worm vaccine architecture. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pages 220-225, June 2003.

  54. S. Sidiroglou and A. D. Keromytis. Countering network worms through automatic patch generation. IEEE Security and Privacy, 2005.

  55. S. Sidiroglou, M. Locasto, and A. Keromytis. Software self-healing using collaborative application communities. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.

  56. S. Sidiroglou, M. E. Locasto, S. W. Boyd, and A. D. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, 2005.

  57. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Dec. 2004.

  58. A. Smirnov and T.-c. Chiueh. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.

  59. S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In Proceedings of the 2004 USENIX Technical Conference, 2004.

  60. S. Staniford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms. In ACM CCS WORM, Oct. 2004.

  61. S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in your spare time. In 11th USENIX Security Symposium, 2002.

  62. G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of ASPLOS, 2004.

  63. P. Szor. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference, 2001.

  64. J. Twycross and M. M. Williamson. Implementing and testing a virus throttle. In Proceedings of the 12th USENIX Security Symposium, August 2003.

  65. US-CERT. Vulnerability Note VU#196945: ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code. http://www.kb.cert.org/vuls/id/196945.

  66. H. J. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In ACM SIGCOMM, August 2004.

  67. M. M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. In Proceedings of the 18th Annual Computer Security Applications Conference, 2002.

  68. J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. Technical report, Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, May 2003.

  69. J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In Proceedings of the 12th Annual ACM Conference on Computer and Communication Security (CCS), 2005.

Copyright information

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Brumley, D., Newsome, J., Song, D. (2007). Sting: An End-to-End Self-Healing System for Defending against Internet Worms. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_7

  • DOI: https://doi.org/10.1007/978-0-387-44599-1_7

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1

  • eBook Packages: Computer Science (R0)