research-article

Vigilante: End-to-end containment of Internet worm epidemics

Authors:

Antony Rowstron,

Paul BarhamAuthors Info & Claims

ACM Transactions on Computer Systems (TOCS), Volume 26, Issue 4

Article No.: 9, Pages 1 - 68

https://doi.org/10.1145/1455258.1455259

Published: 19 December 2008 Publication History

Abstract

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations.

In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA.

Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.

References

[1]

Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. 2005. Control-Flow Integrity: Principles, implementations, and applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security.

Digital Library

[2]

Akamai. 2000. Press release: Akamai helps mcafee.com support flash crowds from iloveyou virus.

[3]

Akritidis, P., Cadar, C., Raiciu, C., Costa, M., and Castro, M. 2008. Preventing memory error exploits with WIT. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[4]

Avots, D., Dalton, M., Livshits, V. B., and Lam, M. S. 2005. Improving software security with a C pointer analysis. In Proceedings of the 27th International Conference on Software Engineering.

Digital Library

[5]

Bailey, M., Cooke, E., Jahanian, F., Watson, D., and Nazario, J. 2005. The Blaster worm: Then and now. IEEE Secur. Privacy 3, 4, 26--31.

Digital Library

[6]

Baratloo, A., Singh, N., and Tsai, T. 2000. Transparent runtime defense against stack smashing attacks. In Proceedings of the USENIX Technical Conference.

Digital Library

[7]

Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A. 2003. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[8]

Barrantes, E. G., Ackley, D. H., Palmer, T. S., Stefanovic, D., and Zov, D. D. 2003. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security.

Digital Library

[9]

Bethencourt, J., Franklin, J., and Vernon, M. 2005. Mapping Internet sensors with probe response attacks. In Proceedings of 14th USENIX Security Symposium.

Digital Library

[10]

Bhansali, S., Chen, W.-K., de Jong, S., Edwards, A., Murray, R., Drinic, M., Mihocka, D., and Chau, J. 2006. Framework for instruction-level tracing and analysis of program executuions. In Proceedings of the 2nd International Conference on Virtual Execution Environments.

Digital Library

[11]

Bhatkar, S., DuVarney, D. C., and Sekar, R. 2003. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of 12th USENIX Security Symposium.

Digital Library

[12]

Bhatkar, S., Sekar, R., and DuVarney, D. C. 2005. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of 14th USENIX Security Symposium.

Digital Library

[13]

Biba, K. J. 1977. Integrity considerations for secure computer systems. Tech. Rep. TR-3153, MITRE. April.

[14]

blexim. 2002. Basic integer overflows. Phrack 60.

[15]

Bochs. 2006. Bochs ia-32 emulator. http://bochs.sourceforge.net.

[16]

Boyer, R. S., Elspas, B., and Levitt, K. N. 1975. SELECT—A formal system for testing and debugging programs by symbolic execution. In Proceedings of the International Conference on Reliable Software.

Digital Library

[17]

Bruening, D., Duesterwald, E., and Amarasinghe, S. 2001. Design and implementation of a dynamic optimization framework for Windows. In Proceedings of the 4th ACM Workshop on Feedback-Directed and Dynamic Optimization.

[18]

Brumley, D., Newsome, J., Song, D., Wang, H., and Jha, S. 2006. Towards automatic generation of vulnerability signatures. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[19]

Bulba and Kil3r. 2000. Bypassing stackguard and stackshield. Phrack 10, 46 (May).

[20]

Bush, W. R., Pincus, J. D., and Sielaff, D. J. 2000. A static analyzer for finding dynamic programming errors. Softw. Practice Exper. 30, 775--802.

Digital Library

[21]

Cardelli, L. 2004. Type systems. In The Computer Science and Engineering Handbook. CRC Press.

[22]

Castro, M., Costa, M., and Harris, T. 2006. Securing software by enforcing data-flow integrity. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[23]

Castro, M., Costa, M., and Rowstron, A. 2004. Performance and dependability of structured peer-to-peer overlays. In Proceedings of the International Conference on Dependable Systems and Networks.

Digital Library

[24]

Castro, M., Druschel, P., Ganesh, A., Rowstron, A., and Wallach, D. S. 2002. Security for structured peer-to-peer overlay networks. In Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[25]

CERT. 2001. Cert advisory ca-2001-26 nimda worm. http://www.cert.org/advisories/ca-2001-26.html.

[26]

CERT. 2005. Technical cyber security alerts. http://www.us-cert.gov.

[27]

Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., and Iyer, R. K. 2005. Defeating memory corruption attacks via pointer taintedness detection. In Proceedings of the International Conference on Dependable Systems and Networks.

Digital Library

[28]

Chen, S., Xu, J., Sezer, E. C., Gauriar, P., and Iyer, R. K. 2005. Non-Control-Data attacks are realistic threats. In Proceedings of 14th USENIX Security Symposium.

Digital Library

[29]

Chen, Z., Gao, L., and Kwiat, K. 2003. Modelling the spread of active worms. In Proceedings of the 22th IEEE Conference on Computer Communications.

[30]

Cheswick, W. R., Bellovin, S. M., and Rubin, A. D. 2003. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley.

Digital Library

[31]

Chinchani, R. and van den Berg, E. 2005. A fast static analysis approach to detect exploit code inside network flows. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.

[32]

Chiueh, T. and Hsu, F. 2001. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the 21st International Conference on Distributed Computing Systems.

Digital Library

[33]

Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., and Rosenblum, M. 2004. Understanding data lifetime via whole system simulation. In Proceedings of 13th USENIX Security Symposium.

Digital Library

[34]

Cohen, F. 1987. Computer viruses, theory and experiments. Comput. Secur. 6, 22--35.

Digital Library

[35]

Cormen, T. H., Leiserson, C. E., and Rivest, R. L. 1990. Introduction to Algorithms. MIT Electrical Engineering and Computer Science Series. MIT Press.

Digital Library

[36]

Costa, M., Castro, M., Zhou, L., Zhang, L., and Peinado, M. 2007. Bouncer: Securing software by blocking bad input. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[37]

Costa, M., Crowcroft, J., Castro, M., and Rowstron, A. 2004. Can we contain Internet worms&quest; In Proceedings of the 3rd Workshop on Hot Topics in Networks.

[38]

Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., and Barham, P. 2005. Vigilante: End-to-End containment of Internet worms. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[39]

Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., and Lokier, J. 2001. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium.

Digital Library

[40]

Cowan, C., Beattie, S., Johansen, J., and Wagle, P. 2003. Pointguard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium.

Digital Library

[41]

Cowan, C., Pu, C., Maier, D., Hinton, H., Wadpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., and Zhang, Q. 1998. Stackguard: Automatic detection and prevention of buffer-overrun attacks. In Proceedings of the 7th USENIX Security Symposium.

Digital Library

[42]

Crandall, J. R. and Chong, F. T. 2004. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture.

Digital Library

[43]

Crandall, J. R., Su, Z., Wu, S. F., and Chong, F. T. 2005. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In Proceedings of the 12th ACM Conference on Computer and Communications Security.

Digital Library

[44]

Dark Spyrit. 1999. Win32 buffer overflows. Phrack 9, 55.

[45]

Denning, D. 1976. A lattice model of secure information flow. ACM Trans. Commun. 19, 5, 236--243.

Digital Library

[46]

Dijkstra, E. W. 1975. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18, 8 (Aug.), 453--457.

Digital Library

[47]

Douceur, J. R. 2002. The Sybil attack. In Proceedings of the 1st International Workshop on Peer-to-Peer Systems.

Digital Library

[48]

Dunlap, G. W., King, S. T., Cinar, S., Basrai, M. A., and Chen, P. M. 2002. Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[49]

Durden, T. 2002. Bypassing pax aslr protection. Phrack 59 (Jul.).

[50]

Eichin, M. W. and Rochlis, J. A. 1989. With microscope and tweezers: An analysis of the Internet virus of November 1988. In Proceedings of the IEEE Symposium on Security and Privacy.

[51]

Elnozahy, E. N., Alvisi, L., Wang, Y.-M., and Johnson, D. B. 2002. A survey of rollback-recovery protocols in message-passing systems. ACM Comput. Surv. 34, 3 (Sept.), 375--408.

Digital Library

[52]

Engler, D., Chen, D. Y., Hallem, S., Chou, A., and Chelf, B. 2001. Bugs as deviant behaviour: A general approach to inferring errors in systems code. In Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[53]

Evans, D. and Larochelle, D. 2002. Improving security using extensible lightweight static analysis. IEEE Softw.

Digital Library

[54]

Feng, H., Kolesnikov, O., Fogla, P., Lee, W., and Gong, W. 2003. Anomaly detection using system call information. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[55]

Fenton, J. 1973. Information protection systems. Ph.D. thesis, University of Cambridge.

[56]

Fenton, J. 1974a. An abstract computer model demonstrating directional information flow. University of Cambridge, Cambridge, UK.

[57]

Fenton, J. S. 1974b. Memoryless subsystems. Comput. J. 17, 2, 143--147.

[58]

Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., and Lee, W. 2006. Polymorphic blending attacks. In Proceedings of 15th USENIX Security Symposium.

Digital Library

[59]

Forescout. 2006. Wormscout. http://www.forescout.com/wormscout.html.

[60]

Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[61]

Forrest, S., Somayaji, A., and Ackley, D. 1997. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems.

Digital Library

[62]

Fraser, K. and Chang, F. 2003. Operating System I/O Speculation: How two invocations are faster than one. In Proceedings of the USENIX Annual Technical Conference.

[63]

Ganesh, A., Gunawardena, D., Key, P., Massoulie, L., and Scott, J. 2006. Efficient quarantining of scanning worms: Optimal detection and coordination. In Proceedings of the 25th IEEE Conference on Computer Communications.

[64]

Ganger, G., Economu, G., and Bielski, S. 2002. Self-Securing network interfaces: What, why and how. Tech. Rep. CS-02-144, Carnegie Mellon University. May.

[65]

Georgatos, F., Gruber, F., Karrenberg, D., Santcroos, M., Uijterwaal, H., and Wilhelm, R. 2001. Providing Active Measurements as a Regular Service for ISPs. http://www.ripe.net/ttm.

[66]

gera and riq. 2002. Advances in format string exploitation. Phrack 59 (Jul.).

[67]

Giffin, J., Jha, S., and Miller, B. P. 2004. Efficient context-sensitive intrusion detection. In Proceedings of the 11th Annual Network and Distributed System Security Symposium.

[68]

Goldenberg, J., Shavitt, Y., Shir, E., and Solomon, S. 2005. Distributive immunization of networks against viruses using the ‘honey pot’ architecture. Nature Phys. 1, 184--188.

[69]

Heberlein, L. T., Dias, G., K, L., Wood, B. M. J., and Wolber, D. 1990. A network security monitor. In Proceedings of the IEEE Symposium on Security and Privacy.

[70]

Hethcote, H. W. 2000. The mathematics of infectious deseases. SIAM Rev. 42, 4, 599--653.

Digital Library

[71]

Ho, A., Fetterman, M., Clark, C., Warfield, A., and Hand, S. 2006. Practical taint-based protection using demand emulation. In Proceedings of the SiGOPS European Conference on Computer Systems (EuroSys).

Digital Library

[72]

Hofmeyr, S. A. and Forrest, S. 2000. Architecture for an artificial immune system. Evolutionary Comput. 8, 4(Dec.), 443--473.

Digital Library

[73]

Holz, T. and Raynal, F. 2005. Detecting honeypots and other suspicious environments. In Workshop on Information Assurance and Security.

[74]

Hsu, F. and Chiueh, T. 2004. CTCP: A centralized TCP architecture for networking security. In Proceedings of the Annual Computer Society Applications Conference (ACSAC).

Digital Library

[75]

Hua, W., Ohlund, J., and Butterklee, B. 1999. Unraveling the mysteries of writing a winsock 2 layered service provider. Microsoft Syst. J.

[76]

Hunt, G. and Brubacher, D. 1999. Detours: Binary interception of Win32 functions. In USENIX Windows NT Symposium.

Digital Library

[77]

Intel. 1999. Intel architecture software developer's manual, vol. 2: Instruction set reference.

[78]

Jim, T., Morrisett, G., Grossman, D., Hicks, M., Cheney, J., and Wang, Y. 2002. Cyclone: A safe dialect of C. In Proceedings of the USENIX Annual Technical Conference.

Digital Library

[79]

Johnson, R. and Wagner, D. 2004. Finding user/kernel pointer bugs with type inference. In Proceedings of 13th USENIX Security Symposium.

Digital Library

[80]

Johnson, S. C. 1984. Lint, a C program checker. In Unix Programmer's Manual, 4.2. Berkeley Software Distribution Supplementary Documents.

[81]

Jones, R. and Kelly, P. 1997. Backwards-Compatible bounds checking for arrays and pointers in C programs. In Proceedings of the International Workshop on Automatic Debugging.

[82]

Joshi, A., King, S., Dunlap, G., and Chen, P. 2005. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[83]

jp. 2003. Advanced doug lea's malloc exploits. Phrack 61 (Sept.).

[84]

Jung, J. 2006. Real-Time detection of malicious network activity using stochastic models. Ph.D. thesis, Massachusetts Institute of Technology.

Digital Library

[85]

Jung, J., Paxson, V., Berger, A. W., and Balakrishnan, H. 2004. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy.

[86]

Kc, G. S., Keromytis, A. D., and Prevelakis, V. 2003. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security.

Digital Library

[87]

Kephart, J. O. and Arnold, W. C. 1994. Automatic extraction of computer virus signatures. In International Virus Bulletin Conference.

[88]

Kephart, J. O., Sorkin, G. B., Swimmer, M., and White, S. R. 1997. Blueprint for a computer immune system. In International Virus Bulletin Conference.

[89]

Kephart, J. O. and White, S. R. 1991. Directed-Graph epidemiological models of computer viruses. In Proceedings of the IEEE Symposium on Security and Privacy.

[90]

Kim, H. and Karp, B. 2004. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

[91]

King, J. C. 1976. Symbolic execution and program testing. Commun. ACM 19, 7 (Jul.), 385--394.

Digital Library

[92]

Kiriansky, V., Bruening, D., and Amarasinghe, S. P. 2002. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium.

Digital Library

[93]

Kreibich, C. and Crowcroft, J. 2003. Honeycomb Creating intrusion detection signatures using honeypots. In Proceedings of the 2nd Workshop on Hot Topics in Networks.

[94]

Kruegel, C., Kirda, E., Mutz, D., Robertson, W., and Vigna, G. 2005. Polymorphic worm detection using structural information of executables. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.

[95]

Kruegel, C., Kirda, E., Mutz, D., Robertsonand, W., and Vigna, G. 2005. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[96]

Larochelle, D. and Evans, D. 2001. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 10th USENIX Security Symposium.

Digital Library

[97]

Liang, Z. and Sekar, R. 2005a. Automatic generation of buffer overflow signatures: An approach based on program behavior models. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[98]

Liang, Z. and Sekar, R. 2005b. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proceedings of the 12th ACM Conference on Computer and Communications Security.

Digital Library

[99]

Livshits, V. B. and Lam, M. S. 2005. Finding security vulnerabilities in java applications using static analysis. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[100]

Locasto, M., Sidiroglou, S., and Keromytis, A. 2006. Software self-healling using collaborative application communities. In Proceedings of the 13th Annual Network and Distributed System Security Symposium.

[101]

Madhavapeddy, A. 2006. Creating high-performance statically type-safe network applications. Ph.D. thesis, University of Cambridge.

[102]

Mirage. 2006. Mirage networks. http://www.miragenetworks.com.

[103]

Mockapetris, P. 1987. Domain names: Concepts and facilities. Tech. Rep. RFC-1034, Internet Engineering Task Force. November.

Digital Library

[104]

Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003. Inside the Slammer worm. IEEE Secur. Privacy 1, 4 (Jul.).

Digital Library

[105]

Moore, D., Shannon, C., and Brown, J. 2002. Code-Red: A case study on the spread and victims of an Internet worm. In ACM Internet Measurement Workshop.

Digital Library

[106]

Moore, D., Shannon, C., Voelker, G., and Savage, S. 2003. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of the 22th IEEE Conference on Computer Communications.

[107]

Moore, D., Shannon, C., Voelker, G. M., and Savage, S. 2004. Network telescopes: Tech. Rep. CS2004-0795, University of California at San Diego. July.

[108]

Moore, D., Voelker, G. M., and Savage, S. 2001. Inferring Internet denial of service activity. In Proceedings of the 10th USENIX Security Symposium.

Digital Library

[109]

Myers, A. C. 1999. Jflow: Practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages.

Digital Library

[110]

Necula, G. C. and Lee, P. 1996. Safe kernel extensions without run-time checking. In Proceedings of the ACM USENIX Symposium on Operating Systems Design and Implementation (OSDI).

Digital Library

[111]

Necula, G. C., McPeak, S., and Weimer, W. 2002. CCured: Type-Safe retrofitting of legacy code. In 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages.

Digital Library

[112]

nergal. 2001. The advanced return-into-lib(c) exploits: Pax case study. Phrack 58.

[113]

Nethercote, N. and Seward, J. 2003. Valgrind: A program supervision framework. In Proceedings of the 3rd Workshop on Runtime Verification (RV).

[114]

Newsome, J., Karp, B., and Song, D. 2005. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[115]

Newsome, J. and Song, D. 2005. Dynamic taint analysis for automatic detection, analysis and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.

[116]

One, A. 1996. Smashing the stack for fun and profit. Phrack 7, 49 (Nov.).

[117]

Pasupulati, A., Coit, J., Levitt, K., Wu, S. F., Li, S. H., Kuo, J. C., and Fan, K. P. 2004. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In Proceedings of the IEEE IFIP Network Operations and Management Symposium (NOMS).

[118]

PAX. 2001. PaX system. http://pax.grsecurity.net/.

[119]

Paxson, V. 1999. Bro. A system for detecting network intruders in real time. Comput. Netw. 31, 23--24 (Dec.), 2435--2463.

Digital Library

[120]

Perdisci, R., Dagon, D., Lee, W., Fogla, P., and Sharif, M. 2006. Misleading worm signature generators using deliberate noise injection. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[121]

PERL. 2006. Perl security manual page. http://www.perldoc.com.

[122]

Portokalidis, G., Slowinska, A., and Bos, H. 2006. Argos: An emulator for fingerprinting zero-day attacks. In Proceedings of the SIGOPS European Conference on Computer Systems (EuroSys).

Digital Library

[123]

Provos, N. 2004. A virtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

[124]

Ptacek, T. H. and Newsham, T. N. 1998. Insertion, evasion, and denial of service: Eluding network intrusion detection. Tech. Rep., Secure Networks, Inc. January.

[125]

QEMU. 2006. Qemu open source processor emulator. http://fabrice.bellard.free.fr/qemu/.

[126]

Qin, F., Tucek, J., Sundaresan, J., and Zhou, Y. 2005. Rx: Treating bugs as allergies: A safe method to survive software failures. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[127]

Raiciu, C., Handley, M., and Rosenblum, D. S. 2006. Exploit hijacking: Side effects of smart defenses. In Proceedings of the SIGCOMM Workshops.

Digital Library

[128]

Rinard, M., Cadar, C., Dumitran, D., Roy, D. M., Leu, T., and Jr., W. S. B. 2004. Enhancing server availability and security through failure-oblivious computing. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[129]

rix&commat;hert.org. 2001. Writing ia32 alphanumeric shellcodes. Phrack 11, 57 (Aug.).

[130]

Roesch, M. 1999. Snort: Lightweight intrusion detection for networks. In Conference on Systems Administration.

Digital Library

[131]

Ruwase, O. and Lam, M. 2004. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium.

[132]

Schechter, S., Jung, J., and Berger, A. 2004. Fast detection of scanning worm infections. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection.

[133]

SecurityFocus. 2002. Microsoft jvm class loader buffer overrun vulnerability. http://www.securityfocus.com/bid/6134.

[134]

Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. 2001. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[135]

Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., and Boneh, D. 2004. On the effectiveness of address space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security.

Digital Library

[136]

Shankar, U., Talwar, K., Foster, J. S., and Wagner, D. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium.

Digital Library

[137]

Shannon, C. and Moore, D. 2004. The spread of the Witty worm. IEEE Secur. Privacy 2, 4 (Jul.).

Digital Library

[138]

Shinoda, Y., Ikai, K., and Itoh, M. 2005. Vulnerabilities of passive Internet threat monitors. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[139]

Shoch, J. F. and Hupp, J. A. 1982. The worm programs: Early experience with a distributed computation. Commun. ACM 25, 3 (Mar.), 172--180.

Digital Library

[140]

Sidiroglou, S., Locasto, M. E., Boyd, S. W., and Keromytis, A. D. 2005. Building a reactive immune system for software services. In Proceedings of the USENIX Annual Technical Conference.

Digital Library

[141]

Singh, S., Estan, C., Varghese, G., and Savage, S. 2004. Automated worm fingerprinting. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[142]

Smirnov, A. and Chiueh, T. 2005. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.

[143]

Somayaji, A. and Forrest, S. 2000. Automated response using system-call delays. In Proceedings of the 9th USENIX Security Symposium.

Digital Library

[144]

Sovarel, N., Evans, D., and Paul, N. 2005. Where's the FEEB&quest; The effectiveness of instruction set randomization. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[145]

Spafford, E. H. 1989. The Internet worm: Crisis and aftermath. Commun. ACM 32, 6 (Jun.), 678--687.

Digital Library

[146]

SPEC. Specweb99 benchmark. http://www.spec.org/osg/web99.

[147]

Staniford, S. 2004. Containment of scanning worms in enterprise networks. J. Comput. Secur.

[148]

Staniford, S., Hoagland, J., and McAlerney, J. 2002. Practical automated detection of stealthy portscans. J. Comput. Secur. 10, 105--136.

Digital Library

[149]

Staniford, S., Moore, D., Paxson, V., and Weaver, N. 2004. The top speed of flash worms. In Proceedings of the 2nd Workshop on Rapid Malcode.

Digital Library

[150]

Staniford, S., Paxson, V., and Weaver, N. 2002. How to 0wn the Internet in your spare time. In Proceedings of the 11th USENIX Security Symposium.

Digital Library

[151]

Staniford-Chen, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., and Zerkle, D. 1996. GrIDS: A graph-based intrusion detection system for large networks. In Proceedings of the 19th National Information Systems Security Conference.

[152]

Suh, G. E., Lee, J., and Devadas, S. 2004. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XI).

Digital Library

[153]

Szor, P. and Ferrie, P. 2001. Hunting for metamorphic. In the International Virus Bulletin Conference.

[154]

Tang, Y. and Chen, S. 2005. Defending against Internet worms: A signature-based approach. In Proceedings of the 24th IEEE Conference on Computer Communications.

[155]

Toth, T. and Kruegel, C. 2002a. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection.

[156]

Toth, T. and Kruegel, C. 2002b. Connection-History based anomaly detection. In the IEEE Information Assurance Workshop.

[157]

TPC. 1999. TPC-C online transaction processing benchmark. http://www.tpc.org/tpcc/default.asp.

[158]

Vendicator. 2001. Stack shield technical info. http://www.angelfire.com/sk/stackshield.

[159]

Vojnović, M. and Ganesh, A. 2005. On the race of worms, alerts and patches. In Proceedings of the 3rd Workshop on Rapid Malcode.

[160]

Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., Voelker, G. M., and Savage, S. 2005. Scalability, fidelity and containment in the potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP).

Digital Library

[161]

Wagner, D., Foster, J. S., Brewer, E. A., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the 7th Annual Network and Distributed System Security Symposium.

[162]

Wagner, D. and Soto, P. 2002. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM Conference on Computer and Communications Security.

Digital Library

[163]

Wang, C., Knight, J., and Elder, M. 2000. On computer viral infection and the effect of immunization. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[164]

Wang, H. J., Guo, C., Simon, D. R., and Zugenmaier, A. 2004. Shield: Vulnerability-Driven network filters for preventing known vulnerability exploits. In Proceedings of the ACM SIGCOMM Data Communications Festival.

Digital Library

[165]

Wang, K., Cretu, G., and Stolfo, S. J. 2005. Anomalous payload-based worm detection and signature generation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.

[166]

Wang, X., Pan, C.-C., Liu, P., and Zhu, S. 2006. Sigfree: A signature-free buffer overflow attack blocker. In Proceedings of the 15th USENIX Security Symposium.

Digital Library

[167]

Weaver, N., Ellis, D., Staniford, S., and Paxson, V. 2004. Worms vs. perimeters: The case for hard-LANs. In Hot Interconnects 2.

Digital Library

[168]

Weaver, N., Staniford, S., and Paxson, V. 2004. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

[169]

Weiser, M. 1984. Program slicing. IEEE Trans. Softw. Eng. 10, 4, 352--357.

Digital Library

[170]

Whyte, D., Kranakis, E., and Oorschot, P. C. V. 2005. Dns-Based detection of scanning worms in an enterprise network. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.

[171]

Wilander, J. and Kamkar, M. 2003. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10th Annual Network and Distributed System Security Symposium.

[172]

Williamnson, M. M. 2002. Throttling viruses: Restricting propagation to defeat mobile malicious code. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[173]

Winskel, G. 1993. The Formal Semantics of Programming Languages. MIT Press.

Digital Library

[174]

Xie, Y. and Aiken, A. 2005. Scalable error detection using Boolean satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages.

Digital Library

[175]

Xu, J., Kalbarczyk, Z., and Iyer, R. K. 2003. Transparent runtime randomization for security. In Proceedings of the IEEE Symposium on Reliability in Distributed Software (SRDS).

[176]

Yang, J., Twohey, P., Engler, D., and Musuvathi, M. 2004. Using model checking to find serious file system errors. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation.

Digital Library

[177]

Yegneswaran, V., Giffin, J. T., Barford, P., and Jha, S. 2005. An architecture for generating semantics aware signatures. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[178]

Zegura, E., Calvert, K., and Bhattacharjee, S. 1996. How to model an internetwork. In Proceedings of the Annual Joint Conference of the IEEE Computer Communications Societies (IEEE INFOCOM).

[179]

Zheng, L., Chong, S., Myers, A. C., and Zdancewic, S. 2003. Using replication and partitioning to build secure distributed systems. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[180]

Zou, C. C., Gao, L., Gong, W., and Towsley, D. 2003. Monitoring and early warning for Internet worms. In Proceedings of the 10th ACM Conference on Computer and Communications Security.

Digital Library

Cited By

Elsayed M(2021)Rearguard: A Novel Blockchain-based Automatic Worm Containment System2021 International Telecommunications Conference (ITC-Egypt)10.1109/ITC-Egypt52936.2021.9513932(1-8)Online publication date: 13-Jul-2021
https://doi.org/10.1109/ITC-Egypt52936.2021.9513932
Jerkins JStupiansky JWong KShen CBrown D(2018)Mitigating IoT insecurity with inoculation epidemicsProceedings of the 2018 ACM Southeast Conference10.1145/3190645.3190678(1-6)Online publication date: 29-Mar-2018
https://dl.acm.org/doi/10.1145/3190645.3190678
Hussain MCrowcroft J(2018)Kiram and WOE: Distributed Denial of Service Attacks in Named-Data Networking2018 IEEE 26th International Conference on Network Protocols (ICNP)10.1109/ICNP.2018.00040(255-256)Online publication date: Sep-2018
https://doi.org/10.1109/ICNP.2018.00040
Show More Cited By

Index Terms

Vigilante: End-to-end containment of Internet worm epidemics
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Vigilante: end-to-end containment of internet worms
SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the ...
Vigilante: end-to-end containment of internet worms
SOSP '05

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the ...
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Computer Systems

ACM Transactions on Computer Systems Volume 26, Issue 4

December 2008

98 pages

ISSN:0734-2071

EISSN:1557-7333

DOI:10.1145/1455258

Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 December 2008

Accepted: 01 September 2008

Revised: 01 June 2008

Received: 01 November 2005

Published in TOCS Volume 26, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

37
Total Citations
View Citations
1,182
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Elsayed M(2021)Rearguard: A Novel Blockchain-based Automatic Worm Containment System2021 International Telecommunications Conference (ITC-Egypt)10.1109/ITC-Egypt52936.2021.9513932(1-8)Online publication date: 13-Jul-2021
https://doi.org/10.1109/ITC-Egypt52936.2021.9513932
Jerkins JStupiansky JWong KShen CBrown D(2018)Mitigating IoT insecurity with inoculation epidemicsProceedings of the 2018 ACM Southeast Conference10.1145/3190645.3190678(1-6)Online publication date: 29-Mar-2018
https://dl.acm.org/doi/10.1145/3190645.3190678
Hussain MCrowcroft J(2018)Kiram and WOE: Distributed Denial of Service Attacks in Named-Data Networking2018 IEEE 26th International Conference on Network Protocols (ICNP)10.1109/ICNP.2018.00040(255-256)Online publication date: Sep-2018
https://doi.org/10.1109/ICNP.2018.00040
Stamatogiannakis MAthanasopoulos EBos HGroth P(2017)PROV2RACM Transactions on Internet Technology10.1145/306217617:4(1-24)Online publication date: 18-Aug-2017
https://dl.acm.org/doi/10.1145/3062176
Hasabnis NSekar R(2016)Lifting Assembly to Intermediate RepresentationACM SIGARCH Computer Architecture News10.1145/2980024.287238044:2(311-324)Online publication date: 25-Mar-2016
https://dl.acm.org/doi/10.1145/2980024.2872380
Hasabnis NSekar R(2016)Lifting Assembly to Intermediate RepresentationACM SIGOPS Operating Systems Review10.1145/2954680.287238050:2(311-324)Online publication date: 25-Mar-2016
https://doi.org/10.1145/2954680.2872380
Hasabnis NSekar R(2016)Lifting Assembly to Intermediate RepresentationACM SIGPLAN Notices10.1145/2954679.287238051:4(311-324)Online publication date: 25-Mar-2016
https://dl.acm.org/doi/10.1145/2954679.2872380
Sultana NKohlweiss MMoore AHan DRaz D(2016)Light at the middle of the tunnelProceedings of the 2016 workshop on Hot topics in Middleboxes and Network Function Virtualization10.1145/2940147.2940151(1-6)Online publication date: 22-Aug-2016
https://dl.acm.org/doi/10.1145/2940147.2940151
Hasabnis NSekar RConte TZhou Y(2016)Lifting Assembly to Intermediate RepresentationProceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/2872362.2872380(311-324)Online publication date: 25-Mar-2016
https://dl.acm.org/doi/10.1145/2872362.2872380
Liu WLiu CLiu XCui SHuang X(2016)Modeling the spread of malware with the influence of heterogeneous immunizationApplied Mathematical Modelling10.1016/j.apm.2015.09.10540:4(3141-3152)Online publication date: Feb-2016
https://doi.org/10.1016/j.apm.2015.09.105
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents