Sweeper: A lightweight end-to-end system for defending against fast worms

Operating Systems Review (ACM)

Volumn , Issue , 2007, Pages 115-128

  Tucek, Joseph ^a   Lu, Shan ^a   Huang, Chengdu ^a   Xanthos, Spiros ^a   Zhou, Yuanyuan ^a   Newsome, James ^b   Brumley, David ^b   Song, Dawn ^b  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Antibody; Dynamic instrumentation; Flash worm; VSEF

Indexed keywords

BINARY CODES; COMPUTER CRIME; REAL TIME SYSTEMS; SECURITY OF DATA; SERVERS; SUPERVISORY AND EXECUTIVE PROGRAMS; BINARY SEQUENCES; INSTRUMENTS; NETWORK SECURITY;

DYNAMIC INSTRUMENTATION; FLASH WORMS; VSEF;

DISTRIBUTED COMPUTER SYSTEMS; ANTIBODIES;

ANALYSIS RESULTS; ANALYSIS TECHNIQUES; ATTACK ANALYSIS; CHECK POINTING; CONTINUOUS SERVICES; DYNAMIC BINARY INSTRUMENTATION; DYNAMIC INSTRUMENTATION; END-TO-END SYSTEMS; FAST RECOVERY; FLASH WORM; FLASH WORMS; LIGHTWEIGHT MONITORING TECHNIQUES; NOVEL SOLUTIONS; PARTIAL DEPLOYMENT; REAL SYSTEMS; REAL-WORLD; SECURITY VULNERABILITIES;

EID: 34548043748     PISSN: 01635980     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1272996.1273010     Document Type: Conference Paper

References (57)

1. Dyninst. www.dyninst.org.
2. PaX. http://pax.grsecurity.net/.
3. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In 12th USENIX Security Symposium, 2003.
4. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In 14th USENIX Security Symposium, Baltimore, MD, 2005.
5. A. Borg, W. Blau, W. Graetsch, F. Herrmann, and W. Oberle. Fault tolerance under UNIX. ACM TOCS, 7(1), Feb 1989.
6. D. Brumley, L.-H. Liu, P. Poosankam, , and D. Song. Design space and analysis of worm defense strategies. In Proceedings of the 2006 ACM Symposium on Information, Computer, and Communication Security (ASIACCS 2006), March 2006.
7. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In IEEE Symposium on Security and Privacy, 2006.
8. CERT. Blaster http://www.cert.org/advisories/CA-2003-20.html.
9. CERT. CodeRed http://www.cert.org/advisories/CA-2001-19.html.
10. CERT. Slammer http://www.cert.org/advisories/CA-2003-04.html.
11. CERT/CC. CERT/CC statistics 1988-2005. http://www.cert.org/stats/ cert_stats.html.
12. M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Carnegie Mellon University, 2002.
13. J. Condit, M. Harren, S. McPeak, G. C. Necula, and W. Weimer. CCured in the real world. In PLDI, 2003.
14. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In SOSP'05, 2005.
15. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In the 7th USENIX Security Symposium, 1998.
16. J. R. Crandall, Z. Su, S. F. Wu, and F. T. Chong. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In CCS '05, 2005.
17. D. Dhurjati and V. Adve. Backwards-compatible array bounds checking for c with very low overhe ad. In ICSE, 2006.
18. G. W. Dunlap, S. T. King, S. Cinar, M. Basrai, and P. M. Chen. Revirt: Enabling intrusion analysis through virtualmachine logging and replay. In OSDI'02, 2002.
19. H. Etoh. GCC extension for protecting applications from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp/.
20. S. Forrest, A. Somayaji, and D. H. Ackley. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In HotOS, 1997.
21. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Proceedings of 6th workshop on Hot Topics in Operating Systems, 1997.
22. R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Usenix Winter Technical Conference, 1992.
23. H. W. Hethcote. The mathematics of infectious diseases. SIAM Rev., 42(4):599-653, 2000.
24. H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In the 13th Usenix Security Symposium, 2004.
25. S. T. King, G. W. Dunlap, and P. M. Chen. Debugging operating systems with time-traveling virtual machines. In USENIX, 2005.
26. C. Kreibich and J. Crowcroft. Honeycomb: creating intrusion detection signatures using honeypots. SIGCOMM Comput. Commun. Rev., 2004.
27. R. Lemos. Counting the cost of the slammer worm. http://news.com.com/ 2100-1001-982955.html, 2003.
28. Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In CCS '05, 2005.
29. D. E. Lowell and P. M. Chen. Free transactions with Rio Vista. In SOSP, 1997.
30. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI, 2005.
31. G. C. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In POPL, 2002.
32. N. Nethercote and J. Seward. Valgrind: A program supervision framework. In RV, 2003.
33. J. Newsome, D. Brumley, and D. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In NDSS, 2006.
34. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In RAID, Sept. 2006.
35. J. Newsome, B. Karp, and D. X. Song. Polygraph: Automatically generating signatures for polymorphic worms. In IEEE Symposium on Security and Privacy, 2005.
36. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.
37. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif. Misleading worm signature generators using deliberate noise injection. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.
38. F. Qin, H. Chen, Z. Li, Y. Zhou, H. seop Kim, and Y. Wu. LIFT: A low-overhead practical information flow tracking system for detecting general security attacks. In MICRO, Dec 2006. To appear.
39. F. Qin, S. Lu, and Y. Zhou. Safemem: Exploiting ECC-Memory for detecting memory leaks and memo ry corruption during production runs. In HPCA, 2005.
40. F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies - A safe method to survive software failures. In SOSP, 2005.
41. D. Scott. Assessing the costs of application downtime, 1998.
42. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In CCS, 2004.
43. S. Sidiroglou, M. Locasto, S. Boyd, and A. Keromytis. Building a reactive immune system for software services. In USENIX, 2005.
44. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In OSDI'04, 2004.
45. A. Smirnov and T. cker Chiueh. Dira: Automatic detection, identification and repair of control-hijacking attacks. In NDSS, 2005.
46. S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In USENIX, 2004.
47. S. Stamford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms, 2004.
48. S. Staniford, V. Paxson, and N. Weaver. How to Own the internet in your spare time. In USENIX Security Symposium, 2002.
49. T. K. Tsai and N. Singh. Libsafe: Transparent system-wide protection against buffer overflow attacks. In DSN, page 541, 2002.
50. US-CERT. Common vulnerabilities and exposures. [51] W. Vogels, D. Dumitriu, A. Agrawal, T. Chia, and K. Guo. Scalability of the Microsoft Cluster Service. In USENIX Windows NT Symposium, Aug 1998.
51. W. Vogels, D. Dumitriu, K. Birman, R. Gamache, M. Massa, R. Short, J. Vert, J. Barrera, and J. Gray. The design and architecture of the Microsoft Cluster Service. In FTCS, Jun 1998.
52. M. Weiser. Programmers use slices when debugging. Commun. ACM, 25(7):446-452, 1982.
53. J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS, 2003.
54. J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. Technical report, Center for Reliable and Higher Performance Computing, University of Illinois, May 2003.
55. J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In CCS '05, 2005.
56. X. Zhang, R. Gupta, and Y. Zhang. Precise dynamic slicing algorithms. In ICSE, 2003.
57. P. Zhou, W. Liu, F. Long, S. Lu, F. Qin, Y. Zhou, S. Midkiff, and J. Torrellas. AccMon: Automatically detecting memory-related bugs via program counter-based invariants. In MICRO, 2004.