End-to-End Containment of Internet Worm Epidemics

PhD Thesis: University of Cambridge |

Worms — programs that self-replicate automatically over computer networks — are a serious threat to hosts connected to the Internet. They infect hosts by exploiting software vulnerabilities, and they can use their victims for many malicious activities. Past outbreaks show that worms can spread too fast for humans to respond, hence worm containment must be automatic.

Recent work proposed network-level techniques to automate worm containment, but these techniques have limitations because there is no information about vulnerabilities at the network level. We propose Vigilante: a new end-to-end architecture to contain worms automatically that addresses these limitations. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms, by tracking the flow of data from network messages, and disallowing unsafe uses of that data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture.
Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently.
Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack, including all mutations that follow the execution path identified by the SCA, while introducing a negligible performance overhead.

Our results show that Vigilante can contain fast spreading worms that exploit unknown vulnerabilities without false positives. Vigilante does not require any changes to hardware, compilers, operating systems or the source code of vulnerable programs; therefore, it can be used to protect software as it exists today in binary form.