
Software patching has not been an effective first-line defense preventing large-scale worm attacks, even when patches had long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and drop or correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits.
In the Shield project, we're showing that this concept is feasible by implementing a prototype Shield framework that filters traffic at the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of a number of known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. This approach provides protection for the time window between patch release and patch application. This time window is critical because attackers often reverse engineer newly released patches to gain vulnerability knowledge and then launch attacks against unpatched machines.
In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which has become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions, such as vulnerability-driven filtering.
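The run-time rewriting idea in the abstract above, as an added toy model that is not BrowserShield's own code: a hypothetical policy drops `<object>` elements carrying a constructed placeholder classid, and a fake document's write() is wrapped so the check runs on every dynamically generated fragment, including one that never appears literally in the page source. Assumed: the policy, the placeholder CLSID, the fake document object, and a regex tokenizer standing in for an HTML parser.

```javascript
// Added toy model of BrowserShield-style run-time filtering (not the project's code).
// Assumed: one hypothetical policy, a constructed CLSID, a fake document, a regex tokenizer.
const PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-00000000DEAD}"; // constructed, not a real control

// Vulnerability-specific (one classid), exploit-generic (any markup that
// instantiates it, no matter how the page or a script produced the string).
function violates(tagName, attrs) {
  return tagName === "object" &&
    (attrs.classid || "").toUpperCase() === PLACEHOLDER_CLSID;
}

// Walk tags and text; drop any element the policy rejects, including its body.
function filterHtml(html) {
  let dropping = null; // name of the element currently being removed
  return html.replace(/<\s*(\/?)([a-zA-Z][\w-]*)([^>]*)>|[^<]+/g, (tok, slash, name, rest) => {
    if (name === undefined) return dropping ? "" : tok; // text node
    const lname = name.toLowerCase();
    if (dropping) {
      if (slash && lname === dropping) dropping = null; // reached the close tag
      return "";
    }
    const attrs = {};
    for (const m of rest.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
    if (!slash && violates(lname, attrs)) { dropping = lname; return ""; }
    return tok;
  });
}

// The inserted run-time check: document.write() is wrapped so every fragment
// a script generates is filtered before the browser would render it. (Real
// BrowserShield also rewrites scripts inside the written HTML, recursively.)
function makeShieldedDocument() {
  const rendered = [];
  const browserWrite = (html) => rendered.push(html); // stands in for the native write()
  return { rendered, write: (html) => browserWrite(filterHtml(html)) };
}

// A page script that assembles the rejected element only at run time, so the
// page source contains no literal "<object" for a static filter to match.
function pageScript(doc) {
  const tag = "<" + "object classid=\"" + PLACEHOLDER_CLSID + "\">x</" + "object>";
  doc.write("<p>hello</p>" + tag + "<p>bye</p>");
}

function demo() {
  const doc = makeShieldedDocument();
  pageScript(doc);
  return doc.rendered.join(""); // "<p>hello</p><p>bye</p>"
}
```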
| Member | Affiliation |
|---|---|
| John Dunagan | |
| Helen J. Wang | (Project leader) |
| Nikita Borisov | (U. C. Berkeley) |
| David Brumley | (CMU) |
| Pallavi Joshi | (Indian Institute of Technology, Kharagpur) |
| Charlie Reis | (University of Washington, Seattle) |
| Justin Ma | (U. C. San Diego) |
| Dan Simon | (MSR-R) |
| Chuanxiong Guo | (former MSR-A) |
| Alf Zugenmaier | (former MSR-C) |
ACM SIGCOMM 2004: "Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits" [pdf]
UCSD system and networking seminar: "Shield: First-Line Worm Defense" [pdf]
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits
Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier
In the Proceedings of ACM SIGCOMM, August, 2004, Portland, OR [pdf] [older]
December 4, 2006, InformationWeek: Inside Microsoft Labs
August 2006, Microsoft Research News & Highlights: BrowserShield: Helping Make the Web Safe for Surfers
September 4, 2006, eWeek: Microsoft Research Builds 'BrowserShield'. The same article is also posted at Slashdot, newwin.net, OSNews.com, cgisecurity.com, IT professionals, clipmarks, The NewTech
September 5, 2006, Windows IT Pro: BrowserShield Defends Browsers At Network Borders
September 5, 2006, Ars Technica: Microsoft hefts a heavy mithril BrowserShield
September, 2006, Softpedia: Microsoft Reveals the BrowserShield Research Project
September, 2006, download squad: Microsoft's BrowserShield to nullify malicious sites
March 04, 2004, Seattle Times: Microsoft's researchers display wares at TechFest
June 9, 2004, IDG News Service: Microsoft research targets security, searching. PC World, Info World, Australian Reseller News.com, NetworkWorldFusion, Computer World, PC World Magazine (Australia), Computer Weekly
June 10, 2004, CNet: "Microsoft Researchers Dream Big", news.com, New York Times, Silicon.com (UK), ZDNet UK, CNet Asia, ZDNet
June 10, 2004, Vnunet.com: Microsoft 'shield' to fight off worms
June 10, 2004, SearchExchange.com: What Microsoft gets for its $7B R&D budget
June 10, 2004, InternetNews.com, What's Under Wraps at Microsoft?
June 11, 2004, SearchWin2000.com: Microsoft grabs spotlight even when it stands pat
June 13, 2004, CRN: Microsoft Research: Beam Me Up Scotty?
The name of our research project coincides with our company's "shield" security strategy. In fact, our research project started before the Microsoft "shield" initiative. Some of the news articles listed here draw connections between the two; those connections are inaccurate. Our project is purely a research project at this stage.