DOI: 10.1145/1015467.1015489

Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Published: 30 August 2004

Abstract

Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for the corresponding vulnerabilities. People have generally been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications and correct traffic that exploits the vulnerability. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, because they key on the vulnerability rather than on any particular exploit, shields are resilient to polymorphic or metamorphic variations of exploits [43].

In this paper, we show that this concept is feasible by describing a prototype Shield framework implementation that filters traffic above the transport layer. We have designed a safe and restrictive language that describes vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of several known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and small impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
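To make the abstract's idea concrete, here is an added illustration in Python (not code from the paper or from the Shield prototype): a shield for a constructed, hypothetical length-prefixed protocol ("TOYP", its opcodes, the `Shield` class and the assumed 64-byte `NAME_BUF` are all invented for this example). It tracks only the protocol states needed to reach the assumed-vulnerable handler, judges each message by its length field rather than its payload bytes (so polymorphic variants are caught alike), and reassembles messages that are split across TCP segments before deciding.

```python
import struct
from dataclasses import dataclass

# Hypothetical "TOYP" wire format, constructed for this example:
#   message = opcode (1 byte) | length (2 bytes, big-endian) | payload
HELLO, SET_NAME = 0x01, 0x02
NAME_BUF = 64   # assumed size of the fixed buffer the vulnerable SET_NAME handler copies into

@dataclass
class Shield:
    """Partial state machine for one TCP connection: it models only the
    protocol states needed to reach the assumed-vulnerable SET_NAME handler."""
    state: str = "EXPECT_HELLO"
    buf: bytes = b""          # bytes of a message not yet fully received
    dropped: int = 0

    def feed(self, segment: bytes) -> bytes:
        """Consume one TCP segment and return only the bytes safe to forward."""
        self.buf += segment
        out = b""
        while len(self.buf) >= 3:
            opcode, length = struct.unpack("!BH", self.buf[:3])
            if len(self.buf) < 3 + length:
                break                     # message spans segments; wait for the rest
            msg, self.buf = self.buf[:3 + length], self.buf[3 + length:]
            if self.state == "EXPECT_HELLO" and opcode == HELLO:
                self.state = "SESSION"
            elif self.state == "SESSION" and opcode == SET_NAME and length > NAME_BUF:
                # Exploit-generic: the decision uses the length field alone, so any
                # payload variant that would overflow the buffer is removed.
                self.dropped += 1
                continue
            out += msg                    # everything else passes through unchanged
        return out

def demo() -> tuple[bytes, int]:
    """Replay a constructed session in 7-byte segments; return (forwarded bytes, drops)."""
    shield = Shield()
    hello = struct.pack("!BH", HELLO, 0)
    benign = struct.pack("!BH", SET_NAME, 5) + b"alice"
    oversized = struct.pack("!BH", SET_NAME, 200) + b"A" * 200   # contents are irrelevant
    stream = hello + benign + oversized
    forwarded = b"".join(shield.feed(stream[i:i + 7]) for i in range(0, len(stream), 7))
    return forwarded, shield.dropped

if __name__ == "__main__":
    fwd, drops = demo()
    print(f"forwarded {len(fwd)} bytes, dropped {drops} message(s)")
```

Because the filter buffers until a whole message is present, an oversized message cannot slip through by being fragmented, and a benign message is never dropped merely because its tail arrives in a later segment.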

References

[1] W. A. Arbaugh, W. L. Fithen, and J. McHugh. Windows of Vulnerability: A Case Study Analysis. IEEE Computer, 2000.
[2] Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright. Timing the Application of Security Patches for Optimal Uptime. In LISA XVI, November 2002.
[3] William Bush, Jonathan D. Pincus, and David J. Sielaff. A Static Analyzer for Finding Dynamic Programming Errors. Software-Practice and Experience (SP&E), 2000.
[4] Byacc. http://dickey.his.com/byacc/byacc.html.
[5] H. Chen and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 13th USENIX Security Symposium, 2004.
[6] Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In Proceedings of IEEE Infocom, 2003.
[7] Microsoft Security Bulletin MS01-033, November 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.
[8] Microsoft Corp. URLScan Security Tool. http://www.microsoft.com/technet/security/URLScan.asp.
[9] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Conference, 1998.
[10] David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen. HoneyStat: Local Worm Detection Using Honeypots. In RAID, 2004.
[11] O. Dubuisson. ASN.1 - Communication Between Heterogeneous Systems. Morgan Kaufmann Publishers, 2000.
[12] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1 (RFC 2616), June 1999.
[13] Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL Protocol Version 3.0. http://wp.netscape.com/eng/ssl3/ssl-toc.html.
[14] Mark Handley, Vern Paxson, and Christian Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proceedings of the USENIX Security Symposium, August 2001.
[15] Hung-Yun Hsieh and Raghupathy Sivakumar. A Transport Layer Approach for Achieving Aggregate Bandwidths on Multi-homed Mobile Hosts. In ACM Mobicom, September 2002.
[16] Anthony Jones and Jim Ohlund. Network Programming for Microsoft Windows. Microsoft Publishing, 2002.
[17] J. Klensin. Simple Mail Transfer Protocol (RFC 2821), April 2001.
[18] C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. In HotNets-II, 2003.
[19] David Litchfield. Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. http://www.nextgenss.com/papers.htm, September 2003.
[20] G. Robert Malan, David Watson, and Farnam Jahanian. Transport and Application Protocol Scrubbing. In Proceedings of IEEE Infocom, 2000.
[21] P. J. McCann and S. Chandra. PacketTypes: Abstract Specification of Network Protocol Messages. In Proceedings of ACM SIGCOMM, 2000.
[22] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the Slammer Worm. http://www.computer.org/security/v1n4/j4wea.htm, 2003.
[23] David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. In ACM Internet Measurement Workshop (IMW), 2002.
[24] Microsoft Security Bulletin MS03-026, September 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.
[25] S. W. O'Malley, T. A. Proebsting, and A. B. Montz. USC: A Universal Stub Compiler. In Proceedings of ACM SIGCOMM, 1994.
[26] Vern Paxson. Flex - A Scanner Generator. http://www.gnu.org/software/flex/manual/.
[27] Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Computer Networks, December 1999.
[28] Jonathan Pincus and Brandon Baker. Mitigations for Low-level Coding Vulnerabilities: Incomparability and Limitations. http://research.microsoft.com/users/jpincus/mitigations.pdf, 2004.
[29] J. Postel and J. Reynolds. Telnet Protocol Specification (RFC 854), May 1983.
[30] J. Postel and J. Reynolds. File Transfer Protocol (FTP) (RFC 765), October 1985.
[31] Niels Provos. A Virtual Honeypot Framework. Technical Report CITI-03-1, Center for Information Technology Integration, University of Michigan, October 2003.
[32] Thomas H. Ptacek and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, January 1998. http://www.insecure.org/stf/secnet_ids/secnet_ids.html.
[33] Eric Rescorla. Security Holes... Who Cares? In Proceedings of the USENIX Security Symposium, August 2003.
[34] DCE 1.1: Remote Procedure Call. http://www.opengroup.org/onlinepubs/9629399/.
[35] W32.Sasser.Worm, April 2004. http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html.
[36] H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A Transport Protocol for Real-Time Applications (RFC 1889), January 1996.
[37] Umesh Shankar and Vern Paxson. Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In Proceedings of the IEEE Symposium on Security and Privacy, May 2003.
[38] Richard Sharpe. Server Message Block. http://samba.anu.edu.au/cifs/docs/what-is-smb.html.
[39] Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage. The EarlyBird System for Real-time Detection of Unknown Worms. Technical Report CS2003-0761, University of California at San Diego, 2003.
[40] Microsoft Security Bulletin MS02-039, January 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp.
[41] The Open Source Network Intrusion Detection System. http://www.snort.org/.
[42] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
[43] Peter Szor and Peter Ferrie. Hunting for Metamorphic. Symantec Security Response.
[44] David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. In NDSS, 2000.
[45] Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham. Large Scale Malicious Code: A Research Agenda. http://www.cs.berkeley.edu/~nweaver/large_scale_malicious_code.pdf, 2003.
[46] Nicholas Weaver, Stuart Staniford, and Vern Paxson. Very Fast Containment of Scanning Worms, 2004. http://www.icsi.berkeley.edu/nweaver/containment/.
[47] Nick Weaver. The Potential for Very Fast Internet Plagues. http://www.cs.berkeley.edu/~nweaver/warhol.html.
[48] Matthew M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. Technical Report HPL-2002-172, HP Labs Bristol, 2002.
[49] Rafal Wojtczuk. Defeating Solar Designer's Non-executable Stack Patch. http://www.insecure.org/sploits/non-executable.stack.problems.html, January 1998.

Cited By

  • 6Subpattern: Target Generation Based on Subpattern Analysis for Internet-Wide IPv6 Scanning. IEEE Transactions on Network and Service Management 21(4):3692-3710, August 2024. DOI 10.1109/TNSM.2024.3400864
  • Impact Assessment and Defense for Smart Grids With FDIA Against AMI. IEEE Transactions on Network Science and Engineering 10(2):578-591, March 2023. DOI 10.1109/TNSE.2022.3197682
  • Protocol Reverse-Engineering Methods and Tools. Computer Communications 182(C):238-254, December 2021. DOI 10.1016/j.comcom.2021.11.009
  • A Smart Agent Design for Cyber Security Based on Honeypot and Machine Learning. Security and Communication Networks, vol. 2020, January 2020. DOI 10.1155/2020/8865474
  • REINAM: Reinforcement Learning for Input-Grammar Inference. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 488-498, August 2019. DOI 10.1145/3338906.3338958
  • Using Safety Properties to Generate Vulnerability Patches. 2019 IEEE Symposium on Security and Privacy (SP), pages 539-554, May 2019. DOI 10.1109/SP.2019.00071
  • Detecting Successful Attacks from IDS Alerts Based On Emulation of Remote Shellcodes. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), pages 471-476, July 2019. DOI 10.1109/COMPSAC.2019.10251
  • A Comprehensive Protection Method for Securing the Organization's Network Against Cyberattacks. 2019 Cybersecurity and Cyberforensics Conference (CCC), pages 118-122, May 2019. DOI 10.1109/CCC.2019.00005
  • Message Format and Field Semantics Inference for Binary Protocols Using Recorded Network Traffic. 2018 26th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pages 1-6, September 2018. DOI 10.23919/SOFTCOM.2018.8555813
  • PRETT: Protocol Reverse Engineering Using Binary Tokens and Network Traces. ICT Systems Security and Privacy Protection, pages 141-155, August 2018. DOI 10.1007/978-3-319-99828-2_11

Published In

SIGCOMM '04: Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications. August 2004, 402 pages. ISBN 1581138628, DOI 10.1145/1015467.

Also appears in ACM SIGCOMM Computer Communication Review, Volume 34, Issue 4. October 2004, 385 pages. ISSN 0146-4833, DOI 10.1145/1030194.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

Author Tags

1. generic protocol analyzer
2. network filter
3. patching
4. vulnerability signature
5. worm defense

Conference

SIGCOMM04: ACM SIGCOMM 2004 Conference
August 30 - September 3, 2004
Portland, Oregon, USA
