
Large Scale Malicious Code: A Research Agenda

N. Weaver, V. Paxson, S. Staniford, R. Cunningham. Large Scale Malicious Code: A Research Agenda. Contents. Overview Worms: Type, Attackers, Enabling Factors Existing Practices and Models Cyber CDC Vulnerability Prevention Defenses Automatic Detection of Malicious Code


Presentation Transcript


  1. N. Weaver, V. Paxson, S. Staniford, R. Cunningham Large Scale Malicious Code: A Research Agenda

  2. Contents • Overview • Worms: Type, Attackers, Enabling Factors • Existing Practices and Models • Cyber CDC • Vulnerability Prevention Defenses • Automatic Detection of Malicious Code • Automated Response to Malicious Code • Aid to Manual Analysis of Malicious Code • Aid to Recovery • Policy Considerations • Validation and Challenging Problems • Conclusion

  3. Motivation and Goal • Networking infrastructure is essential to many activities • Address the “worm threat” • Establish taxonomy for worms • Motivate Cyber “CDC” • Establish a road map for research efforts

  4. Challenges • Prevention • e.g. Non-executable stacks • Avoidance • e.g. Filter ports • Detection • e.g. Network telescopes • Recovery • e.g. Fix vulnerability

  5. Challenges • Spread speed is faster than human reaction time • Further generations of worms address previous countermeasures • Smart guys behind the scenes • Monocultures in today's Internet • People are not sensitive to security


  7. Taxonomy • Activation techniques • Human • Scheduled process • Self • Propagation strategies • Scanning • Pre-generated Target Lists • Externally Generated Target Lists • Internal Target Lists • Passive • Propagation carriers • Self, Embedded

  8. Taxonomy • Motivation and Attackers • Pride and Power • Commercial Advantage • Extortion, Random Protest • Political Protest • Terrorism • Cyber Warfare • Payloads • None • Opening Backdoors • Remote DOS • Receive Updates • Espionage • Data Harvesting • Data Damage • Hardware Damage • Coercion

  9. Ecology of Worms • Application Design • Buffer Overflows • Privileges • Mail worms • Application Deployment • Economic Factors • Monocultures


  11. Cooperative Information Technology Org. • CERT/CC • Human analysis and aggregation • IIAP • Human-time analysis • ISAC • Practices and background • FIRST • Public Mailing Lists

  12. Commercial Entities • Anti-virus Companies • Computer Anti-Virus Researchers Organization (CARO) • Network based IDS Vendors • Centralized Security Monitoring • Training Organizations • Limited Scope of Commercial Response • Worm has yet to cause significant damage • No clear way to generate additional revenue

  14. Cyber CDC • Identify outbreaks • Develop mechanisms for gathering information • Sponsor research in automated detection • Rapidly analyzing pathogens • Develop analysis tools • Understand the harm and spread of pathogens • Fighting Infections • Deploy agents that detect, terminate or isolate worms

  15. Cyber CDC • Anticipating new vectors • Analyze the threat potential of new applications • Proactively devising detectors for new vectors • Develop analysis modules for IDS • Resisting future threats • Foster research into resilient application design paradigms • How open?


  17. Vulnerability Prevention Defenses • Grading potentials • A: high potential, lower cost • B: medium potential or significant cost • C: low potential but high risk

  18. Vulnerability Prevention Defenses • Programming Languages and Compilers • Safe C Dialects (C, active area) • Enforcing type and memory safety • CCured / Cyclone • [future] extending to C++ • Software Fault Isolation (C, active area) • Memory safe sandboxes • Lack of availability of SFI-based systems • StackGuard (C, active area) • Compiler calling-convention • Works well against conventional stack attacks

  19. Vulnerability • Programming Languages and Compilers • Nonexecutable Stacks and Heaps w/ Randomized Layouts (B, mostly engineering) • Randomizing layout • Guard pages, exception when accessed • No attempt to build such a complete system • Monitoring for Policy- and Semantics-Enforcement (B, opportunities for worm specific monitoring) • System call patterns (“mimicry” attack) • Static analysis • [future] increase performance and precision

  20. Vulnerability • Automatic vulnerability analysis (B, highly difficult, active area) • Discover buffer overflows in C • Sanitized integers from untrusted sources • User-supplied pointers for kernel • [future] assembly level • [future] specific patterns of system calls

  21. Vulnerability Prevention Defenses • Privilege Issues • Fine-grained Access Control (C, active area) • [future] integrating into commodity OS • Code Signing (C, active area) • Public-key authentication • Privilege Isolation (C, some active research, difficult) • Mach kernel

  22. Vulnerability • Protocol Design • Design Principles (A, difficult, low cost, high reward) • Open problem • Proving Protocol Properties (A, difficult, high reward) • Worm resistant properties -> verify • [future] interpreter detects violation of protocol • Distributed Minable Topology (A, hard but critical) • Match subset, not the entire list • Network Layout (C, costly) • Never co-occur (i.e. strictly client / server)

  23. Vulnerability • Network Provider Practices • Machine Removal (C, already under development) • No standard protocol • Implementation Diversity • Monoculture is a dangerous phenomenon

  24. Vulnerability • Synthetic Polycultures • Synthetic polycultures (C, difficult, may add unpredictability) • [future] techniques to develop synthetic polycultures • [future] Code obfuscation • Economic and Social • Why is Security Hard (B, active area of research) • [future] understanding of why practices remain so poor


  26. Automatic Detection of Malicious Code • Host-based detectors • Host-based Worm Detection (A, Critical) • Contagion worms • IDS • Existing Anti-virus Behavior Blocking (A, Critical) • Behavior blocking (usability and false positives) • Wormholes / honeyfarms (A, Low Hanging Fruit) • Excellent detector / machine cost • Must target the cultured honeypots...

  27. Detection • Network-level detectors • Edge Network Detection (A, critical, powerful) • Large number of scans • Backbone Level Detection (B, hard, difficult to deploy) • Routing is highly asymmetric • Correlation of Results • Centralized (B, Some commercial work) • Distributed (A, powerful, flexible) • Worm Traceback (A, high risk, high payoff) • No attention to date in research community • [future] Network telescopes

  28. Automated Response to Malicious Code • Host-Based (B, overlaps with personal firewall) • Open question • Edge Network (A, powerful, flexible) • [future] Filter traffic (side effects...) • Backbone/ISP Level (B, difficult, deployment issues) • [future] Limitation of outbound scanning • National Boundaries (C, too coarse grained) • Graceful Degradation and Containment (B, mostly engineering) • [future] Quarantine sections

  29. Aids to Manual Analysis of Malicious Code • Collaborative Code Analysis Tool (A, scaling is important, some ongoing research) • Higher Level Analysis (B, important, Halting problem imposes limitations) • Hybrid Static-Dynamic Analysis (A, hard but valuable) • Visualization (B, mostly educational value) • [future] Real-time analysis • [future] what information might be gathered
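As an added illustration (not code from the slides or the paper), the two edge-network ideas from slides 27 and 28 worked over constructed flow records: a detector that flags a host contacting an unusual number of distinct destinations within a window, and a per-host throttle on first-contact connections that limits outbound scanning without touching repeat traffic. The window, threshold and rate values are assumptions chosen for the sample data.

```python
from collections import defaultdict, deque

# Constructed flow records (time_s, src, dst, dport); not data from the paper.
# 10.0.0.5 is a normal client; 10.0.0.9 behaves like a scanning worm:
# one new host every 0.25 s, always on the same port.
FLOWS = [
    (0.0, "10.0.0.5", "10.0.1.7", 445),
    (0.5, "10.0.0.5", "10.0.1.7", 445),   # repeat contact, not a new target
    (1.0, "10.0.0.5", "10.0.2.3", 80),
] + [(2.0 + i * 0.25, "10.0.0.9", f"10.0.3.{i}", 445) for i in range(30)]


def detect_scanners(flows, window_s=5.0, max_new_dests=10):
    """Edge-network detector: flag a source once it has contacted more than
    max_new_dests distinct (dst, dport) pairs within any window_s seconds.
    Returns {src: time_first_flagged}."""
    recent = defaultdict(deque)           # src -> deque of (time, target)
    flagged = {}
    for t, src, dst, dport in sorted(flows):
        q = recent[src]
        while q and t - q[0][0] > window_s:   # drop targets outside window
            q.popleft()
        target = (dst, dport)
        if all(seen != target for _, seen in q):
            q.append((t, target))         # only first contacts count
        if len(q) > max_new_dests and src not in flagged:
            flagged[src] = t
    return flagged


def throttle_outbound(flows, rate_per_s=1.0, burst=1):
    """Response: per-host token bucket on first-contact connections (the
    'limitation of outbound scanning' the slides list). Connections to hosts
    already contacted are never throttled, so normal traffic is unaffected
    while a scanner is slowed to rate_per_s new hosts per second.
    Returns {src: number_of_connections_that_would_be_delayed}."""
    known = defaultdict(set)
    bucket = {}                           # src -> (tokens, last_update)
    delayed = defaultdict(int)
    for t, src, dst, dport in sorted(flows):
        if (dst, dport) in known[src]:
            continue                      # repeat contact: always allowed
        known[src].add((dst, dport))
        tokens, last = bucket.get(src, (burst, t))
        tokens = min(burst, tokens + (t - last) * rate_per_s)
        if tokens >= 1:
            tokens -= 1                   # spend a token: connection proceeds
        else:
            delayed[src] += 1             # no token: queued until one refills
        bucket[src] = (tokens, t)
    return dict(delayed)
```

With these settings the normal client is never flagged or delayed, while the scanner is flagged after its eleventh new host and has 22 of its 30 first-contact connections held back.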

  30. Aids to Recovery • Anti-worms (C, impractical, illegal) • Patch distribution in a hostile environment (C, already evolving commercially) • Updating in a hostile environment (C, hard engineering, already evolving) • Metamorphic code to insert a small bootstrap program

  31. Policy considerations • Privacy and Data Analysis • Obscurity • Internet Sanitation • Scan limiters • The “Closed” Alternative • Apply topological restrictions


  33. Challenging Problems • Common evaluation framework • DARPA IDS evaluation • Finding proper level of abstraction for analysis • Limit resource available to attacker • Milestones for detection • Sensitivity to presence • False positive • Distortion resistant

  34. Challenging Problems • Milestones for analysis • Strategize vs. Understanding • State of practice: Identifying vs. Reverse engineering • Metrics: accuracy, completeness, speed, usability • Milestone: progressively bigger variety of worms • Detecting targeted worms • Tools for validating defenses • Worm Simulation Environment • Internet Wide Worm Testbed (A, essential) • Testing in the Wild (A, essential)

  36. Conclusions • Worms are a significant threat • Limited number of strategies • Inadequate defensive infrastructure • Cyber CDC • Prevention role • Huge potential damage

  37. Problems • Building tomorrow's security systems based on today's worm technologies • Will always be one step behind • Reactive • Need to address the root cause instead of patching things • Prevention

  38. ?
