Large Scale Malicious Code: A Research Agenda

N. Weaver, V. Paxson, S. Staniford, R. Cunningham

Slide transcript (38 slides), posted 22-Dec-2015

Slide 2: Contents

● Overview
● Worms: Types, Attackers, Enabling Factors
● Existing Practices and Models
● Cyber CDC
● Vulnerability Prevention Defenses
● Automatic Detection of Malicious Code
● Automated Response to Malicious Code
● Aid to Manual Analysis of Malicious Code
● Aid to Recovery
● Policy Considerations
● Validation and Challenging Problems
● Conclusion

Slide 3: Motivation and Goal

● Networking infrastructure is essential to many activities
  – Address the "worm threat"
● Establish a taxonomy for worms
● Motivate a Cyber "CDC"
● Establish a road map for research efforts

Slide 4: Challenges

● Prevention – e.g. non-executable stacks
● Avoidance – e.g. filtering ports
● Detection – e.g. network telescopes
● Recovery – e.g. fixing the vulnerability

Slide 5: Challenges

● Spread speed is faster than human reaction time
● Further generations of worms address previous countermeasures
  – Smart guys behind the scenes
● Monocultures in today's Internet
● People are not sensitive to security


Slide 7: Taxonomy

● Activation techniques
  – Human
  – Scheduled process
  – Self
● Propagation strategies
  – Scanning
  – Pre-generated target lists
  – Externally generated target lists
  – Internal target lists
  – Passive
● Propagation carriers
  – Self-carried, embedded
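Worked example, added here and not part of the original slides or paper: a deterministic mean-field model of the two propagation strategies that matter most for speed, uniform random scanning from a single seed versus the same worm seeded with a pre-generated target list (hit list). It is what makes the "spread speed is faster than human reaction time" point on slide 5 concrete. The address space, vulnerable population, scan rate and hit-list size are assumptions chosen for illustration, not measurements of any real worm.

```python
"""Random-scanning worm spread vs. a pre-generated hit list (added example).

Mean-field model: each infected host scans S uniformly random addresses per
tick; a scan infects a host if it lands on one of the V vulnerable hosts
that is not yet infected.  All parameters are assumptions for illustration.
"""

ADDRESS_SPACE = 2 ** 32      # IPv4 address space, scanned uniformly
VULNERABLE = 360_000         # assumed vulnerable population
SCANS_PER_TICK = 600         # assumed 10 scans/s with one tick = one minute
MAX_TICKS = 5_000


def simulate_scanning(initial_infected, vulnerable=VULNERABLE,
                      address_space=ADDRESS_SPACE, scans_per_tick=SCANS_PER_TICK,
                      max_ticks=MAX_TICKS):
    """Return the expected infected-host count per tick for a random-scanning worm."""
    infected = float(initial_infected)
    history = [infected]
    for _ in range(max_ticks):
        # Probability that one random scan hits a vulnerable, not-yet-infected host.
        p_hit = (vulnerable - infected) / address_space
        infected = min(vulnerable, infected + infected * scans_per_tick * p_hit)
        history.append(infected)
        if infected >= vulnerable:
            break
    return history


def ticks_to_fraction(history, fraction, vulnerable=VULNERABLE):
    """First tick at which at least `fraction` of the vulnerable hosts are infected."""
    target = fraction * vulnerable
    for tick, count in enumerate(history):
        if count >= target:
            return tick
    return None


def compare_strategies(hitlist_size=10_000):
    """Ticks to 90% infection: one scanning seed vs. a pre-generated target list.

    The hit-list worm is modelled as already holding `hitlist_size` infected
    hosts at tick 0 (infected directly from the list) and scanning thereafter.
    """
    scanning = simulate_scanning(initial_infected=1)
    hitlist = simulate_scanning(initial_infected=hitlist_size)
    return {
        "scanning_t90": ticks_to_fraction(scanning, 0.9),
        "hitlist_t90": ticks_to_fraction(hitlist, 0.9),
    }


if __name__ == "__main__":
    result = compare_strategies()
    print(f"minutes to 90% infection: scanning={result['scanning_t90']}, "
          f"hit list of 10,000={result['hitlist_t90']}")
```

With these assumed numbers the single-seed scanning worm needs a few hundred minutes to reach 90% of the vulnerable population, and the hit-list variant skips most of that slow start; either is well inside the window in which a human-driven response (slide 11) is still collecting reports.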

Slide 8: Taxonomy

● Motivation and attackers
  – Pride and power
  – Commercial advantage
  – Extortion
  – Random protest
  – Political protest
  – Terrorism
  – Cyber warfare
● Payloads
  – None
  – Opening backdoors
  – Remote DoS
  – Receive updates
  – Espionage
  – Data harvesting
  – Data damage
  – Hardware damage
  – Coercion

Slide 9: Ecology of Worms

● Application design
● Buffer overflows
● Privileges
  – Mail worms
● Application deployment
● Economic factors
● Monocultures


Slide 11: Cooperative Information Technology Organizations

● CERT/CC – human analysis and aggregation
● IIAP – human-time analysis
● ISAC – practices and background
● FIRST
● Public mailing lists

Slide 12: Commercial Entities

● Anti-virus companies
  – Computer Anti-Virus Researchers Organization (CARO)
● Network-based IDS vendors
● Centralized security monitoring
● Training organizations
● Limited scope of commercial response
  – Worms have yet to cause significant damage
  – No clear way to generate additional revenue


Slide 14: Cyber CDC

● Identifying outbreaks
  – Develop mechanisms for gathering information
  – Sponsor research in automated detection
● Rapidly analyzing pathogens
  – Develop analysis tools
  – Understand the harm and spread of pathogens
● Fighting infections
  – Deploy agents that detect, terminate or isolate worms

Slide 15: Cyber CDC

● Anticipating new vectors
  – Analyze the threat potential of new applications
● Proactively devising detectors for new vectors
  – Develop analysis modules for IDS
● Resisting future threats
  – Foster research into resilient application design paradigms
● How open?


Slide 17: Vulnerability Prevention Defenses

● Grading potentials
  – A: high potential, lower cost
  – B: medium potential or significant cost
  – C: low potential but high risk

Slide 18: Vulnerability Prevention Defenses

● Programming languages and compilers
  – Safe C dialects (C, active area)
    ● Enforce type and memory safety
    ● CCured / Cyclone
    ● [future] extending to C++
  – Software Fault Isolation (C, active area)
    ● Memory-safe sandboxes
    ● Lack of availability of SFI-based systems
  – StackGuard (C, active area)
    ● Compiler calling convention
    ● Works well against conventional stack attacks

Slide 19: Vulnerability Prevention Defenses

● Programming languages and compilers
  – Non-executable stacks and heaps with randomized layouts (B, mostly engineering)
    ● Randomizing the layout
    ● Guard pages, exception when accessed
    ● No attempt yet to build such a complete system
  – Monitoring for policy and semantics enforcement (B, opportunities for worm-specific monitoring)
    ● System call patterns ("mimicry" attack)
    ● Static analysis
    ● [future] increase performance and precision

Slide 20: Vulnerability Prevention Defenses

● Automatic vulnerability analysis (B, highly difficult, active area)
  – Discover buffer overflows in C
  – Sanitization of integers from untrusted sources
  – User-supplied pointers in the kernel
  – [future] assembly level
  – [future] specific patterns of system calls

Slide 21: Vulnerability Prevention Defenses

● Privilege issues
  – Fine-grained access control (C, active area)
    ● [future] integrating into commodity OS
  – Code signing (C, active area)
    ● Public-key authentication
  – Privilege isolation (C, some active research, difficult)
    ● Mach kernel

Slide 22: Vulnerability Prevention Defenses

● Protocol design
  – Design principles (A, difficult, low cost, high reward)
    ● Open problem
  – Proving protocol properties (A, difficult, high reward)
    ● Worm-resistant properties -> verify
    ● [future] interpreter detects violations of the protocol
  – Distributed minable topology (A, hard but critical)
    ● Match a subset, not the entire list
  – Network layout (C, costly)
    ● Never co-occur (i.e. strictly client / server)

Slide 23: Vulnerability Prevention Defenses

● Network provider practices
  – Machine removal (C, already under development)
    ● No standard protocol
● Implementation diversity
  – Monoculture is a dangerous phenomenon

Slide 24: Vulnerability Prevention Defenses

● Synthetic polycultures
  – Synthetic polycultures (C, difficult, may add unpredictability)
    ● [future] techniques to develop synthetic polycultures
    ● [future] code obfuscation
● Economic and social
  – Why is security hard? (B, active area of research)
    ● [future] understanding of why practices remain so poor


Slide 26: Automatic Detection of Malicious Code

● Host-based detectors
  – Host-based worm detection (A, critical)
    ● Contagion worms
    ● IDS
  – Existing anti-virus behavior blocking (A, critical)
    ● Behavior blocking (usability and false positives)
  – Wormholes / honeyfarms (A, low-hanging fruit)
    ● Excellent detector / machine cost
    ● Must target the cultured honeypots...

Slide 27: Automatic Detection of Malicious Code

● Network-level detectors
  – Edge network detection (A, critical, powerful)
    ● Large number of scans
  – Backbone-level detection (B, hard, difficult to deploy)
    ● Routing is highly asymmetric
● Correlation of results
  – Centralized (B, some commercial work)
  – Distributed (A, powerful, flexible)
  – Worm traceback (A, high risk, high payoff)
    ● No attention to date in the research community
    ● [future] network telescopes
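Added example, not from the slides or the paper: one way an edge-network detector turns the "large number of scans" observation into a per-source decision. It implements the Threshold Random Walk sequential hypothesis test (Jung, Paxson, Berger and Balachandran, IEEE S&P 2004): each first contact from a source to a new destination is one observation, a failed contact pushes the likelihood ratio toward "scanner" and a successful one toward "benign", and the source is labelled as soon as the ratio crosses either threshold. The flow records are constructed for illustration, and the parameter values (theta0, theta1, alpha, beta) are the commonly quoted ones, used here as assumptions.

```python
from collections import defaultdict

# Constructed first-contact records as an edge monitor would see them:
# (source, destination, connection succeeded?).  False stands for an attempt
# that drew no SYN-ACK (timeout or RST), which is what probing an unused
# address or a closed port looks like from the edge.
FLOWS = [
    ("10.0.0.5", "10.0.1.1", False),
    ("10.0.0.7", "10.0.1.20", True),
    ("10.0.0.9", "10.0.1.40", False),
    ("10.0.0.5", "10.0.1.2", False),
    ("10.0.0.7", "10.0.1.20", True),    # repeat contact, not a first contact
    ("10.0.0.5", "10.0.1.3", False),
    ("10.0.0.7", "10.0.1.21", True),
    ("10.0.0.9", "10.0.1.41", False),
    ("10.0.0.5", "10.0.1.4", False),
    ("10.0.0.7", "10.0.1.22", True),
    ("10.0.0.5", "10.0.1.5", False),
    ("10.0.0.7", "10.0.1.23", True),
]


def trw_classify(flows, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Threshold Random Walk over first-contact outcomes.

    H0: the source is benign and a first contact succeeds with probability theta0.
    H1: the source is a scanner and a first contact succeeds with probability theta1.
    The likelihood ratio is updated once per *first* contact (one observation
    per distinct destination) and compared with the sequential-test thresholds
    eta1 = beta/alpha (declare scanner) and eta0 = (1-beta)/(1-alpha)
    (declare benign).  Parameter values are assumptions for this example.

    Returns (verdict per source, number of first contacts needed to decide).
    """
    eta1 = beta / alpha
    eta0 = (1 - beta) / (1 - alpha)
    ratio = defaultdict(lambda: 1.0)
    seen = defaultdict(set)
    verdict, decided_after = {}, {}
    for src, dst, succeeded in flows:
        if src in verdict or dst in seen[src]:
            continue                      # already decided, or not a first contact
        seen[src].add(dst)
        if succeeded:
            ratio[src] *= theta1 / theta0              # success favours benign
        else:
            ratio[src] *= (1 - theta1) / (1 - theta0)  # failure favours scanner
        if ratio[src] >= eta1:
            verdict[src], decided_after[src] = "scanner", len(seen[src])
        elif ratio[src] <= eta0:
            verdict[src], decided_after[src] = "benign", len(seen[src])
    for src in seen:
        verdict.setdefault(src, "pending")   # not enough evidence yet
    return verdict, decided_after


if __name__ == "__main__":
    verdicts, decided = trw_classify(FLOWS)
    for src, label in sorted(verdicts.items()):
        print(f"{src}: {label}" + (f" after {decided[src]} first contacts" if src in decided else ""))
```

With the default parameters a failure multiplies the ratio by 4 and a success by 1/4, so a source is called a scanner after four straight failed first contacts and benign after four successful ones; repeat contacts to a known destination are deliberately ignored, which is what keeps a chatty but legitimate client from accumulating evidence either way. Counting only first contacts also means the detector needs per-source state that a worm can try to exhaust, a deployment caveat the slides' "difficult to deploy" note anticipates for the backbone.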

Slide 28: Automated Response to Malicious Code

● Host-based (B, overlaps with personal firewalls)
  – Open question
● Edge network (A, powerful, flexible)
  – [future] filter traffic (side effects...)
● Backbone/ISP level (B, difficult, deployment issues)
  – [future] limitation of outbound scanning
● National boundaries (C, too coarse-grained)
● Graceful degradation and containment (B, mostly engineering)
  – [future] quarantine sections
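Added example, not from the slides or the paper: a host-level response of the kind the "limitation of outbound scanning" and "quarantine" items point at. The design follows Williamson's virus throttle (ACSAC 2002): connections to destinations in a small working set go through at once, connections to new destinations are queued and released at a fixed rate, and a host whose queue grows past a limit is quarantined. The two workloads and all sizes are constructed assumptions for illustration.

```python
from collections import Counter, deque


class ScanThrottle:
    """Per-host throttle on connections to *new* destinations (added example).

    Destinations in the working set connect immediately; any other destination
    is queued and released at `release_per_tick` per tick.  A queue deeper than
    `quarantine_depth` means the host is reaching far more new destinations
    than a normal client does, so it is cut off.  Sizes are assumptions.
    """

    def __init__(self, working_set_size=4, release_per_tick=1, quarantine_depth=10):
        self.working_set = deque(maxlen=working_set_size)  # oldest evicted first
        self.delay_queue = deque()
        self.release_per_tick = release_per_tick
        self.quarantine_depth = quarantine_depth
        self.quarantined = False

    def request(self, dst):
        """Classify one outbound connection attempt to `dst`."""
        if self.quarantined:
            return "dropped"
        if dst in self.working_set:
            return "immediate"
        if dst not in self.delay_queue:
            self.delay_queue.append(dst)
        if len(self.delay_queue) > self.quarantine_depth:
            self.quarantined = True
            return "quarantined"
        return "delayed"

    def tick(self):
        """Release this tick's share of queued destinations into the working set."""
        for _ in range(self.release_per_tick):
            if self.quarantined or not self.delay_queue:
                return
            self.working_set.append(self.delay_queue.popleft())


def run_throttle(requests_by_tick, ticks, **throttle_args):
    """Feed a per-tick request schedule through one throttle.

    Returns (throttle, Counter of request outcomes).
    """
    throttle = ScanThrottle(**throttle_args)
    outcomes = Counter()
    for tick in range(ticks):
        for dst in requests_by_tick.get(tick, []):
            outcomes[throttle.request(dst)] += 1
        throttle.tick()
    return throttle, outcomes


# Constructed workloads.  A desktop client talks to a handful of servers over
# and over; a scanning worm tries a dozen fresh addresses every tick.
BENIGN_CLIENT = {t: ["dns", ("mail", "web", "file")[t % 3]] for t in range(10)}
SCANNING_WORM = {t: [f"10.1.{t}.{i}" for i in range(12)] for t in range(10)}


def demo():
    benign, benign_out = run_throttle(BENIGN_CLIENT, ticks=10)
    worm, worm_out = run_throttle(SCANNING_WORM, ticks=10)
    return {
        "benign_quarantined": benign.quarantined,
        "benign_outcomes": dict(benign_out),
        "worm_quarantined": worm.quarantined,
        "worm_outcomes": dict(worm_out),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The benign client pays a one-tick delay on each of its four servers the first time it sees them and is never touched again; the worm fills the delay queue within its first tick and is quarantined before a single human has seen an alert, which is the speed argument for automated response. The side effect the slide flags is visible too: a legitimate program that legitimately fans out to many new hosts (a crawler, a peer-to-peer client) would be throttled or cut off by the same rule, so the working-set size and quarantine depth have to be tuned per host role.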

Slide 29: Aids to Manual Analysis of Malicious Code

● Collaborative code analysis tool (A, scaling is important, some ongoing research)
● Higher-level analysis (B, important, the halting problem imposes limitations)
● Hybrid static-dynamic analysis (A, hard but valuable)
● Visualization (B, mostly educational value)
  – [future] real-time analysis
  – [future] what information might be gathered

Slide 30: Aids to Recovery

● Anti-worms (C, impractical, illegal)
● Patch distribution in a hostile environment (C, already evolving commercially)
● Updating in a hostile environment (C, hard engineering, already evolving)
  – Metamorphic code to insert a small bootstrap program

Slide 31: Policy Considerations

● Privacy and data analysis
● Obscurity
● Internet sanitation
  – Scan limiters
● The "closed" alternative
  – Apply topological restrictions


Slide 33: Challenging Problems

● Common evaluation framework
  – DARPA IDS evaluation
  – Finding the proper level of abstraction for analysis
  – Limit the resources available to the attacker
● Milestones for detection
  – Sensitivity to presence
  – False positives
  – Distortion resistance

Slide 34: Challenging Problems

● Milestones for analysis
  – Strategize vs. understanding
  – State of practice: identifying vs. reverse engineering
  – Metrics: accuracy, completeness, speed, usability
  – Milestone: progressively bigger variety of worms
● Detecting targeted worms
● Tools for validating defenses
  – Worm simulation environment
  – Internet-wide worm testbed (A, essential)
  – Testing in the wild (A, essential)


Slide 36: Conclusions

● Worms are a significant threat
● Limited number of strategies
● Inadequate defensive infrastructure
● Cyber CDC
  – Prevention role
● Huge potential damage

Slide 37: Problems

● Building tomorrow's security systems on today's worm technologies
  – Will always be one step behind
  – Reactive
● Need to address root causes instead of patching things
  – Prevention

Slide 38: ?

