Scargos: Towards Automatic Vulnerability Distribution

Florian Rhinow, Michael Clear

Abstract

Recent work has suggested automated approaches to vulnerability distribution, but their use has been limited to local networks and memory corruption detection techniques, and they have precluded custom vulnerability response processes. We present Scargos, a novel approach that automates the distribution and verification of vulnerabilities across the internet while allowing automatic, custom countermeasures without the need to trust a central authority. By leveraging collaborative detection, vulnerability reports can be contributed by anybody and are announced to an open network using packet-based self-certifying alerts (SCAs), which prove the existence of a vulnerability by capturing the original, unmodified attack. We show that our approach allows detection of previously unknown attacks, while an entire life cycle, including distribution and verification, is achieved on average in under 2 seconds.

Paper Citation


in Harvard Style

Rhinow F. and Clear M. (2015). Scargos: Towards Automatic Vulnerability Distribution. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 369-376. DOI: 10.5220/0005566203690376


in Bibtex Style

@conference{secrypt15,
author={Florian Rhinow and Michael Clear},
title={Scargos: Towards Automatic Vulnerability Distribution},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={369-376},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005566203690376},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Scargos: Towards Automatic Vulnerability Distribution
SN - 978-989-758-117-5
AU - Rhinow F.
AU - Clear M.
PY - 2015
SP - 369
EP - 376
DO - 10.5220/0005566203690376