Sting: An Automatic Defense System against Zero-Day Worm
Attacks
[Overview] [Publications] [Back to
BitBlaze]
Worms such as CodeRed and SQL Slammer exploit software
vulnerabilities to self-propagate. They can compromise millions of
hosts within hours or even minutes and have caused billions of
dollars in estimated damage. How can we design and develop effective
defense mechanisms against such fast, large scale worm attacks?
We have designed and developed Sting, a new automatic defense
system that aims to be effective against even zero-day exploits
and protect vulnerable hosts and networks against fast worm
attacks. Sting proposes novel approaches and techniques to enable
three key steps for effective automatic defense:
- Exploit Detection: Automatically detect new exploits
quickly and accurately for previously unknown vulnerabilities
using techniques such as dynamic taint analysis.
Dynamic Taint Analysis for Automatic Detection, Analysis,
and Signature Generation of Exploit Attacks on Commodity
Software (NDSS05) [conference
version, full
version]
- Vulnerability Diagnosis: Automatically perform
in-depth diagnosis and identify root cause of the
vulnerability.
-
Anti-body Generation: Automatically generate effective
anti-bodies for layered defense.
-
Vulnerability Signature Generation: Automatically
generate vulnerability signatures as a first-line of
defense.
-
Hardened Binary Generation: Automatically generate
hardened binaries as a second-line of defense.
The central theme of Sting's approach is semantics-based
which focuses on the root cause, the vulnerability being
exploited. As an end-to-end system achieving the above three key
steps, Sting can detect, diagnose, and generate effective
anti-bodies for a new exploit extremely fast, often within
minutes or seconds. The anti-bodies can then be disseminated to
protect other hosts and networks from further attacks in a worm
outbreak.
- Sweeper: a Lightweight End-to-End
System for Defending against Fast Worms.
- Joseph Tucek, James Newsome, Shan Lu, Chengdu Huang,
Spiros Xanthos, David Brumley, Yuanyuan Zhou, and Dawn Song.
In Proceedings of European Conference on Computer Systems
(EuroSys), Mar 2007.
- Towards Automatic
Generation of Vulnerability Signatures
- David Brumley, James Newsome, Dawn Song, Hao Wang, and
Somesh Jha. In the Proceedings of the IEEE Symposium on
Security and Privacy, May 2006.
- Vulnerability-Specific
Execution Filtering for Exploit Prevention on Commodity
Software
- James Newsome, David Brumley, and Dawn Song. In the
Proceedings of the 13th Annual Network and Distributed
Systems Security Symposium (NDSS), 2006.
- Dynamic Taint Analysis for Automatic Detection, Analysis,
and Signature Generation of Exploit Attacks on Commodity
Software (short
version)
- James Newsome and Dawn Song. In Network and Distributed
Systems Security Symposium, Feb 2005.
- Sting: an End-to-End
Self-healing System for Defending against Zero-day Worm
Attacks on Commodity Software.
- James Newsome, David Brumley, and Dawn Song. Technical
Report CMU-CS-05-191.
- Sting: an
End-to-End Self-healing System for Defending against Internet
Worms .
- David Brumley, James Newsome, and Dawn Song. Book chapter
in "Malware Detection and Defense", Editors Christodorescu,
Jha, Maughn, Song, 2007.
Back to BitBlaze