Posted on 2007-01-01. Authored by Joseph Tucek, Shan Lu, Chengdu Huang, Spiros Xanthos, Yuanyuan Zhou, James Newsome, David Brumley, Dawn Song.
The vulnerabilities which plague computers cause endless grief to users. Slammer compromised millions of hosts in minutes; a hit-list worm would take under a second. Recently proposed techniques respond better than manual approaches, but require expensive instrumentation, limiting deployment. Although spreading "antibodies" (e.g. signatures) ameliorates this limitation, hosts dependent on antibodies are defenseless until inoculation; against the fastest hit-list worms this delay is crucial. Additionally, most recently proposed techniques cannot recover to provide continuous service after an attack.
We propose a solution, called Sweeper, that provides both fast and accurate post-attack analysis and efficient recovery with low normal execution overhead. Sweeper combines several techniques. (1) Sweeper uses lightweight monitoring techniques to detect a wide array of suspicious requests, providing a first level of defense. (2) By leveraging lightweight checkpointing, Sweeper postpones heavyweight monitoring until absolutely necessary — after an attack is detected. Sweeper rolls back and re-executes repeatedly to dynamically apply heavyweight analysis via dynamic binary instrumentation. Since only the execution involved in the attack is analyzed, the analysis is efficient, yet thorough. (3) Based on the analysis results, Sweeper generates low-overhead antibodies to prevent future attacks on the same vulnerability. (4) Finally, Sweeper again re-executes to perform fast recovery.
We implement Sweeper in a real system. Our experiments with three real-world servers and four real security vulnerabilities show that Sweeper detects an attack and generates antibodies in under 60 ms. We also show that Sweeper imposes under 1% overhead during normal execution, clearly suitable for widespread production deployment (especially as Sweeper allows for partial deployment). Finally, we analytically show that, for a hit-list worm otherwise capable of infecting all vulnerable hosts in under a second, Sweeper contains the extent of infection to under 5%.