Sweeper: A Lightweight End-to-End System for Defending Against Fast Worms
journal contributionposted on 01.01.2007, 00:00 by Joseph Tucek, Shan Lu, Chengdu Huang, Spiros Xanthos, Yuanyuan Zhou, James Newsome, David Brumley, Dawn Song
The vulnerabilities which plague computers cause endless grief to users. Slammer compromised millions of hosts in minutes; a hit-list worm would take under a second. Recently proposed techniques respond better than manual approaches, but require expensive instrumentation, limiting deployment. Although spreading “antibodies” (e.g. signatures) ameliorates this limitation, hosts dependant on antibodies are defenseless until inoculation; to the fastest hit-list worms this delay is crucial. Additionally, most recently proposed techniques cannot provide recovery to provide continuous service after an attack. We propose a solution, called Sweeper, that provides both fast and accurate post-attack analysis and efficient recovery with low normal execution overhead. Sweeper combines several techniques. (1) Sweeper uses lightweight monitoring techniques to detect a wide array of suspicious requests, providing a first level of defense. (2) By leveraging lightweight checkpointing, Sweeper postpones heavyweight monitoring until absolutely necessary — after an attack is detected. Sweeper rolls back and re-executes repeatedly to dynamically apply heavy-weight analysis via dynamic binary instrumentation. Since only the execution involved in the attack is analyzed, the analysis is efficient, yet thorough. (3) Based on the analysis results, Sweeper generates low-overhead antibodies to prevent future attacks of the same vulnerability. (4) Finally, Sweeper again re-executes to perform fast recovery. We implement Sweeper in a real system. Our experimentals with three real-world servers and four real security vulnerabilities show that Sweeper detects an attack and generates antibodies in under 60 ms. We also show that Sweeper imposes under 1% overhead during normal execution, clearly suitable for widespread production deployment (especially as Sweeper allows for partial deployment). Finally, we analytically show that, for a hit-list worm otherwise capable of infecting all vulnerable hosts in under a second, Sweeper contains the extent of infection to under 5%.