The Center for Education and Research in Information Assurance and Security (CERIAS)

Helen J. Wang - Microsoft Research

Vulnerability-Driven Network Filters for Preventing Known Vulnerability Attacks

Mar 30, 2005


Abstract

Software patching has not been an effective first-line defense for
preventing large-scale worm attacks, even when patches had long been
available for their corresponding vulnerabilities. Generally, people
have been reluctant to patch their systems immediately, because patches
are perceived to be unreliable and disruptive to apply. To address this
problem, we propose a first-line worm defense in the network stack,
using shields -- vulnerability-specific, exploit-generic network filters
installed in end systems once a vulnerability is discovered, and before
the patch is applied. These filters examine the incoming or outgoing
traffic of vulnerable applications, and drop or correct traffic that
exploits vulnerabilities. Shields are less disruptive to install and
uninstall, easier to test for bad side effects, and hence more reliable
than traditional software patches. Further, shields are resilient to
polymorphic or metamorphic variations of exploits.

In the Shield project, we're showing that this concept is feasible by
implementing a prototype Shield framework that filters traffic at the
transport layer. We have designed a safe and restrictive language to
describe vulnerabilities as partial state machines of the vulnerable
application. The expressiveness of the language has been verified by
encoding the signatures of a number of known vulnerabilities. Our
evaluation provides evidence of Shield's low false positive rate and low
impact on application throughput. An examination of a sample set of
known vulnerabilities suggests that Shield could be used to prevent
exploitation of a substantial fraction of the most dangerous ones.
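
To make the "vulnerability-specific, exploit-generic" idea concrete, here is an added illustration that is not from the talk or the Shield prototype: a partial state machine filter beside a byte-signature filter. The toy protocol, the 64-byte limit, all names and the sample payloads are assumptions constructed for this example, and the code does not use Shield's policy language.

```python
"""Toy comparison: vulnerability-specific filter vs. exploit-byte signature.

Everything here is constructed for illustration: the protocol, the 64-byte
limit and the sample payloads are hypothetical, not taken from Shield.
"""
from dataclasses import dataclass

NAME_BUF = 64  # assumed size of the vulnerable application's name buffer


@dataclass
class Msg:
    kind: str       # "HELLO", "BIND" or "REQUEST" in this toy protocol
    name: bytes = b""


class ToyShield:
    """Partial state machine: tracks only the states on the path to the flaw."""

    def __init__(self):
        self.state = "INIT"

    def allow(self, msg: Msg) -> bool:
        if self.state == "INIT" and msg.kind == "BIND":
            self.state = "BOUND"          # vulnerable handler is now reachable
        elif self.state == "BOUND" and msg.kind == "REQUEST":
            # Check the condition that triggers the flaw, not the payload bytes.
            return len(msg.name) <= NAME_BUF
        return True                        # everything else is out of scope


def signature_allow(msg: Msg, known_exploit_bytes: bytes) -> bool:
    """Exploit-specific filter: drops only traffic containing known bytes."""
    return known_exploit_bytes not in msg.name


def run_session(msgs):
    """Return the per-message verdicts of a fresh ToyShield for one session."""
    shield = ToyShield()
    return [shield.allow(m) for m in msgs]


# Constructed sample sessions.
BENIGN = [Msg("HELLO"), Msg("BIND"), Msg("REQUEST", b"printer-01")]
KNOWN = [Msg("BIND"), Msg("REQUEST", b"A" * 200)]
VARIANT = [Msg("BIND"), Msg("REQUEST", bytes(range(1, 201)))]  # different bytes
```

The state-based filter drops both oversized requests because it tests the triggering condition, while the byte signature drops only the payload it was written from.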

About the Speaker

Helen J. Wang is a researcher in the Systems and Networking research
group at Microsoft Research, Redmond, WA. Her research interests are in
system/network security, networking, protocol architectures,
mobile/wireless computing, and wide-area large-scale distributed system
design. She received her Ph.D. degree from the Computer Science
department of U. C. Berkeley in December, 2001. Her Ph.D. thesis was on
"Scalable, robust wide-area control architecture for integrated
communications". Helen obtained her Bachelor of Science in Computer
Science from U. T. Austin, and Master of Science in Computer Science
from U. C. Berkeley.

