CERIAS - Center for Education and Research in Information Assurance and Security


Vulnerability-Driven Network Filters for Preventing Known Vulnerability Attacks

Helen J. Wang - Microsoft Research

Mar 30, 2005



Software patching has not been an effective first-line defense for
preventing large-scale worm attacks, even when patches had long been
available for their corresponding vulnerabilities. Generally, people
have been reluctant to patch their systems immediately, because patches
are perceived to be unreliable and disruptive to apply. To address this
problem, we propose a first-line worm defense in the network stack,
using shields -- vulnerability-specific, exploit-generic network filters
installed in end systems once a vulnerability is discovered, and before
the patch is applied. These filters examine the incoming or outgoing
traffic of vulnerable applications, and drop or correct traffic that
exploits vulnerabilities. Shields are less disruptive to install and
uninstall, easier to test for bad side effects, and hence more reliable
than traditional software patches. Further, shields are resilient to
polymorphic or metamorphic variations of exploits.

In the Shield project, we're showing that this concept is feasible by
implementing a prototype Shield framework that filters traffic at the
transport layer. We have designed a safe and restrictive language to
describe vulnerabilities as partial state machines of the vulnerable
application. The expressiveness of the language has been verified by
encoding the signatures of a number of known vulnerabilities. Our
evaluation provides evidence of Shield's low false positive rate and low
impact on application throughput. An examination of a sample set of
known vulnerabilities suggests that Shield could be used to prevent
exploitation of a substantial fraction of the most dangerous ones.
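To make the "partial state machine" idea concrete, here is an added example written for this page; it is not code from the Shield project or from the speaker. It models a constructed toy request protocol (HELLO / REQUEST / BYE messages with a 1-byte type and 2-byte length header), a hypothetical vulnerable server that copies the REQUEST payload into a 64-byte buffer, and a shield that tracks only the protocol states and the length field needed to recognise the vulnerable condition. Because the shield decides on the length field rather than on payload bytes, it is exploit-generic: differently encoded over-long requests are all dropped (or, in "correct" mode, truncated to the safe bound). The names `Shield`, `MAX_REQUEST_LEN` and the message types are all assumptions for the toy protocol.

```python
"""Added example: a vulnerability-specific, exploit-generic filter as a
partial state machine, in the spirit of the Shield talk (not Shield code)."""
from dataclasses import dataclass, field
from enum import Enum, auto
import struct

# Constructed toy protocol (hypothetical, not from the talk):
#   message = 1-byte type | 2-byte big-endian length | payload
#   HELLO   must open a session; REQUEST carries a filename that the
#   hypothetical vulnerable server copies into a 64-byte buffer; BYE closes.
MSG_HELLO, MSG_REQUEST, MSG_BYE = 0x01, 0x02, 0x03
HEADER = struct.Struct(">BH")
MAX_REQUEST_LEN = 64  # assumed safe bound for the toy vulnerability


class State(Enum):
    INIT = auto()
    SESSION = auto()
    CLOSED = auto()


class Verdict(Enum):
    PASS = auto()
    DROP = auto()
    CORRECTED = auto()


@dataclass
class Shield:
    """Partial state machine for one connection of the toy protocol."""
    correct: bool = False   # False: drop exploiting messages; True: truncate them
    state: State = State.INIT
    buf: bytes = b""
    stats: dict = field(default_factory=lambda: {"pass": 0, "drop": 0, "corrected": 0})

    def feed(self, data: bytes) -> list[tuple[Verdict, bytes]]:
        """Feed a chunk of the byte stream (any fragmentation); return one
        (verdict, bytes-to-forward) pair per complete message."""
        self.buf += data
        out = []
        while len(self.buf) >= HEADER.size:
            mtype, mlen = HEADER.unpack_from(self.buf)
            if len(self.buf) < HEADER.size + mlen:
                break  # message not yet complete; reassemble before deciding
            payload = self.buf[HEADER.size:HEADER.size + mlen]
            self.buf = self.buf[HEADER.size + mlen:]
            out.append(self._step(mtype, payload))
        return out

    def _step(self, mtype: int, payload: bytes) -> tuple[Verdict, bytes]:
        # Only the transitions relevant to the vulnerability are modelled.
        if self.state is State.INIT:
            if mtype != MSG_HELLO:
                return self._verdict(Verdict.DROP, b"")
            self.state = State.SESSION
            return self._verdict(Verdict.PASS, msg(mtype, payload))
        if self.state is State.SESSION:
            if mtype == MSG_REQUEST and len(payload) > MAX_REQUEST_LEN:
                if self.correct:
                    fixed = payload[:MAX_REQUEST_LEN]
                    return self._verdict(Verdict.CORRECTED, msg(mtype, fixed))
                return self._verdict(Verdict.DROP, b"")
            if mtype == MSG_BYE:
                self.state = State.CLOSED
            return self._verdict(Verdict.PASS, msg(mtype, payload))
        return self._verdict(Verdict.DROP, b"")  # nothing is valid after BYE

    def _verdict(self, v: Verdict, data: bytes) -> tuple[Verdict, bytes]:
        self.stats[v.name.lower()] += 1
        return (v, data)


def msg(mtype: int, payload: bytes = b"") -> bytes:
    """Encode one toy-protocol message."""
    return HEADER.pack(mtype, len(payload)) + payload


def demo() -> dict[str, list[Verdict]]:
    """Run the shield over constructed sessions: one benign, two over-long
    REQUEST variants with different payload bytes but the same length field."""
    benign = msg(MSG_HELLO) + msg(MSG_REQUEST, b"index.html") + msg(MSG_BYE)
    variant_a = msg(MSG_HELLO) + msg(MSG_REQUEST, b"A" * 200)
    variant_b = msg(MSG_HELLO) + msg(MSG_REQUEST, bytes(range(256))[:200])
    results = {}
    for name, stream in [("benign", benign), ("variant_a", variant_a), ("variant_b", variant_b)]:
        results[name] = [v for v, _ in Shield().feed(stream)]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, [v.name for v in verdicts])
```

The point to notice is what the shield does not look at: it never matches payload bytes, so re-encoding the over-long request changes nothing, and it only models the two states (before and after HELLO) that matter for this one condition rather than the whole protocol. Reassembly in `feed` is what keeps the check sound when a message arrives split across several transport segments.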

About the Speaker

Helen J. Wang is a researcher in the Systems and Networking research
group at Microsoft Research, Redmond, WA. Her research interests are in
system/network security, networking, protocol architectures,
mobile/wireless computing, and wide-area large scale distributed system
design. She received her Ph.D. degree from the Computer Science
department of U. C. Berkeley in December, 2001. Her Ph.D. thesis was on
"Scalable, robust wide-area control architecture for integrated
communications". Helen obtained her Bachelor of Science in Computer
Science from U. T. Austin, and Master of Science in Computer Science
from U. C. Berkeley.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.


The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.