Software patching has not been an effective first-line defense preventing large-scale worm attacks, even when patches had long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and drop traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits.
In this work, we show that this concept is feasible by implementing a prototype Shield framework that filters traffic at the transport layer. We have designed a safe and restrictive language that describes a vulnerability as a partial state machine of the vulnerable application. We verified the expressiveness of the language by encoding the signatures of a number of known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and low impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could prevent exploitation of a substantial fraction of the most dangerous ones.
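As an added illustration (not the Shield prototype's own code, and not its signature language), the following Python sketch shows what a vulnerability-specific, exploit-generic filter written as a partial state machine looks like. The wire format, the HELLO/DATA message types, the 256-byte buffer and the assumption that the vulnerable copy is only reachable after a HELLO are all constructed for this example. The point is that the filter decides on the declared length in the state where the overflow is reachable, so it does not care what bytes the payload carries (polymorphic variants look identical to it), while still reassembling messages that straddle transport segments.

```python
"""Added example (not the Shield project's own code): a vulnerability-
specific, exploit-generic filter expressed as a partial state machine.

Everything about the protocol and the vulnerability is constructed:
  - each message is  type(1 byte) | length(2 bytes, big-endian) | payload
  - type 0x01 = HELLO, type 0x02 = DATA
  - the hypothetical server copies a DATA payload into a fixed 256-byte
    buffer, but only after a HELLO has been received (it rejects DATA
    before that), so the vulnerable code path is reachable only then.
The shield tracks just enough session state to know when that code path
is reachable and drops any DATA message whose declared length exceeds the
buffer, whatever the payload bytes contain.
"""
import struct

HELLO, DATA = 0x01, 0x02
HEADER = struct.Struct(">BH")
BUF_SIZE = 256                      # assumed size of the vulnerable buffer
INIT, GREETED = "INIT", "GREETED"   # the only states the shield needs


class Shield:
    def __init__(self):
        self.state = INIT
        self.buf = b""

    def _check(self, mtype, payload):
        """Partial state machine: only the transitions relevant to the
        vulnerability are modelled; everything else passes through."""
        if self.state == INIT:
            if mtype == HELLO:
                self.state = GREETED
            return True
        # GREETED: the vulnerable copy is reachable, so enforce the bound.
        if mtype == DATA and len(payload) > BUF_SIZE:
            return False
        return True

    def feed(self, segment):
        """Feed one transport segment. Returns (mtype, payload, allowed)
        for every complete message reassembled from the stream; partial
        messages stay buffered until the next segment arrives."""
        self.buf += segment
        results = []
        while len(self.buf) >= HEADER.size:
            mtype, length = HEADER.unpack_from(self.buf)
            end = HEADER.size + length
            if len(self.buf) < end:
                break
            payload = self.buf[HEADER.size:end]
            self.buf = self.buf[end:]
            results.append((mtype, payload, self._check(mtype, payload)))
        return results


def msg(mtype, payload):
    """Encode one message in the constructed wire format."""
    return HEADER.pack(mtype, len(payload)) + payload


def run_demo():
    """Constructed traffic: a benign session, an oversized DATA sent before
    HELLO, and two exploit variants with different payload bytes and
    different segmentation."""
    verdicts = {}
    s = Shield()
    out = s.feed(msg(HELLO, b"") + msg(DATA, b"A" * 100))
    verdicts["benign"] = [ok for _, _, ok in out]

    s = Shield()                    # oversized DATA in INIT: not exploitable here
    out = s.feed(msg(DATA, b"B" * 300))
    verdicts["early_data"] = [ok for _, _, ok in out]

    s = Shield()                    # exploit variant 1, one segment
    s.feed(msg(HELLO, b""))
    out = s.feed(msg(DATA, bytes(range(256)) + b"\x90" * 44))
    verdicts["exploit_one_segment"] = [ok for _, _, ok in out]

    s = Shield()                    # exploit variant 2, header split across segments
    s.feed(msg(HELLO, b""))
    wire = msg(DATA, b"\xcc" * 300)
    out = s.feed(wire[:2])          # header incomplete: nothing decided yet
    out += s.feed(wire[2:150])
    out += s.feed(wire[150:])
    verdicts["exploit_split"] = [ok for _, _, ok in out]
    return verdicts
```

`run_demo()` returns one verdict list per scenario; both exploit variants are dropped on the declared length alone, and the benign session and the pre-HELLO DATA (unreachable code path in this toy protocol) are allowed, which is what keeps the false positive rate low compared with a payload-pattern signature.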
Bryan Parno (CMU), Jay Lorch, Helen J. Wang
Today's desktop PCs rely on security software such as anti-virus products and
personal firewalls for protection. Unfortunately, malware authors have
adapted by specifically targeting and disabling these defenses, a practice
exacerbated by the rise in zero-day exploits. In this paper, we present the
design, implementation, and evaluation of a secure execution platform, called
SAV-V, for anti-virus software. Our platform leverages
virtualization to make AV software resilient to zero-day malware attempting to
tamper with it. SAV-V also uses secure logging, a split file system, and fake
shutdowns to allow AV software to detect past infections by zero-day malware
once signatures become available.
Oakland 2006 submission. [pdf]
Presentation at MSR Brownbag with the AV team. [ppt]
In this work, we tackle the problem of automatic data patch or
vulnerability signature generation for an unknown vulnerability, given a
zero-day attack instance. Unlike previous approaches that employ program
analysis, we leverage knowledge of the data format to generate new
potential attack instances and use a zero-day detector as our oracle. With
such an informed probing and feedback loop, we construct vulnerability
signatures. We have implemented a prototype called ShieldGen and experimented
with three known vulnerabilities. The generated signatures have no false
positives, but may admit a small number of false negatives, largely due to the
imprecision of the data format specification. Compared with the
vulnerability signatures generated by existing schemes, our signatures
are noticeably superior. We also conducted a detailed study of
40 vulnerabilities from the past three years, and estimate that ShieldGen
would cover a significant fraction of them with signatures superior to those
generated by existing schemes.
Oakland 2006 submission. [pdf]
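The probing loop described above, as an added example that is not ShieldGen's own code: a constructed message format, a hypothetical vulnerable server whose overflow a stand-in "zero-day detector" reports, and a probe loop that mutates the attack instance one field at a time, asks the oracle whether the mutant still exploits, and keeps only the field conditions that matter. The format knowledge is what keeps probes well-formed (a length field and its payload are changed together) so that a probe tests the vulnerability rather than the parser. The monotonicity assumption in the numeric search is exactly the kind of format imprecision the text cites as a source of false negatives.

```python
"""Added example (not ShieldGen's own code): format-informed probing of one
zero-day attack instance against a detector oracle to derive a vulnerability
signature. The message format, the vulnerable server and the detector are
all constructed for illustration."""

# Constructed data-format specification: field -> type information.
FORMAT = {
    "version":  {"type": "uint", "bits": 8},
    "command":  {"type": "enum", "values": ["GET", "PUT", "DEL"]},
    "name_len": {"type": "uint", "bits": 16},
    "name":     {"type": "bytes", "length_field": "name_len"},
}


def zero_day_detector(msg):
    """Stand-in oracle: a hypothetical server copies `name` into a 64-byte
    buffer while handling PUT, and the detector reports that overflow."""
    return msg["command"] == "PUT" and msg["name_len"] > 64


def with_field(msg, field, value):
    """Copy msg with one field changed, keeping it well-formed under FORMAT:
    a changed length field regenerates its payload, and a changed payload
    updates its length field."""
    m = dict(msg)
    m[field] = value
    for f, spec in FORMAT.items():
        if spec["type"] == "bytes" and spec["length_field"] == field:
            m[f] = b"A" * value
    if FORMAT[field]["type"] == "bytes":
        m[FORMAT[field]["length_field"]] = len(value)
    return m


def _search(attack, field, oracle, lo, hi, want_smallest):
    """Binary search for the boundary between triggering and non-triggering
    values, assuming the oracle is monotonic in this field (an assumption,
    and a possible source of false negatives when it does not hold)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(with_field(attack, field, mid)) == want_smallest:
            hi = mid
        else:
            lo = mid
    return hi if want_smallest else lo


def generate_signature(attack, oracle):
    """Return a list of (field, op, value) conditions that the attack
    instance satisfies and that the oracle confirms are necessary."""
    sig = []
    for field, spec in FORMAT.items():
        if spec["type"] == "enum":
            triggering = [v for v in spec["values"]
                          if oracle(with_field(attack, field, v))]
            if triggering != spec["values"]:
                sig.append((field, "in", triggering))
        elif spec["type"] == "uint":
            top = (1 << spec["bits"]) - 1
            at_zero = oracle(with_field(attack, field, 0))
            at_top = oracle(with_field(attack, field, top))
            if not at_zero:   # lower bound matters: find the smallest trigger
                sig.append((field, ">=", _search(attack, field, oracle,
                                                 0, attack[field], True)))
            if not at_top:    # upper bound matters: find the largest trigger
                sig.append((field, "<=", _search(attack, field, oracle,
                                                 attack[field], top, False)))
        elif spec["type"] == "bytes":
            alt = bytes(b ^ 0xFF for b in attack[field])   # same length, new content
            if not oracle(with_field(attack, field, alt)):
                sig.append((field, "==", attack[field]))
    return sig


OPS = {"in": lambda x, v: x in v, "==": lambda x, v: x == v,
       ">=": lambda x, v: x >= v, "<=": lambda x, v: x <= v}


def matches(sig, msg):
    return all(OPS[op](msg[field], value) for field, op, value in sig)


def run_demo():
    """Constructed attack instance, benign traffic and an exploit variant."""
    attack = {"version": 1, "command": "PUT", "name_len": 500, "name": b"\x90" * 500}
    sig = generate_signature(attack, zero_day_detector)
    benign = [
        {"version": 1, "command": "GET", "name_len": 500, "name": b"x" * 500},
        {"version": 2, "command": "PUT", "name_len": 64, "name": b"y" * 64},
        {"version": 1, "command": "DEL", "name_len": 3, "name": b"abc"},
    ]
    variant = {"version": 2, "command": "PUT", "name_len": 65, "name": b"\xcc" * 65}
    false_positives = sum(matches(sig, m) for m in benign)
    return sig, false_positives, matches(sig, variant)
```

Here the probe loop discards `version` (both extremes still trigger) and the payload content (flipping every byte still triggers), narrows `command` to PUT, and finds 65 as the smallest overflowing length, so the resulting signature catches a variant with a different version, payload and length while matching none of the benign messages.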
Discoverer is a tool that reverse-engineers protocol specifications directly from network traces. It automatically infers both the message format and the protocol state machine. Such information can be used to fingerprint protocols, detect tunneling, and guide penetration tests. We have successfully reverse-engineered a text protocol (SMTP) and observed promising results on a complex binary protocol (SMB). We are continuing our experiments across a number of protocols and exploring further applications of Discoverer.
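To make the inference task concrete, here is an added example (not the Discoverer tool's own code) that performs a much-simplified version of it on constructed traces: messages are split into text and binary tokens, clustered by their token-class pattern and first token (a crude stand-in for a format distinguisher), each token position is labelled constant or variable, and the order of messages within sessions yields the observed transitions between inferred message types. The toy protocol, its sessions and the minimum text-run length of 3 are assumptions made for the example.

```python
"""Added example (not Discoverer's own code): simplified message-format and
state-transition inference from constructed network traces."""
import string

PRINTABLE = set(string.printable.encode("ascii"))


def tokenize(msg, min_text=3):
    """Split a message into ("text", word) and ("bin", single byte) tokens.
    A run of at least min_text printable bytes is treated as text and split
    on whitespace; everything else is emitted byte by byte as binary."""
    tokens, i, n = [], 0, len(msg)
    while i < n:
        j = i
        while j < n and msg[j] in PRINTABLE:
            j += 1
        if j - i >= min_text:
            tokens.extend(("text", w) for w in msg[i:j].split())
            i = j
        else:
            tokens.append(("bin", msg[i:i + 1]))
            i += 1
    return tokens


def infer_formats(messages):
    """Cluster messages by (first token, token-class pattern) and label each
    token position with its constant value, or None when it varies."""
    clusters = {}
    for m in messages:
        toks = tokenize(m)
        if not toks:
            continue
        key = (toks[0][1], tuple(cls for cls, _ in toks))
        clusters.setdefault(key, []).append(toks)
    formats = {}
    for key, members in clusters.items():
        fields = []
        for pos, cls in enumerate(key[1]):
            values = {t[pos][1] for t in members}
            fields.append((cls, values.pop() if len(values) == 1 else None))
        formats[key] = fields
    return formats


def infer_transitions(sessions):
    """Observed transitions between message types (identified by their first
    token) across sessions: a first approximation of the state machine."""
    transitions = set()
    for session in sessions:
        prev = b"START"
        for m in session:
            cur = tokenize(m)[0][1]
            transitions.add((prev, cur))
            prev = cur
    return transitions


# Constructed traces of a toy protocol: a text login/fetch phase followed by
# binary reply (0x02, 2-byte big-endian length, text body) and close (0x03).
SESSIONS = [
    [b"LOGIN alice\n", b"FETCH 12\n", b"\x02\x00\x05hello", b"\x03\x00\x00"],
    [b"LOGIN bob\n",   b"FETCH 7\n",  b"\x02\x00\x03hey",   b"\x03\x00\x00"],
    [b"LOGIN carol\n", b"\x03\x00\x00"],
]


def run_demo():
    return infer_formats([m for s in SESSIONS for m in s]), infer_transitions(SESSIONS)
```

The output marks the second text token of LOGIN and FETCH as variable, recovers the constant leading bytes of the binary reply, and lists the five observed transitions. Note the limitation visible in the 0x03 cluster: with only identical samples, every byte is reported as constant, so a field that is actually variable cannot be distinguished from a fixed one until the trace contains more diversity.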
Xiaofeng Fan, Jon Howell, Collin Jackson (Stanford), Helen J. Wang
Web mashups have created a new generation of wildly popular and
successful web services, marking a paradigm shift in web service
development. In this project, we aim to build MashupOS, which
provides OS abstractions over underlying web browser resources and allows
JavaScript gadgets that are mashed up together to share those resources in a
secure and controlled fashion.
Subspace: Secure Cross-Domain Communication for Web Mashups (Submission to WWW 2007) [pdf]
MashupOS: Operating System Abstractions for Client Mashups (position paper submission to HotOS 2007) [pdf]
Cross-site scripting (XSS) attacks have surged on the Web in recent years. Existing mitigations are either incomplete or heuristics-based, and lag behind in the arms race with attackers who circumvent known heuristics and find creative ways to inject malicious scripts. In XSS-Shield, we target the root cause of XSS, which is unexpected script execution in a page. To this end, we introduce the <scriptfree> tag, which lets a web page create a script-free context in which no script is parsed or executed. In addition to advocating the adoption of <scriptfree> in existing browsers, we have also prototyped an XSS-Shield system that is <scriptfree>-capable on the server side to detect XSS attacks. Such an XSS-Shield system can be deployed today to combat XSS attacks.
XSS-Shield powerpoint: [ppt]
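The server-side role sketched above, as an added example that is not XSS-Shield's own code: a template wraps untrusted content in <scriptfree> regions, and before the page is served a parser walks it and reports anything inside such a region that would make a browser run script (a script element, an event-handler attribute, or a javascript: URL), as well as untrusted content that closes a region early to escape it. The template, the sample comments, the list of URL-bearing attributes and the finding messages are constructed for the example; a deployed checker would need the same treatment for every script-capable construct of the target browsers, which is exactly why the text argues for browser support of the tag.

```python
"""Added example (not XSS-Shield's own code): a server-side check that a
page honours its <scriptfree> regions before it is served. Template and
inputs are constructed for illustration."""
import re
from html.parser import HTMLParser

# Attributes whose value is loaded as a URL (assumed list for the example).
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


def is_script_url(value):
    """Browsers tolerate whitespace and control characters inside the scheme
    (e.g. "java\\tscript:"), so normalise before comparing."""
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")


class ScriptFreeChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0        # nesting depth of <scriptfree> regions
        self.closes = 0       # number of </scriptfree> tags seen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "scriptfree":
            self.depth += 1
            return
        if self.depth == 0:
            return            # outside any scriptfree region: not checked here
        if tag == "script":
            self.findings.append("script element inside scriptfree region")
        for name, value in attrs:   # attribute values arrive entity-decoded
            if name.startswith("on"):
                self.findings.append(
                    f"event handler attribute {name} inside scriptfree region")
            elif name in URL_ATTRS and value and is_script_url(value):
                self.findings.append(
                    f"javascript: URL in {name} inside scriptfree region")

    def handle_endtag(self, tag):
        if tag == "scriptfree":
            self.closes += 1
            self.depth = max(self.depth - 1, 0)


def check_page(html, expected_regions):
    """Return a list of findings (empty means the page is clean).
    expected_regions is the number of regions the template itself emitted;
    any extra </scriptfree> can only have come from untrusted content trying
    to break out of a region, which a per-element scan alone would miss."""
    p = ScriptFreeChecker()
    p.feed(html)
    p.close()
    if p.closes > expected_regions:
        p.findings.append("untrusted content closed a scriptfree region")
    return p.findings


# Constructed template: one scriptfree region holding an untrusted comment.
TEMPLATE = ("<html><body><h1>Comments</h1>"
            "<scriptfree>{comment}</scriptfree></body></html>")


def render(comment):
    """Hypothetical server rendering: the untrusted comment is inserted
    verbatim into the region (no escaping, to show what the check catches)."""
    return TEMPLATE.replace("{comment}", comment)


def run_demo():
    samples = {
        "benign":  "Nice <b>post</b>!",
        "script":  "<script>alert(1)</script>",
        "handler": "<img src=x onerror=alert(1)>",
        "url":     '<a href="java&#09;script:alert(1)">x</a>',
        "escape":  "</scriptfree><script>alert(1)</script>",
    }
    return {name: check_page(render(c), 1) for name, c in samples.items()}
```

`run_demo()` returns the findings per sample; the "url" case shows why the comparison happens after entity decoding and control-character stripping, and the "escape" case shows why the checker must count region closings against what the template emitted rather than trusting the nesting it observes.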
Weidong Cui
John Dunagan
Helen J. Wang (Project leader)
Nikita Borisov (U.C. Berkeley)
David Brumley (CMU)
Pallavi Joshi (Indian Institute of Technology, Kharagpur)
Charlie Reis (U.W. Seattle)
Justin Ma (U.C. San Diego)
Bryan Parno (CMU)
Jayanth Kannan (U.C. Berkeley)
Michael Locasto (Columbia U.)
Opher Dubrovsky (ISA PM)
Saher Esmeir (Intern from Technion University)
Chuanxiong Guo (former MSR-A)
Dan Simon (MSR-R)
Alf Zugenmaier (former MSR-C)
Shield project overview, Jan 4, 2005: "The Shield Project" [ppt]
MSR TAB Presentation, October 24, 2005: "The Shield Project Update" [ppt]
Microsoft Faculty Summit 2005: "Shield and Friends Troubleshooting Network" [ppt]
An internal GAPA talk [ppt]
MSR TAB Presentation, October 25, 2004: "Shield: First-Line Worm Defense" [ppt]
ACM SIGCOMM 2004 presentation [pdf]
MSR Cool Talk Series, March 25, 2004: "Shield: First-Line Worm Defense" [pdf] [Recording]
UCSD system and networking seminar, Feb 25, 2004: "Shield: First-Line Worm Defense" [pdf]
Our work in the News
December 4, 2006, InformationWeek: Inside Microsoft Labs
August 2006, Microsoft Research News & Highlights: BrowserShield: Helping Make the Web Safe for Surfers
September 4, 2006, eWeek: Microsoft Research Builds 'BrowserShield'. The same article is also posted at Slashdot, newwin.net, OSNews.com, cgisecurity.com, IT professionals, clipmarks, The NewTech
September 5, 2006, Windows IT Pro: BrowserShield Defends Browsers At Network Borders
September 5, 2006, Ars Technica: Microsoft hefts a heavy mithril BrowserShield
September, 2006, Softpedia: Microsoft Reveals the BrowserShield Research Project
September, 2006, download squad: Microsoft's BrowserShield to nullify malicious sites
March 04, 2004, Seattle Times: Microsoft's researchers display wares at TechFest
June 9, 2004, IDG News Service: Microsoft research targets security, searching. The same article is also posted at PC World, InfoWorld, Australian Reseller News.com, NetworkWorldFusion, Computer World, PC World Magazine (Australia), Computer Weekly
June 10, 2004, CNet: "Microsoft Researchers Dream Big". The same article is also posted at news.com, New York Times, Silicon.com (UK), ZDNet UK, CNet Asia, ZDNet
June 10, 2004, Vnunet.com: Microsoft 'shield' to fight off worms
June 10, 2004, SearchExchange.com: What Microsoft gets for its $7B R&D budget
June 10, 2004, InternetNews.com: What's Under Wraps at Microsoft?
June 11, 2004, SearchWin2000.com: Microsoft grabs spotlight even when it stands pat
June 13, 2004, CRN: Microsoft Research: Beam Me Up Scotty?
Note: the name of our research project coincides with our company's "shield" security strategy. In fact, our research project started before the Microsoft "shield" initiative. Some of the news articles listed here draw connections between the two that are inaccurate.
Links
Vulnerability/Worm Information
PC Virus
PestPatrol
HogWash (IPS using Snort rules)
Symantec Internet Security Threat Report 2003
Trend of Malware Today: Annual Virus Round-up and 2004 Forecast
MSBlast
Worm Information Center
Secure Windows Initiative
Chris Walker's summary
Pat Wickline's Root Cause Analysis site
Soft Patching
IE Vulnerabilities
IIS Vulnerabilities
IIS 5.x Test Suite, webtest.exe
IE Vulnerabilities
IE test cases
Microsoft Security Bulletin
Security Focus
CERT
Snort