UBC Theses and Dissertations

A virtual testbed to evaluate worm defense techniques Hao, Shuang 2007

A Virtual Testbed to Evaluate Worm Defense Techniques

Shuang Hao
B.Sc., Tsinghua University, 2002
M.Sc., Tsinghua University, 2005

A THESIS SUBMITTED IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF Master of Science in The Faculty of Graduate Studies (Computer Science)

The University of British Columbia
October, 2007

© Shuang Hao 2007

Abstract

The rapidly growing amount of malicious software (such as worms) on the Internet causes significant security problems in enterprise networks and has been attracting increasing research attention. Many methods have been proposed to detect, throttle or even prevent the spreading of malware. However, most of the research experiments that evaluate the effectiveness of these defense mechanisms are based on off-line testing, synthetic data or mathematical modelling, which are unable to convincingly validate the efficiency of the defense systems. Better evaluation testbeds, with live worms mixed with realistic traffic, are required to facilitate research on malware defenses.

In this thesis we focus on developing a testbed which provides an emulation of realistic traffic conditions for network and security researchers. The system is constructed using virtual hosts, which makes the testbed scalable and flexible. Network traffic is collected from a real enterprise network and then replayed in the virtual environment. In the meantime, vulnerable services on the virtual hosts allow actual malware to compromise individual hosts and flood the virtual network.

Our use of virtualization technology enables an all-software implementation. It grants fast and convenient generation, startup and shutdown of the testbed. The data-link layer virtualization and the port-based forwarding VLAN strictly confine the released malware within the testing environment. The virtual smart switches provide a platform for researchers to evaluate the security and usability of their protection architecture against worms.

Table of Contents

Abstract
Table of Contents
List of Figures
Acknowledgements
1 Introduction
  1.1 Motivation
  1.2 Contribution
  1.3 Organization
2 Background & Related Work
  2.1 Worms and Their Behaviors
  2.2 Worm Mitigation Techniques
  2.3 Other Evaluation Testbeds
    2.3.1 vGround
    2.3.2 DETER
    2.3.3 Flexlab
3 A Testbed to Validate New Enforcement Architectures
  3.1 Enforcing Fine-grained Security Policies
  3.2 Virtualization Implementation
    3.2.1 Virtual Machines
    3.2.2 Virtual Network
  3.3 Testbed Structure
  3.4 Deployment of Defense Systems
4 Design Details
  4.1 Key Technologies
    4.1.1 Virtualization (Xen)
    4.1.2 Iptables & Ebtables
    4.1.3 Implementation Infrastructure (Emulab)
  4.2 Background Traffic Replay
    4.2.1 Data Collection
    4.2.2 Packets Replay
    4.2.3 Synchronization for Causality
  4.3 Isolated Details
    4.3.1 Data-Link Layer Virtualization
    4.3.2 VLAN Technique
    4.3.3 Remote Control
  4.4 Resource Allocation
    4.4.1 Time Dilation
    4.4.2 Parameter Setting
5 Evaluation
  5.1 Experiment Setting
  5.2 Experiment Results
6 Conclusion & Future Work
Bibliography

List of Figures

1.1 An example testbed for worm research
1.2 Infection trace tree
2.1 Scheme of DETER testbed [15]
2.2 Scheme of Flexlab testbed [28]
3.1 A system virtual machine [29]
3.2 A virtualized network
3.3 Topology of the worm experiment
4.1 Traversal scheme of network filters [1]
4.2 Replay scheme
4.3 Synchronization for causality
4.4 Structure of the worm experiment with remote control
5.1 DARPA simulated network [9]
5.2 DARPA network topology [9]
5.3 Statistics of daily TCP services [9]
5.4 Replaying between 2 machines
5.5 Replaying between 2 machines with tdf = 10.0
5.6 Replaying in the whole DARPA network

Acknowledgements

I would like to express my gratitude to all those who have offered me help in completing this thesis. Especially, I owe the greatest thanks to my supervisors, Dr. William Aiello and Dr. Norman Hutchinson, who provided me with excellent guidance and support in the entire process of this thesis project. I want to thank Dr. Andrew Warfield for giving me insightful comments on this work, and for being my second reader. I would also like to thank all the members of the systems lab for their constructive suggestions. Without their help, this work would not have been done. I thank all my friends at the University of British Columbia, who make my life and study in Vancouver really happy. Most importantly, I want to thank my family from the bottom of my heart. They always encourage me to pursue my dream, and their support is the power for me to finish this thesis.

Chapter 1 Introduction

1.1 Motivation

Worms pose a significant threat to existing and future networking infrastructure, as they can infect hundreds or thousands of hosts in a very short period of time. Malicious mobile code, especially worms, has attracted increasing attention. It costs a fortune to cleanse the infected hosts and the tainted networks.
Infected enterprises in particular suffer greatly from the malicious behavior of worms, since their LANs (Local Area Networks) are complex and the operating systems and software on desktops are usually diverse. The outbreak of a worm in an enterprise can cause millions of dollars of damage. Moreover, active worms can potentially spread across the Internet within seconds [30]; therefore manual detection and prevention is impossible. Many automatic methods have been proposed to identify and control the spreading of worms. The most dangerous worms are the newly released ones, since at that time the anti-virus community knows little about which vulnerability the worms exploit and what payload they carry. In order to deal with novel worms, people have been trying to analyze the network behaviors of the worms.

Providing a defense against malicious software requires us to walk a fine line between security and usability. A security policy may be so strict that it adversely affects the usability/availability of the system. The extreme case is when all packets on the network are dropped, so that no attack attempt is possible. However, this is equivalent to the network being cut off. An event incorrectly identified by the defense system as an intrusion when none has occurred is called a false positive [13]. On the other hand, a relaxed security policy may be unable to detect the malicious traffic. For example, if it allows all the traffic through, the policy guarantees the usability of the network, but the worms are free to spread. A false negative [13] is an event where the defense system fails to identify an attack when one has in fact occurred. Due to the complexity and diversity of the systems and networks, it is impossible to build a flawless system or design omniscient anti-worm software. Therefore researchers are continuously seeking a good tradeoff between security and usability, i.e., trying to detect new worms' spreading in its early stages while doing little harm to legitimate communication in the network.

Figure 1.1: An example testbed for worm research

A typical testbed setup is shown in Figure 1.1. The hosts indicated by English letters, numbers and Roman numerals belong to different network segments respectively. The defense systems isolate those parts of the network. When an infected machine (indicated by the bold ellipse) sends out packets carrying a malicious payload, the defense systems are expected to detect the abnormality of the traffic and deploy the appropriate response. Afterwards, the dropped and allowed packets can be counted to measure the accuracy of the defense systems. Security researchers would like testbeds that contain authentic network traffic and provide a flexible playground to investigate the effect of the defense systems.

Many mathematical models have been proposed to characterize the propagation of worms [18, 21, 30]. They provide a theoretical view that helps us understand the worms' nature and defend against their spreading. However, those models are not very suitable for evaluating defense algorithms, since concrete worms might behave differently depending on the exploited vulnerabilities and the hardware they run on. Another problem with testing on synthetic worm propagation models is their lack of actual background traffic.
People hope to accurately test the rates of false positives and false negatives with a mixture of the worms' spreading and the normal traffic. Many platforms, such as Emulab and PlanetLab, have been constructed to facilitate network and system research. Although they provide full system privilege and easy network configuration, security experiments might cause chaos if real worms were released in the environment, and the normal connections created by the users do not reflect the actual traffic in real enterprise LANs.

An alternative scheme is to do the evaluation offline. Background traffic and worm propagation could be collected separately and the two sets of data mixed later for the test. However, during the evaluation, the actions of the defense system will break the recorded infection trace.

Figure 1.2: Infection trace tree
(b) infection trace in a protected network

Suppose the infection trace we collect from an unprotected network is as shown in Figure 1.2 (a). A is the seed infected machine. Then B, C, D are compromised (at time t1). Consequently B will infect E and F next (at time t2). If the attack from A to B is successfully blocked by the defense methods, then it is hard to estimate when B and its subnodes E and F will be compromised in the environment with the defense system deployed. At least B will not be infected at time t1, and maybe later the three machines will all be attacked by machine D, as shown in Figure 1.2 (b). This example demonstrates that the nodes' states and malicious traffic in a protected network are difficult to reconstruct from those in an unprotected network. Therefore offline evaluation is inappropriate for testing anti-worm defense mechanisms.

Our goal is to construct an experimental testbed where actual worms will be released and mixed with background traffic sampled from a real enterprise LAN.
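The causality problem of Figure 1.2, as an added example (not code from the thesis): a toy propagation model in which each infected host attacks a fixed list of targets a fixed number of ticks after its own infection. The hosts, scan lists and delays are constructed to match the figure and are assumptions. Running the worm live with the A-to-B attack blocked yields a different infection history from the offline method of filtering the blocked packets out of the unprotected recording: the filtered recording still shows B attacking E and F at t2, although a protected B is not infected until D reaches it later.

```python
"""Why an offline replay of a recorded infection trace breaks under a live defense.

Added example, not code from the thesis. The hosts, the scan lists and the attack
delays are constructed to mirror Figure 1.2; they are assumptions, not measurements.
"""

# Each infected host attacks the listed targets `delay` ticks after its own
# infection. D's late attack on B, E and F is what Figure 1.2 (b) hints at.
SCAN = {
    "A": [("B", 1), ("C", 1), ("D", 1)],
    "B": [("E", 1), ("F", 1)],
    "C": [],
    "D": [("B", 3), ("E", 3), ("F", 3)],
    "E": [],
    "F": [],
}


def simulate(scan, seed, blocked=frozenset(), horizon=20):
    """Run the worm live against a defense that drops the (attacker, victim)
    pairs in `blocked`. Returns (infection_time, events), where events are
    (tick, src, dst, outcome) tuples in the order they were attempted."""
    infected = {seed: 0}
    events = []
    for t in range(1, horizon + 1):
        newly = {}
        for src, t_inf in list(infected.items()):
            for dst, delay in scan[src]:
                if t_inf + delay != t:
                    continue
                if (src, dst) in blocked:
                    events.append((t, src, dst, "dropped"))
                elif dst in infected or dst in newly:
                    events.append((t, src, dst, "already-infected"))
                else:
                    events.append((t, src, dst, "infected"))
                    newly[dst] = t
        infected.update(newly)
    return infected, events


def offline_filter(recorded, blocked):
    """The offline method: replay the trace recorded on an unprotected network
    and simply discard the packets the defense would have dropped."""
    return [e for e in recorded if (e[1], e[2]) not in blocked]


def attacks_from(events, host):
    """Sorted (tick, victim) pairs for every attack `host` launched."""
    return sorted((t, dst) for t, src, dst, _ in events if src == host)


if __name__ == "__main__":
    blocked = {("A", "B")}
    recorded_inf, recorded_events = simulate(SCAN, "A")
    live_inf, live_events = simulate(SCAN, "A", blocked)
    print("unprotected infection times:", recorded_inf)
    print("live, A->B blocked:         ", live_inf)
    # The filtered recording still carries B's attacks at tick 2, although a
    # protected B is not infected until D reaches it at tick 4.
    print("offline filter keeps B attacking at:",
          attacks_from(offline_filter(recorded_events, blocked), "B"))
    print("live run has B attacking at:        ", attacks_from(live_events, "B"))
```

In the live run B, E and F are infected at tick 4 by D, and B's own attacks move to tick 5; the filtered recording keeps B's attacks at tick 2 from a host that, under the defense, is not yet infected. A defense evaluated against that filtered trace would be scored on packets that could never have been sent.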
Our intention is to provide security researchers with an effective platform to investigate the security vs. usability tradeoff in anti-worm defense mechanisms. A testbed with authentic traffic and real vulnerable systems will surely facilitate the development of research against worm attacks.

1.2 Contribution

In this thesis we explore constructing such a security testbed, based on the technique of virtualization, i.e., an all-software implementation. The released worms have the illusion that they reside in actual vulnerable systems and propagate on a real network.

Obviously, people could build a testing sandbox with several physical machines. However, the scheme of using physical machines directly is fundamentally hard for several reasons:

• The experiments suffer from hardware restrictions. Most changes in the experimental configuration will place extra requirements on the hardware. For example, if a machine is set to connect multiple network segments, we have to open its box and manually install the corresponding number of network devices;

• The scale of the experiment is limited by the number of available physical nodes. It is no problem to build up a network with 10 or 20 machines, but a large network with hundreds of nodes is hard to construct;

• Once the machines are infected, it is time-consuming work to cleanse the systems of worms. In the worst case, we might need to reinstall the systems to start a new experiment;

• There are two monitoring modes for the experiment. 1) Users monitor the experiment on the isolated testbed network, i.e., they operate on the individual test nodes. Such a setup brings no security problems; 2) In the case where the monitor is not collocated in the isolated testbed network, a network connection is required out of the testbed. This configuration substantially increases the difficulty of guaranteeing that the malware remains contained within the testbed.
In order to overcome the problems listed above, this thesis represents an initial step toward the construction of an environment for safely evaluating active defenses against Internet worms in enterprise networks. Our prototype system uses a single physical host running the Xen virtual machine monitor to emulate a medium-sized enterprise network containing tens of hosts. Our system allows live, recorded background traffic to be replayed with high fidelity while live attack traffic is issued against hosts in virtual machines. Our work makes the following contributions:

1. We build a complete system in which hosts under attack are isolated in virtual machines on a completely virtualized Layer 2 network. This is a simple, architectural solution to the containment of malicious traffic.

2. Taking advantage of previous work on the time dilation of virtual machines, we demonstrate that background traffic recorded from a real enterprise network can be replayed with very high fidelity, and that as a consequence our testbed forms an excellent base for achieving repeatable results in testing defense mechanisms.

Meanwhile, our design also aims to achieve the following potential features in the future, and we discuss those rough ideas in the thesis.

• The testbed is easy to configure. Different system images can be loaded to boot hundreds of virtual hosts within a few minutes. After the experiment is finished, the tear-down of the virtual hosts will automatically remove the worms too;

• The network can contain smart virtual switches which are designed to run the defense algorithms under test. An arbitrary number of virtual NICs can be assigned in each smart switch to connect the virtual end hosts;

• The worms are strictly confined within the testing environment. The virtual environment is like an isolated island to the physical machines. Moreover, it is possible for users to remotely control the testbed, while the experimental traffic is unable to leak to the outside world.

1.3 Organization

This thesis presents the design of our testbed system and the technical details of its implementation. The remainder of the thesis is organized as follows. Chapter 2 presents a survey of related work and introduces the background knowledge. In Chapter 3, we state the basic idea and structure of the testbed for validating the enforcement architecture. We further demonstrate the detailed implementation in Chapter 4. Chapter 5 contains the experimental evaluation of our testbed. Finally we draw conclusions in Chapter 6 with some discussion of future work.

Chapter 2 Background & Related Work

Malicious mobile code is currently prevalent on the Internet, which is a problem for both individuals and enterprises. Worms are notorious among the various kinds of malicious mobile code, due to their wild outbreaks. The existing worms have been carefully studied by security researchers, and many defense mechanisms have been proposed to protect computers and networks. However, stopping zero-day worms is still an unsolved problem. There exist several testbeds for researchers to investigate worms' behaviors or to evaluate counter-worm methods. In this chapter, we will briefly introduce some representative worms and the mitigation techniques against them.

2.1 Worms and Their Behaviors

A computer worm is a program that self-propagates across a network exploiting security or policy flaws in widely-used services [33]. A distinguishing feature of worms is that they spread and compromise machines without human interaction, which makes them propagate very quickly on the network and allows them to easily infect hundreds or even thousands of vulnerable machines. Typically, a worm's life cycle includes the following phases.
• Probing: In order to infect machines in a network, a worm needs to first identify the existence of other machines. The simplest way is to randomly scan IP addresses. Even though the randomly created addresses might not be assigned to any machine, or the scanned machine may not be vulnerable to the worm, the automatic activation still makes worms spread very quickly. Recently, some worms have begun to use localized scanning, i.e., scanning addresses in the same network segment with high probability and scanning randomly otherwise. There exist several potentially highly virulent scanning techniques [30], including hit-list scanning, where the worm authors collect a list of IP addresses beforehand and the worm first tries to attack the listed addresses, and permutation scanning, where a worm is able to detect that a host is already infected and will not continue to scan duplicated addresses.

• Exploitation: Once a worm detects a machine running vulnerable services, it usually launches an overflow attack (e.g., the attack methods of the first worm, Morris, and the more recent CodeRed [8]) to compromise the machine. If the programmers did not do careful bounds checking, the worm is able to overwrite part of the normal code and make the program execute the malicious instructions. The innocent machine is then infected by the worm.

• Propagation: A compromised machine will continue to infect others. Some worms need human interaction to be activated, e.g., Nimda [7] is activated after the machine is rebooted by the user. As the worm's propagation depends on users' behavior, the spreading speed is comparatively slow. The fastest worms are self-activated, such as CodeRed [8], which starts to spread malicious code as soon as it exploits a vulnerable machine.

• Attacks: Worms are able to execute malicious tasks on the infected machines, including theft of private information, installing backdoors, launching DDoS attacks, spreading spam, etc.

Even though researchers attempt to design secure systems, there still exist a lot of potential vulnerabilities within current operating systems and software, which present exploitation opportunities for future worms. The rapid development of networks (including their bandwidth and scale) aggravates the propagation of worms.

On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the CodeRed (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of CodeRed, is estimated to be in excess of $2.6 billion [27]. It exploits a buffer-overflow vulnerability in Microsoft's IIS web servers. A backdoor is installed once a machine is infected by CodeRed. With probability 1/8, CodeRed probes random IP addresses; the rest of the time it scans the local network with the same class A or B addresses.

Slammer (a.k.a. Sapphire) was the fastest computer worm in history. As it began spreading from 05:30 UTC on Saturday, 25 January 2003, the worm infected more than 90 percent of vulnerable hosts within 10 minutes [26]. It simply sends a packet to UDP port 1434 to exploit the buffer-overflow vulnerability on SQL servers. Despite the fact that Slammer also adopts a random scanning strategy, its one-packet attack and small size (404 bytes) allow a fast spreading speed.

2.2 Worm Mitigation Techniques

The outbreaks of worms cause much trouble to both individual and enterprise machines and cause significant network congestion. Security researchers have put a lot of effort into studying techniques against worms, and many defense mechanisms have been proposed to identify and control their spreading. Roughly they can be divided into three strategies: Proactive Protection, Reactive Defense and Local Containment [17].

Proactive protection aims to protect the system by reducing the possibility for a worm to exploit a given vulnerability. Such methods include sandboxing, privilege separation, system call monitoring, etc. [17]. Regardless of specific worms' exploitation, proactive protection tries to enhance the overall security. For example, since most worms take advantage of unchecked buffers, an effective counter method is to randomize the addresses of the stack or heap, which leaves the worm uncertain about the internal state of the machine [16, 19, 37]. Proactive protection sometimes completely blocks worm attacks, but it is impossible to construct a system or network without any vulnerabilities.

Reactive defense needs specific information to prevent worms. Against known worms, security patches are applied to eliminate the vulnerability. The defense systems also try to detect anomalies in the packets' content to filter the malicious traffic. If the legitimate states can be clearly specified, reactive defense might be able to stop novel worms' spreading.

Local containment treats each individual machine as a potential suspect rather than a victim.
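The probing strategies of Section 2.1 side by side, as an added example rather than code from the thesis or from any worm: uniform random scanning, CodeRed-style localized scanning and hit-list scanning, with a helper that measures what fraction of probes stay inside the scanner's own /8 and /16. The thesis states only that CodeRed probes a random address with probability 1/8 and otherwise stays in its own class A or B network; the 4/8 vs 3/8 split between those two used in the code, the local address and the hit list are assumptions.

```python
"""Target selection for the probing strategies of Section 2.1.

Added example, not code from the thesis. Uniform random scanning, CodeRed-style
localized scanning and hit-list scanning are implemented side by side so their
locality can be compared. The thesis only states that CodeRed probes a random
address with probability 1/8 and otherwise stays in its own class A or B
network; the 4/8 vs 3/8 split between the two used below is an assumption.
"""
import ipaddress
import random


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def same_prefix(a, b, bits):
    """True when the two 32-bit addresses share their first `bits` bits."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (a & mask) == (b & mask)


class Scanner:
    """Generates probe targets for one infected host at `local_ip`."""

    def __init__(self, local_ip, seed=1):
        self.local = ip_to_int(local_ip)
        self.rng = random.Random(seed)  # seeded so runs are repeatable

    def random_target(self):
        """Uniform random scanning: any of the 2^32 addresses."""
        return self.rng.getrandbits(32)

    def localized_target(self, p_random=1 / 8, p_same_b=3 / 8):
        """Localized scanning in the CodeRed style: 1/8 fully random, the rest
        inside the local class B (/16) or class A (/8) network."""
        r = self.rng.random()
        if r < p_random:
            return self.random_target()
        if r < p_random + p_same_b:
            return (self.local & 0xFFFF0000) | self.rng.getrandbits(16)
        return (self.local & 0xFF000000) | self.rng.getrandbits(24)

    def hit_list_targets(self, hit_list, n):
        """Hit-list scanning: the pre-collected list first, random afterwards."""
        targets = [ip_to_int(h) for h in hit_list]
        while len(targets) < n:
            targets.append(self.random_target())
        return targets[:n]


def locality(scanner, next_target, n):
    """Fraction of `n` probes that land in the scanner's own /8 and /16."""
    in_a = in_b = 0
    for _ in range(n):
        t = next_target()
        in_a += same_prefix(t, scanner.local, 8)
        in_b += same_prefix(t, scanner.local, 16)
    return in_a / n, in_b / n


if __name__ == "__main__":
    # Constructed local address; any enterprise host would do.
    s = Scanner("10.20.30.40", seed=7)
    print("random    (/8, /16):", locality(s, s.random_target, 20000))
    s = Scanner("10.20.30.40", seed=7)
    print("localized (/8, /16):", locality(s, s.localized_target, 20000))
    hl = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]  # constructed hit list
    first = Scanner("10.20.30.40").hit_list_targets(hl, 4)
    print("hit-list first probes:", [int_to_ip(t) for t in first[:3]])
```

Random scanning lands in the scanner's own /8 about one probe in 256, whereas the localized scheme keeps roughly 7/8 of its probes inside the /8 and 3/8 inside the /16. That concentration is what makes a worm like CodeRed burn through an enterprise LAN far faster than its Internet-wide rate suggests, and it is the kind of traffic a defense in this testbed has to recognize against replayed background traffic.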
The defense systems monitor the outgoing traffic and prevent an infected machine from attacking the rest of the network. The throttling schemes do not focus on extinguishing the worms, but on greatly slowing their spreading speed [25, 31, 36]. The efficiency of throttling highly depends on the deployment ratio [17]. If the defense systems can be ideally deployed in the entire network, the outbreak of worms can be greatly contained.

2.3 Other Evaluation Testbeds

There exist several limits that encumber the evaluation of security mechanisms.

• Lack of representative data: The traffic, topology and protocols on the networks are too complicated to construct reasonable artificial data. On the other hand, few enterprises or ISPs share their data with the public, due to privacy concerns.

• Deficiency of malware simulation: Researchers have tried to validate security mechanisms by mathematical models of worm spreading. However, theoretical analysis is not convincing from the system view and the evaluation results are sometimes vague.

• Problem of evaluation in the real world: Evaluation can be done in a real network with authentic traffic and malware spreading (if there is any). The problems of such a test include 1) the immature defense system might hinder the legitimate traffic; 2) the testing procedure cannot be repeated, which makes the evaluation results hard to verify; 3) the test network might not have the target worms, and malicious code cannot be released to infect real users.

How to clearly evaluate a defense system is still a dilemma for security researchers. Several testbeds have been constructed to facilitate research into anti-worm techniques.

2.3.1 vGround

vGround [22] is a virtualized environment to investigate worms' behaviors. The design intention is to observe, record and analyze the exploitation patterns of worms. Virtual machines running real-world operating systems and application programs can be created and torn down easily. Virtual end nodes, switches and routers form the virtual networks, where the malicious worm code is released and propagates. The playground provides a conventional way to identify the probing behavior of worms. The technique of User-Mode Linux (UML) [10] is chosen to support the virtual environment, which may contain several hundred virtual hosts in a single physical machine.
Link-layer network virtualization makes the playground an isolated sandbox and prevents the worms from leaking to the outside world. However, the only network traffic in the testbed is the worms' propagation. Background traffic is not simulated or replayed in vGround, since the concern focuses on the malicious packets containing worms' payload. The lack of background data makes vGround unsuitable for evaluating new defense mechanisms.

2.3.2 DETER

The DETER testbed is designed for medium-scale repeatable experiments in computer security [15].

Figure 2.1: Scheme of DETER testbed [15] (diagram: Internet, ISI cluster and UCB cluster behind firewalls, 'User' and 'Boss' servers, control network, Cisco/Nortel and Foundry/Nortel switches)

The testbed is implemented in Emulab [2], where users have root privilege on a cluster of physical machines. As shown in Figure 2.1, OS images and file systems can be easily loaded from a 'User' server. The test nodes are connected by switches to construct the experimental networks. The deployment of real-world machines to evaluate defense systems offers high fidelity to security researchers. In order to enable remote access and confine the malicious code within the testbed environment, several guard methods are deployed in DETER, including placing firewalls and intrusion detection systems on the outgoing path to monitor and filter the traffic. The purpose of DETER is to provide a flexible and safe experiment environment to test defense mechanisms against dangerous malware.

DETER is a general prototype for security experiments. It does not specify detailed implementations such as background replay or allocation of defense systems. Without virtualization techniques, the physical hosts will be compromised by worms, which aggravates the security problems. The control network is a weak point that could potentially be attacked by worms. The experiments also suffer from hardware restrictions, such as the number of physical network devices being fixed or the switches not being programmable by users.

2.3.3 Flexlab

Flexlab [28] tries to combine the advantages of PlanetLab (with real network conditions) and Emulab (with root privilege on the machines).
As shown in Figure 2.2, the rough idea is to monitor the traffic in PlanetLab (indicated as the network model part), and then set up the corresponding application services in Emulab to replay the traffic with the same statistical characteristics, such as packet loss and latency. Meanwhile, Emulab grants complete control over the experiment. However, Flexlab does not support running malware, i.e. the emulation of worm propagation is not embedded in the system. Therefore, Flexlab is insufficient for security experiments.

Figure 2.2: Scheme of Flexlab testbed [28]

Anti-worm researchers look forward to an evaluation environment with realistic network conditions and malware propagation. Our testbed is designed to fill this requirement.

Chapter 3

A Testbed to Validate New Enforcement Architectures

In this chapter, we present the basic structure of our testbed with the technology of virtualization. The overall goal of the evaluation system is to validate the enforcement architectures. An example of a generic testbed is shown in Figure 1.1, where the defense systems make judgements about whether the traffic in the network is normal or part of a worm's attack. The detection accuracy and the throttling impact are good measures of the defense ability of the anti-worm system.

3.1 Enforcing Fine-grained Security Policies

Conventional firewalls are widely used to protect an enterprise network.
They focus on providing perimeter defenses, and the internal local network is isolated from the outside Internet. It is already hard enough for the network administrators to set firewall rules, make proper configurations and update software. Moreover, worms might be introduced into the local network by mobile devices, such as laptops. If a host is infected, the firewall is not effective in protecting the other machines from the worm attacks.

A technique used to overcome this problem is to watch all the individual machines [36]. Our assumption [12] is that an infected machine will try to connect to different machines as fast as possible. But an uninfected machine has a different behavior: the connections are made at a lower rate and are locally correlated. Monitoring the network can detect the abnormal traffic. The majority of the communication in enterprise networks uses the client-server model. The server side usually uses fixed port numbers (a.k.a. well-known ports) for the clients to initiate the connections. In [25], the coupling information of servers, clients and ports is extracted by clustering methods. If a host suddenly sends many requests to addresses and ports which scarcely appear in its connection history, an alert will be set on that host to indicate a suspect.
But some application programs will use temporarily constructed ports for communication (called ephemeral ports). For example, FTP is a service that utilizes two ports, a 'data' port and a 'command' port (a.k.a. the control port) [3]. Traditionally, on the server side the command port is 21 and the data port is 20. But when communicating in passive mode, the server sends its data port to the client and the client side will initiate the connection. The data port is specified in the command channel rather than being fixed in advance. The security mechanism in [25] currently cannot correlate the traffic using ephemeral ports with the corresponding command traffic. If a fine-grained security policy is developed to track the states of the connections using ephemeral ports, it has the potential to greatly improve the detection accuracy.

In order to monitor individual hosts and implement the fine-grained policies, we need to attach the defense systems close to each end host to inspect the outgoing illegitimate traffic. The underlying hardware devices are assumed to have sufficient processing ability to analyze the packets (at layer 3) and to be cheap enough to be widely deployed in a local network.
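The connection-history check described above, extended with the passive-mode FTP correlation that a fine-grained policy would need, as an added Python example (not code from the thesis or from [25]; the flow records, the window length and the novelty threshold are constructed assumptions):

```python
"""Connection-history anomaly detection with FTP passive-mode correlation.
Added example, not code from the thesis or from [25]; the flow records are
constructed inline and the window and novelty threshold are assumptions."""
import re
from collections import defaultdict, deque

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the command channel
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
FTP_CONTROL_PORT = 21


class HostMonitor:
    """Flags a host that, within a short window, opens too many connections to
    (address, port) pairs that never appeared in its own history."""

    def __init__(self, window=10.0, max_novel=5):
        self.window = window                # seconds (assumed value)
        self.max_novel = max_novel          # novel pairs per window before alerting (assumed)
        self.history = defaultdict(set)     # src -> {(dst, dport)} seen before
        self.recent = defaultdict(deque)    # src -> timestamps of recent novel connections
        self.expected = set()               # (client, server, data_port) announced via PASV
        self.alerts = []                    # (time, src, novel_count_in_window)

    def train(self, records):
        """Learn each host's normal (dst, dport) pairs from a benign trace."""
        for _t, src, dst, dport, _reply in records:
            self.history[src].add((dst, dport))

    def _learn_pasv(self, client, server_reply):
        m = PASV_RE.search(server_reply)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.expected.add((client, host, port))

    def observe(self, t, src, dst, dport, server_reply=""):
        """Process one outgoing connection; return True if it raised an alert."""
        # Fine-grained policy: a data connection whose ephemeral port was
        # announced on the command channel is correlated with it, not novel.
        if (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))
            self.history[src].add((dst, dport))
            return False
        if dport == FTP_CONTROL_PORT:
            self._learn_pasv(src, server_reply)
        novel = (dst, dport) not in self.history[src]
        self.history[src].add((dst, dport))
        if not novel:
            return False
        recent = self.recent[src]
        recent.append(t)
        while recent and t - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_novel:
            self.alerts.append((t, src, len(recent)))
            return True
        return False


def run_demo():
    """Constructed trace: one benign FTP client and one scanning host."""
    benign = [
        (0.0, "11.1.1.2", "11.1.1.4", 80, ""),
        (1.0, "11.1.1.2", "11.1.1.5", 21, ""),
        (2.0, "11.1.1.2", "12.1.1.2", 25, ""),
    ]
    mon = HostMonitor()
    mon.train(benign)
    # Passive-mode FTP: the server announces data port 200*256+10 = 51210.
    mon.observe(10.0, "11.1.1.2", "11.1.1.5", 21,
                "227 Entering Passive Mode (11,1,1,5,200,10)")
    mon.observe(10.1, "11.1.1.2", "11.1.1.5", 51210)
    # Infected host 12.1.1.3 probes eight never-contacted addresses on port 445.
    for i in range(8):
        mon.observe(20.0 + 0.1 * i, "12.1.1.3", "11.1.1.%d" % (10 + i), 445)
    return sorted({src for _t, src, _n in mon.alerts}), mon
```

Without the PASV correlation the client's connection to port 51210 would count as a novel pair; with it, only the scanning host crosses the threshold.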
Routers have great processing ability, but they are usually configured only at the main passageway of a local network, and it is impractical to connect each machine to a single router. Switches are already universally deployed in the network to link machines or subnets, but most of them deal with layer 2 data only. It is natural to develop a kind of smart switch with the ability to process the packets at layers 3 & 4. Accordingly, our testbed is required to easily support these layer 3 smart switches which embed the worm defense systems.

3.2 Virtualization Implementation

Due to the problems stated in Section 1.2, it is hard to construct a security testbed with physical machines. System virtual machines, i.e., virtualizing software emulating hardware abstractions [29], are a natural choice to support such a testbed.

3.2.1 Virtual Machines

A virtual machine (VM) is implemented by adding a layer of software to a real machine to support the desired virtual machine's architecture [29]. It provides users the illusion that an operating system or application runs on the real hardware. A typical structure of a virtual machine is shown in Figure 3.1.
Figure 3.1: A system virtual machine [29]

The underlying platform is called the host, which provides hardware interfaces to the upper layers of software. The virtualizing software, usually referred to as the virtual machine monitor (VMM) or hypervisor, sits between the physical hardware and the conventional system software. On top of the VMM reside the guest operating systems and processes, which provide the desired functionality to the users. The VMM fills the gap between the hardware platform and the guest system software, as shown in the right part of Figure 3.1, so the guest systems are unaware of the virtualizing software and execute as on the actual hardware. Multiple guest operating systems can run simultaneously on one physical host and share the underlying hardware resources. The VMM emulates many kinds of resources, including CPU, memory, storage, networking, I/O, etc., to support the guest systems. Some of the emulated resources cannot exceed the limit of the physical hardware, such as the total available CPU cycles or the memory size, while other virtual devices are not affected by such restrictions, e.g., we are able to attach many NICs to a virtual machine. This flexible resource allocation allows us to scale the virtual machines to fit our experiment.
With our concerns for security evaluation, we could create different versions of Windows, Linux or Mac systems with worm-exploitable vulnerabilities, and load the needed images into the virtual machines for evaluation.

3.2.2 Virtual Network

Since our research target is worm spreading, a virtual network environment, including cables, end hosts and routers, is required to support the experiment. Due to efficiency and security considerations, we implement the data-link layer in the virtualized network, which is similar to that in [22]. An example network configuration is demonstrated in Figure 3.2.

[Figure 3.2 image: Virtual Host 1 (11.1.1.2), Virtual Host 2 (11.1.1.3), a Virtual Router (11.1.1.1 and 12.1.1.1), Virtual Host 3 (12.1.1.2) and Virtual Host 4 (12.1.1.3), spread over VMM 1 and VMM 2, which are linked through real network devices]
Figure 3.2: A virtualized network

The blank boxes are virtual machines, which are located in different physical machines. The virtual network will allow the virtual hosts, such as Virtual Host 1 (VH1), Virtual Host 2 (VH2) and Virtual Host 3 (VH3), to communicate with each other. Each virtual machine has one or several virtual NICs, indicated by the striped boxes. First, we demonstrate how to connect the virtual machines hosted in one physical machine. The link-layer virtualization is implemented by attaching the virtual network devices to the Linux bridges, which are indicated by the black boxes. The Linux bridges are layer 2 devices which will forward all received frames to all but the incoming port. They function as real-world cables to link the network devices together, so the Ethernet data can be transferred from one end to the other.
As shown in Figure 3.2, a data-link path is then constructed from VH1 and VH2 to the virtual router, so all virtual machines with IP addresses in the same subnet can access each other. During the forwarding process, packets will not traverse up to the IP layer, which is more efficient as resolving the headers of higher-layer protocols is not necessary. Although it is possible to support hundreds of guest systems in one single physical machine, the virtual machines are sometimes located in different physical hosts due to resource limitations or special requirements. In order to communicate between virtual hosts in different physical machines, the hardware network devices (shown as grid boxes) connect the internal virtual network and the outside real-world cable. Since no IP addresses are assigned to the physical network devices, the data-link layer virtualization is maintained. By this means, the virtual machines in the same subnet but on different physical machines can communicate with each other. If there is more than one network segment in the experiment, we need to bring up virtual routers, and they will function as real-world routers to route the packets at layer 3. Then the virtual hosts in different physical machines and in different subnets are able to talk to each other.
The simulated network allows the virtual hosts to send packets through the TCP/IP stack, carries the data through the intermediate network and eventually makes the packets arrive at the destination. The virtual hosts are unaware of the underlying software-implemented connections. We can manipulate the MAC addresses, IP addresses and routing tables of the end hosts, deploy various routing algorithms on the virtual routers, and thereby configure whatever network topology is necessary to facilitate a good experiment.

3.3 Testbed Structure

Currently we assume that the testbed is a closed environment, i.e., there are no network connections to the outside world and users are required to be physically at the testbed to use it. We will remove this restriction in Section 4.3. Our implementation is illustrated by the small-scale example in Figure 3.3. The worm experiments actually run in the virtual hosts and the virtual networks, and are supposed to be contained in our test environment.

There are 3 physical machines in our example. The dotted boxes represent physical hosts. The solid rectangles with 'VM' are the virtual machines supported above the hardware. The black boxes are the standard Linux bridges which connect the virtual hosts (including the virtual switches and virtual routers). They not only act as virtual cables for network connections, but play an important role in replaying the background traffic as well. That is the reason why each Linux bridge is only attached to 2 virtual network devices in our architecture. The virtual switches (the shaded boxes in Figure 3.3) are not a prerequisite for allowing the packets through the network, since Linux bridges are enough to glue all the virtual hosts (including the virtual router) together. We build this kind of special virtual machine for the embedded defense system to filter the traffic in the virtual environment.

[Figure 3.3 image: physical nodes nodeA, nodeB and nodeC; VMs 11.1.1.2, 11.1.1.4 and 11.1.1.5 on the 11.1.1.* segment, VMs 12.1.1.2 and 12.1.1.3 on the 12.1.1.* segment, two virtual switches, and a virtual router with interfaces 11.1.1.1 and 12.1.1.1]
Figure 3.3: Topology of the worm experiment

In Figure 3.3, we assign 2 network segments to construct the virtual networks, 11.1.1.* and 12.1.1.*. There is a virtual router in nodeC to connect those 2 virtual subnetworks. Due to the virtualized implementation, the virtual hosts could be placed on any physical machine, as long as we configure the routing tables and the underlying bridge connections correctly. Each virtual host attaches to a bridge which leads to a virtual switch. Since the bridges will record the MAC addresses on their sides and forward the packets to the corresponding ports, an individual virtual host will only receive the packets sent to its address, and is unable to eavesdrop on traffic destined to others. Once the worm code is put in some of the virtual hosts, it will begin to propagate on its own in the virtual network and infect the vulnerable systems.
The dumped background traffic is injected from the Linux bridges. Then the defense mechanisms running in the virtual switches will take care to monitor and filter the traffic.

3.4 Deployment of Defense Systems

All our effort is directed at constructing a convenient and realistic environment to evaluate the defense ability of an anti-worm system. Unlike the conventional firewall-based defense systems, the switch-based mechanism (as stated in Section 3.1) aims to isolate each end host from the rest of the network. The rough idea is that once an individual machine is convicted of sending abnormal traffic, the packets from that machine will be throttled or even blocked. In order to develop such a defense mechanism, we need smart switches placed between each corresponding end host and the rest of the network.

Since smart switches are the key elements of our defense technology, we need to decide how to implement them in the evaluation testbed. The virtual switches (the shaded boxes in Figure 3.3) are implemented with full virtual machines, which run the typical operating systems and application programs. Multiple virtual network cards are assigned in such switches, each of which connects a virtual end host via a Linux logical bridge.
In order to maintain the data-link layer virtualized network, a virtual wire is constructed within the virtual switches, i.e., a bridge is generated in each virtual switch to connect its virtual NICs as well. Then the packets will traverse the switches and be forwarded to the destination. The virtual smart switches have the following capabilities, which make them fit the purpose of security evaluation.

• Since the virtual switches are standard virtual machines, they provide a flexible platform to install the user-specified defense systems. Many application programs and libraries are available for users to filter the packets. The straightforward method is to set up firewall rules to filter the traffic, and researchers are encouraged to develop their own defense algorithms;

• When listening on the bridge within a switch, all the passing traffic from the end hosts linked to that switch can be captured. The switches are able to monitor the packets and run arbitrarily complicated algorithms to analyze the traffic;

• Because the number of network devices created in a virtual machine has no hard limitation (theoretically), we can configure the virtual network and connect each virtual switch to as many end hosts as necessary. Users are thus able to collect the packets of several end hosts of interest in a single virtual switch and make the judgement based on the overall traffic, as long as those virtual hosts are connected to the same switch.

We assume that the anti-worm systems on different 'smart' switches will not communicate with each other to detect and throttle the worms. Such a distributed defense system is not the focus of our work.

Chapter 4

Design Details

In this chapter, we further introduce the features of the virtual testbed and explain the design details, including the methods to capture the packets, to replay the background traffic, to prevent worm leakage and to allocate the resources for the domains, etc. All the design considerations are mainly based on the virtual infrastructure.

4.1 Key Technologies

4.1.1 Virtualization (Xen)

A number of virtual machine systems have been developed, which are able to virtualize the hardware so that several operating systems can share it. Such software products include VMware [11], Denali [34], Xen [14] and User-Mode Linux (UML) [10]. We choose Xen to support our testbed; however, the ideas can be applied using any other virtualization technology.

The reasons for utilizing Xen include: 1) Compared with other virtualization techniques, Xen achieves high performance on the x86 architecture.
The performance of guest systems over Xen is practically equivalent to the performance of the baseline Linux [14]; 2) Xen's motivation is to run a moderate number of full-featured operating systems, which fits our design to emulate a large network with various operating systems and implement the programmable 'smart' switches; 3) The underlying Xen hypervisor allows several options to manage the network connections. One of them is to run the networks with logical Ethernet bridges. Such a configuration is critical for us to implement the data-link layer connections and replay the background traffic; 4) Unmodified guest operating systems are enabled to run within Xen virtual machines, starting with Xen 3.0. Therefore, without making any changes in the guest systems, people can perform tests on worms exploiting vulnerabilities in different Unix-like systems and Microsoft Windows.

In Xen, the term guest operating system refers to one of the OSes that Xen can host, and we use the term domain to refer to a running virtual machine within which a guest OS executes [14]. A special domain, named domain0, is created in Xen to control and manage the other domains. In
domain0, we can configure, create, terminate, and monitor the virtual machines, and specify what resources are allocated to each domain.

4.1.2 Iptables & Ebtables

Linux systems provide a set of hooks within the kernel for intercepting and manipulating network packets. The filter framework at the IP layer is Iptables [4], while that at the Ethernet layer is Ebtables [1]. We can utilize either technology to implement the candidate defense algorithms and control the virtual network.

Ebtables works on the logical bridges. Kernel module code units, called chains, are attached to the different hooks in the bridge to process the packets, including the BROUTING, PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains, as shown in Figure 4.1(a).

[Figure 4.1 image: (a) ebtables chains: BROUTING (broute table), PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING, with the nat and filter tables and the local process and routing decision; (b) iptables chains]
Figure 4.1: Traversal scheme of network filters [1]

The packets will go through different chains based on their destination MAC addresses. In our testbed, we focus on the INPUT, FORWARD and OUTPUT chains. After the incoming frames pass the BROUTING and PREROUTING chains, if the bridge decides the frame is destined for the local computer, the frame will go through the INPUT chain.
Attaching to the INPUT chain allows us to filter the frames destined for the bridge before they are passed up to the network layer. Otherwise, the bridge will forward the frames to other machines and make them go through the FORWARD chain, where we can filter the bridged frames. Locally created frames will, after the bridging decision, traverse the OUTPUT chain, which allows us to filter the frames originating from the bridge box.

Iptables filters packets at the network layer. It has similar chains to process the packets, as shown in Figure 4.1(b). Our focus is still the three basic chains (INPUT, OUTPUT, and FORWARD), and the users can specify the filter rules based on the source or destination addresses, application-layer protocols, the network devices involved, etc. One of the important features built on top of Iptables is connection tracking. It allows the kernel to keep track of all logical network connections or sessions. The network connections of protocols using ephemeral ports could be traced by the defense systems to implement the fine-grained security policies stated in Section 3.1. The functionalities of Iptables and Ebtables are convenient for users to configure their own smart switches.
4.1.3 Implementation Infrastructure (Emulab)

In order to construct our testbed, several physical machines connected within a local network are required. Emulab [35] provides such an environment: fully-privileged machine nodes and an easily-configured network. There are other system and network emulators, such as Modelnet (which emphasizes scalability) [32] and PlanetLab (which emphasizes services) [5], but we choose to use Emulab for the following reasons.

1) Emulab provides realistic machines for users. Users are granted root privilege to install software, manipulate kernels and configure the hardware. The detailed hardware setting is described in [2]. It is noted that each node has 5 Intel EtherExpress Pro GigE Ethernet network interface cards. Four of them can be configured by users to form experimental networks; the remaining one is reserved for remote control by Emulab.

2) Emulab allows users to create their own custom OS images. Users can then specify to load them into the nodes automatically when an experiment is created. It is convenient for us to configure the physical machines running Xen and to adjust the scale of the testbed.

3) Users specify NS scripts to configure the experimental networks in Emulab.
High-speed Nortel switches are deployed to connect the end nodes automatically.

4.2 Background Traffic Replay

Realistic background traffic is critical to accurately evaluate the usability vs. security of an anti-worm mechanism, since the underlying intuition of detection is to find a good feature to distinguish normal traffic from malicious traffic. We will first capture the traffic in a real-world local area network (LAN) and then inject these network data into the testbed.

4.2.1 Data Collection

The pcap (Packet Capture) library provides an efficient way to capture the complete packet data transferred on the wire. The Linux version of pcap, libpcap [6], utilizes the BSD Packet Filter (BPF) [24] to receive and send raw link-layer packets and filter the packets at the kernel level. That utility fits our purpose of replaying the background traffic. The packets dumped via pcap are exact copies of the link-layer data from the network devices, e.g., a TCP packet including the Ethernet header, IP header, TCP header and the corresponding application data. Moreover, pcap will encapsulate the packet with its own header, where some important information, such as the packet capture time, is recorded. To collect the background traffic, we will listen on an enterprise LAN to dump the
p a s s i n g packet s . I n o r d e r t o m a p the t o p o l o g y o f a r e a l n e t w o r k i n t o the v i r t u a l e n v i r o n m e n t , it is r e q u i r e d to k n o w the list o f host addresses a n d h o w t h e y are c o n n e c t e d b y swi tches a n d router s . H o w e v e r , d u e to the p r i v a c y c o n s i d e r a t i o n , the I P a n d M A C addresses i n the en terpr i sze n e t w o r k m i g h t be r e p l a c e d b y ar t i f i c i a l ones , a n d the content at the a p p l i c a t i o n - l a y e r w i l l be c h a n g e d to r a n d o m bytes w h i l e b e i n g kept the s a m e l e n g t h . B e s i d e s the b i n a r y f o r m a t , a n o t h e r w a y o f s t o r i n g the traff ic t r a c e is to r e c o r d t h e m i n p l a i n text . T h e r e q u i r e d c o m p o n e n t s i n c l u d e p r o t o c o l s , addresses , p o r t s (if the packe t s are T C P or U D P ) a n d t i m e s t a m p s . D u r i n g the r e p l a y i n g process , the w h o l e packe t s are r e c o n s t r u c t e d f o r m the text d a t a t race . C o m p a r e d w i t h t c p d u m p d a t a , the t races i n t ex t f o r m a t n e e d m o r e t i m e i n the user - l eve l to p r e p r o c e s s the packet s , so we prefer the d a t a c o l l e c t i o n w i t h t c p d u m p [6] i n th i s thesis . 4.2.2 Pa cke t s R e p l a y T h e t c p d u m p f o r m a t d a t a c a n be d i r e c t l y sent o u t f r o m the n e t w o r k dev ices to the cables . If i n e a c h v i r t u a l hos t we r e p l a y the c o r r e s p o n d i n g packe t s w i t h the s a m e s o u r c e I P addres s as t h a t of the host , the o v e r a l l b a c k g r o u n d 34 Chapter 4. Design Details traff ic w i l l a p p e a r i n the v i r t u a l n e t w o r k a n d b e r e a d y for b e i n g a n a l y z e d b y the defense s y s t e m u n d e r test. 
However, the virtual hosts run various kinds of operating systems, so different programs would need to be developed for different systems. In order to avoid making changes in the virtual hosts, we move the replaying functionalities into the virtual machine monitor. In Figure 3.3, the packets are injected into the logical bridges close to the virtual hosts, instead of in the nodes themselves. A modified replaying program in Xen's hypervisor can handle all the replaying events. The whole data trace will be split based on the source IP addresses and each of the split dump files will be replayed on the corresponding bridge. For example, in Figure 4.2 the packets from VM A are sent out at the logical bridge which is connected to its domain. Layer 2 bridges forward the packets based on the destination MAC addresses. Then the replayed traffic will traverse the virtual network, go through the smart switches and arrive at the destination VM B.

Figure 4.2: Replay scheme (source VM A; smart virtual switch with the defense system; bridge 2, where the replayed packets are dropped; destination VM B)

If the replayed packets hit VM B, B might generate replies for some request packets. But the reply packets from VM B are in the dump file as well and will be replayed at bridge 2. Therefore the replayed packets from VM A must not actually be received by B.
In order to solve that problem, we enable the Ebtables function to drop the replayed packets from VM A at the bridge close to VM B. As the replayed packets will pass Ebtables' OUTPUT chain at the sending bridge, but go through the FORWARD chain at the receiving bridge, if we set the Ebtables rules as ACCEPT at the OUTPUT chain and DROP at the FORWARD chain for each bridge, all the packets to the end hosts will be dropped at the bridges. It is noticed that the live traffic between virtual hosts is blocked by the Ebtables rules as well, which disables the real worms spreading in the testbed. So we need to distinguish between the replayed traffic and the live traffic. The solution is to change some unused bits in the dumped packets' headers to a specified value. Once Ebtables detects such marked bits in the packets, they will not be forwarded at the bridge. Therefore, the replayed packets cannot reach the end hosts, but the live traffic between the virtual machines will come through the network without problem.

4.2.3 Synchronization for Causality

The replayed packets will be analyzed by the defense systems, so it is important to keep the packet causality of the connection. The sequence of the packets should not be messed up by the replaying process, e.g., the reply packets in a connection should not appear in the testbed before the corresponding request packets.
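The replay preparation of Section 4.2.2 (split the dump by source IP into one trace per bridge) together with the marking convention of Section 5.1 (replayed source MACs end in byte 0x22, live virtual hosts' MACs end in 0xdb), as an added Python example that is not the thesis's hypervisor replay program: it parses a classic libpcap byte image, splits and marks the frames, and emulates the bridge's FORWARD-chain decision that drops marked frames and forwards live ones. The two hosts, their MAC addresses and the three frames are constructed sample data.

```python
"""Added example, not the thesis's code: prepare a pcap trace for per-bridge
replay (Section 4.2.2) and emulate the Ebtables FORWARD-chain check that drops
marked replayed frames while forwarding live traffic (Sections 4.2.2 and 5.1).
All addresses and frames below are constructed sample data."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4     # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
REPLAY_MARK = 0x22          # last source-MAC byte of replayed frames (Section 5.1)
LIVE_MARK = 0xDB            # last MAC byte of the real virtual hosts (Section 5.1)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II header + minimal IPv4 header (no options) + payload."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(records):
    """Serialise [(sec, usec, frame), ...] as a classic pcap file image."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("=IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (capture time in seconds, frame bytes) from a pcap byte string."""
    magic, = struct.unpack_from("=I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from("=I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24                                   # the global header is 24 bytes
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from("=IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield sec + usec / 1e6, frame


def frame_addrs(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip); IPs are None for non-IPv4 frames."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return src_mac, dst_mac, None, None
    return src_mac, dst_mac, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def mark_source_mac(frame, mark=REPLAY_MARK):
    """Set the last source-MAC byte so the bridges can recognise a replayed frame."""
    return frame[:11] + bytes([mark]) + frame[12:]


def split_by_source(pcap_bytes):
    """One marked, timestamped trace per source IP: the dump replayed at that host's bridge."""
    per_host = defaultdict(list)
    for ts, frame in parse_pcap(pcap_bytes):
        _, _, src_ip, _ = frame_addrs(frame)
        if src_ip is None:
            continue                           # non-IP frames are not replayed
        per_host[src_ip].append((ts, mark_source_mac(frame)))
    return dict(per_host)


def forward_chain_accepts(frame):
    """Emulate the bridge FORWARD rule: drop marked (replayed) frames, forward live ones."""
    src_mac = frame_addrs(frame)[0]
    return src_mac[5] != REPLAY_MARK


# Constructed sample trace between the two DARPA hosts used in Section 5.2.
MAC_A = bytes.fromhex("00163e000a" + "%02x" % LIVE_MARK)
MAC_B = bytes.fromhex("00163e000b" + "%02x" % LIVE_MARK)
SAMPLE_PCAP = build_pcap([
    (1, 0,      build_frame(MAC_A, MAC_B, "172.16.112.20", "172.16.112.100", b"request")),
    (1, 500000, build_frame(MAC_B, MAC_A, "172.16.112.100", "172.16.112.20", b"reply")),
    (2, 0,      build_frame(MAC_A, MAC_B, "172.16.112.20", "172.16.112.100", b"ack")),
])

if __name__ == "__main__":
    for host, trace in sorted(split_by_source(SAMPLE_PCAP).items()):
        for ts, frame in trace:
            print(host, ts, frame_addrs(frame)[0].hex(), forward_chain_accepts(frame))
```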
In order to synchronize the packets, we monitor the traffic on the bridges during replaying. As shown in Figure 4.3, we demonstrate the communication between a host pair A and B, where the packets from A are labelled with English characters, and those from B are indicated by numbers. The first packet x is read in at both bridges. At the side of A, the replaying process finds out that x originated from A, so the packet is directly sent out to the network. The bridge at B analyzes the packet read in and figures out that x is destined to B. Then the program will listen on the bridge to wait for the incoming packet x from A. Once the bridge at B receives x, it will continue to process the next packet. After the recorded time interval, packet 1 will be sent at the bridge close to B. Meanwhile, the bridge at A is waiting for packet 1 to appear on the network. This issue-and-wait process will repeat in turn at the bridges of both sides. Therefore the traffic trace 'x, 1, 2, y, 3, z' is correctly replayed in the virtual network.

Figure 4.3: Synchronization for causality (Host A, Host B)

4.3 Isolated Details

Now that the actual worms are released in our testbed, the simplest way to guarantee no leakage of malicious code to the outside real world is to make the testbed isolated from other networks and run the experiments at the desk.
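The issue-and-wait synchronization of Section 4.2.3, with the recorded inter-packet gaps stretched by a time dilation factor as in Section 4.4.1, as an added Python simulation that is not the thesis's replay program: one thread per bridge reads the whole trace, issues its own host's packets after the (dilated) recorded gap and blocks until the peer's packets are seen, so a reply never overtakes its request. The trace 'x, 1, 2, y, 3, z' follows Figure 4.3; the gaps, the timeout and the lossy variant in the usage are constructed.

```python
"""Added example, not the thesis's replay program: simulate the issue-and-wait
synchronisation of Section 4.2.3 with one thread per bridge, stretching the
recorded inter-packet gaps by a time dilation factor (Section 4.4.1).
The trace below is constructed; packet names follow Figure 4.3."""
import queue
import threading
import time

# Constructed trace: (originating host, packet name, recorded gap to previous packet in s).
TRACE = [("A", "x", 0.00), ("B", "1", 0.01), ("B", "2", 0.01),
         ("A", "y", 0.01), ("B", "3", 0.01), ("A", "z", 0.01)]


class BridgeReplayer(threading.Thread):
    """Replays the whole trace at one host's bridge: issues that host's own packets and
    waits for the peer's packets to appear before moving on, so causality is preserved."""

    def __init__(self, host, trace, inbox, peer_inbox, wire, tdf=1.0, wait_timeout=1.0):
        super().__init__(name="bridge-" + host)
        self.host, self.trace, self.tdf = host, trace, tdf
        self.inbox = inbox              # packets this bridge observes on the network
        self.peer_inbox = peer_inbox    # where packets issued here become visible to the peer
        self.wire = wire                # shared, ordered record of everything issued
        self.wait_timeout = wait_timeout
        self.error = None

    def run(self):
        try:
            for owner, pkt, gap in self.trace:
                if owner == self.host:
                    # Own packet: keep the recorded gap, dilated by the TDF, then issue it.
                    time.sleep(gap * self.tdf)
                    self.wire.append(pkt)
                    self.peer_inbox.put(pkt)
                else:
                    # Peer's packet: block until it is actually seen on this bridge.
                    try:
                        seen = self.inbox.get(timeout=self.wait_timeout)
                    except queue.Empty:
                        raise RuntimeError("%s: peer never sent %s" % (self.host, pkt))
                    if seen != pkt:
                        raise RuntimeError("%s: expected %s, saw %s" % (self.host, pkt, seen))
        except RuntimeError as exc:
            self.error = exc


def replay(trace, tdf=1.0, trace_b=None):
    """Run both bridges on the trace (B may get its own copy to model a lost packet);
    return (packet order as issued on the wire, elapsed real-world seconds)."""
    wire = []                      # list.append is atomic under the GIL; enough for a simulation
    to_a, to_b = queue.Queue(), queue.Queue()
    a = BridgeReplayer("A", trace, inbox=to_a, peer_inbox=to_b, wire=wire, tdf=tdf)
    b = BridgeReplayer("B", trace_b or trace, inbox=to_b, peer_inbox=to_a, wire=wire, tdf=tdf)
    start = time.monotonic()
    a.start()
    b.start()
    a.join()
    b.join()
    for side in (a, b):
        if side.error is not None:
            raise side.error
    return wire, time.monotonic() - start


if __name__ == "__main__":
    order, elapsed = replay(TRACE, tdf=10.0)
    print("wire order:", ", ".join(order), "in %.2f s" % elapsed)
```

With tdf=10.0 the same order appears on the wire but the run takes ten times the recorded duration, which is the side effect noted in Section 5.2; if B's copy of the trace expects a packet A never issues, the waiting bridge times out and the error is reported instead of silently skipping ahead.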
However, users hope to remotely access and control the experiments. In this section, we investigate the methods to strictly confine the worms in the testbed with remote connection enabled.

4.3.1 Data-Link Layer Virtualization

Within our testbed the real worms reside in the virtual machines and try to infect the other vulnerable hosts. In case the physical machines running Xen were accessible by network connection from the virtual machines, they could be attacked or even compromised as well. The design of the virtual network (in Section 3.2.2) makes sure that will not happen. The virtual networks are implemented at the Ethernet layer. The transport network devices, including logical bridges, smart virtual switches and physical NICs for the experimental networks, do not have IP addresses, so they will forward the frames only based on the MAC addresses. So far no MAC-based worms have been discovered, i.e., the worms will scan the IP address space and exploit the vulnerability of the application services. Therefore the above-mentioned physical and virtual devices will not forward the packets up to the application layer. Especially, the scanning worms are not aware of the existence of the underlying physical machines, nor are they able to establish network connections with them. The worms, which launch network attacks, are unable to infect the supporting physical machines in the testbed.

4.3.2 VLAN Technique

There are many different experiments running in Emulab, and it would cause disaster if the worm traffic in our testbed could reach the physical machines in other experiments. The technique of VLAN (virtual LAN) alleviates such worries. The underlying networks in Emulab are constructed by physical (Nortel) switches attached to end physical hosts. The machines in one experiment will behave as if connected to the same link layer network, since the physical switches will forward packets only to those ports specified in the experimental VLAN. Therefore, the traffic in one experiment's VLAN will not appear in others. Even if the testbed is located on more than one physical machine, where the malicious traffic goes through the real-world wires, it is impossible for the worms to reach the physical machines in other experiments.

4.3.3 Remote Control

The remote control is a potential path for worms to leak to the outside world. Emulab deploys firewalls to isolate the testbed environment from the outside network. However, in order to block various kinds of malicious worms, the firewalls have to be updated with the worms' signatures. Our design fundamentally solves the security problem of enabling remote access to the testbed. In Emulab, each physical machine has a separate NIC for remote control. We take advantage of this architecture. Our configuration is that the NIC connected to the experimental network is not assigned any IP address, while the NIC for remote control will have its IP address. Moreover, the control NIC is not attached to any other network devices in Xen. Therefore the worms would have to go through the physical machines in order to attack the remote user via the control NIC. As long as the physical machines are not compromised (stated in Section 4.3.1), the remote control network is secure. The complete structure of our testbed is shown in Figure 4.4, where the network devices of eth2 are for the control network.

Figure 4.4: Structure of the worm experiment with remote control (nodeA, nodeB and nodeC, each with a virtual switch and virtual machines on eth0 in the 11.1.1.0 and 12.1.1.0 networks, a virtual router 11.1.1.1/12.1.1.1 between them, and eth2 as the control interface)

4.4 Resource Allocation

Since tens or hundreds of virtual hosts are supported in each physical machine, we need to reasonably allocate the resources for the domains to make the testbed run normally.
4.4.1 Time Dilation

We execute a user-level process for replaying the traffic between each pair of hosts. Suppose the number of end hosts is $N$; then there are $O(N^2)$ replaying processes. If the scale of the experiment is too large and the available physical machines are not enough, the traffic will not be replayed accurately and some packets will be lost. In order to reduce the CPU burden for processing the packets, we slow down the traffic replaying speed in domain0. Correspondingly, the time passage in the end hosts and the smart switches should be slowed down by the same factor as well. So we enable the time dilation [20] in Xen's guest domains. After a time dilation factor (TDF) is specified, the ticks in the domains will become TDF times those in the real world. As we set the TDFs of the replaying processes and of the guest domains to be the same, the guest domains (including the virtual end hosts and the virtual switches) feel no difference about the network events no matter whether the time dilation is enabled or not.

4.4.2 Parameter Setting

We assume that users will construct one smart virtual switch on each physical host. Suppose there are a total of $K$ physical machines involved in the testbed, $n_k$ is the number of virtual machines in physical host $k$ and $k_i$ indicates the $i$th virtual host in it ($i \le n_k$). Within the physical machine $k$, the required CPU resource for each virtual end host $k_i$ is $h_{ki}$; the CPU resource for the smart virtual switch is $s_k$; and the CPU resource for Xen (domain0) is $x_k$. Further, assume the total available CPU power on machine $k$ is $c_k$. Usually,

$$\sum_{i=1}^{n_k} h_{ki} + s_k + x_k > c_k,$$

i.e., the required resource is greater than the available resource. If we set the time dilation factor in machine $k$ as $T_k$ in the formula below, the domains in machine $k$ will have enough CPU resource.

$$T_k = \frac{\sum_{i=1}^{n_k} h_{ki} + s_k + x_k}{c_k}$$

In order to make the time passage on different physical machines consistent, we set the time dilation factor of the testbed as the maximum ratio over all physical machines, $T = \max_k T_k$. Such a setting will ensure that each domain has sufficient CPU resources.

Chapter 5 Evaluation

In order to evaluate the effectiveness of our testbed, we test the accuracy of the replaying procedure. The dumped real-world traffic reoccurs in the virtual network. Specifically, the experiments are performed with two main goals: to verify that 1) the replaying procedure maintains the packets' statistics, and 2) the time dilation will not impact the fidelity of the background traffic. We first describe the experimental setting in Section 5.1. The evaluation results are then presented in Section 5.2.
5.1 Experiment Setting

Since the raw packets on the network reveal the topology information and the application data, few enterprises or organizations are willing to share their LAN's internal traffic due to the above-mentioned privacy concerns. Fortunately, the appearance of the DARPA data set alleviates the problem of lacking data for security experiments.

The 1999 DARPA Intrusion Detection Evaluation Program [23] was prepared and managed by MIT Lincoln Labs. The purpose was to evaluate research in intrusion detection. Lincoln Labs set up an environment to acquire nine weeks of raw TCP dump data for a local-area network (LAN) simulating a typical U.S. Air Force LAN. As shown in Figure 5.1, hundreds of different types of users, including programmers, workers, managers and system administrators, etc., were emulated in the LAN. The network traffic involved over 20 kinds of services, including dns, finger, ftp, http, ping, pop, snmp and telnet. Therefore the characteristics of the automatically created traffic represent those of realistic traffic. Especially, the application services, such as email, ftp and web, are close to the real-world communication. The contents of the packets are mainly collected in 2 ways: one is from public documents, and the other is from syntax statistics.

Figure 5.1: DARPA simulated network [9]

Figure 5.2 shows the network structure of the 1999 DARPA intrusion detection evaluation program. The networks are partitioned into 2 parts: inside and outside. The air force LAN is emulated in the inside network, where 4 machines are set up as attacking targets with the OSs Linux 2.0.27, SunOS 4.1.4, Sun Solaris 2.5.1 and Windows NT 4.0 respectively. Meanwhile, a gateway is deployed to emulate hundreds of internal machines. In order to simulate the outside traffic, one machine emulates the traffic of the outside network; another machine is used to simulate web services. Although one significant feature of the DARPA evaluation program is that part of the data contains various typical network attacks, for the purpose of validating the fidelity of our replay mechanism it is sufficient to run the experiment on the attack-free data set.

Figure 5.2: DARPA network topology [9] (inside network, Eyrie AF Base: Cisco router, inside sniffer, Solaris, NT, Linux and SunOS victims; outside network, Internet: 1000's of emulated workstations and web sites, outside sniffer; collected data: file system dumps and sniffer data)

We show the average TCP connections during one day in Figure 5.3. Every day, about 441M bytes of data were transferred on the simulated network. The running time is roughly from 8:00 am to 6:00 pm. The major protocols include TCP (384M bytes), UDP (26M bytes) and ICMP (98K bytes). However, our replaying focuses on the internal communication, so we discarded the simulated outside traffic in the DARPA data trace. Then the size of the dump file reduces to 10% of its original size. Since our experiment only replayed the internal traffic in the DARPA data, we just reconstructed the 28 internal machines in our testbed, and didn't simulate the outside Internet (as shown in Figure 5.1).

Figure 5.3: Statistics of daily TCP services [9] (log-scale number of connections per service, including http, smtp, ftp, telnet, finger, pop3, time, ssh, ident and ftp-data)

Due to the function of gateways, the machines with different IP addresses do not have distinct MAC addresses in the DARPA data trace. So we manually constructed a mapping between MAC and IP addresses, and changed the corresponding MAC addresses in the dump files. As stated in Section 4.2.2, we mark the source MAC addresses in the dump files to end with byte 0x22, while the individual virtual hosts' MAC addresses end with byte 0xdb.
Therefore the Ebtables function on the intermediate virtual switches will not forward the replayed packets, but allow the live traffic through. For simplicity, right now we run all the experiments on a single test node in Emulab. The machine in UBC Emulab has an Intel(R) Pentium(R) 4 CPU 3.20GHz and 512M bytes memory. We set the minimum memory size for domain0 to 196M bytes and the memory size of the virtual smart switch to 128M bytes. The memory allocated for each virtual end host is 16M bytes, since the end hosts do not require too much resource for the replaying test.

5.2 Experiment Results

We first focus on the traffic replaying between 2 machines. We chose the hosts with IP addresses 172.16.112.20 and 172.16.112.100 in the DARPA data set as a communication pair. The connection of these 2 hosts is similar to the configuration in Figure 4.2. Hosts A and B are set with the 2 IP addresses, and the dumped packets are replayed at bridges 1 and 2 respectively. We monitored the replayed packets in the virtual switch to compare the throughput with the original data trace. The throughput of the original DARPA data is shown in Figure 5.4(a), which has a peak of around 140 packets per second. If we simply replay the packets regardless of the causality, the throughput on the network will be quite different. It will take a long time to replay at a lower rate, as shown in Figure 5.4(b). It is obvious that the replaying time is greatly delayed, and the peak throughput (37 packets per second) is decreased. When we correctly maintain the packets' sequence by waiting for the opponents' packets, the throughput (shown in Figure 5.4(c)) matches that in the DARPA data trace. As long as the processor has enough ability to process the dumped packets, the replayed traffic will have similar statistical characteristics to the original traffic.

Figure 5.4: Replaying between 2 machines (packets per second vs. time(s): (a) original DARPA data trace; (b) replaying traffic without causality synchronization; (c) replaying traffic with tdf=1.0)

Next we test the effect of time dilation on the replaying process. The replaying speed is slowed down by a factor of 10, and meanwhile the time passage in the virtual switch is slowed by the same factor. The throughput measurement in the virtual switch is shown in Figure 5.5. The result is still consistent with that in the DARPA data trace, so this verifies that from the point of view of the virtual machines, the replaying speed is not changed after time dilation.

Figure 5.5: Replaying between 2 machines with tdf=10.0 (packets per second vs. time(s))

We simulated the whole local network with the 28 hosts specified in the DARPA 99 trace as well. All the virtual hosts are connected to the single virtual switch. A segment of the data trace is shown in Figure 5.6(a). As the number of replaying processes has been dramatically increased compared to the previous experiment, the resources are not enough to execute the replaying processes. When we replayed the packets with a small TDF, e.g., TDF set to 3, the lack of resources caused much delay, as shown in Figure 5.6(b), i.e., the processing of the replaying packets cannot cope with the original traffic speed. When we increased the TDF to 10, the processing ability could handle the replaying speed. The result became better in Figure 5.6(c). The method of time dilation is effective to alleviate the resource limitation. However, a side effect is that the experiment will run TDF times longer.

Figure 5.6: Replaying in the whole DARPA network (packets per second vs. time(s): (a) original DARPA data trace; (b) replaying traffic with tdf=3.0; (c) replaying traffic with tdf=10.0)

Our experiments validate that the replaying mechanism will maintain the fidelity of the background traffic. Even with time dilation, the statistics of the traffic will appear the same from the view of the virtual machines.
Chapter 6 Conclusion & Future Work

In this thesis we proposed a virtual testbed to facilitate the evaluation of the usability vs. security of anti-worm algorithms. Our main contributions include: (1) The virtualized implementation allows the scale of the experiment to be expanded or reduced without hard limitation, e.g., tens or hundreds of virtual machines can be set up in a single physical host; (2) We maintain the high fidelity of the background traffic by deliberately replaying the dumped packets; (3) Since the real-world operating systems and application programs run in the virtual machines, we can introduce the realistic worm codes into the virtual environment and mix them with background traffic for testing; (4) The behaviors of the layer 3 switches are accurately emulated, so researchers can evaluate switch-based security policies in our testbed; (5) The malicious traffic is strictly confined within the testbed.

Our work is still an ongoing project, and we plan to address several future directions. First, the mixture of live and replayed traffic may cause some problems. For example, in a TCP session, the port numbers may conflict in the two different types of traffic. If some defense systems trace the connection based on the port numbers, such conflicts will confuse the defense system. Therefore, the replaying mechanism needs further adjustment when being combined with worm propagation. Second, currently we just built up the testbed on a single physical machine. In principle the virtual machines can be located on several different physical hosts. The emerging problems are how to reasonably assign the virtual machines to the given physical machines and whether users can change the assignment during the experiment. Finally, in order to verify the effectiveness of our testbed, we need to deploy some defense systems in our testbed and compare their defense abilities. Basically, the future direction is to make the testbed more flexible and reliable to evaluate the worm defense systems.

Bibliography

[1] Ebtables. http://ebtables.sourceforge.net/.
[2] Emulab. http://www.emulab.net/.
[3] Ftp rfc. http://rfc.net/rfc959.html.
[4] Iptables. http://www.netfilter.org/.
[5] Planetlab. http://www.planet-lab.org/.
[6] Tcpdump. http://www.tcpdump.org/.
[7] CERT. CERT advisory ca-2001-26 nimda worm. http://www.cert.org/advisories/ca-2001-26.html.
[8] eEye Digital Security. http://www.eeye.com/html/research/advisories/al20010717.html.