Title: Stamping out worms
Author: Miguel Castro
Abstract: Worms can compromise a large number of hosts very fast. These attacks can have devastating consequences ranging from financial losses to disruptions in critical services. It is crucial that we develop and deploy techniques to prevent these attacks. This is not a new challenge but we still do not have a solution and the problem remains as serious as ever. It is important to do research on systems that can contain worm outbreaks because we are unlikely to remove all bugs from network-facing services. Worm containment must be automatic to have any chance of success because worms spread too fast for humans to respond; for example, the Slammer worm infected more than 90% of vulnerable hosts in 10 minutes. There has been a lot of research on network-level approaches to automatic worm containment but these approaches have fundamental limitations. It is hard to provide guarantees on the rate of false positives and false negatives with these approaches because there is no information about the bugs exploited by worms at the network level. False positives may cause network outages by blocking normal traffic and false negatives allow the worm to escape containment. We believe that automatic containment systems will not be widely deployed unless they have a negligible false positive rate and a low impact on performance. We propose that more research be devoted to host-based containment systems. These systems can analyse infection attempts to reduce both false negatives and false positives. The Vigilante system [SOSP05] provides a step in this direction. It provides an architecture where some hosts run worm detectors and alert other hosts when they detect a worm. Alerted hosts generate filters automatically that block the worm with very low impact on application performance. Vigilante ensures that there are no false positives by design.
There are several important areas that need further research to meet this challenge:
- More and better software instrumentation techniques to detect infection attempts. These techniques should be applicable to arbitrary programs and should have low false negative and false positive rates. A detection engine with low overhead could be universally deployed to eliminate the need to propagate alerts, and it may be possible with hardware support.
- Robust automatic protection mechanisms for hosts. These mechanisms should be able to block all variants of polymorphic worms while running all legitimate requests with low overhead. Filter generation with a combination of static analysis and dynamic analysis of infection attempts appears promising, but many approaches are possible.
- Fast dissemination of alerts. Alert dissemination must be fast because there is a race between alert dissemination and the worm. It is important to combine network-level throttling of worm propagation with fast content distribution mechanisms to win the race against flash worms.
- Techniques to recover compromised hosts. Some hosts will be compromised because worm containment will never be perfect. It is important to prevent this from stopping critical services or causing the loss of important data. Byzantine fault tolerant replication may provide a solution to this problem.
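To make the race between the worm and alert dissemination concrete, the following is an added example, not code from the paper or from Vigilante: a mean-field model of the detector/alert/filter architecture described in the abstract. All rates (worm contacts per infected host per minute, alerts per protected host per minute, the fraction of hosts running detectors) are constructed values chosen for illustration.

```python
"""Mean-field race between a worm and host-based alert dissemination.

Hosts are tracked as fractions of a population of size 1.0. A worm contact
on an ordinary host infects it; a contact on a detector host is caught and
turns the detector into a protected host that starts pushing alerts. A host
that receives an alert installs a filter and can no longer be infected.
Recovery of already-infected hosts is out of scope here.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    infected: float   # final fraction of hosts the worm compromised
    protected: float  # final fraction of hosts that installed a filter


def simulate(beta: float, alpha: float, detectors: float,
             i0: float = 1e-4, dt: float = 0.01, horizon: float = 60.0) -> Outcome:
    """beta: worm contacts per infected host per minute (constructed);
    alpha: alerts sent per protected host per minute (constructed);
    detectors: fraction of hosts running a detector (constructed)."""
    s = 1.0 - i0 - detectors  # susceptible hosts without a detector
    d = detectors             # susceptible hosts with a detector
    i = i0                    # infected hosts
    p = 0.0                   # protected (filtered) hosts
    t = 0.0
    while t < horizon:
        # worm contacts land on uniformly random hosts (forward Euler step)
        infect = min(s, beta * i * s * dt)
        caught = min(d, beta * i * d * dt)
        # alerts also land on random hosts; only susceptible ones change state
        alert_s = min(s - infect, alpha * p * s * dt)
        alert_d = min(d - caught, alpha * p * d * dt)
        s -= infect + alert_s
        d -= caught + alert_d
        i += infect
        p += caught + alert_s + alert_d
        t += dt
    return Outcome(infected=i, protected=p)


def compare(beta: float = 1.0, detectors: float = 0.01) -> dict[float, float]:
    """Final infected fraction for several alert/worm speed ratios."""
    return {ratio: simulate(beta, ratio * beta, detectors).infected
            for ratio in (0.0, 0.5, 1.0, 2.0, 4.0)}


if __name__ == "__main__":
    for ratio, frac in compare().items():
        print(f"alerts {ratio:>3}x worm speed -> {frac:6.1%} of hosts infected")
```

The output shows why dissemination speed matters: alerts that spread no faster than the worm leave most hosts infected, while alerts that spread a few times faster contain the outbreak to a small fraction.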