Computer Science Department
School of Computer Science, Carnegie Mellon University


Sting: An End-to-End Self-healing System for Defending
against Zero-day Worm Attacks on Commodity Software

James Newsome, David Brumley, Dawn Song

November 2005
Last updated June 2006


Keywords: Sting, worms, exploits, self-healing

Complex computer systems are plagued with bugs and vulnerabilities. Worms such as SQL Slammer and hit-list worms exploit vulnerabilities in computer programs and can compromise millions of vulnerable hosts within minutes or even seconds, bringing down vulnerable critical services.

In this paper, we propose an end-to-end self-healing approach to achieve the following goal: for a large class of vulnerabilities and attacks, we can protect a large fraction of critical services and keep them highly available even in the case of a zero-day hit-list worm. Moreover, our techniques do not require access to source code and thus work on COTS software. We achieve this goal by designing an end-to-end self-healing approach: (1) programs use lightweight techniques to efficiently self-monitor their execution behavior and reliably detect a large class of errors and exploits, (2) we use sophisticated techniques to self-diagnose the root cause of detected errors and exploits, (3) programs self-harden to be resilient against further attacks on the same vulnerability, and (4) programs safely and efficiently self-recover to a safe state. Self-hardening does not produce false positives on legitimate traffic, and adds little performance overhead.

Moreover, our approach allows a community of nodes to efficiently share Self-Verifiable Antibody Alerts (SVAAs), which are produced by the self-diagnosis engine. Nodes can verify that SVAAs fix real vulnerabilities without trusting the SVAA senders, and can self-harden quickly and efficiently based upon SVAAs. By employing a new approach that combines proactive protection and reactive antibody defense, we show for the first time that it is possible to protect vulnerable programs and enable critical services to remain undisrupted even under extremely fast worm attacks such as hit-list worms.

31 pages
