
Backtracking Intrusions

Introduction
- Rapidly increasing frequency of computer intrusions
- Common routines for system administrators:
  (1) Understand how an intruder gained access to the system
  (2) Identify the damage inflicted on the system
  (3) Fix the vulnerability; undo the damage
- This paper presents BackTracker, a tool for (1)

How to detect an intrusion
- TripWire: detects a modified system file
- Firewall: detects port scans, denial-of-service attacks
- Sandboxing tool: notices unusual patterns of system calls

Find how the compromise took place
- System/network logs and disk states
  - Unexpected output
  - Deleted or forgotten attack toolkits on disk
  - File modification dates
- Limitations
  - Logs show only application-specific info (HTTP, login)
  - Show little about what occurred after the initial compromise

Find how the compromise took place
- More limitations
  - Network logs may contain encrypted data
  - Disk images may contain useful info about the final state, not a complete history of what transpired during the attack

BackTracker
- Identifies chains of events, leading to a quicker identification of the vulnerability
- Logs system calls
- Induces dependencies between OS objects (e.g., processes, files)
- Provides helpful info for most attacks
- Two components
  - Online: event logging
  - Offline: event visualization

Design of BackTracker
- Goal: reconstruct a timeline of events that occur in an attack
- Example: Apache web server (httpd) creates a shell (bash), downloads an executable, and runs the executable using a different group identity

[Figure: dependency graph of the example attack. Legend: process, file, socket, detection point, fork event, read/write event]

Alternatives
- Application-level logs: provide no information about the attacker's own programs
- Network-level logs: useless for an encrypted data stream
- Low-level event logs: useful information cannot be extracted quickly

BackTracker
- Monitors OS-level objects
  - Files
  - Filenames
  - Processes
- Events (system calls)

Objects
- BackTracker analyzes processes, files, and filenames
- Process
  - Identified by a PID and a version number
  - Tracked from fork() to exit()/execve()
- File object
  - Identified by a device, an inode number, and a version number
  - Tracked across rename operations

Objects
- Filename object
  - Directory data
  - Identified uniquely by an absolute path

Potential Dependency-Causing Events
- A dependency relationship is specified by three parts
  - Source object
  - Sink object
  - Time interval
- Source → Sink
- An event starts when the system call is invoked and ends when the system call returns

Process/Process Dependencies
- One process can affect another by
  - Creating it via fork() (parent → child)
  - Sharing memory with it via clone() (parent ↔ child)
  - Signaling it

Process/File Dependencies
- Process → file
  - Write-like system calls (chown, chmod, utime)
  - Mapping a file write-only
- File → process
  - Read-like system calls (fstat, open, chdir, unlink, execve)
  - Mapping a file read-only
- Process ↔ file
  - Mapping a file read-write

Process/File Dependencies
- A child process inherits its parent's dependencies

Process/Filename Dependencies
- Examples
  - Delete a configuration file, so a system falls back to the insecure default configuration
  - Swap names of current and backup password files
- Filename → process
  - System calls that include a filename argument: open, creat, link, unlink, mkdir, rename, rmdir, stat, chmod
  - readdir

Process/Filename Dependencies
- Process → filename
  - System calls that modify a filename argument: creat, link, unlink, rename, mkdir, rmdir, mount

Dependency Graphs
- How to select the objects and events in the graph that relate to the attack
- Assume that the administrator can identify at least one detection point
  - Modified, extra, or deleted file
  - Suspicious or missing process
- GraphGen reads a log of events in reverse time order
- Uses a time threshold to determine whether an event is relevant to an object

Dependencies Tracked by Current Prototype
- Affecting an object vs. controlling an object
- BackTracker focuses on high-control events
  - Process creation through fork or clone
  - Load and store to shared memory
  - Read and write of files and pipes
  - Receiving data from a socket
  - Execve of files
  - Load and store to mmap'ed files
  - Opening a file

Dependencies Tracked by Current Prototype
- Examples of low-control events
  - Changing a file's access time
  - Creating a filename in a directory
- Tend to generate lots of noise in the dependency graph
- An attacker may run a CPU-intensive program to trigger a race condition
- Fortunately, it is difficult to attack solely by using low-control events

Implementation Structure for Logging Events and Objects
- Run target OS (Linux) and application inside a VM
- Have the VM monitor call a kernel procedure at appropriate times
- Reasons to use a VM-based structure
  - Prevent intruders in the VM from interfering with logging
  - Use ReVirt to replay attacks
- 14-35% overhead for kernel-intensive loads

Implementation Structure for Logging Events and Objects
- The VM monitor notifies EventLogger whenever a guest application invokes or returns from a syscall, or when a guest application exits
- EventLogger is compiled with headers from the guest kernel and reads the guest's physical memory to determine events
- EventLogger code is ~1,300 lines

Implementation Structure for Logging Events and Objects
- A design alternative: run EventLogger without a VM
  - Store the log on a remote machine
  - Use a protected file on the local computer

Prioritizing Parts of a Dependency Graph
- Dependency graphs for a busy system are too large
- Ways to filter a dependency graph
  - Ignore certain objects
    - /var/run/utmp causes a new login session to depend on all prior login sessions
    - /etc/mtab
    - .bash_history

Prioritizing Parts of a Dependency Graph
- More ways to filter a dependency graph
  - Filter out low-control events
  - Hide read-only files
    - Often are default configuration or header files
  - Filter out helper processes (/etc/bashrc)
    - They tend to form cycles in the graph and take input from read-only files
  - Choose several detection points, then take the intersection of the dependency graphs
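A small GraphGen-style backtracker, added here as an example and not BackTracker's own code: it walks a log in reverse time order from a detection point using per-object time thresholds (the Dependency Graphs slide) and then applies the filters from the two Prioritizing slides (ignored objects, low-control events, read-only files). The event log, object names, timestamps and the convention that names starting with "/" are file objects are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str                 # object that influences (parent process, file read, ...)
    sink: str                   # object influenced (child process, file written, ...)
    start: int                  # time the system call was invoked
    end: int                    # time the system call returned
    high_control: bool = True   # False for low-control events (atime updates, ...)

def backtrack(log, detection, detect_time, high_control_only=False, ignore=()):
    # GraphGen-style walk: keep an event when its sink is already in the graph and the
    # event started before the sink's time threshold (latest time the sink could still
    # affect the detection point); the source then joins with threshold = event end
    # time. Passes repeat to a fixpoint so overlapping syscall intervals are not missed.
    threshold, kept, changed = {detection: detect_time}, [], True
    while changed:
        changed = False
        for ev in sorted(log, key=lambda e: e.end, reverse=True):  # reverse time order
            if (ev in kept or ev.sink not in threshold or ev.source in ignore
                    or (high_control_only and not ev.high_control)):
                continue
            if ev.start >= threshold[ev.sink]:
                continue                        # too late to have affected the sink
            kept.append(ev)
            threshold[ev.source] = max(threshold.get(ev.source, 0), ev.end)
            changed = True
    return kept

def hide_read_only_files(graph, log):
    # Drop edges from files nothing in the whole log ever wrote (default configs,
    # headers). Constructed convention: names starting with '/' are file objects.
    written = {e.sink for e in log}
    return [e for e in graph if not (e.source.startswith("/") and e.source not in written)]

# Constructed sample log modelled on the paper's httpd -> bash -> wget example.
LOG = [
    Event("socket:remote", "httpd", 1, 2),          # request arrives
    Event("httpd", "bash", 3, 4),                   # fork
    Event("/etc/hosts", "bash", 5, 6),              # read-only config file
    Event("/var/run/utmp", "bash", 7, 8),           # noisy object, ignored below
    Event("bash", "wget", 9, 10),                   # fork
    Event("wget", "/tmp/bind", 11, 12),             # write the download
    Event("updatedb", "/tmp/bind", 12, 13, False),  # low-control event
    Event("/tmp/bind", "bind", 13, 14),             # execve; detection point: bind at t=15
    Event("cron", "bash", 16, 17),                  # starts after bash's threshold (10)
]

def filtered_graph(log=LOG):
    g = backtrack(log, "bind", 15, high_control_only=True, ignore=("/var/run/utmp",))
    return hide_read_only_files(g, log)
```

Unfiltered, `backtrack(LOG, "bind", 15)` keeps eight events including the noise edges; `filtered_graph()` leaves exactly the five-edge chain socket → httpd → bash → wget → /tmp/bind → bind.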

Evaluation
- Used a honeypot machine (Red Hat 7.0)
  - Vulnerable to OpenSSL and sendmail exploits
- Without filtering
  - EventLogger logged ~160K objects and ~1.2 million events
  - Dependency graph contained ~5,200 objects and ~10,000 events
- After filtering
  - Reduced the graph to 24 objects and 28 events

Evaluation
- httpd → bash → wget → /tmp/bind → bind → /bin/login
- BackTracker can also separate two intermingled attacks from a single log
- BackTracker can still function well with SPECweb99 running in the background
  - EventLogger slows the system by 9%
  - Log grows at 1.2 GB/day
  - 3 hours to process the log

[Figure: dependency graph from the evaluation. Legend: process, file, socket, detection point, fork event, read/write event]

[Figure: second dependency graph from the evaluation, same legend]

Attacks Against BackTracker
- An intruder can attack lower layers with events not monitored by BackTracker
  - Kernel modules
  - /dev/kmem
  - Disabled in VM
- Use low-control events to break the chain of events
- Use hidden channels to steal passwords
- Use innocent processes to inflate the graph