
Backtracking Intrusions

Presentation on theme: "Backtracking Intrusions" (presentation transcript):

1 Backtracking Intrusions
By King & Chen. Presented by: Sebastian Tomaszewski, Mike DeSantis

2 Backtracker Presentation Agenda
- Introduction
- Research Problem
- Key Ideas / Approaches
- Evaluation
- Conclusion

3 Backtracker Introduction
This paper discusses a new software tool to aid system administrators in providing system security. Backtracker's goal is to reconstruct a timeline of the events that occur in an attack, and to generate a visual representation of the actions taken by a system intruder. This is an improvement over previously existing software.

4 Research Problem
- Identify the source of an intrusion on a computer system
- Analyze the sequence of actions taken by the intruder
- Identify files & processes that have been affected
- Minimize system overhead to achieve tracking

5 Research Problem - Importance
Once an attack has occurred:
- Identify the vulnerability point that the attacker exploited
- Fix the system vulnerability through which the attacker gained access
- Undo the damage that the attacker inflicted

6 Key Idea – Detection
Identify a 'detection point' on one or more levels (i.e. a file modification, a firewall alert, a port scan, a process that is behaving in an unusual or suspicious manner). Tools providing the ability to establish a detection point: Tripwire, Snort, The Coroner's Toolkit (each is endorsed by Backtracker).

7 Key Idea - Differentiation
Other software packages exist, but suffer from limitations:
- Limited data & easily disabled logging
- Encrypted data used by the attacker
Backtracker addresses these limitations and provides many tools to analyze the attacker's transactions.

8 Application - Differentiation
Works by observing OS-level objects (files, filenames, processes), a compromise between the application level and the machine level, tracking each object by process ID and version number.
- Application level: Semantically rich, easily disabled by an attacker
- Machine level: Semantically poor, hard to disable by an attacker

9 Key Idea – Graph generation
Generate a dependency graph through OBJECTS:
- Log objects and dependency-causing events during runtime.
- Save enough information to build a graph that depicts the dependency relationships between all objects seen over that execution.
- Backtracker keeps track of a process from the time it is created by a fork or clone system call to the point where it exits.
- Prioritize all parts of the dependency graph for ease of searching for an attacker's actions.

10 Application – Graph Generation [Object definitions]
- A file object is identified uniquely by a device, inode number and version number (Backtracker treats pipes as normal files)
- A filename object refers to the directory data that maps a name to a file object
- A process is identified uniquely by a process ID and version number

11 Application – Graph Generation [Dependency causing events]
- One process directly affects the execution of another process object
- A process affects or is affected by data or attributes associated with a file object
- A process affects or is affected by a filename object
Note: Affecting an object is not the same as controlling an object!

12 Application – Graph Generation [Prioritizing dependency graph]
Dependency graphs for a busy system will be too large to scrutinize each object/event. Ignore certain objects & events:
- Ignore all child events from a specific event
- Ignore files that are read but not written in a time period
- Ignore helper processes
- Choose several detection points to scrutinize

13 Application - Graph Generation
"PTrace Attack" Analysis: exploits a race condition in the Linux PTrace code to gain root access.
1) The attacker caused the Apache web server (httpd) to create a command shell (bash)
2) Downloaded and unpacked an executable
3) Ran the executable using a different group identity

14 Key Idea – Dependency & Event Tracking
A tracking system must examine higher-level events instead of low-level events to minimize system overhead.
Examples of high-level events:
- Changing the contents of a file
- Creating a child process
Examples of low-level events:
- Changing a file's access time
- Creating a filename in a directory

15 Application – Dependency & Event Tracking
Backtracker is able to provide useful analysis without tracking low-level events, even if low-level events are used in the attack. Backtracker logs & analyzes:
- Process creation through fork or clone
- Load and store to shared memory
- Read and write of files and pipes
- Receiving data from a socket
- Performing execve of files
- Load and store to mmap'ed files
- Opening a file
Note: Backtracker produces a 9% running-time overhead and 1.2GB of log data per day for an operating-system-intensive workload.
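
As an added example (not code from the paper or from the presenters), the following Python model ties together slides 9-12 and 15: it records the object kinds and dependency-causing events the slides describe, walks the dependency graph backwards in time from a detection point, and applies the slide-12 "read but not written" filter. The event log, object identifiers and the time-threshold rule (an event counts only if it happened before the time at which its sink first mattered) are assumptions made here for illustration.

```python
# Added example: a miniature BackTracker-style dependency graph and backward search.
# Objects: ("proc", pid, version), ("file", dev, inode, version), ("name", path).
# Each event is (time, kind, source, sink): the source affected the sink at that time.
HTTPD, BASH, WGET, CRON = ("proc", 100, 1), ("proc", 200, 1), ("proc", 300, 1), ("proc", 500, 1)
CONF, BASHBIN, ROOTKIT, LOG = ("file", 8, 50, 1), ("file", 8, 70, 1), ("file", 8, 90, 1), ("file", 8, 99, 2)

EVENTS = [  # constructed log: the slide-18 sequence plus unrelated cron activity
    (1, "read",   CONF,    HTTPD),                    # httpd reads its config (never written)
    (2, "fork",   HTTPD,   BASH),                     # exploited httpd creates a shell
    (3, "execve", BASHBIN, BASH),                     # shell loads /bin/bash (never written)
    (4, "fork",   BASH,    WGET),                     # shell runs wget
    (5, "write",  WGET,    ROOTKIT),                  # wget writes the downloaded rootkit
    (6, "write",  WGET,    ("name", "/tmp/ /bind")),  # the filename object is created
    (7, "write",  CRON,    LOG),                      # unrelated: cron appends to a log
    (8, "read",   ROOTKIT, BASH),                     # shell reads the rootkit afterwards
]

def backtrack(events, detection_obj, detection_time):
    """Walk backwards from a detection point. An event is kept only if its sink is an
    object already under suspicion and it happened before the time at which that
    object first mattered (assumed time-threshold rule)."""
    threshold = {detection_obj: detection_time}   # object -> latest relevant time
    done, kept = {}, set()
    while threshold:
        obj, t = threshold.popitem()
        if done.get(obj, -1) >= t:
            continue                                   # already searched with a later threshold
        done[obj] = t
        for ev in events:
            te, _, src, sink = ev
            if sink == obj and te < t:
                kept.add(ev)
                threshold[src] = max(te, threshold.get(src, -1))
    return sorted(kept)

def prune(graph, all_events):
    """Slide-12 filter: drop dependencies on files that were only read, never written,
    anywhere in the logged period (they are unlikely to be attacker artefacts)."""
    written = {sink for _, kind, _, sink in all_events if kind == "write" and sink[0] == "file"}
    return [ev for ev in graph if not (ev[2][0] == "file" and ev[2] not in written)]

def investigate(events=EVENTS, detection=ROOTKIT, at=9):
    """Backtrack from the rootkit file written at time 5, then prune: returns events 2, 4, 5."""
    return prune(backtrack(events, detection, at), events)
```

The unpruned graph still contains the config read and the bash execve (events 1 and 3); pruning removes them because neither file was written during the period, leaving the httpd -> bash -> wget -> rootkit chain that slide 18 describes.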

16 Application – Dependency & Event Tracking [In virtual machine environments]
- The virtual machine monitor prevents intruders in the guest OS from interfering with event tracking
- The virtual machine monitor notifies Backtracker whenever a guest application performs a high-level event

17 Evaluation - Introduction
To test Backtracker, a default installation of RedHat 7.0 was set up on a honeypot machine.
- RedHat: Vulnerable to several remote and local attacks
- Honeypot: Vulnerable to at least two attacks (Apache)
A "Bind" attack was run on this system.
- Files read but not written are ignored
- Ignore files in /root/.bash_history, lastlog, utmp, mtab
- Ignore helper processes

18 Evaluation - Results
1) Gained access through httpd (Apache)
2) Downloaded a rootkit using wget
3) Wrote the rootkit to the file "/tmp/ /bind"

19 Evaluation - Shortcomings
Backtracker can be circumvented by:
- Attacking the layers upon which Backtracker's analysis or logging depend
- Using a hidden channel to break the chain of events that Backtracker tracks
- Carrying out the attack's sequence of steps over a long period of time
- Attacking the virtual machine monitor layer or host OS (much harder than attacking the guest kernel)

20 Conclusion
Data integrity and security are vital as computing becomes more widespread. Backtracker allows system administrators to analyze an attack and avoid future vulnerability. An everyday application of this technology might be for a banking system administration team to protect their clients' accounts. Questions?

