Security Issues in Distributed Heterogeneous Systems Somesh Jha Computer Sciences Department University of Wisconsin Madison, WI 53706.


1 Security Issues in Distributed Heterogeneous Systems Somesh Jha Computer Sciences Department University of Wisconsin Madison, WI 53706

2 General Issues
Vulnerability and information-flow analysis
– detecting malicious code
    safety – crashes your machine or wipes data
    privacy – leaks sensitive information
– code executing on malicious host
– distributed vulnerability analysis
Intrusion Detection
– statistical models of user behavior/network traffic
– using statistical models for anomaly detection
– explaining the anomalies

3 General Issues (Contd)
Authentication and Authorization
– seamless cross-administrative authentication
    kerberos
    passwords
    time-varying passwords
    smartcards
    public keys
– but the real question is authorization
    a person can only buy beer from www.booze.com if he/she is about eighteen years of age

4 Vulnerability and information-flow analysis
want to perform these analyses on machine code
suitable for COTS
will require an analysis infrastructure for machine code
collaborators
– B. Miller
– T. Reps

5 Vulnerability analysis (Safety)
use static analysis to discover program behaviors that lead to vulnerabilities
examples
– buffer overflows
– unutilized pointers
initial success reported by Z. Xu, B. Miller, and T. Reps

6 Information-flow analysis (Privacy)
initial work provided discretionary access control
we want mandatory access control
consider the following
– x := y
– security-level( y )  security-level( x )
want to perform these forms of analysis on machine code
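
Added example, not part of the original slides: a small static checker for the assignment case on this slide, assuming the standard lattice rule for mandatory flow control (data may move only to a variable of equal or higher level). It goes beyond the slide by also catching implicit flows through branches; it works on a toy source-level program rather than machine code, and the two-level lattice, variable names and program are constructed for illustration.

```python
# Constructed two-point lattice; real policies may use more levels.
RANK = {"low": 0, "high": 1}

def flow_violations(program, level):
    """Return every assignment that moves data to a lower-level variable.

    program: list of ("assign", dst, [src, ...]) or ("if", [cond var, ...], body)
    level:   dict mapping each variable name to "low" or "high"
    """
    violations = []

    def join(pc, names):
        # Least upper bound of the branch context and the named variables.
        return max([pc] + [RANK[level[v]] for v in names])

    def walk(stmts, pc):
        for stmt in stmts:
            if stmt[0] == "assign":
                _, dst, srcs = stmt
                # Explicit flow (x := y) plus implicit flow from enclosing branches.
                if join(pc, srcs) > RANK[level[dst]]:
                    violations.append(stmt)
            elif stmt[0] == "if":
                _, cond, body = stmt
                walk(body, join(pc, cond))

    walk(program, RANK["low"])
    return violations

# Constructed sample program and labelling (hypothetical variable names).
LEVEL = {"secret": "high", "key": "high", "out": "low", "tmp": "high"}
PROGRAM = [
    ("assign", "tmp", ["secret"]),             # high -> high: allowed
    ("assign", "out", ["tmp"]),                # high -> low: explicit leak
    ("if", ["key"], [("assign", "out", [])]),  # constant written under a high guard
    ("assign", "key", ["out"]),                # low -> high: allowed
]

if __name__ == "__main__":
    for stmt in flow_violations(PROGRAM, LEVEL):
        print("violation:", stmt)
```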

7 Benign host and malicious code
Job foo-bar comes to my host
need to make sure that foo-bar does not do anything nasty
solution is sandboxing

8 Malicious host and benign code
Job foo-bar migrates to host A
A is malicious
hijack foo-bar and instrument the code to send harmful system calls
note: inverse of the previous problem

9 Multi-pronged attack
Build a model of the code
– static analysis
– dynamic analysis
replication
obfuscation
collaborators
– Bart Miller
– Hong Lin

10 Sandboxing the home machine
[Figure labels: Job A, Malicious Host, Home Machine, Model of job A]

11 Building program models
Deterministic models
– use static analysis of the code
– derive a finite automaton with system calls as the alphabet set
statistical models
– monitor traffic at the home machines
– build a statistical model from the sequence of system calls
Hybrid models
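
Added example, not part of the original slides: the three kinds of model from this slide as the home machine might apply them to the system calls a remote job sends back. The automaton is hand-written to stand in for the output of static analysis, a sliding-window set of observed call sequences stands in for the statistical model (the slides do not say which model is used), and all traces, call names and the threshold are constructed.

```python
# Constructed automaton for a hypothetical job: open, any number of read/write,
# close, exit. It stands in for what static analysis of the job would derive.
NFA = {
    ("start", "open"): {"io"},
    ("io", "read"): {"io"},
    ("io", "write"): {"io"},
    ("io", "close"): {"closed"},
    ("closed", "exit"): {"done"},
}

def first_violation(trace, nfa=NFA, start="start"):
    """Deterministic model: index of the first call the automaton rejects, or None."""
    states = {start}
    for i, call in enumerate(trace):
        states = set().union(*(nfa.get((s, call), set()) for s in states))
        if not states:
            return i
    return None

def windows(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def train(traces, n=3):
    """Statistical model: every length-n window seen in traces recorded at home."""
    return {w for t in traces for w in windows(t, n)}

def anomaly_score(trace, seen, n=3):
    """Fraction of the trace's length-n windows that never occurred in training."""
    ws = windows(trace, n)
    return sum(w not in seen for w in ws) / len(ws) if ws else 0.0

def hybrid_verdict(trace, seen, threshold=0.3):
    """Hybrid model: hard reject on automaton violation, else score the windows."""
    bad = first_violation(trace)
    if bad is not None:
        return ("reject", bad)
    score = anomaly_score(trace, seen)
    return ("suspicious" if score > threshold else "ok", score)

# Constructed traces (not captured from a real system).
BENIGN = [["open", "read", "read", "write", "close", "exit"],
          ["open", "read", "write", "read", "write", "close", "exit"]]
INSTRUMENTED = ["open", "read", "execve", "write", "close", "exit"]
UNUSUAL = ["open", "write", "write", "write", "close", "exit"]
MODEL = train(BENIGN)

if __name__ == "__main__":
    for t in (BENIGN[0], INSTRUMENTED, UNUSUAL):
        print(hybrid_verdict(t, MODEL), t)
```

The UNUSUAL trace is accepted by the automaton but scores high against the window model, which is the case a hybrid model is meant to cover.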

12 Replication
[Figure labels: Agreement Protocol, Replica 1, Replica 2, Replica 3]

13 Program obfuscation
obfuscate the program so that it is hard for an adversary to reverse engineer
inverse of good software engineering practices
randomize all system call names
randomly permute all the system call parameters
randomly insert “benign” calls

14 Distributed vulnerability analysis
Existing techniques are good at finding local vulnerabilities
– see http://www.iss.net
we want to find global attacks from local information provided by existing tools

15 Attacking Fidelity break into the DNS Server Fidelity Acquire password access DNS configuration setup web proxy www.gs.com exploit poor passwords access control ignore errors

16 Cross-administrative authentication
Various authentication mechanisms
– kerberos
– hashed passwords
– smartcards
– public key infrastructures
goal: to provide seamless cross-administrative authentication
collaborator
– Hao Wang

17 Motivating scenario
Job A is authenticated using Kerberos on host A
Job A runs on host A for a while
migrates to host B, where smartcard-based authentication is required
should job A authenticate again?
Has to reauthenticate every time it crosses an “authentication boundary”

18 Obvious solution
translate results of an authentication mechanism to a common one
convert everything to an X.509 certificate
translate back X.509 certificates as needed

19 Drawbacks
different authentication schemes have different trust models
– hashed passwords are weaker than time-varying passwords
many technical problems
– how is credential expiration/revocation handled?
– how is delegation handled?

20 Authorization
authentication binds a person to a digital entity such as a credential
the real question is authorization
is a certain person allowed to perform specific actions on a host?

21 Approaches to Authorization
examples are
– SPKI
– KeyNote
express statements of the following form
Miron says (somesh can read files in directory X)
support the following features
– compliance checking
– delegation
– majority decisions

22 Extensions to authorization infrastructures
support revocation
– can state negative statements
credential extraction problem
– given a request r
– a set of statements representing the policy P
– what credentials does X need so that request r will be authorized
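
Added example, not part of the original slides: a simplified model of the "says" statements from slide 21 with compliance checking and delegation, and a restricted form of the credential extraction problem from slide 22 (which single credential would make the request succeed). This is not SPKI or KeyNote syntax; the tuple format, the root principal "host", the requester "bob" and the permission string "read:X" are assumptions made for illustration.

```python
from collections import namedtuple

# "issuer says (subject can perm)"; delegate=True lets subject pass perm on.
Says = namedtuple("Says", "issuer subject perm delegate")

def delegators(root, perm, stmts):
    """Principals that hold perm with the right to delegate it, starting at root."""
    reach, frontier = {root}, [root]
    while frontier:
        p = frontier.pop()
        for s in stmts:
            if (s.issuer == p and s.perm == perm and s.delegate
                    and s.subject not in reach):
                reach.add(s.subject)
                frontier.append(s.subject)
    return reach

def complies(root, who, perm, stmts):
    """Compliance check: does a chain of statements from root grant perm to who?"""
    if who == root:
        return True
    trusted = delegators(root, perm, stmts)
    return any(s.issuer in trusted and s.subject == who and s.perm == perm
               for s in stmts)

def missing_credentials(root, who, perm, policy, presented):
    """Credential extraction: statements, any one of which would authorize who."""
    stmts = policy + presented
    if complies(root, who, perm, stmts):
        return []
    return sorted(Says(p, who, perm, False) for p in delegators(root, perm, stmts))

# Constructed policy P and credentials (hypothetical principals except Miron/somesh).
POLICY = [Says("host", "Miron", "read:X", True)]
SOMESH = [Says("Miron", "somesh", "read:X", False)]            # not delegable
BOB = SOMESH + [Says("somesh", "bob", "read:X", False)]        # somesh may not delegate

if __name__ == "__main__":
    print(complies("host", "somesh", "read:X", POLICY + SOMESH))
    print(complies("host", "bob", "read:X", POLICY + BOB))
    print(missing_credentials("host", "bob", "read:X", POLICY, BOB))
```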

23 Conclusion
all the problems mentioned before are crucial for making security more usable in a distributed heterogeneous setting
crucial that we work on it

