Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.

Published byTracy Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba."— Presentation transcript:

1 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba

2 2 Server Hijacks by Crackers Internet servers are often “hijacked.” e.g. buffer overflow attacks A cracker sends malicious code into a server as the input and then can take the full control of the server. Preventing all types of attacks is difficult. Most attacks are caused by programming or design errors.  These errors are left in many programs. Only a part of attacks are detected by StackGuard, safe languages, etc. Internet server firewall malicious code hijack!

3 3 The Compacto Operating System Access restrictions can protect servers from attacks. We have developed the Compacto operating system (OS), which provides: Fine-grained access control at the system call level  Issues of system calls are limited by the type or arguments. Access control with user/group ID ( setuid / setgid ) Limited access to directories ( chroot ) Compacto can impose access restrictions on a various range. Application (some processes) Process Code fragment in a process

4 4 Danger of Removing Access Restrictions Servers need different access restrictions for each request. It is necessary to impose/remove access restrictions. Removing access restrictions is dangerous. Crackers can gain higher privileges after removing access restrictions from hijacked servers. But, detecting whether a server is hijacked or not is difficult. server Interne t User A User B request

5 5 Traditional Approach: “Spawn” Spawns a new child process for every request and gives it different access restrictions. The child process just terminates after handling a request. Removing access restrictions is not necessary. Drawbacks Slow Too many processes are spawned. Not compatible with the process pool technique Today’s servers often use a process pool for efficiency.

6 6 Our Approach: Process Cleaning Allows a process to remove access restrictions. But, the process image is cleaned up back to the image stored by checkpointing. Process cleaning achieves the same security as the “Spawn” approach. Benefits Faster than the “Spawn” approach Compatible with the process pool technique current process image stored image (snapshot) overwrite new process image

7 7 Save_state System Call Save_state takes a snapshot of a process at a safe point. Where is considered as a safe point? Before a server communicates with any clients. The snapshot includes the whole state of a process. registers, a memory image, signal handlers, open/close status of files/sockets, etc. The snapshot cannot be compromised. Because it is saved in the kernel address space. pc, sp,… stack, heap … process imagesnapshot image pc, sp,… stack, heap … save

8 8 Restore_state System Call Restore_state restores a safe state of a process saved by save_state. Restoring an instruction pointer Recovers the thread of control Restoring the whole memory image Eliminates malicious code from the memory After restoration, Compacto removes access restrictions from the process. pc’, sp’,… stack’, heap’ … process imagesnapshot image pc, sp,… stack, heap … restore

9 9 How to Use Process Cleaning Request-handling code in typical servers on Compacto looks like the following: save_state(); accept(); if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions handle a request restore_state(); save_state(); accept(); if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions handle a request restore_state(); process cleaning & removing access restrictions

10 10 Implementation Saving/restoring a memory image become a performance bottleneck. Naïve implementation is slow. Our implementation techniques Efficient save of a memory image Compacto saves only modified pages by copy-on-write. Selectable strategy for restoring memory Compacto allows users to select the restoration strategy according to the behavior of a server.

11 11 Page Save by Copy-on-Write Compacto allocates a shadow page at a page fault. All writable pages are write-protected in the save_state system call. The contents of an original page are copied to the shadow page. The shadow page is modified and the original page is left unmodified. kernel move shadow page original page address space page fault map

12 12 Remap/copy Strategies Remap strategy Discards a shadow page and moves the original page back Restores memory fast but may cause extra page faults Copy strategy Copies the contents of an original page back to the shadow page May reduce page faults but may cause extra page copies move original page discard shadow page copy original page shadow page

13 13 Experiment We measured the performance of the Apache web server for 4 types of server constructs. Environments Server: PentiumIII 933MHz, Compacto OS Clients: Celeron 300MHz, FreeBSD 3.4 WebStone benchmark

14 14 Experimental Results Process cleaning is 40% faster than the “Spawn” approach. The overhead of process cleaning is low - 40%. The copy strategy is 8% faster than the remap strategy.

15 15 Concluding Remarks We proposed process cleaning. It prevents hijacked servers from illegally removing access restrictions. It achieves the same security as the traditional “Spawn” approach. Process cleaning achieves great performance improvement against the “Spawn” approach. 40% faster

Download ppt "1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba."

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.

The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.
Kenichi Kourai (Kyushu Institute of Technology) Takeshi Azumi (Tokyo Institute of Technology) Shigeru Chiba (Tokyo University) A Self-protection Mechanism.

Kenichi Kourai (Kyushu Institute of Technology) Takeshi Azumi (Tokyo Institute of Technology) Shigeru Chiba (Tokyo University) A Self-protection Mechanism.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Precept 3 COS 461. Concurrency is Useful Multi Processor/Core Multiple Inputs Don’t wait on slow devices.

Precept 3 COS 461. Concurrency is Useful Multi Processor/Core Multiple Inputs Don’t wait on slow devices.
Page 1 Processes and Threads Chapter 2 2.1 Processes 2.2 Threads 2.3 Interprocess communication 2.4 Classical IPC problems 2.5 Scheduling.

Page 1 Processes and Threads Chapter Processes 2.2 Threads 2.3 Interprocess communication 2.4 Classical IPC problems 2.5 Scheduling.
Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.

Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.
3.5 Interprocess Communication

3.5 Interprocess Communication
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
Using Two Queues. Using Multiple Queues Suspended Processes Processor is faster than I/O so all processes could be waiting for I/O Processor is faster.

Using Two Queues. Using Multiple Queues Suspended Processes Processor is faster than I/O so all processes could be waiting for I/O Processor is faster.
Fast and Correct Performance Recovery of Operating Systems Using a Virtual Machine Monitor Kenichi Kourai Kyushu Institute of Technology, Japan.

Fast and Correct Performance Recovery of Operating Systems Using a Virtual Machine Monitor Kenichi Kourai Kyushu Institute of Technology, Japan.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.
HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection Kenichi Kourai Shigeru Chiba Tokyo Institute of Technology.

HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection Kenichi Kourai Shigeru Chiba Tokyo Institute of Technology.

Similar presentations

Ads by Google