A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier

1
A Recursive Session Token Protocol for use in
Computer Forensics and TCP Traceback- Brian
Carrier Clay Shields

• Pallavi Phene
• phene_at_cs.uh.edu
• 21st March, 2003

2
Motivation
H0
H1
H2
Hn-1
Hn
C0
C1
Cn-1
Figure 1 Connection Chain example between host
H0 Hn.
3
Motivation (contd)

• Technique to address stone stepping
• Administrative hop-by-hop traceback not effective
• Insufficient resources
• Insufficient knowledge about the connection
• Lack of trust in the requesting party

4
Outline

• Connection Chain Traceback
• Identification (ident) Protocol
• Session Token Protocol (STOP)
• Implementation
• Performance Results
• Conclusion
• References

5
Connection Chain Traceback

• Network Based Solutions
• Analysis of Content-Based Thumbprints
• Timing Analysis of user idle times
• Analysis of TCP Sequence s
• Host Based Solutions
• Caller ID systems

6
Identification Protocol

• RFC 1413
• Allows server to identify client-side user name
• TCP Port for ident protocol ? 113
• Terminology
• CL_PORT ? client side TCP port
• SV_PORT ? server side TCP port

7
ident Operation
2) Detect attack or intrusion
6) Determine which process has connection from
ltCL_PORTgt to ltSV_PORTgt
3) Initiate identification traceback
8
Limitations of ident Protocol

• Invasive
• Daemon can return the username of any service
  (even if it did not originate the message)
• Enhancements return random token, or encrypt
  user id

9
Session TOken Protocol

• Extension of ident protocol
• Developed for investigation of stepping-stone
  chains while maintaining privacy

10
Basic Operation of STOP
Save application-level data about process and
user when connection is established
STOP Daemon
Token must be presented to system administrator
for authorization to obtain actual user
information
11
Protocol Design Goals

• Backward compatibility
• Authentication of requester
• Ability to request additional data storage
• Ability to request path trace
• Configurable to satisfy system security policy
• Efficient implementation
• Allow request from hosts outside the contention
  chain

12
Protocol Design

• Modification of ident Messages
• Modify Request Message
• to provide more options
• Modify Response Message
• to protect privacy

13
Request Message Modification Request Type

• ID
• Save username, return random token
• Same operation as ident protocol
• ID_REC
• Save username, return random token
• Repeat recursively to the host that user logged
  in from
• Requires random session identifier to identify
  cycles in the recursion
• SV
• Save username and additional information
• SV_REC
• Hybrid of SV and ID_REC

14
Ident Response Message

• Message format
• ltCL_PORTgt , ltSV_PORTgt ltRESPONSE-TYPEgt
  ltADDITIONAL_INFORMATIONgt
• ltADDITIONAL_INFORMATIONgtspecifies
• O.S. user id when the user is identified or
• random token (unformatted character string) to
  protect privacy when OTHER is specified
• Error message (INVALID_PORT, NO_USER,
  HIDDEN_USER, UNKNOWN_ERROR) when user is not
  identified

15
Response Message Modification

• Instead of Operating system name, STOP always
  returns OTHER
• HIDDEN_USER will not be used as an error
  message
• Only printable ASCII allowed in the random token

16
ltrequestgt ltport-pairgt "" ltrequest-typegt ""
ltipgtltEOLgt ltport-pairgt ltintegergt ","
ltintegergt ltrequest-typegt "ID" "ID REC" ""
ltsidgt "SV" "SV REC" "" ltsidgt ltipgt
ltbytegt"."ltbytegt"."ltbytegt"."ltbytegt ltsidgt
ltintgt ltEOLgt CR LF ltreplygt ltport-pairgt ""
ltreply-textgt ltEOLgt ltreply-textgt ltident-replygt
lterror-replygt ltident-replygt "USERID" ""
"OTHER" "," ltcharsetgt "" ltuser-tokengt lterror-re
plygt "ERROR" "" lterror-typegt lterror-typegt
"INVALID-PORT" "UNKNOWN-ERROR" "NO-USER"
lterror-tokengt ltcharsetgt "US-ASCII" as
defined in RFC 1340 ltuser-tokengt
1512lttoken-charactersgt lterror-tokengt
"X"163lttoken-charactersgt ltbytegt integer
values 0 to 28 in ASCII ltintgt integer values
0 to 232 in ASCII lttoken-charactersgt All
printable ASCII except ""
Figure 2 STOP Protocol Grammar
17
STOP Daemon properties

• Return a cryptographically secure random token
  for all established connections
• When ID option selected return actual username
• Return error message for request of TCP sessions
  that were not initiated by the local host

18
Saving Process State

• Provide options for what process and system data
  to save for SV or SV_REC requests
• Example of process data

• Process name PID
• Parent PID
• Real effective UID
• Process start time priority
• Terminal device
• List of open sockets, files, pipes

• Host name
• Boot time
• Operating System, version, kernel date and build
• Address of machine that sent the request
• Address and port of remote end of socket
• Address and port of local end of socket
• Type and time of request
• Entries from utmp for all users mentioned in the
  report

19
Recursion

• Generation of tokens along an entire path of
  hosts
• Send original reply token to the requester
• Save tokens from recursive requests along with
  original reply token
• Recursive request contains a random session
  identifier to prevent cycles and denial of
  service situations
• Process only one request of type ID_REC or SV_REC
  from the same host with the same session
  identifier for the last 120s.

20
Security Analysis

• If host Hi is compromised and the daemon on Hi is
  killed then the path can be traced back to only
  Hi
• If the daemon is tampered then either it
• Does not save any data or
• Does not send recursive requests or
• Saves false user and recursive data
• In any case, data provided by STOP will have to
  be verified

21
Implementation

• Implemented by modifying the open source version
  of ident daemon called oidentd
• Run-time options
• Always return random tokens instead of errors
• Always return UNKNOWN_ERROR
• Select data to be saved for SV and SV_REC
• Restrict the number of active lookups
• Built on Solaris 2.7, OpenBSD 2.8 and Debian
  Linux 2.2

22

• Resolved all pipes and sockets for a process and
  recursively for its parent
• For SV and SV_REC requests, data is stored and
  its hashed value is returned as the random token

23
Performance Results Request Processing Time

• Simple Process Tree

Hi
SCHED
INIT
SSHD
Hi-1
SSHD
CSH
Table I Average Lookup Time for 6 Unique
Processes
TELNET
Hi1
Figure 3 Process Tree with 6 unique processes
24

• Complex Process Environment

4 SCHED
Hi
Figure 4 Process Tree with 14 unique processes
3 INIT
Hi-1
2 P3
14 P1
13 P2
Hi1
1 P4
12 P5
11 P8
7 P7
10 P6
6 P10
9 P9
Inheritance Uni-directional Pipe Internet Socket
5 P12
8 P14
25
Table II Average Lookup Time for 14 Unique
Processes
26
Performance Results System Performance
Table III System Performance Data
27
Figure 5 STOP Overhead
28
Conclusion

• STOP facilitates tracing of attacker who is using
  a series of hosts
• STOP protects users privacy by returning only
  random token
• Effective when many hosts are running it in a
  tightly constrained environment
• STOP can be used in parallel with other traceback
  techniques to provide application level data to
  investigators
• STOP may not solve TCP connection-chain
  traceback in all situations

29
References

• B. Carrier and C. Shields, "A Recursive Session
  Token Protocol For Use in Computer Forensics and
  TCP Traceback", Proceedings of the IEEE INFOCOM
  2002, June, 2002, New York
• RFC 1413 - Identification Protocol, February
  1993,
• www.rfc-editor.org/rfc/rfc1413.txt