Title: A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier
Slide 1: A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback
- Brian Carrier, Clay Shields
- Pallavi Phene
- phene_at_cs.uh.edu
- 21st March, 2003
Slide 2: Motivation
Figure 1: Connection chain example between hosts H0 and Hn. Hosts H0, H1, H2, ..., Hn-1, Hn are linked by connections C0, C1, ..., Cn-1; each connection Ci joins Hi to Hi+1.
Slide 3: Motivation (contd.)
- A technique is needed to address stepping stones: an attacker logs in through a chain of intermediate hosts, so the victim sees only the last hop
- Administrative hop-by-hop traceback is not effective because of
  - insufficient resources
  - insufficient knowledge about the connection
  - lack of trust in the requesting party
Slide 4: Outline
- Connection Chain Traceback
- Identification (ident) Protocol
- Session Token Protocol (STOP)
- Implementation
- Performance Results
- Conclusion
- References
Slide 5: Connection Chain Traceback
- Network-based solutions
  - Analysis of content-based thumbprints
  - Timing analysis of user idle times
  - Analysis of TCP sequence numbers
- Host-based solutions
  - Caller ID systems
Slide 6: Identification Protocol
- RFC 1413
- Allows a server to identify the client-side user name of a TCP connection
- TCP port for the ident protocol: 113
- Terminology
  - CL_PORT: client-side TCP port
  - SV_PORT: server-side TCP port
Slide 7: ident Operation (steps recoverable from the diagram)
2) Detect attack or intrusion
3) Initiate identification traceback
6) Determine which process has the connection from <CL_PORT> to <SV_PORT>
Slide 8: Limitations of the ident Protocol
- Invasive: real user names are disclosed to any remote requester
- The daemon can return the username of any service (even if it did not originate the message)
- Proposed enhancements: return a random token, or encrypt the user id
Slide 9: Session Token Protocol (STOP)
- Extension of the ident protocol
- Developed for the investigation of stepping-stone chains while maintaining user privacy
Slide 10: Basic Operation of STOP (diagram)
- The STOP daemon saves application-level data about the process and user when the connection is established
- The token must be presented to the system administrator for authorization to obtain the actual user information
Slide 11: Protocol Design Goals
- Backward compatibility
- Authentication of the requester
- Ability to request additional data storage
- Ability to request a path trace
- Configurable to satisfy the system security policy
- Efficient implementation
- Allow requests from hosts outside the connection chain
Slide 12: Protocol Design
- Modification of ident messages
  - Modify the request message to provide more options
  - Modify the response message to protect privacy
Slide 13: Request Message Modification: Request Type
- ID
  - Save the username, return a random token
  - Same operation as the ident protocol
- ID_REC
  - Save the username, return a random token
  - Repeat recursively to the host that the user logged in from
  - Requires a random session identifier to identify cycles in the recursion
- SV
  - Save the username and additional information
- SV_REC
  - Hybrid of SV and ID_REC
Slide 14: ident Response Message
- Message format
  - <CL_PORT> , <SV_PORT> : <RESPONSE-TYPE> : <ADDITIONAL_INFORMATION>
- <ADDITIONAL_INFORMATION> specifies
  - the O.S. name and user id when the user is identified, or
  - a random token (unformatted character string) to protect privacy when OTHER is given as the O.S., or
  - an error message (INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR) when the user is not identified
Slide 15: Response Message Modification
- Instead of the operating system name, STOP always returns OTHER
- HIDDEN-USER is not used as an error message
- Only printable ASCII is allowed in the random token
Slide 16: STOP Protocol Grammar
<request>          ::= <port-pair> ":" <request-type> ":" <ip> <EOL>
<port-pair>        ::= <integer> "," <integer>
<request-type>     ::= "ID" | "ID_REC" ":" <sid> | "SV" | "SV_REC" ":" <sid>
<ip>               ::= <byte> "." <byte> "." <byte> "." <byte>
<sid>              ::= <int>
<EOL>              ::= CR LF
<reply>            ::= <port-pair> ":" <reply-text> <EOL>
<reply-text>       ::= <ident-reply> | <error-reply>
<ident-reply>      ::= "USERID" ":" "OTHER" "," <charset> ":" <user-token>
<error-reply>      ::= "ERROR" ":" <error-type>
<error-type>       ::= "INVALID-PORT" | "UNKNOWN-ERROR" | "NO-USER" | <error-token>
<charset>          ::= "US-ASCII"   (as defined in RFC 1340)
<user-token>       ::= 1*512<token-characters>
<error-token>      ::= "X" 1*63<token-characters>
<byte>             ::= integer value 0 to 2^8 in ASCII
<int>              ::= integer value 0 to 2^32 in ASCII
<token-characters> ::= all printable ASCII except ":"
Figure 2: STOP protocol grammar (the ":" field separators are those of RFC 1413)
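The grammar above is small enough to implement directly. The Python below is an added example, not code from the paper or from the oidentd-based daemon: it parses and serializes STOP requests and replies, enforces the token alphabet and length limits from Figure 2, and maps a malformed request to the error type a daemon would answer with. The ":" separators follow RFC 1413, the recursive request types are spelled ID_REC / SV_REC as elsewhere in the slides, and the 1..65535 port range is RFC 1413's; all three are assumptions where the figure is ambiguous.

```python
"""Parser and serializer for the STOP request/reply format of Figure 2.

Added example; this is not code from the paper or from the oidentd-based
daemon. The grammar is the slide's, with the ":" field separators taken from
RFC 1413 (STOP only changes the request-type and reply fields) and the
recursive request types spelled ID_REC / SV_REC as elsewhere in the slides.
"""
import re
from dataclasses import dataclass
from typing import Optional

# <token-characters>: printable ASCII except ":" (0x3a), which delimits fields.
_TOKEN_CHAR = r"[\x20-\x39\x3b-\x7e]"
_USER_TOKEN = re.compile(rf"^{_TOKEN_CHAR}{{1,512}}$")   # 1*512<token-characters>
_ERROR_TOKEN = re.compile(rf"^X{_TOKEN_CHAR}{{1,63}}$")  # "X" 1*63<token-characters>
_ERROR_TYPES = {"INVALID-PORT", "UNKNOWN-ERROR", "NO-USER"}  # HIDDEN-USER is never sent
_REQ_TYPES = {"ID", "ID_REC", "SV", "SV_REC"}


@dataclass(frozen=True)
class Request:
    cl_port: int
    sv_port: int
    req_type: str
    requester_ip: str
    sid: Optional[int] = None  # present only for ID_REC / SV_REC


@dataclass(frozen=True)
class Reply:
    cl_port: int
    sv_port: int
    token: Optional[str] = None  # USERID reply: the random token
    error: Optional[str] = None  # ERROR reply: the <error-type>


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:  # RFC 1413 port range (assumed)
        raise ValueError("INVALID-PORT")
    return int(text)


def _strip_eol(line: bytes) -> str:
    if not line.endswith(b"\r\n"):
        raise ValueError("missing CR LF")
    return line[:-2].decode("ascii")  # non-ASCII bytes raise as well


def parse_request(line: bytes) -> Request:
    """<port-pair> ":" <request-type> [":" <sid>] ":" <ip> <EOL>"""
    fields = _strip_eol(line).split(":")
    if len(fields) not in (3, 4):
        raise ValueError("malformed request")
    cl, _, sv = fields[0].partition(",")
    req_type = fields[1]
    if req_type not in _REQ_TYPES:
        raise ValueError("unknown request type")
    if req_type.endswith("_REC") != (len(fields) == 4):
        raise ValueError("<sid> is required for, and only for, *_REC requests")
    sid = None
    if len(fields) == 4:
        if not fields[2].isdigit() or int(fields[2]) >= 2**32:
            raise ValueError("bad <sid>")
        sid = int(fields[2])
    octets = fields[-1].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad <ip>")
    return Request(_port(cl), _port(sv), req_type, fields[-1], sid)


def error_for(line: bytes) -> Optional[str]:
    """The <error-type> a daemon should answer a bad request with, or None if it parses."""
    try:
        parse_request(line)
    except ValueError as exc:
        return "INVALID-PORT" if str(exc) == "INVALID-PORT" else "UNKNOWN-ERROR"
    return None


def format_request(req: Request) -> bytes:
    sid = f":{req.sid}" if req.sid is not None else ""
    return f"{req.cl_port},{req.sv_port}:{req.req_type}{sid}:{req.requester_ip}\r\n".encode("ascii")


def format_reply(cl_port: int, sv_port: int, token: str) -> bytes:
    """STOP always reports the opsys as OTHER; the user-id field carries the token."""
    if not _USER_TOKEN.match(token):
        raise ValueError("token must be 1..512 printable ASCII characters without ':'")
    return f"{cl_port},{sv_port}:USERID:OTHER,US-ASCII:{token}\r\n".encode("ascii")


def format_error(cl_port: int, sv_port: int, error: str) -> bytes:
    if error not in _ERROR_TYPES and not _ERROR_TOKEN.match(error):
        raise ValueError("bad <error-type>")
    return f"{cl_port},{sv_port}:ERROR:{error}\r\n".encode("ascii")


def parse_reply(line: bytes) -> Reply:
    """Requester side: accept exactly the two reply shapes the grammar allows."""
    fields = _strip_eol(line).split(":")
    cl, _, sv = fields[0].partition(",")
    ports = (_port(cl), _port(sv))
    if (len(fields) == 4 and fields[1] == "USERID" and fields[2] == "OTHER,US-ASCII"
            and _USER_TOKEN.match(fields[3])):
        return Reply(*ports, token=fields[3])
    if (len(fields) == 3 and fields[1] == "ERROR"
            and (fields[2] in _ERROR_TYPES or _ERROR_TOKEN.match(fields[2]))):
        return Reply(*ports, error=fields[2])
    raise ValueError("malformed reply")
```

Because a token may never contain ":", splitting a reply on ":" yields exactly four fields for USERID and three for ERROR, which is what makes the reply parser unambiguous; a daemon that let arbitrary bytes into the token would break every RFC 1413 client that splits the same way.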
Slide 17: STOP Daemon Properties
- Returns a cryptographically secure random token for all established connections
- When the ID option is selected, returns the actual username
- Returns an error message for requests about TCP sessions that were not initiated by the local host
Slide 18: Saving Process State
- Provide options for what process and system data to save for SV or SV_REC requests
- Example of process and system data
  - Process name, PID
  - Parent PID
  - Real and effective UID
  - Process start time, priority
  - Terminal device
  - List of open sockets, files, pipes
  - Host name
  - Boot time
  - Operating system, version, kernel date and build
  - Address of the machine that sent the request
  - Address and port of the remote end of the socket
  - Address and port of the local end of the socket
  - Type and time of the request
  - Entries from utmp for all users mentioned in the report
Slide 19: Recursion
- Generation of tokens along an entire path of hosts
- Send the original reply token to the requester
- Save the tokens from the recursive requests along with the original reply token
- A recursive request carries a random session identifier to prevent cycles and denial-of-service situations
- Process only one request of type ID_REC or SV_REC from the same host with the same session identifier within 120 s
Slide 20: Security Analysis
- If host Hi is compromised and the daemon on Hi is killed, the path can be traced back only as far as Hi
- If the daemon is tampered with, it either
  - does not save any data, or
  - does not send recursive requests, or
  - saves false user and recursive data
- In any case, data provided by STOP will have to be verified
Slide 21: Implementation
- Implemented by modifying the open-source ident daemon oidentd
- Run-time options
  - Always return random tokens instead of errors
  - Always return UNKNOWN-ERROR
  - Select the data to be saved for SV and SV_REC
  - Restrict the number of active lookups
- Built on Solaris 2.7, OpenBSD 2.8 and Debian Linux 2.2
Slide 22: Implementation (contd.)
- Resolved all pipes and sockets for a process, and recursively for its parent
- For SV and SV_REC requests, the data is stored and its hash value is returned as the random token
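The recursion rules of slide 19 and the hashed-report token of slide 22 fit together in a short simulation. The Python below is an added example, not the paper's or oidentd's code: three in-memory daemons form a stepping-stone chain, each one saves a report for the queried port pair, returns a token, forwards the request with the same session identifier to the host the user logged in from, and stores the upstream reply beside its own token. The (requesting host, sid) cache with a 120 s window is what terminates a looped chain, and for SV_REC the token is the SHA-256 of the saved report so an administrator can later check the stored data against it. Transport, the process-table lookup and the wire format are replaced by in-memory stand-ins; host names, ports, PIDs and user names are constructed for the scenario, and SHA-256 is my choice of hash since the slide does not name one.

```python
"""Simulated chain of STOP daemons answering ID_REC / SV_REC requests.

Added example, not the paper's or oidentd's code. Each daemon saves a report
for the queried port pair, returns a token, recurses with the same session
identifier to the host the user logged in from, and stores the upstream token
next to its own. A (requesting host, sid) cache refuses a repeat within 120 s,
which is what stops a looped chain. SV_REC tokens are the hash of the saved
report. Hosts, ports, PIDs and users below are constructed.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REPEAT_WINDOW_S = 120.0  # one *_REC request per (host, sid) in this window


@dataclass
class Connection:
    """Local view of one outbound TCP session and the login it descends from."""
    local_port: int
    remote_host: str
    remote_port: int
    user: str
    pid: int
    upstream: Optional[Tuple[str, int, int]] = None  # (host, its CL_PORT, its SV_PORT)


def _report_hash(record: dict) -> str:
    """Hash of the local part of a report (SHA-256 is this example's choice)."""
    local = {k: v for k, v in record.items() if not k.startswith("upstream_")}
    return hashlib.sha256(json.dumps(local, sort_keys=True).encode()).hexdigest()


class StopDaemon:
    def __init__(self, host: str, network: Dict[str, "StopDaemon"]):
        self.host = host
        self.network = network              # stand-in for reaching a peer's port 113
        self.connections: Dict[int, Connection] = {}
        self.saved: Dict[str, dict] = {}    # token -> report, released only by the admin
        self._recent: Dict[Tuple[str, int], float] = {}
        network[host] = self

    def add(self, conn: Connection) -> None:
        self.connections[conn.local_port] = conn

    def handle(self, req_type: str, cl_port: int, sv_port: int, sid: int,
               requester: str, now: float) -> str:
        """Token for the reply, or "ERROR:<type>"; `now` is injected for testing."""
        last = self._recent.get((requester, sid))
        if last is not None and now - last < REPEAT_WINDOW_S:
            return "ERROR:UNKNOWN-ERROR"   # same host, same sid, too soon: cycle or DoS
        self._recent[(requester, sid)] = now

        conn = self.connections.get(cl_port)
        if conn is None or (conn.remote_host, conn.remote_port) != (requester, sv_port):
            return "ERROR:NO-USER"         # not a session this host opened to the requester

        record = {"host": self.host, "user": conn.user, "pid": conn.pid, "type": req_type,
                  "sid": sid, "local_port": cl_port, "remote": [requester, sv_port], "time": now}
        # SV_REC: the stored report is hashed into the token. ID_REC: a fresh random token.
        token = _report_hash(record) if req_type == "SV_REC" else secrets.token_hex(16)

        if conn.upstream is not None:      # the user arrived from another host: recurse
            up_host, up_cl, up_sv = conn.upstream
            record["upstream_host"] = up_host
            record["upstream_reply"] = self.network[up_host].handle(
                req_type, up_cl, up_sv, sid, self.host, now)
        self.saved[token] = record
        return token


def verify_sv_token(daemon: StopDaemon, token: str) -> bool:
    """Admin check: does the stored SV_REC report still hash to the token issued for it?"""
    rec = daemon.saved.get(token)
    return rec is not None and rec["type"] == "SV_REC" and _report_hash(rec) == token


def resolve_chain(network: Dict[str, StopDaemon], host: str, token: str) -> List[Tuple[str, str]]:
    """Admin side: with each host's consent, follow the saved upstream tokens back."""
    path: List[Tuple[str, str]] = []
    while token in network[host].saved:
        rec = network[host].saved[token]
        path.append((host, rec["user"]))
        nxt = rec.get("upstream_reply")
        if nxt is None or nxt.startswith("ERROR:"):
            break
        host, token = rec["upstream_host"], nxt
    return path


def build_chain(loop: bool = False) -> Dict[str, StopDaemon]:
    """Constructed scenario: H0 -> H1 -> H2 -> victim V; with loop=True, H0 was itself reached from H2."""
    net: Dict[str, StopDaemon] = {}
    h0, h1, h2 = StopDaemon("H0", net), StopDaemon("H1", net), StopDaemon("H2", net)
    h0.add(Connection(5000, "H1", 22, "mallory", 101, ("H2", 5003, 22) if loop else None))
    h1.add(Connection(5001, "H2", 22, "guest", 202, ("H0", 5000, 22)))
    h2.add(Connection(5002, "V", 23, "www", 303, ("H1", 5001, 22)))
    if loop:
        h2.add(Connection(5003, "H0", 22, "www", 304, ("H1", 5001, 22)))
    return net
```

In the looped scenario H2 is asked twice with the same sid, once by the victim and once by H0, and the slide's rule keys on the requesting host, so H2 answers both; the recursion stops one hop later, when H1 sees a second request from H2 with a sid it handled less than 120 s ago. A daemon that keyed on the sid alone would stop one hop earlier, at the cost of refusing legitimate re-queries from a different investigator.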
Slide 23: Performance Results: Request Processing Time
Figure 3: Process tree with 6 unique processes (SCHED, INIT, SSHD, SSHD, CSH, TELNET) spanning hosts Hi-1, Hi and Hi+1.
Table I: Average lookup time for 6 unique processes.
Slide 24: Performance Results: Complex Process Environment
Figure 4: Process tree with 14 unique processes (SCHED, INIT, P1 to P10, P12 and P14, each labelled with a number from 1 to 14) spanning hosts Hi-1, Hi and Hi+1. Legend: inheritance, uni-directional pipe, Internet socket.
Slide 25:
Table II: Average lookup time for 14 unique processes.
Slide 26: Performance Results: System Performance
Table III: System performance data.
Slide 27:
Figure 5: STOP overhead.
Slide 28: Conclusion
- STOP facilitates tracing an attacker who is using a series of hosts
- STOP protects users' privacy by returning only a random token
- It is effective when many hosts are running it in a tightly constrained environment
- STOP can be used in parallel with other traceback techniques to provide application-level data to investigators
- STOP may not solve TCP connection-chain traceback in all situations
Slide 29: References
- B. Carrier and C. Shields, "A Recursive Session Token Protocol For Use in Computer Forensics and TCP Traceback", Proceedings of IEEE INFOCOM 2002, New York, June 2002.
- RFC 1413, Identification Protocol, February 1993, www.rfc-editor.org/rfc/rfc1413.txt