Security Basic - PowerPoint PPT Presentation
Slides: 25
Provided by: altair8

Transcript and Presenter's Notes

1
Security Basic Attacking Malicious Code
  • Presented by Jongpil Lee

2
Contents
  1. Intrusion-Detection Systems
  2. Monitoring and Recovering from Attacks
  3. Role of Virtual Machine Technology
  4. Intrusion-Detection Systems
  Attacking Malicious Code
3
Security
  • The most common way the security of a system is
    compromised is simply for an attacker to get
    access to the privileged part of the system
  • Another common type of attack exploits inherent
    weaknesses in system software
  • One common type of security hole involves
    unchecked accesses to C arrays

4
Security
Buffer overflow in a system program (diagram with three
scenarios, each crossing from User Mode into Supervisor
Mode and back):
  • Normal input: user invokes system program with
    normal input; system program performs its
    function and returns to user; user performs
    subsequent task
  • Tailored input: malicious user invokes system
    program with tailored input that causes buffer
    overflow in stack; return address in stack
    changed due to overflow; vulnerable system
    program performs function and returns to
    user-specified address, e.g., address of shell
    program; user gets full control of system
    through shell program running in supervisor mode
  • Faulty input: user invokes system program with
    faulty input that causes buffer overflow in
    stack; return address in stack clobbered due to
    overflow; vulnerable system program performs
    function and returns to illegal address; system
    exception
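As an added illustration of the diagram (not part of the original slides), the following Python models the stack frame of a system program as a byte array: a fixed-size input buffer immediately followed by the saved return address. The buffer size, the return address value and the sample inputs are all constructed. The unchecked copy is the defect the slides describe; the bounds-checked copy is the fix. An overlong input of filler bytes reproduces the third scenario (a clobbered, illegal return address); the second scenario differs only in that the spilled bytes happen to spell a valid address.

```python
# Constructed frame layout for the model: a 16-byte input buffer immediately followed by the
# 8-byte saved return address. Real stack frames differ in detail, but this is the relationship
# the slide's diagram relies on.
BUF_SIZE = 16
RET_SIZE = 8
FRAME_SIZE = BUF_SIZE + RET_SIZE

RETURN_TO_CALLER = 0x1000        # constructed: the legitimate return address into the caller


def new_frame():
    """Fresh frame: empty buffer, saved return address pointing back at the caller."""
    frame = bytearray(FRAME_SIZE)
    frame[BUF_SIZE:] = RETURN_TO_CALLER.to_bytes(RET_SIZE, "little")
    return frame


def saved_return(frame):
    """Read the saved return address back out of the frame."""
    return int.from_bytes(frame[BUF_SIZE:], "little")


def unchecked_copy(frame, data):
    """The defect from the slides: the copy loop trusts the input length, so bytes beyond
    BUF_SIZE land on whatever follows the buffer, here the saved return address."""
    for i, b in enumerate(data):
        if i >= len(frame):
            break                    # the model stops at the frame edge; C would keep writing
        frame[i] = b
    return frame


def checked_copy(frame, data):
    """The fix: check the length against the buffer before copying anything."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame[:len(data)] = data
    return frame


def system_program(copy_fn, data):
    """Run the 'system program' with one of the copy routines and report where it would return."""
    frame = new_frame()
    try:
        copy_fn(frame, data)
    except ValueError as err:
        return ("rejected", str(err))
    ret = saved_return(frame)
    if ret == RETURN_TO_CALLER:
        return ("returns to caller", ret)
    # Control flow is now decided by the input: an illegal address means a system exception,
    # a deliberately chosen one means the input picks where supervisor-mode execution continues.
    return ("clobbered return address", ret)


if __name__ == "__main__":
    NORMAL = b"hello"                 # constructed normal input
    FAULTY = b"A" * 24                # constructed overlong input: 16 bytes fill the buffer, 8 spill over
    for copy_fn in (unchecked_copy, checked_copy):
        for data in (NORMAL, FAULTY):
            print(copy_fn.__name__, len(data), "bytes ->", system_program(copy_fn, data))
```

The point to take from the model is that the check belongs before the copy, not after: once the unchecked loop has run, the saved return address is already whatever the input made it.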
5
Security Intrusion-Detection Systems
  • Intrusion-detection system
    • examines a computer to check for potential attacks
    • depends on general knowledge of how potential
      attacks may take place
  • Network-based intrusion-detection system (NIDS)
  • Host-based intrusion-detection system (HIDS)
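As an added example of what a host-based IDS does with "general knowledge of how attacks may take place" (this is added illustration, not code from the slides), the Python below encodes two simple host-based rules and runs them over constructed input: a burst of failed logins from one source within a short window, and a change to an important file detected against a hash baseline. The log lines, file paths and file contents are all constructed samples.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (syslog style); not from the slides.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[911]: Failed password for root from 203.0.113.5 port 50211 ssh2
Mar 10 08:00:09 host sshd[912]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar 10 08:00:15 host sshd[913]: Failed password for admin from 203.0.113.5 port 50213 ssh2
Mar 10 08:00:40 host sshd[914]: Accepted password for alice from 198.51.100.7 port 41022 ssh2
Mar 10 08:05:00 host sshd[915]: Failed password for bob from 198.51.100.9 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def detect_login_bursts(log_text, threshold=3, window_s=60):
    """Rule 1: `threshold` or more failed logins from one source within `window_s` seconds
    raise one alert per burst."""
    recent = defaultdict(list)          # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
        window = [t for t in recent[m["src"]] if (ts - t).total_seconds() <= window_s]
        window.append(ts)
        if len(window) >= threshold:
            alerts.append(("brute_force", m["src"], len(window)))
            window = []                  # reset so one burst produces one alert
        recent[m["src"]] = window
    return alerts


def baseline_hashes(files):
    """Record the SHA-256 of each important file while the system is known to be clean."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def check_integrity(baseline, files):
    """Rule 2: report important files that changed, vanished, or appeared since the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if path not in files:
            alerts.append(("file_missing", path))
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            alerts.append(("file_modified", path))
    alerts += [("file_added", p) for p in files if p not in baseline]
    return alerts


# Constructed file contents: the baseline, then a later snapshot where sshd_config was changed.
FILES_AT_BASELINE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
FILES_LATER = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
}


def run_hids():
    """Run both rules over the constructed data and return the combined alert list."""
    return detect_login_bursts(SAMPLE_LOG) + check_integrity(
        baseline_hashes(FILES_AT_BASELINE), FILES_LATER
    )


if __name__ == "__main__":
    for alert in run_hids():
        print(alert)
```

Both rules are only as good as the knowledge baked into them: the threshold and window decide what counts as a burst, and the file baseline must be taken while the system is known to be clean, which is the same dependency on "general knowledge" the slide names.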

6
Security Monitoring and Recovering from Attacks
  • Logging
    • saves information about critical activity on a
      system
    • e.g., login attempts and accesses or changes to
      certain important files on the system
  • Requirements on system logs
    • A checkpoint of the system must be available for
      some point in the past
    • External events must be logged in sufficient
      detail so that they can be simulated accurately
      when the system is being replayed

7
Security Role of Virtual Machine Technology
  • Three examples of the use of virtual machines in
    the area of system security
    • Virtual Machine as a Sandbox
    • Virtual Machine for Monitoring Low-Level Activity
    • Secure and Complete Logging Using Virtual Machines

8
Security Role of Virtual Machine Technology
  • Virtual Machine as a Sandbox
    • Virtual machines allow the isolation of complete
      system environments from one another
    • This ability to isolate a virtual machine makes
      it useful as a tool for closely examining the
      effects of an attack after it has occurred
    • Sandbox for
      • testing intrusion-detection schemes
      • permitting attacks that can be monitored
      • cloning systems that have been attacked

9
Security Role of Virtual Machine Technology
  • Virtual Machine for Monitoring Low-Level Activity
    • Two ways to configure an IDS in a virtual machine
      system
      • The IDS can be written as a separate process in
        its own virtual machine, or on the host operating
        system of a hosted virtual machine, with special
        access to the functions of the VMM through a
        dedicated interface (e.g., the Livewire system)
      • The IDS can be integrated with the VMM

10
Security Role of Virtual Machine Technology
  • The OS interface library
    • provides an OS-level view of the monitored
      virtual machine, obtained by interpreting the
      metadata returned by the guest OS through the VMM
  • Policy engine
    • provides a framework to implement common policies
      as well as a set of policy modules, each of which
      implements an intrusion-detection scheme

11
Security Role of Virtual Machine Technology
  • Secure and Complete Logging Using Virtual
    Machines
    • A log of the activity on a system enables
      analysis of the events associated with an attack
  • Logging method
    • A common method: record all accesses to important
      and critical parts of the system
    • The sequence of inputs, with the time recorded
      during the execution
    • A better reference for recording nondeterministic
      events is the number of instructions that have
      been completed by the machine rather than the
      time on the system clock
    • A more efficient and equally effective measure
      is the number of branches that have been executed
      by the machine
    • Counting events (e.g., the number of
      instructions/branches executed) is accomplished
      by setting special performance counters visible
      at the ISA level
    • To ensure the delivery of a nondeterministic
      event at a precise point in the computation, they
      use a two-phase technique
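The following added Python example (illustration only, not code from the slides or from any real logging system) ties together the log requirements of slide 6 and the instruction-count reference of this slide. A toy accumulator machine counts completed instructions; the original run takes a checkpoint and logs each external event with the instruction count at which it was delivered; the replay restarts from the checkpoint and re-delivers each event at exactly that count. The slides do not describe their two-phase technique, so the replay models it as an assumption: run whole blocks of instructions while the next event is far away, then single-step to the precise delivery point. The program, the event schedule and the block size are constructed.

```python
import copy

# Constructed toy program: 10 iterations of "add 1; consume one queued input (0 if none); multiply by 3".
PROGRAM = [("add", 1), ("consume", 0), ("mul", 3)] * 10

# Constructed arrival schedule of nondeterministic external events (think: incoming packets),
# keyed by the instruction count at which they reach the machine during the original run.
ARRIVALS = {4: 7, 13: 9, 22: 5}


class Machine:
    """Tiny accumulator machine; `icount` models the ISA-level counter of completed instructions."""

    def __init__(self):
        self.acc = 0
        self.inbox = []
        self.icount = 0

    def deliver(self, value):
        self.inbox.append(value)

    def step(self, program):
        op, arg = program[self.icount]
        if op == "add":
            self.acc += arg
        elif op == "consume":
            self.acc += self.inbox.pop(0) if self.inbox else 0
        elif op == "mul":
            self.acc *= arg
        self.icount += 1

    def snapshot(self):
        return copy.deepcopy(self)


def record(program, arrivals, checkpoint_at):
    """Original run: take a checkpoint, deliver events as they arrive, and log (icount, value)
    for every event. Returns the final accumulator, the checkpoint, and the log."""
    m, log, ckpt = Machine(), [], None
    while m.icount < len(program):
        if m.icount == checkpoint_at:
            ckpt = m.snapshot()
        if m.icount in arrivals:
            m.deliver(arrivals[m.icount])
            log.append((m.icount, arrivals[m.icount]))
        m.step(program)
    return m.acc, ckpt, log


def replay(program, ckpt, log, block=4, skew=0):
    """Replay from the checkpoint, re-delivering each logged event at its recorded instruction
    count. Delivery is two-phase (an assumption about the slides' technique, modelled as
    coarse-then-fine): run `block` instructions at a time while the next event is further away
    than a block, then single-step to the exact count. `skew` shifts delivery by that many
    instructions to show what an imprecise reference (e.g. wall-clock time) would do."""
    m = ckpt.snapshot()
    pending = [(ic + skew, v) for ic, v in log if ic + skew >= m.icount]
    while m.icount < len(program):
        if pending and pending[0][0] == m.icount:
            m.deliver(pending.pop(0)[1])
        if pending and pending[0][0] - m.icount > block:
            for _ in range(block):            # phase 1: run a whole block, event still far away
                m.step(program)
        else:
            m.step(program)                   # phase 2: single-step up to the delivery point
    return m.acc


if __name__ == "__main__":
    final_acc, ckpt, log = record(PROGRAM, ARRIVALS, checkpoint_at=9)
    print("recorded:", final_acc, "log:", log)
    print("replayed:", replay(PROGRAM, ckpt, log))
    print("one instruction late:", replay(PROGRAM, ckpt, log, skew=1))
```

Delivering an event even one instruction late changes which `consume` picks it up, so the replayed state diverges from the recorded one; that is why the slide prefers a counter of completed instructions or branches over the system clock as the reference.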

12
Security Role of Virtual Machine Technology
13
Security Role of Dynamic Binary Rewriting
Technology in Security
  • The ability to control the execution of a program
    through the runtime makes it possible for the
    runtime to sandbox the execution of a program
  • This is the principle behind program shepherding
  • The fundamental idea behind program shepherding
    is that a program can be adequately protected by
    ensuring that
    • every branch or jump is to a legal location
    • every branch into a code region originates from
      either another part of the same program or from
      some other trusted location on the system

14
Security Role of Dynamic Binary Rewriting
Technology in Security
  • Restricting Control Transfers
    • Ways in which control transfers can be
      restricted
      • Add instrumentation at each branch and jump site
        to check the validity of the target
      • A more effective way of achieving this is through
        techniques used in dynamic binary optimization
    • To ensure that the code being executed is not
      maliciously modified, the code cache itself
      should be protected by making it writable only
      when the runtime is in control
  • Management of control flow transfers
    • For each direct branch from one cached basic
      block to another, security checks are performed
      at the time the basic blocks are linked
    • A link is added only if the security policy
      allows a direct transfer
    • Otherwise control returns to a runtime routine
      that checks for and handles all potential
      security violations

15
Security Role of Dynamic Binary Rewriting
Technology in Security
  • Restricting Code Execution
    • Modern program binary file formats separate the
      code sections from the data sections and allow
      loaders to write-protect code pages as they are
      brought into memory
    • There are two cases of importance
      • The first is the case of new sections of code
        that are created and then loaded for execution
      • The second case occurs when code and data are
        shared on the same page
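As an added illustration of slides 13 to 15 (not code from the slides or from any real shepherding system), the Python below is a toy runtime that executes a constructed "binary" of basic blocks from its own code cache. Every control transfer is checked against the two rules of slide 13 (the target is a legal entry point in trusted code, and the transfer comes from the same program or a trusted location); direct branches are checked once when the blocks are linked, indirect branches every time; the code cache is writable only while the runtime holds control; and a block marked as non-executable data can never become a branch target. The program, the module names and the policy are all constructed.

```python
class SecurityViolation(Exception):
    pass


# Constructed "binary": basic blocks by name. Each has a module, a straight-line body, and an exit
# transfer. The heap block stands for attacker-writable data that must never become a branch target.
PROGRAM = {
    "app:main":  {"module": "app",  "body": [("add", 5)],   "exit": ("jmp", "app:work")},
    "app:work":  {"module": "app",  "body": [("mul", 3)],   "exit": ("jmp_reg", "r1")},
    "app:done":  {"module": "app",  "body": [("add", 1)],   "exit": ("jmp", "libc:exit")},
    "libc:exit": {"module": "libc", "body": [],             "exit": ("halt",)},
    "heap:buf":  {"module": "heap", "body": [("add", 999)], "exit": ("halt",), "executable": False},
}
TRUSTED = {"app", "libc"}     # constructed policy: code may only live in these modules


class Shepherd:
    """Runtime that runs an application from its own code cache and checks every control transfer."""

    def __init__(self, program, trusted_modules):
        self.program = program          # block name -> module / body / exit
        self.trusted = trusted_modules
        self.cache = {}                 # code cache: block name -> copied body
        self.links = set()              # direct branches already verified at link time
        self.cache_writable = False     # cache is write-protected while application code runs

    def _fetch(self, name):
        """Copy a block into the cache; the cache is unlocked only while the runtime is in control."""
        if name not in self.cache:
            self.cache_writable = True
            self.cache[name] = list(self.program[name]["body"])
            self.cache_writable = False
        return self.cache[name]

    def write_cache(self, name, body):
        """Model of a write to the code cache: refused unless the runtime holds control."""
        if not self.cache_writable:
            raise SecurityViolation("code cache is write-protected while the application runs")
        self.cache[name] = list(body)

    def _legal(self, src, dst):
        """Slide 13's rules: the target is an executable entry point of a trusted module, and the
        transfer originates from the same program or from another trusted location."""
        blk = self.program.get(dst)
        if blk is None or not blk.get("executable", True):
            return False                                   # data page, or not a block entry
        if blk["module"] not in self.trusted:
            return False
        src_mod = self.program[src]["module"]
        return src_mod == blk["module"] or src_mod in self.trusted

    def transfer(self, src, dst, direct):
        if direct and (src, dst) in self.links:
            return dst                                     # already linked: no check on the fast path
        if not self._legal(src, dst):
            raise SecurityViolation(f"{src} -> {dst}")
        if direct:
            self.links.add((src, dst))                     # a link is added only if policy allows it
        return dst

    def run(self, entry, regs, max_blocks=100):
        pc, acc = entry, 0
        for _ in range(max_blocks):
            for op, arg in self._fetch(pc):
                acc = acc + arg if op == "add" else acc * arg
            exit_ = self.program[pc]["exit"]
            if exit_[0] == "halt":
                return acc
            if exit_[0] == "jmp":                          # direct branch: checked when linked
                pc = self.transfer(pc, exit_[1], direct=True)
            else:                                          # indirect branch: target comes from a register
                pc = self.transfer(pc, regs[exit_[1]], direct=False)
        raise RuntimeError("block limit reached")


def execute(regs, program=PROGRAM, trusted=TRUSTED):
    """Run the constructed program and report either the result or the blocked transfer."""
    try:
        return ("halted", Shepherd(program, trusted).run("app:main", regs))
    except SecurityViolation as err:
        return ("violation", str(err))


if __name__ == "__main__":
    print(execute({"r1": "app:done"}))     # register holds a legal target
    print(execute({"r1": "heap:buf"}))     # register was overwritten to point at data
    print(execute({"r1": "app:work+3"}))   # register points into the middle of a block
```

The register `r1` plays the role of any indirect target (a return address or function pointer); the checked run succeeds, while a value pointing at a data page or at something that is not a block entry is refused by the runtime routine before any code at that address runs.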

16
Attacking Malicious Code
17
Attacking Malicious Code
  • What is Malicious Code?
    • Malicious code is any code added, changed, or
      removed from a software system to intentionally
      cause harm or subvert the system's intended
      function.

18
Attacking Malicious Code
  • A Growing Problem
    • Networks are everywhere
      • The growing connectivity of computers through the
        Internet has increased both the number of attack
        vectors and the ease with which an attack can be
        made
      • Because access through a network does not require
        human intervention, launching automated attacks
        from the comfort of your living room is easy
    • System complexity is rising
      • Windows/NT consists of tens of millions of lines
        of code, and associated applications are becoming
        equally complex
      • The use of unsafe programming languages
        exacerbates the problem
      • Improper configuration can open the door to
        malicious code
    • Systems are easily extensible
      • The very nature of extensible systems makes it
        hard to prevent malicious code from slipping in
        as an unwanted extension

19
Attacking Malicious Code
  • Defense against Malicious Code
    • There are four approaches that the host can take
      to protect itself
      • Analyze the code and reject it if there is the
        potential that executing it will cause harm
      • Rewrite the code before executing it so that it
        can do no harm
      • Monitor the code while it is executing and stop it
        before it does harm, or
      • Audit the code during execution and take policing
        action if it did some harm
  • Stick to your Principles
    • To protect against this common failing, it is
      important to follow well-established security
      principles when designing security policies
    • The Principle of Least Privilege
      • a component should be given the minimum access
        necessary to accomplish its intended task
    • The Principle of Minimum Trusted Computing
      Base (TCB)
      • The TCB is the set of hardware and software
        components that make up our security enforcement
        mechanisms
      • The best way to assure that your system is secure
        is to keep your TCB small and simple

20
Attacking Malicious Code
  • Current Defenses
    • OS-Based Reference Monitors
      • Address translation hardware, distinct
        supervisor and user modes, timer interrupts,
        and system calls serve in combination to enforce
        limited forms of availability, fault containment,
        and authorization properties
    • Scanning for known malicious code
      • Blacklisting matches programs against a database
        of known virus signatures
      • Unknown malicious code will easily get by these
        simple defenses to carry out its dirty work
      • It is too easy to make trivial changes to
        malicious code to thwart almost every
        blacklisting scheme
    • Code Signing
      • Code signing is an approach for authenticating
        code based on public-key cryptography and digital
        signatures

21
Attacking Malicious Code
  • Promising New Defenses
    • Software-Based Reference Monitors
      • The basic idea is to rewrite binary code by
        inserting checks on each memory access and each
        control transfer to ensure that those accesses
        are valid
    • Type-safe languages
      • Type systems that support type abstraction let
        programmers specify new, abstract types and
        signatures for operations that prevent
        unauthorized code from applying the wrong
        operations to the wrong values
    • Proof-Carrying Code
      • The basic idea is to require any untrusted code
        to come equipped with an explicit,
        machine-checkable proof that the code respects a
        given security policy

22
Attacking Malicious Code
  • Policy as Achilles' Heel
    • When policy breaks down
      • Bad policy allows malicious code to do something
        malicious because the policy does not forbid it
      • Incorrectly enforced policy allows code to do
        something malicious even if it is correctly
        forbidden by policy

23
Attacking Malicious Code
  • The Many Levels of Policy
    • How do we set policy to combat malicious code?
    • The key is to focus on defining metalevel
      policies that system administrators work with
      naturally, in terms of collections of lower-level
      enforcement mechanisms
    • The problem is that low-level properties do not
      align nicely with what most security
      administrators think of as policy building blocks
    • The answer is to understand policy as a layered
      set of abstractions

24
Thank You !