Title: Security%20Basic%20
1Security Basic Attacking Malicious Code
2Contents
1
Intrusion-Detection Systems
2
Monitoring and Recovering from Attacks
3
Role of Virtual Machine Technology
4
Intrusion-Detection Systems
Attacking Malicious Code
3Security
- The most common way the security of a system is
compromised is simply for an attacker to get
access to the privileged part of the system - Another common type of attack exploits inherent
weaknesses in system software - One Common type of security hole involves
unchecked accesses to C arrays
4Security
User Mode
Supervisor Mode
User Mode
Supervisor Mode
User invokes system program with normal input
Malicious user invokes system program with
tailored input that causes buffer overflow in
stack
Return address in stack changed due to
overflow vulnerable system program performs
fuction and returns to user-specified address,
e.g., address of shell program
System program performs function and returns to
user
User performs subsequent task
User gets full control of system through
shell program running in supervisor mode
User Mode
Supervisor Mode
User invokes system program with faulty input
that causes buffer overflow in stack
Return address in stack clobbered due
to overflow vulnerable system program
performs function and returns to illegal address
system exception
5Security Intrusion-Detection Systems
- Intrusion-detection System
- examine a computer to check for potential attacks
- depend on the general knowledge of how potential
attacks may take place - Network-based intrusion-detection system(NIDS)
- Host-based intrusion-detection system(HIDS)
6Security Monitoring and Recovering from Attacks
- Logging
- saves information about critical activity on a
system - e.g., login attempts and accesses or changes to
certain important files on the system - The requirements of system logs
- A checkpoint of the system must be available for
some point in the past - External events must be logged in sufficient
detail so that they can be simulated accurately
when the system is being replayed
7Security Role of Virtual Machine Technology
- Three examples of the use of virtual machines in
the area of system security - Virtual Machine as a Sandbox
- Virtual Machine for Monitoring Low-Level Activity
- Secure and Complete Logging Using Virtual Machines
8Security Role of Virtual Machine Technology
- Virtual Machine as a SandBox
- Virtual machines allow the isolation of complete
system environments from one another - This ability to isolate a virtual machine makes
it useful as a tool for closely examining the
effects of an attack after it has occured
- Sandbox for
- testing intrusion-detection schemes
- permitting attacks that can be monitored
- cloning systems that have been attacked
9Security Role of Virtual Machine Technology
- Virtual Machine for Monitoring Low-Level Activity
- Two ways to configure an IDS in a virtual machine
system - The IDS can be written as a separate process in
its own virtual machine, or on the host operating
system of a hosted virtual machine, with special
access to the functions of the VMM through a
dedicated interface - Ex) Livewire System
- The IDS can be integrated with the VMM
10Security Role of Virtual Machine Technology
- The OS interface library
- provides an OS-level view of the monitored
virtual machine, obtained by interpreting the
metadata returned by the guest OS through the VMM - policy engine
- provides a framework to implement common policies
as well as a set of policy modules each of which
implements an intrusion-detection scheme
11Security Role of Virtual Machine Technology
- Secure and Complete Logging Using Virtual
Machines - A log of the activity on a system enables
analysis of the events associated with an attack - Logging method
- A common method
- record all accesses to important and critical
parts of the system - The sequence of inputs with the time recorded
during the execution - A better reference for recording nondeterministic
events is the number of instructions that have
been completed by the machine rather than the
time on the system clock - A more efficient and an equally effective measure
is the number of branches that have been executed
by the machine - Counting events(ex the number of inst/branches
executed) is accomplished through the setting of
special performance counters visible at the ISA
level - To ensure the delivery of a nondeterministic
event at a precise point in the computation, they
use a two-phase technique
12Security Role of Virtual Machine Technology
13Security Role of Dynamic Binary Rewriting
Technology in Security
- The ability to control the execution of a program
through the runtime makes it possible for the
runtime to sandbox the execution of a program - This is the principle behind program shepherding
- The fundamental idea behind program shepherding
is that a program can be adequately protected by
ensuring that - every branch or jump is to a legal location
- every branch into a code region originate from
either another part of the same program or from
some other trusted location on the system
14Security Role of Dynamic Binary Rewriting
Technology in Security
- Restricting Control Transfers
- The way in which control transfers can be
restricted - To add instrumentation at branch and jump site to
check the vailidty of the target - A more effective way of achieving this is through
techniques used in dynamic binary optinization - In order to ensure that the code being executed
is not maliciously modified, the code cache
itself should be protected by making it writable
only when the runtime is in control - Management of control flow transfers
- For each direct branch from one cached basic
block to another, security checks are performed
at the time the basic blocks are linked - A link is added only if the security policy
allows a direct transfer - Otherwise control returns to a runtime routine
that checks for and handles all potential
security violation
15Security Role of Dynamic Binary Rewriting
Technology in Security
- Restricting Code Execution
- Modern program binary file formats separate the
code sections from the data sections and allow
loaders to write protect code pages as they are
brought into memory - There are two cases of importance
- The first is the case of new sections of code
that are created and then loaded for execution - The second case occurs when code and data are
shared on the same page
16Attacking Malicious Code
17Attacking Malicious Code
- What is Malicious Code?
- Malicious code is any code added, changed, or
removed from a software system to intentionally
cause harm or subvert the systems intended
function.
18Attacking Malicious Code
- A Growing Problem
- Networks are everywhere
- The growing connectivity of computers through the
Internet has increased both the number of attack
vectors and the ease with which an attack can be
made - Because access through a network does not require
human intervention, launching automated attacks
from the comfort of your living room is easy - System complexity is rising
- Windows/NT consists of tens of millions of lines
of code, and associated applications are becoming
equally complex - The use of unsafe programming languages
exacerbate the problem - Improper configuration can open the door to
malicious code - Systems are easily extensible
- the very nature of extensible systems makes it
hard to prevent malicious code from slipping in
as an unwanted extension
19Attacking Malicious Code
- Defense against Malicious Code
- There are four approaches that the host can take
to protect itself - Analyze the code and reject it if there is the
potential that executing it will cause harm - Rewrite the code before executing it so that it
can do no harm - Monitor the code while its executing and stop it
before it does harm or - Audit the code during executing and take policing
action if it did some harm - Stick to your Principles
- To protect against this common failing, it is
important to follow well-established security
principles when designing security policies - The Principle of least Privilege
- a component should be given the minimum access
necessary to accomplish its intended task - The Principle of Minimum Trusted Computing
Base(TCB) - The TCB is the set of h/w and s/w components that
make up our security enforcement mechanisms - The best way to assure that your system is secure
is to keep your TCB small and simple
20Attacking Malicious Code
- Current Defenses
- OS-Based Reference Monitors
- Address translation hardware, distinct
supervisor- and user- modes, timer interrupts,
and system calls serve in combination to enforce
limited forms of availability, fault containment,
and authorization properties - Scanning for known malicious code
- Blacklisting matches programs against a database
of known virus signatures - Unknown malicious code will easily get by the
simple defenses to carry out its dirty work - It is too easy to make trivial changes to
malicious code to thwart almost every black
listing scheme - Code Signing
- Code signing is an approach for authenticating
code based on public-key cryptography and digital
signatures
21Attacking Malicious Code
- Promising New Defenses
- Software-Based Reference Monitors
- Their basic idea is to rewrite binary code by
inserting checks on each memory access and each
control transfer to ensure that those accesses
are valid - Type-safe language
- Type systems that support type abstraction let
programmers specify new, abstract types and
signatures for operations that prevent
unauthorized code from applying the wrong
operations to the wrong values - Proof-Carrying Code
- The basic idea is to require any untrusted code
to come equipped with an explicit,
machine-check-able proof that code respects a
given security policy
22Attacking Malicious Code
- Policy as Achilles Heel
- When Policy breaks down
- Bad policy allows malicious code to do something
malicious because policy does not forbid it - Incorrectly enforced policy allows code to do
something malicious even if it is correctly
forbidden by policy.
23Attacking Malicious Code
- The Many Levels of Policy
- How are we set policy to combat malicious code?
- The key is to focus on defining metalevel
policies that system administrators work with
naturally in terms of collections of lower-level
enforcement mechanism - The problem is that low-level properties do not
align nicely with what most security
administrators think of as policy building blocks - The answer is to understand policy as a layered
set of abstractions
24Thank You !
Your Slogan