A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier - PowerPoint PPT Presentation

Loading...

PPT – A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier PowerPoint presentation | free to view - id: a81e3-OWI0N



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier

Description:

Only printable ASCII allowed in the random token ... token-characters ::= All printable ASCII except ':' Figure 2: STOP Protocol Grammar ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 30
Provided by: Tech76
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: A Recursive Session Token Protocol for use in Computer Forensics and TCP Traceback Brian Carrier


1
A Recursive Session Token Protocol for use in
Computer Forensics and TCP Traceback- Brian
Carrier Clay Shields
  • Pallavi Phene
  • phene_at_cs.uh.edu
  • 21st March, 2003

2
Motivation
H0
H1
H2
Hn-1
Hn
C0
C1
Cn-1
Figure 1 Connection Chain example between host
H0 Hn.
3
Motivation (contd)
  • Technique to address stone stepping
  • Administrative hop-by-hop traceback not effective
  • Insufficient resources
  • Insufficient knowledge about the connection
  • Lack of trust in the requesting party

4
Outline
  • Connection Chain Traceback
  • Identification (ident) Protocol
  • Session Token Protocol (STOP)
  • Implementation
  • Performance Results
  • Conclusion
  • References

5
Connection Chain Traceback
  • Network Based Solutions
  • Analysis of Content-Based Thumbprints
  • Timing Analysis of user idle times
  • Analysis of TCP Sequence s
  • Host Based Solutions
  • Caller ID systems

6
Identification Protocol
  • RFC 1413
  • Allows server to identify client-side user name
  • TCP Port for ident protocol ? 113
  • Terminology
  • CL_PORT ? client side TCP port
  • SV_PORT ? server side TCP port

7
ident Operation
2) Detect attack or intrusion
6) Determine which process has connection from
ltCL_PORTgt to ltSV_PORTgt
3) Initiate identification traceback
8
Limitations of ident Protocol
  • Invasive
  • Daemon can return the username of any service
    (even if it did not originate the message)
  • Enhancements return random token, or encrypt
    user id

9
Session TOken Protocol
  • Extension of ident protocol
  • Developed for investigation of stepping-stone
    chains while maintaining privacy

10
Basic Operation of STOP
Save application-level data about process and
user when connection is established
STOP Daemon
Token must be presented to system administrator
for authorization to obtain actual user
information
11
Protocol Design Goals
  • Backward compatibility
  • Authentication of requester
  • Ability to request additional data storage
  • Ability to request path trace
  • Configurable to satisfy system security policy
  • Efficient implementation
  • Allow request from hosts outside the contention
    chain

12
Protocol Design
  • Modification of ident Messages
  • Modify Request Message
  • to provide more options
  • Modify Response Message
  • to protect privacy

13
Request Message Modification Request Type
  • ID
  • Save username, return random token
  • Same operation as ident protocol
  • ID_REC
  • Save username, return random token
  • Repeat recursively to the host that user logged
    in from
  • Requires random session identifier to identify
    cycles in the recursion
  • SV
  • Save username and additional information
  • SV_REC
  • Hybrid of SV and ID_REC

14
Ident Response Message
  • Message format
  • ltCL_PORTgt , ltSV_PORTgt ltRESPONSE-TYPEgt
    ltADDITIONAL_INFORMATIONgt
  • ltADDITIONAL_INFORMATIONgtspecifies
  • O.S. user id when the user is identified or
  • random token (unformatted character string) to
    protect privacy when OTHER is specified
  • Error message (INVALID_PORT, NO_USER,
    HIDDEN_USER, UNKNOWN_ERROR) when user is not
    identified

15
Response Message Modification
  • Instead of Operating system name, STOP always
    returns OTHER
  • HIDDEN_USER will not be used as an error
    message
  • Only printable ASCII allowed in the random token

16
ltrequestgt ltport-pairgt "" ltrequest-typegt ""
ltipgtltEOLgt ltport-pairgt ltintegergt ","
ltintegergt ltrequest-typegt "ID" "ID REC" ""
ltsidgt "SV" "SV REC" "" ltsidgt ltipgt
ltbytegt"."ltbytegt"."ltbytegt"."ltbytegt ltsidgt
ltintgt ltEOLgt CR LF ltreplygt ltport-pairgt ""
ltreply-textgt ltEOLgt ltreply-textgt ltident-replygt
lterror-replygt ltident-replygt "USERID" ""
"OTHER" "," ltcharsetgt "" ltuser-tokengt lterror-re
plygt "ERROR" "" lterror-typegt lterror-typegt
"INVALID-PORT" "UNKNOWN-ERROR" "NO-USER"
lterror-tokengt ltcharsetgt "US-ASCII" as
defined in RFC 1340 ltuser-tokengt
1512lttoken-charactersgt lterror-tokengt
"X"163lttoken-charactersgt ltbytegt integer
values 0 to 28 in ASCII ltintgt integer values
0 to 232 in ASCII lttoken-charactersgt All
printable ASCII except ""
Figure 2 STOP Protocol Grammar
17
STOP Daemon properties
  • Return a cryptographically secure random token
    for all established connections
  • When ID option selected return actual username
  • Return error message for request of TCP sessions
    that were not initiated by the local host

18
Saving Process State
  • Provide options for what process and system data
    to save for SV or SV_REC requests
  • Example of process data
  • Process name PID
  • Parent PID
  • Real effective UID
  • Process start time priority
  • Terminal device
  • List of open sockets, files, pipes
  • Host name
  • Boot time
  • Operating System, version, kernel date and build
  • Address of machine that sent the request
  • Address and port of remote end of socket
  • Address and port of local end of socket
  • Type and time of request
  • Entries from utmp for all users mentioned in the
    report

19
Recursion
  • Generation of tokens along an entire path of
    hosts
  • Send original reply token to the requester
  • Save tokens from recursive requests along with
    original reply token
  • Recursive request contains a random session
    identifier to prevent cycles and denial of
    service situations
  • Process only one request of type ID_REC or SV_REC
    from the same host with the same session
    identifier for the last 120s.

20
Security Analysis
  • If host Hi is compromised and the daemon on Hi is
    killed then the path can be traced back to only
    Hi
  • If the daemon is tampered then either it
  • Does not save any data or
  • Does not send recursive requests or
  • Saves false user and recursive data
  • In any case, data provided by STOP will have to
    be verified

21
Implementation
  • Implemented by modifying the open source version
    of ident daemon called oidentd
  • Run-time options
  • Always return random tokens instead of errors
  • Always return UNKNOWN_ERROR
  • Select data to be saved for SV and SV_REC
  • Restrict the number of active lookups
  • Built on Solaris 2.7, OpenBSD 2.8 and Debian
    Linux 2.2

22
  • Resolved all pipes and sockets for a process and
    recursively for its parent
  • For SV and SV_REC requests, data is stored and
    its hashed value is returned as the random token

23
Performance Results Request Processing Time
  • Simple Process Tree

Hi
SCHED
INIT
SSHD
Hi-1
SSHD
CSH
Table I Average Lookup Time for 6 Unique
Processes
TELNET
Hi1
Figure 3 Process Tree with 6 unique processes
24
  • Complex Process Environment

4 SCHED
Hi
Figure 4 Process Tree with 14 unique processes
3 INIT
Hi-1
2 P3
14 P1
13 P2
Hi1
1 P4
12 P5
11 P8
7 P7
10 P6
6 P10
9 P9
Inheritance Uni-directional Pipe Internet Socket
5 P12
8 P14
25
Table II Average Lookup Time for 14 Unique
Processes
26
Performance Results System Performance
Table III System Performance Data
27
Figure 5 STOP Overhead
28
Conclusion
  • STOP facilitates tracing of attacker who is using
    a series of hosts
  • STOP protects users privacy by returning only
    random token
  • Effective when many hosts are running it in a
    tightly constrained environment
  • STOP can be used in parallel with other traceback
    techniques to provide application level data to
    investigators
  • STOP may not solve TCP connection-chain
    traceback in all situations

29
References
  • B. Carrier and C. Shields, "A Recursive Session
    Token Protocol For Use in Computer Forensics and
    TCP Traceback", Proceedings of the IEEE INFOCOM
    2002, June, 2002, New York
  • RFC 1413 - Identification Protocol, February
    1993,
  • www.rfc-editor.org/rfc/rfc1413.txt
About PowerShow.com