Detecting Remote Security Attacks with Specification-Based Monitoring - PowerPoint PPT Presentation

Slides: 50
Provided by: thoma55
Transcript and Presenter's Notes

1
Detecting Remote Security Attacks with
Specification-Based Monitoring
  • Jonathon Giffin, Somesh Jha, Barton Miller
  • University of Wisconsin
  • {giffin,jha,bart}@cs.wisc.edu
  • WiSA: Wisconsin Safety Analyzer

2
Overview
  • I can attack your computer via the Condor jobs
    you run remotely.
  • We can help you detect these attacks by
    constructing a model of your Condor job and
    enforcing the model at runtime.

3
A New View
  • Running programs are objects to be easily
    manipulated
  • The vehicle: the DynInst API

4
DynInst: Dynamic Instrumentation
  • Machine independent library for instrumentation
    of running processes
  • Modify control flow of the process
  • Load new code into the process
  • Remove, replace, or redirect function calls
  • Asynchronously call any function in the process

5
Condor Attack: Lurking Jobs
[Diagram] Submitting Host: Shadow Process (giffin). Execution Host: Evil User Job (nobody). Label: system calls.
6
Condor Attack: Lurking Jobs
[Diagram] Submitting Host: Shadow Process (giffin). Execution Host: Evil User Job (nobody), Lurker Process (nobody). Label: system calls.
7
Condor Attack: Lurking Jobs
[Diagram] Execution Host: Lurker Process (nobody).
8
Condor Attack: Lurking Jobs
[Diagram] Submitting Host: Shadow Process (bart). Execution Host: Bart's User Job (nobody), Lurker Process (nobody). Label: system calls.
9
Condor Attack: Lurking Jobs
[Diagram] As slide 8, plus label: attach.
10
Condor Attack: Lurking Jobs
[Diagram] As slide 8, plus labels: attach, Control remote system calls.
11
Condor Attack: Lurking Jobs
[Diagram] As slide 8, plus labels: attach, Control remote system calls, rm -rf (twice).
12
Trust Boundary
  • Local process trusts:
    • Itself
    • Other processes running with its UID
    • Local operating system
    • Local administrator
    • All root-level processes
  • Condor extends the trust boundary to the remote
    machine

13
Trust Boundary
[Diagram] Submitting Host: Local Process (bart).
14
Trust Boundary
[Diagram] Submitting Host: Shadow Process (bart). Execution Host: Bart's User Job (nobody). Label: system calls.
15
Condor Attack: Remote Manipulation
[Diagram] Submitting Host: Shadow Process (bart). Execution Host: Bart's User Job (nobody), Evil Process (root). Labels: system calls, attach, Control remote system calls, rm -rf (twice).
16
Can We Safely Execute Our Jobs?
  • The threats:
    1. Cause the job to make improper remote system
       calls.
    2. Cause the job to calculate an incorrect
       answer.
    3. Steal data from the remote job.
  • Threat protection strategies:
    • Monitor execution of remote job (threat 1)
    • File or system call sand-boxing (1)
    • Obfuscate or encode remote job (1, 3)
    • Replicate remote job (2)

17
Countering Remote Attacks
  • Goal: Even if an intruder can see, examine, and
    fully control the remote job, no harm can come to
    the local machine.
  • Method: Model all possible sequences of remote
    system calls. At runtime, update the model with
    each received call.
  • Key technology: Static analysis of binary code.

18
Execution Monitoring
[Diagram] Pipeline labels: User Job, Analyzer, Checking Shadow, Modified User Job.
19
Execution Monitoring
[Diagram] Submitting Host: Checking Shadow, Job Model. Execution Host: Modified User Job. Label: system calls.
20
Execution Monitoring
[Diagram] As slide 19, with the stream Call 1, Call 2, Call 3 checked against the Job Model; Call 3 is marked X.
21
Model Construction
[Diagram] Pipeline labels: User Job, Analyzer, Checking Shadow, Modified User Job. Analyzer labels: Binary Program, Control Flow Graphs, Local Automata, Global Automaton.
22
Control Flow Graph Generation
    function(int a) {
        if (a < 0) {
            read(0, 15);
            line();
        } else {
            read(a, 15);
            close(a);
        }
    }

23
Control Flow Graph Translation
24
Control Flow Graph Translation
25
Interprocedural Model Generation
[Diagram] Local automaton for A; edge labels: read, read, close, line.
26
Interprocedural Model Generation
[Diagram] Labels: A; read, read, line, write, close, line.
27
Interprocedural Model Generation
[Diagram] Labels: B, A; line, read, read, line, write, close, close, line.
28
Interprocedural Model Generation
[Diagram] Labels: B, A; line, read, read, line, write, close, close.
29
Interprocedural Model Generation
[Diagram] Labels: B, A; read, read, line, write, close, close.
30
Possible Paths
[Diagram] Same automaton as slide 29 (labels B, A; read, read, line, write, close, close).
31
Possible Paths
[Diagram] Same automaton as slide 29.
32
Impossible Paths
[Diagram] Same automaton as slide 29.
33
Impossible Paths
[Diagram] Same automaton as slide 29.
34
Adding Context Sensitivity
[Diagram] Labels: B, A; read, Y, read, line, X, write, close, close, Y, X.
35
PDA State Explosion
  • ε-edge identifiers maintained on a stack
  • Stack may grow to be unbounded
  • Solution:
    • Dyck language model
    • Stack operations visible in call stream
    • Requires binary rewriting

36
Dyck Language Model
[Diagram] Labels: B, A; read, Y, read, line, X, write, close, close, Y, X.
37
Dyck Language Model
[Diagram] Same automaton as slide 36.
38
Dyck Language Model
[Diagram] Same automaton as slide 36.
39
Rewriting User Job
[Diagram] Pipeline labels: User Job, Analyzer, Checking Shadow, Modified User Job; Binary Program, Rewritten Binary.
40
Rewriting User Job
  • Insert dummy remote system calls around function
    call sites
  • Notify monitor of stack activity
    function(int a) {
        if (a < 0) {
            read(0, 15);
            line();
        } else {
            read(a, 15);
            close(a);
        }
    }

42
Rewriting User Job
  • Insert dummy remote system calls around function
    call sites
  • Notify monitor of stack activity
  • Null calls are cheap
    function(int a) {
        if (a < 0) {
            read(0, 15);
            X();
            line();
            X();
        } else {
            read(a, 15);
            close(a);
        }
    }

43
Dyck Language Model
[Diagram] Labels: B, A; read, Y, read, line, X, write, close, close, Y, X.
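The distinction the slides draw between possible and impossible paths (slides 32 and 33) and the Dyck model's fix for it (slides 36 to 43) can be exercised with a small monitor. The following is an added example written for this page; it is not code from the talk or from the WiSA project. It uses the talk's function A from slide 22 and assumes two things the slides do not spell out: that line() is a local function B whose body makes the remote calls write and close, and that a second function C calls line() from another call site (marker Y) and then calls chown. The NFA model treats call and return edges as ε-edges, so a stream that enters B from A's call site and returns to C's continuation is accepted; the Dyck model consumes the X and Y null calls as push and pop operations on a stack and rejects that same stream.

```python
"""Monitoring a remote system call stream against a model of the job.

Added example, not code from the talk or from WiSA.  Function A is the
talk's example (slide 22).  Assumed here so that an impossible path exists:
line() is a local function B whose body makes the remote calls write and
close, and a second function C calls line() at another call site and then
calls chown.  Markers X (in A) and Y (in C) are the null calls inserted
by rewriting, as labelled on the slides.
"""
from typing import Dict, List, Optional, Set, Tuple

# Per-function control flow graphs.  Edge labels are a remote system call
# name, ("call", callee, site) for a local function call, or None (epsilon).
PROGRAM: Dict[str, dict] = {
    "A": {  # function(int a) { if (a < 0) { read(0,15); line(); }
            #                   else { read(a,15); close(a); } }
        "entry": "a0", "exit": "a4",
        "edges": [("a0", "a1", "read"), ("a1", "a2", ("call", "B", "X")),
                  ("a2", "a4", None), ("a0", "a3", "read"),
                  ("a3", "a4", "close")],
    },
    "B": {  # line(): assumed body { write(...); close(...); }
        "entry": "b0", "exit": "b2",
        "edges": [("b0", "b1", "write"), ("b1", "b2", "close")],
    },
    "C": {  # assumed second caller: { line(); chown(...); }
        "entry": "c0", "exit": "c2",
        "edges": [("c0", "c1", ("call", "B", "Y")), ("c1", "c2", "chown")],
    },
}

Config = Tuple[str, Tuple[str, ...]]   # (automaton node, call-site stack)


def build_graph(program: Dict[str, dict]) -> Dict[str, List[tuple]]:
    """Glue the per-function CFGs into one global automaton.

    A local call (src -> dst, callee F, site k) becomes src -> F.entry
    labelled ("push", k) and F.exit -> dst labelled ("pop", k).  F.exit
    gets a return edge to *every* call site, so a monitor that ignores the
    markers can enter F from one site and return to another.
    """
    graph: Dict[str, List[tuple]] = {}

    def add(src: str, dst: str, label) -> None:
        graph.setdefault(src, []).append((dst, label))
        graph.setdefault(dst, [])

    for fn in program.values():
        for src, dst, label in fn["edges"]:
            if isinstance(label, tuple) and label[0] == "call":
                _, callee, site = label
                add(src, program[callee]["entry"], ("push", site))
                add(program[callee]["exit"], dst, ("pop", site))
            else:
                add(src, dst, label)
    return graph


def _closure(graph, configs: Set[Config], dyck: bool) -> Set[Config]:
    """Follow edges that consume no event.  In the NFA model the push/pop
    edges are plain epsilon edges; in the Dyck model they consume markers."""
    result, work = set(configs), list(configs)
    while work:
        node, stack = work.pop()
        for dst, label in graph[node]:
            if label is None or (not dyck and isinstance(label, tuple)):
                if (dst, stack) not in result:
                    result.add((dst, stack))
                    work.append((dst, stack))
    return result


def _step(graph, configs: Set[Config], event: str, dyck: bool) -> Set[Config]:
    """Consume one event: a remote system call or, under Dyck, a marker."""
    nxt: Set[Config] = set()
    for node, stack in configs:
        for dst, label in graph[node]:
            if label == event:                          # remote system call
                nxt.add((dst, stack))
            elif dyck and isinstance(label, tuple) and label[1] == event:
                if label[0] == "push":                  # null call before the call
                    nxt.add((dst, stack + (event,)))
                elif stack and stack[-1] == event:      # null call after: must match
                    nxt.add((dst, stack[:-1]))
    return nxt


def first_rejected(program, start_fn: str, stream: List[str],
                   dyck: bool) -> Optional[int]:
    """Play the checking shadow: return the index of the first event the
    model cannot explain (where the call would be refused), else None."""
    graph = build_graph(program)
    configs = _closure(graph, {(program[start_fn]["entry"], ())}, dyck)
    for i, event in enumerate(stream):
        configs = _closure(graph, _step(graph, configs, event, dyck), dyck)
        if not configs:
            return i
    return None


if __name__ == "__main__":
    # Constructed streams: a genuine run of A, a forged call, and the
    # impossible path that only the Dyck model catches.
    print(first_rejected(PROGRAM, "A", ["read", "write", "close"], False))           # None
    print(first_rejected(PROGRAM, "A", ["read", "chown"], False))                    # 1
    print(first_rejected(PROGRAM, "A", ["read", "write", "close", "chown"], False))  # None
    print(first_rejected(PROGRAM, "A", ["read", "X", "write", "close", "Y", "chown"], True))  # 4
```

The third stream is the imprecision of slides 32 and 33: the NFA accepts read, write, close, chown even though no execution of A can produce it. Once the rewritten job emits the X and Y null calls, the same path shows up as a push of X followed by a pop of Y, and the Dyck model refuses the stream at the mismatched marker, before chown is ever executed by the shadow.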
44
Test Programs
  Program    Number of Instructions
  procmail   107,246
  gzip        56,710
  cat         54,028
  ps          59,814
  fdformat    67,874
  eject       70,177
45
Accuracy Metric
  • Average branching factor
[Diagram] Edge labels: chown, getpid, open.
46
(No Transcript)
47
(No Transcript)
48
Important Ideas
  • Running jobs remotely enables malicious attacks
    against the shadow process.
  • Pre-execution static analysis to construct a
    model of the remote call sequences addresses this
    threat.
  • The Dyck model effectively balances model
    accuracy and runtime cost.
