
Intrusion Recovery using Selective Re-execution (PowerPoint PPT Presentation)



  1. Intrusion Recovery using Selective Re-execution
     Taesoo Kim, Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek (MIT CSAIL)

  2–4. Attackers routinely compromise system integrity

  5–6. Compromises inevitable
     ● Difficult to write bug-free software
     ● Administrators mis-configure policies
     ● Users choose weak, guessable passwords
     ● Need both “proactive” security, and “reactive” recovery mechanisms

  7–8. Limited existing recovery tools
     ● Anti-virus tools
       ● Only repair for predictable attacks
     ● Backup tools
       ● Restoring from backup discards all changes
     ● Administrators spend days or weeks manually tracking down all effects of the attack
       ● No guarantee if they found everything

  9. Challenge: disentangle changes by attacker and legitimate user
     ● Adversary could have modified many files directly
     ● Legitimate processes may have been affected
       ● Users ran trojaned pdflatex or ls
       ● SSH server read a modified /etc/passwd
       ● Those processes are now suspect as well

  10. Our approach: help users disentangle on one machine
     ● Record history of all computations on machine
     ● After intrusion found, roll back affected objects
     ● Re-execute actions that were indirectly affected
     ● Minimize user input required to disentangle
       ● User edited attacker's file with emacs
       ● External effects outside of our control

  11–12. Contributions
     ● New approach to system-wide intrusion recovery
       ● Action history graph tracks computations and repairs
       ● Techniques: re-execution, predicates, and refinement
     ● Retro: prototype recovery system for Linux
       ● Recovers from 10 real-world and synthetic attacks
       ● No user input required in most cases
     ● Instead of spending days on manual recovery, admin can use Retro to automatically recover, and ensure that all effects of attack are caught

  13. Example attack scenario
     ● Attacker modifies /etc/passwd to add new account
     ● Installs trojan pdflatex, ls to restart, hide botnet
     ● Admin modifies /etc/passwd to add account for Alice
     ● Alice logs in via SSH
       ● SSH server reads /etc/passwd
     ● Alice runs trojaned pdflatex, ls
     ● Attacker not targeting Alice, wants to run botnet

  14–17. Strawman 1: Taint tracking
     ● Log all OS-level dependencies in system
     ● Given attack, track down all affected files, and restore just those files from backup
     [Figure: OS-level dependency graph. Nodes: Attacker, passwd file, adduser, alice, Admin's shell, Alice's login process, Alice's shell, pdflatex / LaTeX binary, Alice's paper, PDF file, botnet.c, Alice's files; the attack is marked "Attack" in the later builds.]

  18–19. Problem with taint tracking: false positives
     ● Taint tracking conservatively propagates everywhere through shared files
     ● Alice's account and files are lost!
     [Figure: the same dependency graph, with the taint from the attack spreading through the shared passwd file into Alice's login process, shell, paper, PDF file and files.]

  20–21. Strawman 2: VM
     [Figure: a virtual machine drawn along a time axis, with its inputs and outputs.]

  22. Periodic VM checkpoints
     [Figure: the same timeline with periodic checkpoints.]

  23. Step 1: identify attack input
     [Figure: the attack input marked among the inputs.]

  24. Step 2: roll back to checkpoint
     [Figure: the same timeline; the VM is rolled back to a checkpoint.]

  25. Step 3: replay non-attack inputs
     [Figure: the attack input crossed out (X); the remaining inputs are replayed.]

  26. Problem with VM strawman: re-execution is expensive, diverges
     ● May take one week to re-execute for a week-old attack
     ● Original VM inputs may be meaningless for new system
       ● Non-determinism: new SSH crypto keys, inode #s, app state, …
       ● Can't do deterministic re-execution, since some inputs changed
     [Figure: the VM timeline from the previous slides, attack input crossed out (X).]

  27. Retro's approach: selective re-execution
     ● Record fine-grained action history graph
       ● Includes system call arguments, function calls, …
       ● Assume tamper-proof kernel, storage
     ● Roll back objects directly affected by attack
       ● Avoid the false positives of taint tracking
     ● Re-execute actions indirectly affected by attack
       ● Avoid expense, non-determinism of whole-VM re-exec.

  28. Action history graph: Objects represent files, processes
     [Figure: objects drawn as rows along a time axis: attacker's process, password file, adduser, admin's shell; label "alice".]

  29. Action history graph: Actions represent execution
     [Figure: the same objects, with each process's execution drawn as actions along its row.]

  30–33. Action history graph: Actions have dependencies
     [Figure: the same graph, built up one dependency at a time: the attacker's process write(offset, data) on the password file; exec(prog, args, ..) from the admin's shell to adduser; adduser's read(offset, data) and write(offset, data) on the password file; adduser's exit(status).]

  34. Action history graph: Objects have checkpoints
     [Figure: the same graph with checkpoints added on the objects.]

  35. Step 1: find attack action
     [Figure: the same graph; the attack action is identified.]

  36. Step 2: roll back affected objects
     [Figure: the same graph; objects affected by the attack action are rolled back.]

  37. Step 3: redo non-attack actions
     [Figure: the same graph with the attacker's write(offset, data) crossed out (X); the remaining actions are redone.]

  38. Repeat step 2: roll back objects
     [Figure: the same graph, attacker's write still crossed out (X); objects are rolled back again for the next round.]
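The repair loop on slides 35 to 38 (find the attack action, roll back the objects it wrote, redo the non-attack actions that depended on them, and repeat) worked as an added Python toy; this is not the authors' Retro code, and the scenario, object names and action functions are constructed for the example.

```python
# Added example (not Retro's own code): a toy action history graph for the
# slides' /etc/passwd scenario. Objects are files, actions are logged executions
# that read and write them; repair drops the attack's outputs and re-executes
# only later actions whose read or written objects diverged from the log.

# Hypothetical actions; each recomputes its outputs from the current state.
def attacker_passwd(s): return {"passwd": s["passwd"] + "evil:x:0:0\n"}
def attacker_trojan(s): return {"pdflatex": "trojan"}
def adduser_alice(s):   return {"passwd": s["passwd"] + "alice:x:1000:1000\n"}
def sshd_login(s):      return {"login_log": "alice ok" if "alice:" in s["passwd"] else "alice denied"}
def run_pdflatex(s):    return {"paper.pdf": "built-by:" + s["pdflatex"]}
def edit_notes(s):      return {"notes": "alice's draft"}

# Constructed history in time order: (action name, objects read, function).
HISTORY = [
    ("attacker writes passwd",   {"passwd"},   attacker_passwd),
    ("attacker installs trojan", set(),        attacker_trojan),
    ("adduser alice",            {"passwd"},   adduser_alice),
    ("sshd login alice",         {"passwd"},   sshd_login),
    ("pdflatex paper",           {"pdflatex"}, run_pdflatex),
    ("alice edits notes",        set(),        edit_notes),
]
# Checkpoint of every object, taken before the history starts.
CHECKPOINT = {"passwd": "root:x:0:0\n", "pdflatex": "genuine",
              "login_log": "", "paper.pdf": "", "notes": ""}

def record(history, checkpoint):
    """Normal execution: run each action and log its outputs (the history graph)."""
    state, log = dict(checkpoint), []
    for name, reads, fn in history:
        out = fn(state)
        state.update(out)
        log.append((name, reads, fn, out))
    return state, log

def repair(log, checkpoint, attack_actions):
    """Selective re-execution from the checkpoint: attack actions are dropped, an
    action whose objects differ from the log is redone, all others replay the log."""
    recorded = dict(checkpoint)   # object values as the log says they were
    state = dict(checkpoint)      # repaired system being rebuilt
    reexecuted = []
    for name, reads, fn, out in log:
        if name not in attack_actions:
            if any(state[o] != recorded[o] for o in reads | set(out)):
                state.update(fn(state))   # dependency changed: redo the action
                reexecuted.append(name)
            else:
                state.update(out)         # unaffected: replay logged outputs
        recorded.update(out)
    return state, reexecuted
```

Unlike the taint-tracking strawman, Alice's account added by adduser survives the repair, and the unrelated "alice edits notes" action is never re-executed.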
