On Computer Systems (In)Security, Vinod Ganapathy - PowerPoint PPT Presentation


1. On Computer Systems (In)Security
Vinod Ganapathy, vg@csa.iisc.ernet.in
Associate Professor / CSA / IISc

2-4. My goal today
To convince you that:
1. Computer systems are difficult to secure
2. Computer systems security is a fruitful research area
3. You need to apply to the CSA/IISc Ph.D. program and work on these problems
Vinod Ganapathy - CSA Undergraduate Symposium


6. "There are no solutions, only problems."

7-10. Layered computer system design
Modern computer systems are built using layers of abstraction. From top to bottom:
- User apps: app, app, ...
- Utilities & libraries: gcc, ls, ps, bash, libc, ...
- Operating system: kernel code, syscalls, IDT, process list, ...
- Hardware: CPU, memory, I/O devices

11. Fundamental principle in security
The lower you go, the more control you have: the user-app layer has the least control over the machine, the hardware layer the most.

12-14. Example: Malware detection
A malware detector runs as a user app. To do its job it relies on the utilities & libraries layer (cat, ps, ls, ...) and on everything below it. Those layers are the detector's trusted layers: together they form its trusted computing base (TCB).

15-17. But utilities may be compromised!
1. Malware detector asks a utility (cat): "Show me the file contents."
2. The compromised utility returns fake, benign content, and the detector sees nothing wrong.

18-20. Solution: Query the OS
1. Malware detector queries the operating system directly with a system call, bypassing the utilities & libraries layer.
2. The OS reads the file.
3. The OS returns the true file content.
The TCB now consists of the system call API and the layers below it (operating system, hardware).

21. OS detects malicious utilities too
Read the file twice: once through the utility (cat file, giving A) and once through the system call API (giving B), then diff A vs. B. A mismatch means the utility lied.
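The cross-view check from slide 21, as an added example in C that is not part of the slides. View A comes from running the `cat` utility (the utilities layer); view B comes from `open()`/`read()` (the system call API). The demo constructs a suspect file and a hypothetical trojaned `cat` (a shell script that always prints benign content) in a temporary directory and runs the check against both the real `cat` and the fake one; the file contents and the fake utility are constructed for the example, and the code assumes a POSIX system with `cat` on PATH and `/bin/sh`.

```c
/* Added example (not from the slides): cross-view detection of a lying utility.
 * View A: file contents as printed by a cat binary (utilities layer).
 * View B: file contents as returned by the open()/read() syscalls.
 * If the utility is trojaned, the two views disagree. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VIEW_MAX 4096

/* View A: run the given cat binary on the file and capture what it prints. */
static long read_via_utility(const char *cat, const char *path, char *buf, size_t cap)
{
    char cmd[2048];
    snprintf(cmd, sizeof cmd, "'%s' '%s'", cat, path);
    FILE *p = popen(cmd, "r");
    if (!p)
        return -1;
    size_t n = fread(buf, 1, cap, p);
    pclose(p);
    return (long)n;
}

/* View B: ask the kernel directly through the system call API. */
static long read_via_syscall(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t total = 0;
    ssize_t r;
    while (total < cap && (r = read(fd, buf + total, cap - total)) > 0)
        total += (size_t)r;
    close(fd);
    return (long)total;
}

/* 1 = views agree, 0 = the utility lied, -1 = could not read the file. */
int cross_view_consistent(const char *cat, const char *path)
{
    char a[VIEW_MAX], b[VIEW_MAX];
    long na = read_via_utility(cat, path, a, sizeof a);
    long nb = read_via_syscall(path, b, sizeof b);
    if (na < 0 || nb < 0)
        return -1;
    return na == nb && memcmp(a, b, (size_t)na) == 0;
}

/* Constructed scenario: a suspect file, the system's real cat, and a fake
 * "cat" (hypothetical trojan) that always prints benign content. */
static int g_real_cat_result = -1, g_fake_cat_result = -1;

int run_demo(void)
{
    char dir[] = "/tmp/xview.XXXXXX";
    char file[512], fake[512];
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/suspect.txt", dir);
    snprintf(fake, sizeof fake, "%s/cat", dir);

    FILE *f = fopen(file, "w");
    if (!f)
        return -1;
    fputs("evil payload\n", f);          /* constructed suspect content */
    fclose(f);

    f = fopen(fake, "w");
    if (!f)
        return -1;
    fputs("#!/bin/sh\necho benign content\n", f);   /* trojaned cat */
    fclose(f);
    chmod(fake, 0700);

    g_real_cat_result = cross_view_consistent("cat", file);  /* expect 1 */
    g_fake_cat_result = cross_view_consistent(fake, file);   /* expect 0 */

    unlink(file);
    unlink(fake);
    rmdir(dir);
    return 0;
}

int demo_real_cat_consistent(void) { return g_real_cat_result; }
int demo_fake_cat_consistent(void) { return g_fake_cat_result; }

int main(void)
{
    if (run_demo() != 0)
        return 1;
    printf("real cat consistent: %d, trojaned cat consistent: %d\n",
           demo_real_cat_consistent(), demo_fake_cat_consistent());
    return 0;
}
```

The check only moves trust down one layer: view B is whatever the kernel says it is, so a rootkit that hooks `sys_open`/`sys_read` (slides 29-31) can make both views agree on the fake content. That is exactly the motivation for slide 22.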

22. What if the OS is malicious?
The system call API the detector queries now belongs to the compromised layer, so the detector has no trusted base left to ask.

23. Rootkit = malware that infects the OS
Rootkits hide malware from detectors, giving it long-term stealth.

24. How does an OS get infected?
- Exploits of kernel vulnerabilities: injecting malicious code by exploiting a memory error in the kernel
- Privilege escalation attacks: exploit a root process and use the resulting administrative privileges to update the kernel
- Social engineering attacks: trick the user into installing fake kernel updates
  - Defeated via signature verification of kernel updates
  - Trivial to perform prior to the Windows Vista OS

25. How prevalent are rootkits?
- 2010 Microsoft report: 7% of all infections on client machines were due to rootkits [1]
- 2016 HummingBad Android rootkit [2]:
  - Up to 85 million Android devices infected?
  - Earns the malware authors $300,000 each week through fraudulent mobile advertisements
- Used in many high-profile incidents:
  - Torpig and Storm botnets
  - Sony BMG (2005), Greek wiretapping (2004/5)
[1] Microsoft Malware Protection Center, "Some Observations on Rootkits," January 2010, https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits
[2] Check Point Software, "From HummingBad to Worse," July 2016, http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

26. How can we detect rootkits?
Ask for help from the layers below: run the detector's checks from a hypervisor (a.k.a. virtual machine monitor) sitting between the operating system and the hardware. The TCB is then the hypervisor and the hardware.

27. How low can we go?
The hypervisor can be malicious too [Blue Pill, SubVirt], which pushes the TCB down to the hardware alone.

28. How low can we go?
Even the hardware can be subverted [Stuxnet, Trojaned ICs], and there is no layer below it to ask for help: ???

29-31. Example 1: Linux Adore rootkit
User app:
    int main() { ... open(...); ... return 0; }
Normal path: the open(...) call traps into the OS kernel, and the system call table dispatches it to sys_open(...).
Infected path: the rootkit overwrites the table entry so that it points to its own handler, which runs the malicious code and then forwards to the real one:
    evil_open(...) { malicious(); sys_open(...); }
Violated: function pointer values in the system call table should not change.
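An added user-space simulation in C of the hook on slides 29-31 and of the invariant check that catches it; this is example code written for this page, not Adore's source. `sys_open`, `sys_read`, `sys_write`, `evil_open` and the monitor are stand-ins that touch no real kernel; their argument/return values are arbitrary placeholders.

```c
/* Added example (not from the slides): Adore-style syscall table hook and the
 * "table entries must not change" invariant. All handlers are stand-ins. */
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(long arg);

enum { NR_OPEN, NR_READ, NR_WRITE, NR_SYSCALLS };

/* Placeholder kernel handlers: return values are arbitrary. */
static long sys_open(long fname_id) { return fname_id + 100; }   /* "fd" */
static long sys_read(long fd)       { return fd * 2; }
static long sys_write(long fd)      { return fd * 3; }

static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_open, sys_read, sys_write };

/* What a user program's open(...) reaches after trapping into the kernel. */
long dispatch(int nr, long arg) { return sys_call_table[nr](arg); }

/* --- rootkit side --- */
static syscall_fn saved_open;
static int malicious_calls;

static void malicious(void) { malicious_calls++; }   /* e.g. hide a file, log a password */

static long evil_open(long arg)
{
    malicious();
    return saved_open(arg);   /* forward to the real handler: the caller notices nothing */
}

void adore_install(void)
{
    saved_open = sys_call_table[NR_OPEN];
    sys_call_table[NR_OPEN] = evil_open;   /* the overwritten function pointer */
}

int malicious_call_count(void) { return malicious_calls; }

/* --- monitor side --- */
static syscall_fn golden[NR_SYSCALLS];

/* Snapshot the table while it is still trusted (at boot, before modules load). */
void monitor_baseline(void) { memcpy(golden, sys_call_table, sizeof golden); }

/* -1 = table intact, otherwise the index of the first entry whose pointer changed. */
int monitor_first_tampered(void)
{
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != golden[i])
            return i;
    return -1;
}

int main(void)
{
    monitor_baseline();
    printf("open(7) -> %ld, tampered index: %d\n",
           dispatch(NR_OPEN, 7), monitor_first_tampered());
    adore_install();
    printf("open(7) -> %ld, tampered index: %d, malicious() ran %d time(s)\n",
           dispatch(NR_OPEN, 7), monitor_first_tampered(), malicious_call_count());
    return 0;
}
```

Note that `dispatch(NR_OPEN, 7)` returns the same value before and after the hook, so checking results (as the cross-view test on slide 21 does) finds nothing; only the invariant on the pointer values themselves does. The monitor's snapshot has to be taken, stored and compared somewhere the rootkit cannot reach, which is why slide 26 moves it below the OS.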

32-34. Example 2: Windows Fu rootkit
The kernel keeps processes on two lists:
- run-list: used by the scheduler to select processes for execution
- all-tasks: used for process accounting
Normally every process (A, B, C) is linked into both via its run_list and next_task pointers. The rootkit unlinks its hidden process from all-tasks while leaving it on the run-list: the scheduler still runs it, but process listings never see it.
Violated: run-list ⊆ all-tasks.
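An added simulation in C of the direct-kernel-object-manipulation trick on slides 32-34 and of the "run-list ⊆ all-tasks" check; it is example code for this page, not the Fu rootkit's source. Each task sits on two intrusive singly linked lists named after the slide (`run_next` for the run-list, `all_next` for all-tasks); the three-process table is constructed for the example.

```c
/* Added example (not from the slides): hiding a process by unlinking it from
 * the accounting list only, and the invariant walk that exposes it. */
#include <stddef.h>
#include <stdio.h>

struct task {
    int pid;
    const char *comm;
    struct task *run_next;   /* run-list link: the scheduler's view */
    struct task *all_next;   /* all-tasks link: what process listings walk */
};

/* Constructed process table for the demo. */
static struct task tasks[] = {
    { 1, "init",     NULL, NULL },
    { 2, "sshd",     NULL, NULL },
    { 3, "backdoor", NULL, NULL },   /* the process the rootkit will hide */
};
#define NTASKS ((int)(sizeof tasks / sizeof tasks[0]))

static struct task *run_head, *all_head;
static int g_last_hidden_pid;

/* Link every task into both lists, as a healthy kernel would. */
void build_lists(void)
{
    run_head = all_head = NULL;
    for (int i = NTASKS - 1; i >= 0; i--) {
        tasks[i].run_next = run_head;
        tasks[i].all_next = all_head;
        run_head = all_head = &tasks[i];
    }
}

/* Fu-style DKOM: unlink the task from all-tasks only. It keeps running because
 * the scheduler never consults all-tasks. Returns 1 if the pid was found. */
int hide_process(int pid)
{
    for (struct task **pp = &all_head; *pp; pp = &(*pp)->all_next) {
        if ((*pp)->pid == pid) {
            *pp = (*pp)->all_next;
            return 1;
        }
    }
    return 0;
}

/* Number of processes a listing tool (ps) would report. */
int count_visible(void)
{
    int n = 0;
    for (struct task *t = all_head; t; t = t->all_next)
        n++;
    return n;
}

static int on_all_tasks(const struct task *t)
{
    for (const struct task *p = all_head; p; p = p->all_next)
        if (p == t)
            return 1;
    return 0;
}

/* Invariant: every task on the run-list must also be on all-tasks.
 * Returns the number of violations and remembers the first hidden pid. */
int check_runlist_subset(void)
{
    int violations = 0;
    for (struct task *t = run_head; t; t = t->run_next) {
        if (!on_all_tasks(t)) {
            if (violations == 0)
                g_last_hidden_pid = t->pid;
            violations++;
        }
    }
    return violations;
}

int last_hidden_pid(void) { return g_last_hidden_pid; }

int main(void)
{
    build_lists();
    printf("visible: %d, violations: %d\n", count_visible(), check_runlist_subset());
    hide_process(3);
    printf("visible: %d, violations: %d (hidden pid %d)\n",
           count_visible(), check_runlist_subset(), last_hidden_pid());
    return 0;
}
```

The walk must read both lists from kernel memory itself, not through the `ps`-style interface the rootkit already controls; in practice that means a hypervisor-based monitor (slide 26) that knows the kernel's data-structure layout and can find `run_head`/`all_head` on its own.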

35. Next up? Rootkits on IoT devices!

36. Example: Smartphone rootkits
- Snoop on private phone conversations
- Track user location using GPS
- Email sensitive documents to the attacker
- Stealthily enable the camera and microphone
- Exhaust the battery
- Enable world-wide DDoS attacks [October 2016]

37. How can devices be misused?
1. Malicious end-users can leverage sensors to exfiltrate or infiltrate unauthorized data
2. Malicious apps on devices can achieve similar goals even if the end-user is benign

38. Government or corporate office
- Problem: sensitive documents and meetings can be exfiltrated using the camera, microphone and storage media
- Current solution: physical security scans, device isolation, Faraday cages

39. Challenge: Bring your own device
