On Computer Systems (In)Security
Vinod Ganapathy, vg@csa.iisc.ernet.in
Associate Professor, CSA, IISc
My goal today
To convince you that:
1. Computer systems are difficult to secure
2. Computer systems security is a fruitful research area
3. You need to apply to the CSA/IISc Ph.D. program and work on these problems
Vinod Ganapathy - CSA Undergraduate Symposium
“There are no solutions, only problems.”
Layered computer system design
Modern computer systems are built using layers of abstraction (diagram, bottom to top):
• Hardware: CPU, memory, I/O devices
• Operating system: kernel code, system calls, IDT, process list, …
• Utilities & libraries: gcc, ls, ps, bash, libc, …
• User apps
Fundamental principle in security
The lower you go, the more control you have: a user app has the least control, the hardware the most (diagram: user apps, utilities & libraries, operating system, hardware).
Example: Malware detection
A malware detector runs as a user app. The layer below it, the utilities & libraries (cat, ps, ls, …), is the trusted layer the detector relies on: its trusted computing base (TCB).
But utilities may be compromised!
1. The malware detector asks a utility (cat, ps, ls): show me the file contents.
2. The compromised utility returns fake, benign content, and the detector sees nothing wrong.
Solution: Query the OS
1. The detector queries the OS directly with a system call, bypassing the utilities.
2. The OS reads the file.
3. The OS returns the true file content. The system call API is now the TCB.
OS detects malicious utilities too
Run cat on the file to obtain output A, read the same file through the system call API to obtain B, and diff A vs B: a mismatch exposes a lying utility.
What if the OS is malicious?
The system call API can no longer serve as the TCB: the detector has nothing trustworthy left to ask.
Rootkit = Malware that infects the OS
Rootkits hide malware from detectors, giving the attacker long-term stealth.
How does an OS get infected?
• Exploits of kernel vulnerabilities:
  – Injecting malicious code by exploiting a memory error in the kernel
• Privilege escalation attacks:
  – Exploit a root process and use the resulting administrative privileges to update the kernel
• Social engineering attacks:
  – Trick the user into installing fake kernel updates
    • Defeated via signature verification of kernel updates
    • Trivial to perform prior to the Windows Vista OS
How prevalent are rootkits?
• 2010 Microsoft report: 7% of all infections from client machines due to rootkits [1]
• 2016 HummingBad Android rootkit: [2]
  – Up to 85 million Android devices infected?
  – Earns malware authors $300,000 each week through fraudulent mobile advertisements
• Used in many high-profile incidents:
  – Torpig and Storm botnets
  – Sony BMG (2005), Greek wiretapping (2004/5)
[1] Microsoft Malware Protection Center, “Some Observations on Rootkits,” January 2010, https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits
[2] Check Point Software, “From HummingBad to Worse,” July 2016, http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
How can we detect rootkits?
Ask for help from the layers below: a hypervisor (a.k.a. virtual machine monitor) placed between the operating system and the hardware becomes the TCB from which the malware detector can inspect the OS.
How low can we go?
• The hypervisor itself can be attacked [Bluepill, SubVirt]; the TCB then moves down to the hardware.
• The hardware can be attacked too [Stuxnet, Trojaned ICs]. What is left below it? ???
Example 1: Linux Adore rootkit
User app:
    int main() {
        ...
        open(...);
        ...
        return 0;
    }
OS kernel, clean: the system call table entry for open points to sys_open(...).
OS kernel, infected: the entry now points to evil_open, which does the malicious work and then calls the original handler so the app notices nothing:
    evil_open(...) {
        malicious();
        sys_open(...);
    }
Violated: function pointer values in the system call table should not change.
Example 2: Windows Fu rootkit
The kernel keeps processes on two linked lists:
• run-list (run_list links): used by the scheduler to select processes for execution: Process A, Process B, Process C
• all-tasks (next_task links): used for process accounting: Process A, Process B, Process C
The rootkit's hidden process is linked into run-list only, so it keeps being scheduled but never appears in process accounting (and thus in tools such as ps).
Violated: run-list ⊆ all-tasks
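The two invariants above are what a detector running below the OS (e.g. in the hypervisor) would check over a snapshot of kernel memory. The following is an added example, not code from the slides or from the Adore and Fu rootkits: hooked_syscalls compares the live system call table with a baseline recorded at boot, and hidden_tasks walks both process lists to verify run-list ⊆ all-tasks. The kernel structures, the demo scenarios and all function names are constructed, simplified stand-ins.

```c
#include <stddef.h>
/* Constructed model of kernel state a hypervisor-level checker would inspect;
 * simplified structures, not the real Adore or Fu code. */
typedef long (*syscall_fn)(void);
enum { NR_OPEN, NR_READ, NR_CLOSE, NR_SYSCALLS };
static long sys_open(void)  { return 0; }
static long sys_read(void)  { return 0; }
static long sys_close(void) { return 0; }
static long evil_open(void) { return sys_open(); }  /* stands in for the hook */

/* Adore check: each live entry must equal the value recorded at boot.
 * Returns the number of changed entries; *first_bad gets the first index. */
int hooked_syscalls(const syscall_fn *baseline, const syscall_fn *live,
                    int n, int *first_bad) {
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (live[i] == baseline[i]) continue;
        if (bad == 0 && first_bad) *first_bad = i;
        bad++;
    }
    return bad;
}

/* Fu check: a task reachable from the scheduler's run-list but not from the
 * accounting all-tasks list violates run-list ⊆ all-tasks and is hidden. */
typedef struct task { int pid; struct task *run_next, *all_next; } task_t;
int hidden_tasks(const task_t *run_head, const task_t *all_head) {
    int hidden = 0;
    for (const task_t *t = run_head; t; t = t->run_next) {
        const task_t *a = all_head;
        while (a && a != t) a = a->all_next;
        if (!a) hidden++;
    }
    return hidden;
}

/* Slide scenario: open() redirected to evil_open; 1 if exactly that is flagged. */
int demo_adore(void) {
    syscall_fn boot[NR_SYSCALLS] = { sys_open, sys_read, sys_close };
    syscall_fn live[NR_SYSCALLS] = { evil_open, sys_read, sys_close };
    int idx = -1;
    return hooked_syscalls(boot, live, NR_SYSCALLS, &idx) == 1 && idx == NR_OPEN;
}

/* Slide scenario: run-list a -> b -> h -> c, all-tasks a -> b -> c (h unlinked). */
int demo_fu(void) {
    task_t c = { 3, NULL, NULL }, h = { 666, &c, NULL };
    task_t b = { 2, &h, &c }, a = { 1, &b, &b };
    return hidden_tasks(&a, &a);  /* 1: the hidden task h */
}
```

Both checks only work because the baseline and the list heads are read from a layer the rootkit cannot modify; run from inside the infected OS, the same code could be fed a forged view.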
Next up? Rootkits on IoT devices!
Example: Smartphone rootkits
• Snoop on private phone conversations
• Track user location using GPS
• Email sensitive documents to the attacker
• Stealthily enable camera and microphone
• Exhaust the battery
• Enable world-wide DDoS attacks [October 2016]
How can devices be misused?
1. Malicious end-users can leverage sensors to exfiltrate or infiltrate unauthorized data
2. Malicious apps on devices can achieve similar goals even if the end-user is benign
Government or corporate office
• Problem: Sensitive documents and meetings can be exfiltrated using the camera, microphone and storage media
• Current solution: Physical security scans, device isolation, Faraday cages
Challenge: Bring your own device