RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking. Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee. ACM CCS 2017, Oct 31, 2017. (PowerPoint presentation)


  1. RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017

  2. More and more data breaches
     [Chart: "Data breaches" (source: Breach Level Index by Gemalto); number of data breaches and number of breached records (millions) per half-year, 2013-H1 through 2017-H1, both rising over the period.]

  4. Is attack investigation accurate? Three files: A, B, C. A process reads A, reads B, reads C ("Hmm, I only want C!"), then sends data out. Looking only at the recorded system calls (read A, read B, read C, send), which file left the host: A, B, or C? The log cannot say. Dependency confusion!

  13. File archive. A process receives data over the network and writes it into an archive ("Let me change the offer price."). Later, a process reads the archive and writes several files. Is this file affected? Is that one? The system-call view makes every file written after that read a possible descendant of the received data. Dependency confusion!
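Both scenarios above turn on the same gap: a system-call log records that a process consumed objects and then produced output, not which consumed bytes reached which output. The following Python is an added example (not code from RAIN or the paper) that models the two slides with two observers side by side: an object-level view built from the syscall sequence, and a byte-level taint view of the kind selective DIFT provides. File names, contents and the "attacker" label are constructed for the demo.

```python
"""Added example (not RAIN's code): object-level provenance vs byte-level taint.

A syscall logger only sees that a process read objects A, B, C and then sent data,
so it must assume the sent data may derive from any of them ("dependency confusion").
Byte-level DIFT, which RAIN runs selectively during replay, carries a label set on
every byte and tells exactly which sources reached the sink. All file names,
contents and the "attacker" label below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Tainted:
    """A byte buffer; taint[i] is the set of source labels that flowed into data[i]."""
    data: bytes
    taint: list

    @classmethod
    def from_source(cls, data: bytes, label: str) -> "Tainted":
        return cls(data, [frozenset({label})] * len(data))

    def __getitem__(self, s: slice) -> "Tainted":        # slicing keeps per-byte labels
        return Tainted(self.data[s], self.taint[s])

    def __add__(self, other: "Tainted") -> "Tainted":    # concatenation (memcpy-like copy)
        return Tainted(self.data + other.data, self.taint + other.taint)

    def labels(self) -> frozenset:
        return frozenset().union(*self.taint)

    def split(self, sep: bytes) -> list:
        """Split on a separator, like a parser copying fields out of a record."""
        parts, start = [], 0
        while (i := self.data.find(sep, start)) >= 0:
            parts.append(self[start:i])
            start = i + len(sep)
        parts.append(self[start:])
        return [p for p in parts if p.data]


class Process:
    """One process seen by two observers.

    coarse: what the syscall log supports. Every object the process consumed before
            a write/send is assumed to flow into it (object granularity).
    fine:   what byte-level taint supports, carried inside the Tainted buffers.
    Both views persist across processes through the shared fs / coarse_fs maps.
    """

    def __init__(self, fs: dict, coarse_fs: dict) -> None:
        self.fs, self.coarse_fs = fs, coarse_fs
        self.consumed: set = set()          # coarse labels this process has consumed so far

    def read(self, path: str, content: bytes = b"") -> Tainted:
        self.consumed |= self.coarse_fs.get(path, {path})
        if path in self.fs:                 # file written earlier: byte taint survives
            return self.fs[path]
        return Tainted.from_source(content, path)

    def recv(self, peer: str, content: bytes) -> Tainted:
        self.consumed.add(peer)
        return Tainted.from_source(content, peer)

    def write(self, path: str, buf: Tainted) -> None:
        self.fs[path] = buf
        self.coarse_fs[path] = set(self.consumed)

    def send(self, peer: str, buf: Tainted) -> tuple:
        """Returns (coarse deps, fine deps) of the data that left the host."""
        return set(self.consumed), set(buf.labels())


def exfiltration_scenario() -> tuple:
    """Slide 'Is attack investigation accurate?': reads A, B, C but sends only C."""
    p = Process({}, {})
    p.read("/docs/report.doc", b"Q3 revenue 12.4M")          # A, constructed content
    p.read("/docs/ctct1.csv", b"alice@example.com")           # B
    errors = p.read("/tmp/errors.zip", b"PK\x03\x04errors")   # C
    return p.send("attacker", errors)                         # "Hmm, I only want C!"


def archive_scenario() -> tuple:
    """Slide 'File archive': attacker bytes replace one record of an archive; an
    extractor later writes every record to its own file. Returns the output files
    flagged as affected by (coarse view, fine view)."""
    fs, coarse_fs = {}, {}
    editor = Process(fs, coarse_fs)
    archive = editor.read("/srv/offers.db", b"offer=100;terms=net30;vendor=acme;")
    patch = editor.recv("attacker", b"offer=999;")            # "Let me change the offer price."
    editor.write("/srv/offers.db", patch + archive[len(b"offer=100;"):])

    extractor = Process(fs, coarse_fs)
    for i, rec in enumerate(extractor.read("/srv/offers.db").split(b";")):
        extractor.write(f"/out/record{i}.txt", rec)

    outputs = [p for p in fs if p.startswith("/out/")]
    coarse = {p for p in outputs if "attacker" in coarse_fs[p]}
    fine = {p for p in outputs if "attacker" in fs[p].labels()}
    return coarse, fine


if __name__ == "__main__":
    print("exfiltration (coarse, fine):", exfiltration_scenario())
    print("archive      (coarse, fine):", archive_scenario())
```

In the first scenario the coarse view blames all three files while the byte-level view names only /tmp/errors.zip; in the second, the coarse view flags every extracted file while only the record that actually contains the received bytes is tainted. RAIN's design is to pay the DIFT cost only at the points where the two views can disagree, which is what the pruning stage later in the deck selects.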

  20. Related work (positioned along three axes: accuracy, runtime efficiency, analysis efficiency)
     • System-call-based: DTrace, Protracer, LSM, Hi-Fi
     • Dynamic Information Flow Tracking (DIFT): Panorama, Dtracker
     • DIFT + record replay: Arnold

  27. RAIN
     • We use: record replay, graph-based pruning, selective DIFT
     • We achieve: high accuracy, runtime efficiency, highly improved analysis efficiency

  30. Threat model
     • Trusts the OS: RAIN tracks user-level attacks.
     • Tracks explicit channels: side and covert channels are out of scope.
     • Records all attacks from their inception: hardware trojans and OS backdoors are out of scope.

  31. Architecture
     • Target host: RAIN (customized kernel and customized libc) produces logs.
     • Analysis host: provenance graph builder (logs → coarse-level graph); triggering and reachability analysis (prune → pruned sub-graph); replay and selective DIFT (refine → refined sub-graph).

  38. OS-level record replay
     1. Records external inputs (socket, file, randomness).
     2. Captures the thread switching from the pthread interface, not the produced internal data (the figure shows a process group with Thread 1 and Thread 2 exchanging internal data over IPC; only the thread-switch order via pthread is recorded).
     3. Records system-wide executions.

  47. Coarse-level logging and graph building
     • Keeps logging system-call events
     • Constructs a graph to represent the processes, files, and sockets as nodes and the events as causality edges
     Example graph: P1 (/usr/bin/firefox) reads B (/docs/report.doc), reads C (/tmp/errors.zip), and sends to A (attacker site).

  52. Pruning
     • Does every recorded execution need replay and DIFT? No!
     • Prunes the data in the graph based on trigger analysis results: upstream, downstream, point-to-point, interference

  55. Upstream. Node legend: A: attacker site, B: /docs/report.doc, C: /tmp/errors.zip, D: /docs/ctct1.csv, E: /docs/ctct2.pdf, F: /docs/loss.csv, P1: /usr/bin/firefox, P2: /usr/bin/TextEditor, P3: /bin/gzip. Upstream analysis starts from the trigger node A.
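The graph-building and pruning slides above describe the coarse stage end to end: turn logged system calls into a causality graph, then keep only the part reachable from the trigger before any replay is spent. The Python below is an added example, not code from RAIN or the paper. The log format (`ts pid comm syscall object`), the pids, and every event for TextEditor and gzip are constructed; the node names follow the slides' legend (A..F, P1..P3), but the only edges the slides actually show are firefox reading report.doc and errors.zip and sending to the attacker site. `confusion_points` is our own heuristic for picking where DIFT is worth running, not the paper's interference analysis.

```python
"""Added example (not RAIN's code): build the coarse provenance graph from a
system-call log, then prune it by time-respecting reachability so that replay and
DIFT are spent only on executions that can matter for the question asked.

Everything below is constructed for the demo: the log format (ts pid comm syscall
object), the pids, and the events for TextEditor and gzip.
"""
from dataclasses import dataclass

LOG = """\
1 302 TextEditor read  /docs/ctct1.csv
2 302 TextEditor write /docs/report.doc
3 417 gzip       read  /docs/ctct2.pdf
4 417 gzip       read  /docs/loss.csv
5 417 gzip       write /tmp/errors.zip
6 128 firefox    read  /docs/report.doc
7 128 firefox    read  /tmp/errors.zip
8 128 firefox    send  attacker-site
9 302 TextEditor write /docs/loss.csv
"""

INBOUND = {"read", "recv"}    # data flows object -> process
OUTBOUND = {"write", "send"}  # data flows process -> object


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    ts: int
    call: str


def parse_log(text: str) -> list:
    """One causality edge per logged event; processes are keyed as comm[pid]."""
    edges = []
    for line in text.splitlines():
        ts, pid, comm, call, obj = line.split()
        proc = f"{comm}[{pid}]"
        if call in INBOUND:
            edges.append(Edge(obj, proc, int(ts), call))
        elif call in OUTBOUND:
            edges.append(Edge(proc, obj, int(ts), call))
    return edges


def upstream(edges: list, node: str, before: float = float("inf")) -> set:
    """Backward reachability: edges that could have carried data into `node`.
    An edge counts only if it happened no later than the edge it feeds, so a file
    overwritten after it was read is not blamed for that read."""
    seen, frontier = set(), [(node, before)]
    while frontier:
        n, t = frontier.pop()
        for e in edges:
            if e.dst == n and e.ts <= t and e not in seen:
                seen.add(e)
                frontier.append((e.src, e.ts))
    return seen


def downstream(edges: list, node: str, after: float = 0) -> set:
    """Forward reachability with the mirrored time constraint."""
    seen, frontier = set(), [(node, after)]
    while frontier:
        n, t = frontier.pop()
        for e in edges:
            if e.src == n and e.ts >= t and e not in seen:
                seen.add(e)
                frontier.append((e.dst, e.ts))
    return seen


def point_to_point(edges: list, src: str, dst: str) -> set:
    """Edges lying on some time-ordered path from src to dst: the only part of the
    graph worth replaying to answer 'did src reach dst?'."""
    return downstream(edges, src) & upstream(edges, dst)


def confusion_points(edges: list, subgraph: set) -> set:
    """Processes in the pruned subgraph that also consumed inputs outside it. The
    syscall log cannot say which of their inputs reached their outputs, so these are
    the executions to replay under DIFT. (Our own heuristic for choosing DIFT
    targets, not the paper's interference analysis.)"""
    procs = {e.dst for e in subgraph if e.call in INBOUND}
    procs |= {e.src for e in subgraph if e.call in OUTBOUND}
    return {p for p in procs
            if {e for e in edges if e.dst == p} - {e for e in subgraph if e.dst == p}}


def nodes(subgraph: set) -> set:
    return {e.src for e in subgraph} | {e.dst for e in subgraph}


if __name__ == "__main__":
    g = parse_log(LOG)
    up = upstream(g, "attacker-site")                 # what could the attacker have got?
    p2p = point_to_point(g, "/docs/ctct1.csv", "attacker-site")
    print(f"full graph: {len(g)} edges; upstream of attacker-site: {len(up)} edges")
    print(f"ctct1.csv -> attacker-site, event ids: {sorted(e.ts for e in p2p)}")
    print("replay+DIFT needed at:", confusion_points(g, p2p))
```

On the constructed log, the upstream query from the attacker site drops the later write to loss.csv (event 9) because it happened after gzip read that file, and the point-to-point query from ctct1.csv keeps only events 1, 2, 6 and 8. Within that pruned path the only process with an input outside the path is firefox, which also read errors.zip, so that is the single execution where replay with selective DIFT is needed to resolve the dependency.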
