
System Health and Intrusion Monitoring - PowerPoint PPT Presentation



  1. Advanced Security Research
     System Health and Intrusion Monitoring Using a Hierarchy of Constraints
     Calvin Ko, NAI Labs, Network Associates, Inc.
     Jeff Rowe, University of California, Davis
     October 2001

  2. Abstract IDS Model
     (diagram) Detect attackers by the effect/manifestation of the attacker's actions. Inputs to the ID Engine: Historical Behavior, Attacks/Vulnerabilities, Rules, Intended/Expected Behavior. The ID Engine consumes Audit Data (e.g., kernel audit trails, network packets, syslog, ...) and produces a Result.
     RAID 2001-2

  3. System Health and Intrusion Monitoring (SHIM)
     • Extend existing specification-based detection work
     • Employ a hierarchy of constraints/specifications
       – describe healthy/correct operation of a system
       – capture static behavior, dynamic behavior, time-dependent behavior of different components at different levels of abstraction
       – detect manifestations of attacks or security errors regardless of the cause
     • Utilize data at all levels – network, host, OS kernel, application
     • Reason about the specifications

  4. Top Level Threats addressed by SHIM
     • Remote-to-Local, Remote-to-Root
     • User-to-Root
     • Insider
       – exceeding his/her privileges
       – misusing his/her privileges
     • Trojan Horses
     • Denial of Service
     • Masqueraders & Probing
     • Privileged processes – setuid root programs, servers/daemons, administrator processes

  5. Constraint Model
     (diagram) Layers of constraints, from highest to lowest level: Temporal/Interaction; Operational Integrity; System-wide Resource Usage; Data Integrity; System Services Access; Host Programs and Applications; Network Protocols.

  6. Constraint Development
     (diagram) Security Policies, Functionality & Design Principles, Attack/Vulnerability Models and System Semantics feed the Higher Level Constraints; those, together with Configuration, historical behavior and system policy, yield the Hierarchical Constraint Model and its Constraints.

  7. Roadmap
     • Technical objective
     • Approach and Rationale
     • Useful types of constraints
     • Program constraints
     • Protocol constraints
     • High level constraints
     • Ongoing and Future Work

  8. Useful Types of Constraints
     • Policy on Users
       – Files a user can access
       – Resources a user is allowed to possess
     • Protocol Specifications – operational view
       – Defines allowable transitions
       – Defines allowable time in a given state
     • Protocol Specifications – message content
       – Mappings delivered by DNS should accurately represent the view of the authoritative server
       – IP addresses are not spoofed

  9. Useful Types of Constraints (cont.)
     • Protocols – invariants and assumptions
       – IP routers approximate Kirchhoff's law
       – Packets are not sniffed by a third party
       – Packet source must be a non-congested/non-DoSed host
     • Programs – valid access constraints
       – Programs access only certain objects
     • Programs – interaction constraints
       – program interaction should not change the semantics
     • Data Integrity
       – e.g., passwords, other authentication information
       – authorization information, process table

  10. Access Constraints for Programs
      • Can detect
        – remote users gaining local access
        – local users gaining additional privileges
        – Trojan Horses
      • Work well for many programs, e.g., passwd, lpr, lprm, lpq, fingerd, at, atq, …
      • Some programs can potentially access many files, e.g., httpd, ftpd
        – break the execution into pieces (threadlets) and define the valid access for each threadlet
        – threadlets are delimited by transition operations

  11. Component-Specific Constraints
      • Privileged programs – e.g., the FTP daemon
        – Read files that are world readable
        – Write files that are owned by the user
        – Execute only /bin/ls, /bin/gzip, /bin/tar, /bin/compress
      • Critical Data
        – e.g., the password file in a Unix system should be in the correct form and each user should have a password.

  12. General Constraints
      • A privileged process should discard all its privileges and capabilities before it gives control to a user.
      • The temporary file for a program should be accessible only by the program execution and should be removed when the program exits.
      • An application should read only configuration files owned by the user that it is running as.
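The slides on access constraints (10), component-specific constraints (11) and general constraints (12) describe a monitor that checks each audited operation of a privileged program against a written specification. The following is an added example in Python, not code from the SHIM prototype; it encodes the FTP-daemon constraints from slide 11 (read only world-readable files, write only files owned by the requesting user, execute only the four listed binaries) and evaluates a constructed audit trail against them. The file-system metadata, the audit records and the `ftpd` checker name are all constructed for the example.

```python
"""Specification-based access monitor for a privileged program (added example)."""
import stat
from dataclasses import dataclass

# Constructed file-system metadata: path -> (owner, permission bits).
# A real monitor would obtain these from the kernel audit trail or a stat() call.
FILESYSTEM = {
    "/etc/passwd":          ("root",  0o644),
    "/etc/shadow":          ("root",  0o600),
    "/home/alice/upload":   ("alice", 0o644),
    "/home/bob/secret.txt": ("bob",   0o600),
    "/bin/ls":              ("root",  0o755),
    "/bin/sh":              ("root",  0o755),
}

# Slide 11: the FTP daemon may execute only these programs.
ALLOWED_EXEC = {"/bin/ls", "/bin/gzip", "/bin/tar", "/bin/compress"}


@dataclass
class AuditRecord:
    program: str   # program being monitored, e.g. "ftpd"
    user: str      # user the daemon is acting on behalf of
    op: str        # "read", "write" or "exec"
    path: str      # object the operation touches


def check_ftpd(record):
    """Return None if the record satisfies the ftpd constraints, else a violation message."""
    if record.path not in FILESYSTEM:
        return f"unknown object {record.path}"
    owner, mode = FILESYSTEM[record.path]
    if record.op == "read":
        # Constraint: read only world-readable files.
        return None if mode & stat.S_IROTH else f"read of non-world-readable file {record.path}"
    if record.op == "write":
        # Constraint: write only files owned by the user the daemon acts for.
        return None if owner == record.user else f"write to {record.path} owned by {owner}, not {record.user}"
    if record.op == "exec":
        # Constraint: execute only the listed binaries.
        return None if record.path in ALLOWED_EXEC else f"exec of {record.path} not in allowed set"
    return f"unknown operation {record.op}"


# Per-program constraint table; other programs would get their own checker.
CONSTRAINTS = {"ftpd": check_ftpd}


def monitor(records):
    """Evaluate each audit record; return a list of (record index, violation) alarms."""
    alarms = []
    for i, rec in enumerate(records):
        checker = CONSTRAINTS.get(rec.program)
        if checker is None:
            alarms.append((i, f"no constraint for program {rec.program}"))
            continue
        violation = checker(rec)
        if violation is not None:
            alarms.append((i, violation))
    return alarms


# Constructed audit trail: three conforming operations followed by three violations.
SAMPLE_TRAIL = [
    AuditRecord("ftpd", "alice", "read",  "/etc/passwd"),
    AuditRecord("ftpd", "alice", "write", "/home/alice/upload"),
    AuditRecord("ftpd", "alice", "exec",  "/bin/ls"),
    AuditRecord("ftpd", "alice", "read",  "/etc/shadow"),
    AuditRecord("ftpd", "alice", "write", "/home/bob/secret.txt"),
    AuditRecord("ftpd", "alice", "exec",  "/bin/sh"),
]

if __name__ == "__main__":
    for idx, msg in monitor(SAMPLE_TRAIL):
        print(f"ALARM record {idx}: {msg}")
```

The point of the design is that the checker never looks at what caused an operation: a remote exploit, a local privilege escalation and a Trojan-horse binary all show up the same way, as an operation outside the program's specification, which is what slide 10 means by detecting manifestations regardless of cause.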

  13. Prototype SHIM Host Monitor
      (diagram) Constraints/Specifications are fed to the SHIM Compiler, which produces SHIM Analyzer Modules. The SHIM Monitor (with control of the modules) runs the analyzer modules over audit data from the Agile Kernel Auditor on a Linux or Solaris kernel and from other sources.

  14. Protocol Constraints
      • Address Resolution Protocol (ARP)
        – For mapping between the Ethernet layer and the IP layer
        – Hosts on the network query all machines for their Ethernet-to-IP assignments before sending to a new IP address. Hosts typically keep a local list of mappings (the ARP cache) to avoid repetitive queries.
      • ARP Cache Poisoning
        – Unsolicited Response
        – Bogus Request
        – Bogus Response
        – Both a spurious Request and a spurious Response

  15. An ARP Specification
      (state diagram) States: i, reply_wait, cached. Transition labels: ARP Request (appears twice), ARP Response, ARP cache timeout. An ARP Request takes the state from i to reply_wait, an ARP Response from reply_wait to cached, and an ARP cache timeout from cached back to i.

  16. Unsolicited ARP Response
      ARP REPLY to victim: blanc.cs.ucdavis.edu IS-AT 08:00:20:23:71:52
      • An ARP reply will be accepted by a victim machine even though it hasn't sent a request.
      • Sending an arbitrary IP-to-Ethernet mapping will poison the victim's ARP cache.
      • Sending an unsolicited response to the broadcast Ethernet address poisons the cache of all machines (Solaris, Windows, Linux).

  17. Bogus ARP Request
      ARP REQUEST: WHO-HAS olympus.cs.ucdavis.edu TELL blanc.cs.ucdavis.edu at 08:00:20:23:71:52
      • ARP implementations cache entries based upon broadcast requests.
      • Even if a host isn't involved in the resolution, its cache will update with the information contained in third-party requests.
      • Sending out a request with bogus sender information poisons everyone's cache.

  18. An ARP Specification (with alarms)
      (state diagram) The slide-15 state machine (i, reply_wait, cached; ARP Request, ARP Response, ARP cache timeout) extended with transitions to an alarm state for: Bogus ARP Request, Bogus ARP Response, Unsolicited ARP Response, Malformed ARP Request.
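Slides 14 to 19 describe one ARP correctness specification whose state machine (i, reply_wait, cached) raises an alarm on unsolicited responses, bogus requests, bogus responses and malformed requests. The following is an added example in Python, not the snort preprocessor plug-in the authors built; it watches a segment rather than a single host, so it keys the state on the pair (requesting IP, IP being resolved). A reply is unsolicited when that pair is not in reply_wait, and a request or reply is bogus when its claimed sender mapping contradicts a trusted IP-to-MAC table, which is an assumption of this example (the slides do not say how the prototype decides that a mapping is bogus). The trusted table, the frames (using documentation MAC addresses) and the event trace are all constructed.

```python
"""Stateful ARP specification monitor (added example, not the SHIM/snort plug-in)."""

REQUIRED = ("op", "sender_ip", "sender_mac", "target_ip")


class ArpMonitor:
    def __init__(self, trusted):
        self.trusted = dict(trusted)   # IP -> MAC the monitor believes correct (assumption)
        self.state = {}                # (requester_ip, resolved_ip) -> "i" | "reply_wait" | "cached"
        self.alarms = []               # (kind, frame) in order of detection

    def _state(self, key):
        return self.state.get(key, "i")

    def _bogus(self, frame):
        """Sender mapping contradicts the trusted table."""
        known = self.trusted.get(frame["sender_ip"])
        return known is not None and known != frame["sender_mac"]

    def timeout(self, requester_ip, resolved_ip):
        """ARP cache timeout: cached -> i."""
        if self._state((requester_ip, resolved_ip)) == "cached":
            self.state[(requester_ip, resolved_ip)] = "i"

    def observe(self, frame):
        """Apply one ARP frame to the specification. Alarms leave the state unchanged."""
        if any(k not in frame for k in REQUIRED) or frame["op"] not in ("request", "reply"):
            self.alarms.append(("malformed ARP frame", frame))
            return
        if frame["op"] == "request":
            if self._bogus(frame):
                self.alarms.append(("bogus ARP request", frame))
                return
            # i -> reply_wait: the sender is now waiting for target_ip to answer.
            self.state[(frame["sender_ip"], frame["target_ip"])] = "reply_wait"
            return
        # A reply claims "sender_ip is-at sender_mac" and is addressed to target_ip.
        key = (frame["target_ip"], frame["sender_ip"])
        if self._state(key) != "reply_wait":
            self.alarms.append(("unsolicited ARP response", frame))
            return
        if self._bogus(frame):
            self.alarms.append(("bogus ARP response", frame))
            return
        self.state[key] = "cached"   # reply_wait -> cached


def run_trace(trusted, events):
    """Feed a constructed event list through the monitor; return the alarm kinds in order."""
    mon = ArpMonitor(trusted)
    for ev in events:
        if ev.get("op") == "timeout":
            mon.timeout(ev["requester"], ev["resolved"])
        else:
            mon.observe(ev)
    return [kind for kind, _ in mon.alarms]


# Constructed trusted mappings (documentation MAC range 00:00:5e:00:53:xx).
TRUSTED = {"10.0.0.1": "00:00:5e:00:53:01", "10.0.0.2": "00:00:5e:00:53:02"}
FAKE_MAC = "00:00:5e:00:53:99"

def req(sender_ip, sender_mac, target_ip):
    return {"op": "request", "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}

def rep(sender_ip, sender_mac, target_ip):
    return {"op": "reply", "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}

# Constructed trace: a normal resolution, then one instance of each alarm class.
SAMPLE_TRACE = [
    req("10.0.0.1", TRUSTED["10.0.0.1"], "10.0.0.2"),        # i -> reply_wait
    rep("10.0.0.2", TRUSTED["10.0.0.2"], "10.0.0.1"),        # reply_wait -> cached
    rep("10.0.0.2", FAKE_MAC, "10.0.0.3"),                   # nobody asked: unsolicited
    req("10.0.0.1", FAKE_MAC, "10.0.0.3"),                   # wrong sender MAC: bogus request
    {"op": "timeout", "requester": "10.0.0.1", "resolved": "10.0.0.2"},  # cached -> i
    rep("10.0.0.2", TRUSTED["10.0.0.2"], "10.0.0.1"),        # after timeout, no request: unsolicited
    req("10.0.0.1", TRUSTED["10.0.0.1"], "10.0.0.2"),        # i -> reply_wait again
    rep("10.0.0.2", FAKE_MAC, "10.0.0.1"),                   # solicited but wrong MAC: bogus response
    {"op": "request", "sender_ip": "10.0.0.1"},              # missing fields: malformed
]

if __name__ == "__main__":
    for kind in run_trace(TRUSTED, SAMPLE_TRACE):
        print("ALARM:", kind)
```

Because the monitor tracks who asked whom, a reply to the broadcast Ethernet address (slide 16) is caught by the same unsolicited-response rule: no host on the segment is in reply_wait for a target it never queried.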

  19. ARP Monitor Implementation
      • Built on the snort open-source IDS platform
        – Uses the snort preprocessor plug-in feature
        – No measurable difference in baseline IDS performance, due to the low volume of ARP traffic
      • A single ARP correctness specification catches all five ARP vulnerabilities

  20. A DHCP Specification
      • Dynamic Host Configuration Protocol (DHCP)
        – provides centralized management of client workstation configuration parameters
        – distributed servers cooperatively allocate client parameters, even across sub-networks
      • DHCP typically configures
        – IP address allocation
        – Gateway router address
        – DNS servers

  21. DHCP Messages
      From Server (Message – Use)
      • DHCPOFFER – Server to client in response to DHCPDISCOVER with offer of configuration parameters.
      • DHCPACK – Server to client with configuration parameters, including committed network address.
      • DHCPNAK – Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
      From Clients (Message – Use)
      • DHCPDISCOVER – Client broadcast to locate available servers.
      • DHCPREQUEST – Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
      • DHCPDECLINE – Client to server indicating network address is already in use.
      • DHCPRELEASE – Client to server relinquishing network address and cancelling remaining lease.
      • DHCPINFORM – Client to server, asking only for local configuration parameters; client already has externally configured network address.
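The message table above fixes two things a protocol-specification monitor (slide 8: "defines allowable transitions") can check: which side may originate each message type, and which client message a server message answers. The following is an added example in Python, not the SHIM prototype's DHCP specification; it checks both constraints per transaction id. The answer relation (DHCPOFFER answers DHCPDISCOVER; DHCPACK and DHCPNAK answer DHCPREQUEST; DHCPACK also answers DHCPINFORM) follows RFC 2131, and the list of authorized servers, the source addresses and the message trace are constructed for the example.

```python
"""DHCP message constraint checker (added example; not the SHIM prototype)."""

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPDECLINE", "DHCPRELEASE", "DHCPINFORM"}

# Which client message each server message is allowed to answer (RFC 2131 exchanges).
ANSWERS = {
    "DHCPOFFER": {"DHCPDISCOVER"},
    "DHCPACK":   {"DHCPREQUEST", "DHCPINFORM"},
    "DHCPNAK":   {"DHCPREQUEST"},
}


def check_trace(messages, authorized_servers):
    """Return a list of (message index, violation) alarms for a trace of DHCP messages.

    Each message is a dict with "type" (message type), "xid" (transaction id)
    and "src" (source address, constructed for the example).
    """
    alarms = []
    pending = {}   # xid -> most recent client message awaiting a server answer
    for n, m in enumerate(messages):
        mtype, xid, src = m["type"], m["xid"], m["src"]
        if mtype in CLIENT_MSGS:
            # Direction constraint: a server must not originate client messages.
            if src in authorized_servers:
                alarms.append((n, f"{mtype} sent by server {src}"))
            pending[xid] = mtype
        elif mtype in SERVER_MSGS:
            # Direction constraint: only an authorized server may offer/commit/refuse addresses.
            if src not in authorized_servers:
                alarms.append((n, f"{mtype} from unauthorized source {src}"))
            # Transition constraint: the server message must answer the right client message.
            if pending.get(xid) not in ANSWERS[mtype]:
                expected = "/".join(sorted(ANSWERS[mtype]))
                alarms.append((n, f"{mtype} for xid {xid:#x} not preceded by {expected}"))
        else:
            alarms.append((n, f"unknown message type {mtype}"))
    return alarms


# Constructed example values (TEST-NET-1 addresses).
AUTHORIZED_SERVERS = {"192.0.2.10"}
CLIENT_A, CLIENT_B, ROGUE = "192.0.2.50", "192.0.2.51", "192.0.2.99"

SAMPLE_TRACE = [
    {"type": "DHCPDISCOVER", "xid": 0x1a2b, "src": CLIENT_A},       # 0 normal four-way exchange
    {"type": "DHCPOFFER",    "xid": 0x1a2b, "src": "192.0.2.10"},   # 1
    {"type": "DHCPREQUEST",  "xid": 0x1a2b, "src": CLIENT_A},       # 2
    {"type": "DHCPACK",      "xid": 0x1a2b, "src": "192.0.2.10"},   # 3
    {"type": "DHCPOFFER",    "xid": 0x9999, "src": ROGUE},          # 4 unauthorized and unsolicited
    {"type": "DHCPACK",      "xid": 0x3c4d, "src": "192.0.2.10"},   # 5 ACK with no request
    {"type": "DHCPINFORM",   "xid": 0x5e6f, "src": CLIENT_B},       # 6 INFORM/ACK is allowed
    {"type": "DHCPACK",      "xid": 0x5e6f, "src": "192.0.2.10"},   # 7
]

if __name__ == "__main__":
    for idx, msg in check_trace(SAMPLE_TRACE, AUTHORIZED_SERVERS):
        print(f"ALARM message {idx}: {msg}")
```

The transaction-id bookkeeping is what distinguishes a legitimate DHCPACK from one that arrives out of the blue: both are well-formed server messages, and only the allowable-transition constraint separates them.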
