detect known violations of policy
play

Detect Known Violations of Policy Goal: does a specific action - PDF document

Sep 27, 2023 •272 likes •546 views

Detect Known Violations of Policy Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for

  1. Detect Known Violations of Policy • Goal: does a specific action and/or state that is known to violate security policy occur? – Assume that action automatically violates policy – Policy may be implicit, not explicit – Used to look for known attacks June 1, 2004 ECS 235 Slide #1 Example • Land attack – Consider 3-way handshake to initiate TCP connection (next slide) – What happens if source, destination ports and addresses the same? Host expects ACK( t +1), but gets ACK( s +1). – RFC ambiguous: • p. 36 of RFC: send RST to terminate connection • p. 69 of RFC: reply with empty packet having current sequence number t +1 and ACK number s +1—but it receives packet and ACK number is incorrect. So it repeats this … system hangs or runs very slowly, depending on whether interrupts are disabled June 1, 2004 ECS 235 Slide #2 1

  2. 3-Way Handshake and Land Normal: 1. srcseq = s , expects ACK s +1 2. destseq = t , expects ACK t +1; src gets ACK s+ 1 3. srcseq = s +1, destseq = t +1; dest gets ACK t +1 SYN( s ) Land: Source SYN( t )ACK( s + 1) Destination 1. srcseq = destseq = s, expects ACK (t + 1) ACK s+1 2. srcseq = destseq = t, expects ACK t+1 but gets ACK s+1 3. Never reached; recovery from error in 2 attempted June 1, 2004 ECS 235 Slide #3 Detection • Must spot initial Land packet with source, destination addresses the same • Logging requirement: – source port number, IP address – destination port number, IP address • Auditing requirement: – If source port number = destination port number and source IP address = destination IP address, packet is part of a Land attack June 1, 2004 ECS 235 Slide #4 2

  3. Auditing Mechanisms • Systems use different mechanisms – Most common is to log all events by default, allow sysadmin to disable logging that is unnecessary • Two examples – One audit system designed for a secure system – One audit system designed for non-secure system June 1, 2004 ECS 235 Slide #5 Secure Systems • Auditing mechanisms integrated into system design and implementation • Security officer can configure reporting and logging: – To report specific events – To monitor accesses by a subject – To monitor accesses to an object • Controlled at audit subsystem – Irrelevant accesses, actions not logged June 1, 2004 ECS 235 Slide #6 3

  4. Example 1: VAX VMM • Designed to be a secure production system – Audit mechanism had to have minimal impact – Audit mechanism had to be very reliable • Kernel is layered – Logging done where events of interest occur – Each layer audits accesses to objects it controls • Audit subsystem processes results of logging from mechanisms in kernel – Audit subsystem manages system log – Invoked by mechanisms in kernel June 1, 2004 ECS 235 Slide #7 VAX VMM Audit Subsystem • Calls provide data to be logged – Identification of event, result – Auxiliary data depending on event – Caller’s name • Subsystem checks criteria for logging – If request matches, data is logged – Criteria are subject or object named in audit table, and severity level (derived from result) – Adds date and time, other information June 1, 2004 ECS 235 Slide #8 4

  5. Other Issues • Always logged – Programmer can request event be logged – Any attempt to violate policy • Protection violations, login failures logged when they occur repeatedly • Use of covert channels also logged • Log filling up – Audit logging process signaled to archive log when log is 75% full – If not possible, system stops June 1, 2004 ECS 235 Slide #9 Example 2: CMW • Compartmented Mode Workstation designed to allow processing at different levels of sensitivity – Auditing subsystem keeps table of auditable events – Entries indicate whether logging is turned on, what type of logging to use – User level command chaud allows user to control auditing and what is audited • If changes affect subjects, objects currently being logged, the logging completes and then the auditable events are changed June 1, 2004 ECS 235 Slide #10 5

  6. CMW Process Control • System calls allow process to control auditing – audit_on turns logging on, names log file – audit_write validates log entry given as parameter, logs entry if logging for that entry is turned on – audit_suspend suspends logging temporarily – audit_resume resumes logging after suspension – audit_off turns logging off for that process June 1, 2004 ECS 235 Slide #11 System Calls • On system call, if auditing on: – System call recorded – First 3 parameters recorded (but pointers not followed) • How audit_write works – If room in log, append new entry – Otherwise halt system, discard new entry, or disable event that caused logging • Continue to try to log other events June 1, 2004 ECS 235 Slide #12 6

  7. Other Ways to Log • Problem: some processes want to log higher-level abstractions (application logging) – Window manager creates, writes high-level events to log – Difficult to map low-level events into high- level ones – Disables low-level logging for window manager as unnecessary June 1, 2004 ECS 235 Slide #13 CMW Auditing • Tool ( redux ) to analyze logged events • Converts binary logs to printable format • Redux allows user to constrain printing based on several criteria – Users – Objects – Security levels – Events June 1, 2004 ECS 235 Slide #14 7

  8. Non-Secure Systems • Have some limited logging capabilities – Log accounting data, or data for non-security purposes – Possibly limited security data like failed logins • Auditing subsystems focusing on security usually added after system completed – May not be able to log all events, especially if limited kernel modifications to support audit subsystem June 1, 2004 ECS 235 Slide #15 Example: Basic Security Module • BSM enhances SunOS, Solaris security – Logs composed of records made up of tokens • Token contains information about event: user identity, groups, file system information, network, system call and result, etc. as appropriate June 1, 2004 ECS 235 Slide #16 8

  9. More About Records • Records refer to auditable events – Kernel events: opening a file – Application events: failure to authenticate when logging in • Grouped into audit event classes based on events causing record generation – Before log created: tell system what to generate records for – After log created: defined classes control which records given to analysis tools June 1, 2004 ECS 235 Slide #17 Example Record • Logs are binary; this is from praudit header,35,AUE_EXIT,Wed Sep 18 11:35:28 1991, + 570000 msec, process,bishop,root,root,daemon,1234, return,Error 0,5 trailer,35 June 1, 2004 ECS 235 Slide #18 9

  10. Auditing File Systems • Network File System (NFS) – Industry standard – Server exports file system; client imports it – Root of tree being exported called server mount point ; place in client file tree where exported file system imported called client mount point • Logging and Auditing File System (LAFS) – Built on NFS June 1, 2004 ECS 235 Slide #19 NFS Version 2 • Mounting protocol – Client kernel contacts server’s mount daemon – Daemon checks client is authorized to mount file system – Daemon returns file handle pointing to server mount point – Client creates entry in client file system corresponding to file handle – Access restrictions enforced • On client side: server not aware of these • On server side: client not aware of these June 1, 2004 ECS 235 Slide #20 10

  11. File Access Protocol • Process tries to open file as if it were local • Client kernel sends file handle for element of path referring to remote file to server’s NFS server using LOOKUP request • If file handle valid, server replies with appropriate file handle • Client requests attributes with GETATTR – Client then determines if access allowed; if not, denies • Iterate above three steps until handle obtained for requested file – Or access denied by client June 1, 2004 ECS 235 Slide #21 Other Important Details • NFS stateless – Server has no idea which files are being accessed and by whom • NFS access control – Most servers require requests to come from privileged programs • Check that source port is 1023 or less – Underlying messages identify user • To some degree of certainty … June 1, 2004 ECS 235 Slide #22 11

  12. Site Policy 1. NFS servers respond only to authorized clients 2. UNIX access controls regulate access to server’s exported file system 3. No client host can access a nonexported file system June 1, 2004 ECS 235 Slide #23 Resulting Constraints 1. File access granted ⇒ client authorized to import file system, user can search all parent directories, user can access file as requested, file is descendent of server’s file system mount point • From P1, P2, P3 2. Device file created or file type changed to device ⇒ user’s UID is 0 • From P2; only UID 0 can do these actions June 1, 2004 ECS 235 Slide #24 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A National Perspective on Responding to Parole Violations Responses to Parole Violations

A National Perspective on Responding to Parole Violations Responses to Parole Violations

A National Perspective on Responding to Parole Violations Responses to Parole Violations Traditionally. Very little attention or visibility Very little policy Great discretion on the part of parole officers Monitor

553 views • 16 slides
AGLC Information Presentation ALIC 2016 Recent Policy Changes and Most Common Violations Found

AGLC Information Presentation ALIC 2016 Recent Policy Changes and Most Common Violations Found

AGLC Information Presentation ALIC 2016 Recent Policy Changes and Most Common Violations Found By Inspectors Overview Recent Policy Changes 7 Common Violations Recent Policy Changes Nude Entertainment Happy Hour

416 views • 22 slides
Astronomical Tests Possible Violations of . . . Possible Violations of . . . of Relativity:

Astronomical Tests Possible Violations of . . . Possible Violations of . . . of Relativity:

Relativistic Celestial . . . Towards Extended . . . Possible Violations of . . . Astronomical Tests Possible Violations of . . . Possible Violations of . . . of Relativity: Possible Cosmological . . . Possible Effects of Torsion beyond

310 views • 12 slides
Avoiding Antitrust Violations In Avoiding Antitrust Violations In Employment Recruiting Leveraging

Avoiding Antitrust Violations In Avoiding Antitrust Violations In Employment Recruiting Leveraging

Presenting a live 75 minute webinar with interactive Q&A Avoiding Antitrust Violations In Avoiding Antitrust Violations In Employment Recruiting Leveraging Guidance on Non Solicitation Agreements from Recent DOJ Consent Decree THURS

471 views • 20 slides
TOP TEN TOP TEN HAZARDOUS WASTE HAZARDOUS WASTE GENERATOR VIOLATIONS GENERATOR VIOLATIONS And

TOP TEN TOP TEN HAZARDOUS WASTE HAZARDOUS WASTE GENERATOR VIOLATIONS GENERATOR VIOLATIONS And

TOP TEN TOP TEN HAZARDOUS WASTE HAZARDOUS WASTE GENERATOR VIOLATIONS GENERATOR VIOLATIONS And How To Avoid Them PRESENTED BY HERB NICHOLSON, P.G. ENVIRONMENTAL SPECIALIST STATE OF TENNESSEE MEMPHIS ENVIRONMENTAL FIELD OFFICE DIVISION OF

482 views • 45 slides
FuZZan: Efficient Sanitizer Metadata Design for Fuzzing Yuseok Jeon 1 , WookHyun Han 2 , Nathan

FuZZan: Efficient Sanitizer Metadata Design for Fuzzing Yuseok Jeon 1 , WookHyun Han 2 , Nathan

FuZZan: Efficient Sanitizer Metadata Design for Fuzzing Yuseok Jeon 1 , WookHyun Han 2 , Nathan Burow 1 , Mathias Payer 1 3 1 2 3 Sanitizer: Debug Policy Violations Observe actual execution and flag incorrect behavior E.g., detect

470 views • 23 slides
It is possible that vehicle violations, and safety compliance, and (vii) a crash management

It is possible that vehicle violations, and safety compliance, and (vii) a crash management

accidents, driver violations, maintenance, (vi) hazmat It is possible that vehicle violations, and safety compliance, and (vii) a crash management records, as indicator. Using 24 months of data can and will compared to the entire carrier

294 views • 4 slides
Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor, KAGRA Keiko Kokeyama, Takahiro Yamamoto, Taka-aki Yokozawa, Chihiro Kozakai, Yuta Fujikawa, Shoichi Oshino, Tatsuki Washimi, Alex Urban, Siddharth

400 views • 14 slides
SEC Targets Alleged Pricing Violations Inside this issue: SEC Targets Alleged Pricing The

SEC Targets Alleged Pricing Violations Inside this issue: SEC Targets Alleged Pricing The

February 2012 SEC Targets Alleged Pricing Violations Inside this issue: SEC Targets Alleged Pricing The Securities and Exchange Commissions (SEC) Enforcement Division Violations ................................... 1 made headlines

115 views • 7 slides
Today An Overview of Common Violations of MassDEP Regulations in the Bureau of Air and Waste

Today An Overview of Common Violations of MassDEP Regulations in the Bureau of Air and Waste

Environmental Compliance Today An Overview of Common Violations of MassDEP Regulations in the Bureau of Air and Waste September 8, 2017 Eco-Efficiency Center, Devens Agenda MassDEP Overview Common Violations AQ, HW, IWW, TURA

601 views • 37 slides
The College of Charleston Honor Code A Crash Course Types of Violations Class 3

The College of Charleston Honor Code A Crash Course Types of Violations Class 3

The College of Charleston Honor Code A Crash Course Types of Violations Class 3 Unintentional Due to a misunderstanding, ignorance, confusion/poor communication Examples provided by the honor code guide Types of Violations

141 views • 10 slides
Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Detecting Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello (University of Bologna) Mediating Italy in a Global 1 Project overview 1. What is DETECt ? 2. Who is DETECt ? 3. Why DETECt ? 4. DETECt

521 views • 18 slides
Quark-sector CP violations and beyond Youngjoon Kwon Yonsei University 1st T2HKK Workshop @

Quark-sector CP violations and beyond Youngjoon Kwon Yonsei University 1st T2HKK Workshop @

Quark-sector CP violations and beyond Youngjoon Kwon Yonsei University 1st T2HKK Workshop @ SNU, Nov. 21-22, 2016 Outline Introduction & Motivation CP violations in the quark sector Outlook 2 The three frontiers Flavor Physics 5 3

435 views • 41 slides
VIOLATIONS AND IRREGULARITIES IN THE 2012 PRESIDENTIAL ELECTION PRESENTATION BY DR. MAHAMUDU

VIOLATIONS AND IRREGULARITIES IN THE 2012 PRESIDENTIAL ELECTION PRESENTATION BY DR. MAHAMUDU

EVIDENCE OF MALPRACTICES, VIOLATIONS AND IRREGULARITIES IN THE 2012 PRESIDENTIAL ELECTION PRESENTATION BY DR. MAHAMUDU BAWUMIA 1 2 ND PETITIONER EVIDENCE OF ELECTION MALPRACTICES, VIOLATIONS AND IRREGULARITIES OVERVIEW : BACKGROUND

795 views • 61 slides
Can We Detect Crisp Sets Based Only on How to Detect 1- . . . the Subsethood Ordering of Fuzzy

Can We Detect Crisp Sets Based Only on How to Detect 1- . . . the Subsethood Ordering of Fuzzy

Formulation of the . . . Formulation of the . . . Let Us First Consider . . . How to Detect the . . . Can We Detect Crisp Sets Based Only on How to Detect 1- . . . the Subsethood Ordering of Fuzzy Sets? How to Detect 1- . . . Fuzzy Sets

230 views • 12 slides
WIDESPREAD AND SYSTEMIC VIOLATIONS: EUROPEAN SYSTEM P R O F E S S O R P H I L I P L E A C H E

WIDESPREAD AND SYSTEMIC VIOLATIONS: EUROPEAN SYSTEM P R O F E S S O R P H I L I P L E A C H E

WIDESPREAD AND SYSTEMIC VIOLATIONS: EUROPEAN SYSTEM P R O F E S S O R P H I L I P L E A C H E H R A C , M I D D L E S E X U N I V E R S I T Y , L O N D O N EUROPEAN COURT PILOT JUDGMENTS Political impetus in early 2000s Immense case

354 views • 24 slides
Quadrennial Actuarial Audit of the Virginia Retirement System Stephen T. McElhaney, FSA Plans

Quadrennial Actuarial Audit of the Virginia Retirement System Stephen T. McElhaney, FSA Plans

July 10, 2006 Quadrennial Actuarial Audit of the Virginia Retirement System Stephen T. McElhaney, FSA Plans reviewed June 30, 2005 actuarial valuations VRS Pension Benefits (including selected local governments) Health Care Credit

357 views • 13 slides
Risk Disclosure Preceding Negative Outcomes: The Effects of Reporting Critical Audit Matters on

Risk Disclosure Preceding Negative Outcomes: The Effects of Reporting Critical Audit Matters on

Risk Disclosure Preceding Negative Outcomes: The Effects of Reporting Critical Audit Matters on Judgments of Auditor Liability Kelsey Brasel, Ball State University Marcus Doxey, The University of Alabama Jonathan Grenier, Miami University

681 views • 50 slides
WFU LAW Samples of Aligned Outcomes from the Wake Forest School of Law online Master of Studies

WFU LAW Samples of Aligned Outcomes from the Wake Forest School of Law online Master of Studies

The Learning Outcomes Hierarchy: WFU LAW Samples of Aligned Outcomes from the Wake Forest School of Law online Master of Studies in Law online MSL Ellen Murphy, JD, MEd Assistant Dean Instructional Tech. & Design Wake Forest University

400 views • 7 slides
TM Standards Deliverables Fulfill legal requirements Drive brand Ensure safe

TM Standards Deliverables Fulfill legal requirements Drive brand Ensure safe

TM Supplier Values S afety The Standards describe how we and P eople our suppliers put integrity into E nvironment practice every day by living up to the Q uality following supplier values: D elivery C ost TM Supplier Values S afety: of

127 views • 11 slides
9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB

9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB

IAASB CAG PAPER IAASB CAG Agenda (September 2011) Agenda Item C - Slides to Introduce AQ Presentation 9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB Audit Quality Task Force IAASB CAG Meeting

460 views • 6 slides
Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

4/8/2015 Changes to Federal Grants & Single Audits (A-87, A-21, A-122, A-102, A-110, A-89, A-133 & A-50) The New OMB Uniform Guidance Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

722 views • 55 slides
OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee

OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee

OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee of upcoming audit OIG review files may visit a community Exit conference (grantee can provide verbal comments) OIG issues draft

89 views • 7 slides
Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle Assessment LCA is a methodology to account for and assess the environmental impacts from all phases / stages of a product life cycle Mining

993 views • 72 slides

More recommend