on demand inter process information
play

On-demand Inter-process Information Flow Tracking Yang Ji, Sangho - PowerPoint PPT Presentation

Oct 30, 2022 •388 likes •1.28k views

RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017 More and more

  1. RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017

  2. More and more data breaches 2

  3. More and more data breaches DATA BREACHES (SOURCE: BREACH LEVEL INDEX BY GEMALTO) Number of data breaches Number of breached records (mil) 3000 2500 2459 2000 1901 1594 1500 1155 1029 1000 924 918 853 819 815 721 665 658 558 500 513 428 427 316 0 2013-H12013-H22014-H12014-H22015-H12015-H22016-H12016-H22017-H1 2

  4. Is attack investigation accurate? 3

  5. Is attack investigation accurate? A B C 3

  6. Is attack investigation accurate? read A B C 3

  7. Is attack investigation accurate? read A read B C 3

  8. Is attack investigation accurate? read A read B read C 3

  9. Is attack investigation accurate? read A read “Hmm, I only want C !” B read C 3

  10. Is attack investigation accurate? read A read send “Hmm, I only want C !” send B send read send C 3

  11. Is attack investigation accurate? A, B, or C ? read A read send “Hmm, I only want C !” send B send read send C 3

  12. Is attack investigation accurate? Dependency confusion! A, B, or C ? read A read send “Hmm, I only want C !” send B send read send C 3

  13. File archive 4

  14. File archive recv write 4

  15. File archive recv write “Let me change the offer price.” 4

  16. File archive recv write “Let me change the offer price.” 4

  17. File archive write write recv write “Let me change read write the offer price.” 4

  18. File archive ? Is this file affected ? write ? write recv write “Let me change read write the offer price.” ? 4

  19. File archive ? Dependency confusion! Is this file affected ? write ? write recv write “Let me change read write the offer price.” ? 4

  20. Related work Accuracy Runtime Analysis Efficiency Efficiency 4

  21. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi Runtime Analysis Efficiency Efficiency 4

  22. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi Runtime Analysis Efficiency Efficiency 4

  23. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi • Dynamic Information Flow Tracking (DIFT) • Panorama, Dtracker Runtime Analysis Efficiency Efficiency 4

  24. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi • Dynamic Information Flow Tracking (DIFT) • Panorama, Dtracker Runtime Analysis Efficiency Efficiency 4

  25. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi • Dynamic Information Flow Tracking (DIFT) • Panorama, Dtracker • DIFT + Record replay Runtime Analysis • Arnold Efficiency Efficiency 4

  26. Related work • System-call-based Accuracy • DTrace, Protracer, LSM, Hi-Fi • Dynamic Information Flow Tracking (DIFT) • Panorama, Dtracker • DIFT + Record replay Runtime Analysis • Arnold Efficiency Efficiency 4

  27. RAIN Accuracy Analysis Runtime Efficiency Efficiency 5

  28. RAIN • We use Accuracy • Record replay • Graph-based pruning • Selective DIFT Analysis Runtime Efficiency Efficiency 5

  29. RAIN • We use Accuracy • Record replay • Graph-based pruning • Selective DIFT • We achieve • High accuracy • Runtime efficiency Analysis Runtime • Highly improved analysis efficiency Efficiency Efficiency RAIN 5

  30. Threat model • Trusts the OS • RAIN tracks user-level attacks. • Tracks explicit channels • Side or covert channel is out of scope. • Records all attacks from their inception • Hardware trojans or OS backdoor is out of scope. 8

  31. Architecture Analysis host Target host 9

  32. Architecture Analysis host Target host RAIN Customized Kernel 9

  33. Architecture Analysis host Target host Customized libc RAIN Customized Kernel 9

  34. Architecture Analysis host Target host Customized Logs libc RAIN Customized Kernel 9

  35. Architecture Analysis host Provenance Target host graph builder Customized Logs libc RAIN Customized Kernel Coarse-level graph 9

  36. Architecture Analysis host Provenance Target host graph builder Triggering, Customized reachability Logs libc analysis RAIN Customized Kernel Coarse-level graph Pruned sub-graph Prune 9

  37. Architecture Analysis host Provenance Target host graph builder Triggering, Customized reachability Logs libc analysis RAIN Replay and Customized selective DIFT Kernel Refined sub-graph Coarse-level graph Pruned sub-graph Refine Prune 9

  38. OS-level record replay 1.Records external inputs 2.Captures the thread switching from the pthread interface, not the produced internal data 3.Records system-wide executions 10

  39. OS-level record replay 1.Records external inputs Thread 1 2.Captures the thread switching from the pthread interface, not the produced internal data 3.Records system-wide executions 10

  40. OS-level record replay 1.Records external inputs Thread 1 2.Captures the thread Socket External switching from the inputs pthread interface, not the produced internal data 3.Records system-wide executions 10

  41. OS-level record replay 1.Records external inputs Thread 1 2.Captures the thread Socket External switching from the inputs pthread interface, not the produced internal data File 3.Records system-wide executions 10

  42. OS-level record replay 1.Records external inputs Thread 1 2.Captures the thread Socket External switching from the inputs pthread interface, not the produced internal data File 3.Records system-wide executions Randomness 10

  43. OS-level record replay Process group 1.Records external inputs Thread 1 2.Captures the thread Socket External switching from the inputs pthread interface, not the produced internal data File 3.Records system-wide executions Randomness 10

  44. OS-level record replay Process group 1.Records external inputs Thread 2 Thread 1 2.Captures the thread Socket External switching from the inputs pthread interface, not the produced internal data File 3.Records system-wide executions Randomness 10

  45. OS-level record replay Process group 1.Records external inputs Thread 2 Thread 1 2.Captures the thread Socket External IPC switching from the inputs pthread interface, not the Internal data produced internal data File 3.Records system-wide executions Thread switching Randomness (via Pthread) 10

  46. OS-level record replay Process group 1.Records external inputs Thread 2 Thread 1 2.Captures the thread Socket External IPC switching from the inputs pthread interface, not the Internal data produced internal data File 3.Records system-wide executions Thread switching Randomness (via Pthread) 10

  47. Coarse-level logging and graph building • Keeps logging system-call events • Constructs a graph to represent: A: Attacker site • the processes, files, and sockets as nodes B: /docs/report.doc • the events as causality edges C: /tmp/errors.zip P1: /usr/bin/firefox 11

  48. Coarse-level logging and graph building • Keeps logging system-call events • Constructs a graph to represent: A: Attacker site • the processes, files, and sockets as nodes B: /docs/report.doc • the events as causality edges C: /tmp/errors.zip P1: /usr/bin/firefox P1 11

  49. Coarse-level logging and graph building • Keeps logging system-call events • Constructs a graph to represent: A: Attacker site • the processes, files, and sockets as nodes B: /docs/report.doc • the events as causality edges C: /tmp/errors.zip B Read P1: /usr/bin/firefox P1 11

  50. Coarse-level logging and graph building • Keeps logging system-call events • Constructs a graph to represent: A: Attacker site • the processes, files, and sockets as nodes B: /docs/report.doc • the events as causality edges C: /tmp/errors.zip B Read P1: /usr/bin/firefox P1 Read C 11

  51. Coarse-level logging and graph building • Keeps logging system-call events • Constructs a graph to represent: A: Attacker site • the processes, files, and sockets as nodes B: /docs/report.doc • the events as causality edges C: /tmp/errors.zip B Read P1: /usr/bin/firefox P1 Send Read C A 11

  52. • Does every recorded execution need replay and DIFT? 12

  53. • Does every recorded execution need replay and DIFT? No! 12

  54. Pruning • Does every recorded execution need replay and DIFT? No! • Prunes the data in the graph based on trigger analysis results • Upstream • Downstream • Point-to-point • Interference 12

  55. A: Attacker site Upstream B: /docs/report.doc C: /tmp/errors.zip D: /docs/ctct1.csv E: /docs/ctct2.pdf F: /docs/loss.csv P1: /usr/bin/firefox P2: /usr/bin/TextEditor P3: /bin/gzip 13

  56. A: Attacker site Upstream B: /docs/report.doc C: /tmp/errors.zip D: /docs/ctct1.csv E: /docs/ctct2.pdf F: /docs/loss.csv P1: /usr/bin/firefox P2: /usr/bin/TextEditor P3: /bin/gzip A 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y. Ji, S. Lee, E. Downing, et.al. CCS17 Presented by: Mohammad A. Noureddine CS563 Fall 2018 No Shortage of Recent Breaches! 1 Investigating

804 views • 28 slides
On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017 More and more

870 views • 27 slides
Interprocess Communication and Synchronization Chester Rebeiro IIT Madras 1 Inter Process

Interprocess Communication and Synchronization Chester Rebeiro IIT Madras 1 Inter Process

Interprocess Communication and Synchronization Chester Rebeiro IIT Madras 1 Inter Process Communication Advantages of Inter Process Communication (IPC) Information sharing Modularity/Convenience 3 ways Shared memory

1.13k views • 83 slides
IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process

IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process

4/23/2018 IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process Communication the exchange of data between processes 3T. Threads Goals simplicity 7B. The Critical Section Problem convenience

355 views • 8 slides
IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process

IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process

4/14/2017 IPC, Threads, Races, Critical Sections Inter-Process Communication 7A. Inter-Process Communication the exchange of data between processes 3T. Threads Goals simplicity 7B. The Critical Section Problem convenience

205 views • 8 slides
Inter-Process Communication Heechul Yun Disclaimer: some slides are adopted from the book

Inter-Process Communication Heechul Yun Disclaimer: some slides are adopted from the book

Inter-Process Communication Heechul Yun Disclaimer: some slides are adopted from the book authors slides with permission 1 Inter-Process Communication (IPC) What is it? Communication among processes Why needed? Information

552 views • 24 slides
Inter-process Communication Emmanuel Fleury B1-201 fleury@cs.aau.dk 1 Outline

Inter-process Communication Emmanuel Fleury B1-201 fleury@cs.aau.dk 1 Outline

(System V) Inter-process Communication Emmanuel Fleury B1-201 fleury@cs.aau.dk 1 Outline Inter-Process Communication Semaphores Message Queues Shared Memory Segments 2 Inter-Process Communication 3 What is (System V) IPC

828 views • 62 slides
Chapter 4: Threads Process Scheduling Process Creation and Termination Inter-process

Chapter 4: Threads Process Scheduling Process Creation and Termination Inter-process

Recap Process Concepts Chapter 4: Threads Process Scheduling Process Creation and Termination Inter-process Communication Communication in Client-Server Systems Presented By: Dr. El-Sayed M. El-Alfy Note: Most of the slides

459 views • 10 slides
Distributed Object Technologies Lecture 8 Chapter 4: Inter-process Communications 95-702

Distributed Object Technologies Lecture 8 Chapter 4: Inter-process Communications 95-702

Organizational Communications and Distributed Object Technologies Lecture 8 Chapter 4: Inter-process Communications 95-702 Distributed Systems Information 1 System Management Middleware layers Applications, services RMI and RPC Middleware

659 views • 49 slides
Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC

Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC

Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC and Process Management Goal: Add new IPC mechanism and process management to the kernel. Read the project spec for the details. Get a

411 views • 17 slides
Project 4 Inter-Process Communica3on and Process Management

Project 4 Inter-Process Communica3on and Process Management

Project 4 Inter-Process Communica3on and Process Management COS 318 Fall 2015 Project 4: IPC and Process Management Goal: Add new IPC

528 views • 17 slides
Inter-Process Communication Disclaimer: some slides are adopted from the book authors slides

Inter-Process Communication Disclaimer: some slides are adopted from the book authors slides

Inter-Process Communication Disclaimer: some slides are adopted from the book authors slides with permission 1 Recap Hints int count = 0; int main() Each process has its own { private address space int pid = fork(); if (pid ==

634 views • 29 slides
Systems Programming & Engineering Spring 2018 Inter-process Communication (IPC) Tyler

Systems Programming & Engineering Spring 2018 Inter-process Communication (IPC) Tyler

ECE 650 Systems Programming & Engineering Spring 2018 Inter-process Communication (IPC) Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Recall Process vs. Thread A process is A thread is

383 views • 24 slides
English 120 INFORMATION SEARCH PROCESS Search Process Credo Reference Book Resources (searching

English 120 INFORMATION SEARCH PROCESS Search Process Credo Reference Book Resources (searching

English 120 INFORMATION SEARCH PROCESS Search Process Credo Reference Book Resources (searching LIBROS-WorldCat Discovery ) Periodical Articles (searching online databases) Films on Demand World Wide Web 1 Accessing Credo Reference Access

195 views • 7 slides
Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors

Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors

Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors slides with permission 1 Recap What are the three components of a process? Address space CPU context OS resources What are the

421 views • 26 slides
English 120 INFORMATION SEARCH PROCESS Search Process Book Resources (searching LIBROS-WorldCat

English 120 INFORMATION SEARCH PROCESS Search Process Book Resources (searching LIBROS-WorldCat

English 120 INFORMATION SEARCH PROCESS Search Process Book Resources (searching LIBROS-WorldCat Discovery ) Periodical Articles (searching online databases) Films on Demand World Wide Web 1 Accessing LIBROS (WorldCat Discovery) Access the

157 views • 5 slides
LSST: Petascale opportunities and challenges Tony Tyson, University of California, Davis 1 2

LSST: Petascale opportunities and challenges Tony Tyson, University of California, Davis 1 2

LSST: Petascale opportunities and challenges Tony Tyson, University of California, Davis 1 2 Relative data volume from survey telescopes & cameras 1000 Etendue ( m2 deg2 ) 100 Max 10 Survey 1 4 The new sky Probing Dark Matter

351 views • 24 slides
1 [Saito] Key Points Key Points How Do Computers Fail? How Do Computers Fail?

1 [Saito] Key Points Key Points How Do Computers Fail? How Do Computers Fail?

Using Clusters for Scalable Services Using Clusters for Scalable Services Clusters are a common vehicle for improving scalability and availability at a single service site in the network. Are network services the Killer App for clusters?

359 views • 5 slides
An Introduction to Archivepelago Corey D Clawson, Rutgers University Newark @CD_Clawson |

An Introduction to Archivepelago Corey D Clawson, Rutgers University Newark @CD_Clawson |

Unearthing Historical Networks Using Neo4j: An Introduction to Archivepelago Corey D Clawson, Rutgers University Newark @CD_Clawson | @Archivepelago coreyclawson.com/archivepelago Offer a means of considering/modeling artistic influence

501 views • 20 slides
Katie Martin Darren Young BPE2019 The central platform for the docs.rockarch.org documentation

Katie Martin Darren Young BPE2019 The central platform for the docs.rockarch.org documentation

Katie Martin Darren Young BPE2019 The central platform for the docs.rockarch.org documentation of the Rockefeller Archive Center Ford Foundation grant creates positions for 3 new archivists at RAC: Katie Martin - Processing Project

739 views • 47 slides
File Management Tools gzip and gunzip tar find df and du od nm and strip

File Management Tools gzip and gunzip tar find df and du od nm and strip

File Management Tools gzip and gunzip tar find df and du od nm and strip sftp and scp Gzip and Gunzip The gzip utility compresses a specified list of files. After compressing each specified file, it renames it to

1.12k views • 19 slides
Where do you keep your photos? Personal Information Management in a Networked World

Where do you keep your photos? Personal Information Management in a Networked World

Where do you keep your photos? Personal Information Management in a Networked World Understand some of the problems relating to the management of digital belongings Understand how these are shifting in an online, socially networked

497 views • 38 slides
Historical page load time monitoring using Drupal and WebPageTest David Stinemetze Twitter:

Historical page load time monitoring using Drupal and WebPageTest David Stinemetze Twitter:

David Stinemetze Software Developer V Historical page load time monitoring using Drupal and WebPageTest David Stinemetze Twitter: @DavidStinemetze Software Developer V Drupal.org/Slack: @WidgetsBurritos Rackspace Technology Slides:

866 views • 38 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides

More recommend