SLIDE 1

CS 563 - Advanced Computer Security: System Intrusions
Professor Adam Bates, Fall 2018
Security & Privacy Research at Illinois (SPRAI)

SLIDE 2: Administrative

Learning Objectives:

  • Survey broad topics in the “system intrusions” area

Announcements:

  • Reaction paper was due today (and all classes)
  • Feedback for reaction papers soon
  • “Preference Proposal” homework due 9/24 (next slide)
  • 33 students left in the course as of yesterday
  • ~= 1 paper presentation per student?

Reminder: Please put away (backlit) devices at the start of class

SLIDE 3: System Intrusions

We live in an age of high profile data breaches… Operation Aurora: Google Mail was subject to a sustained nation state attack for the entire year of 2009.

SLIDE 4: System Intrusions

We live in an age of high profile data breaches… Target loses 70 million credit card numbers…

SLIDE 5: System Intrusions

We live in an age of high profile data breaches… DNC loses 30 thousand emails…

SLIDE 6: System Intrusions

We live in an age of high profile data breaches…

SLIDES 7 and 8: System Intrusions

We live in an age of high profile data breaches…

Equifax Data Breach Timeline 2017 (figure; months Apr through Oct; milestones: Breached, Detected, Hackers in Equifax Servers, Patched, Breach Announced)

Humans are very much in the loop… 1,000’s of hours of forensic analysis! 3 months of crucial attack audit logs… huge overheads!

SLIDE 9: System Intrusions

We live in an age of high profile data breaches… How can we make sense of the available forensic data? Can we understand the attacker in time to prevent them from reaching their goal?

SLIDE 10: Backtracking Intrusions

[King and Chen, SOSP’03] Idea: Parse individual system events into relationship graphs

Dependency Graph (figure; nodes: Bash, NGINX, abc.com, index.html)

System Execution:

Bash:
    exec(“./NGINX”);

NGINX:
    recv(…, “abc.com”);
    fread(“index.html”);

Event Log:

  1. Bash spawns NGINX
  2. NGINX receives from abc.com
  3. NGINX reads file index.html
  4. …

SLIDES 11 and 12: BackTracker

  • Observes OS-level events
  • Objects: processes, files, filenames
  • Traces system call events: Process/Process, Process/File, Process/Filename
  • Alternatives? Why OS level?
  • Constructs dependency graph offline
  • Filters graph for more succinct explanations
  • EventLogger mechanism embedded in the virtual hypervisor hosting the target system

Is BackTracker a reference monitor?

SLIDE 13: Dependency Types

  • High-Control Events: events through which an attacker can directly “accomplish a task” (i.e., security-critical)
    • Ex: write or read a file, create a process
  • Low-Control Events: events through which an attacker might indirectly “accomplish a task” by affecting another process
    • Ex: modify file metadata, create directory entries
  • BackTracker primarily supports tracking of high-control events.
  • Thoughts on this?
SLIDES 14 and 15: Graph Construction

Dependency graphs vs. backtraces… (figure)
SLIDES 16 to 19: Filtering

Even backtraces (i.e., dependency subgraphs) get real big, real fast… (figures)

Filtering Strategies:

  • Blacklist objects or event types
  • Prune read-only files from the graph
  • Prune helper applications from the graph (how?)
  • Calculate the intersection of multiple detection points
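The dependency graph from slide 10 and the filtering strategies above, worked as an added Python example (not code from the slides or from BackTracker itself). The event log is constructed; the object names, the time rule and the read-only heuristic are simplifications of King and Chen's design.

```python
from collections import defaultdict

# Constructed event log: (time, source, sink, op); information flows
# source -> sink. Events at times 8-9 happen after the detection point.
EVENTS = [
    (1, "bash", "nginx", "exec"),
    (2, "abc.com", "nginx", "recv"),
    (3, "index.html", "nginx", "read"),
    (4, "nginx", "/tmp/payload", "write"),
    (5, "nginx", "sh", "exec"),
    (6, "/tmp/payload", "sh", "read"),
    (7, "sh", "/etc/passwd", "write"),     # detection point: modified file
    (8, "bash", "cron", "exec"),           # unrelated, later activity
    (9, "cron", "/var/log/cron", "write"),
]
FILES = {"index.html", "/tmp/payload", "/etc/passwd", "/var/log/cron"}

def build_graph(events):
    """Map each sink object to the timed events that flowed into it."""
    inbound = defaultdict(list)
    for t, src, dst, _op in events:
        inbound[dst].append((t, src))
    return inbound

def backtrace(inbound, obj, t_detect):
    """BackTracker's time rule: an event can only have influenced obj if it
    happened no later than the moment obj is known to be affected."""
    seen, work = {}, [(obj, t_detect)]
    while work:
        o, t = work.pop()
        if seen.get(o, -1) >= t:          # already explored at a later time
            continue
        seen[o] = t
        for et, src in inbound.get(o, []):
            if et <= t:
                work.append((src, et))
    return set(seen)

def prune_read_only(events, objs):
    """King and Chen's filter: a file never written during the logged
    interval cannot carry the attacker's influence, so drop it."""
    written = {dst for _, _, dst, op in events if op == "write"}
    return {o for o in objs if o not in FILES or o in written}

def intersect_detections(inbound, points):
    """Keep only objects common to the backtraces of several detection points."""
    return set.intersection(*(backtrace(inbound, o, t) for o, t in points))
```

Note how the time rule keeps the unrelated cron activity out of the trace, while the read of index.html still gets pulled in (the dependency explosion) until the read-only filter removes it.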

SLIDES 20 and 21: Evaluation

Multiple real attacks against a honeypot ReVirt VM, plus one synthetic attack… (figures)

SLIDES 22 and 23: Kernel-Supported Cost-Effective Logging

  • BackTracker: still extraordinarily costly
  • In an enterprise environment, one backtrace query may take days to return [Liu et al., NDSS’18]
  • Ma et al. ATC’18 Linux Audit benchmarks (figures): high storage overhead, high CPU overhead
SLIDE 24: KCAL

KCAL addresses several shortcomings of Linux Audit:

  • Raw logging overhead
  • In-kernel execution partitioning
  • In-kernel elimination of event redundancy
  • In-kernel garbage collection of irrelevant events

SLIDE 25: KCAL Kernel-User IPC

  • KCAL drops the inefficient Netlink channel in favor of faster kernel-user communication.
  • Uses shared memory instead.
  • Same trick used in other auditing frameworks like Hi-Fi (ACSAC’12) and LPM (Security’15).

SLIDE 26: KCAL Redundancy Filters

  • King and Chen 2003 observe event redundancy in the offline graph construction phase and eliminate it there.
  • KCAL pushes redundancy elimination into the capture phase.
  • Achieved through a decentralized kernel object cache.
  • Why is it safe to eliminate redundant log events?

SLIDE 27: KCAL Execution Partitioning

  • King and Chen 2003 allude to the dependency explosion problem and solve it with time slicing.
  • Dependency Explosion: each process output is assumed to depend on all prior inputs.
  • KCAL includes an execution partitioning* module to address this, enabling further reduction.

* c.f. BEEP (NDSS’13)

SLIDE 28: KCAL Execution Partitioning

Does EP reduce the effectiveness of redundancy filtering?

  • No. An optimization tracks when one unit’s dependency should be applied to additional units.

(figure: In-Unit Redundancy vs. Cross-Unit Redundancy)

SLIDE 29: KCAL Garbage Collection

Temporary files are not relevant to attack forensics.

  • King and Chen 2003 observe that forensically irrelevant files (e.g., read-only) can be filtered.
  • KCAL pushes garbage collection into the capture phase.
  • Achieved through a decentralized kernel object cache.
  • Why is it safe to eliminate redundant log events?
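The capture-phase reduction described on the redundancy-filter, execution-partitioning and garbage-collection slides, as an added Python model (not KCAL's kernel code). It assumes the execution-partitioning module has already tagged each event with a unit id, that only files under /tmp/ are collection candidates, and runs over a constructed syscall stream.

```python
from collections import defaultdict

TEMP_PREFIX = "/tmp/"   # assumption: only files here are collection candidates

# Constructed syscall stream: (pid, unit, op, obj). "unit" is the execution
# partition the event belongs to (e.g. one iteration of a request loop).
STREAM = [
    (100, 1, "read",   "/etc/nginx.conf"),
    (100, 1, "read",   "/etc/nginx.conf"),   # redundant within unit 1
    (100, 1, "write",  "/tmp/sess.1"),
    (100, 1, "read",   "/tmp/sess.1"),
    (100, 1, "write",  "/tmp/sess.1"),       # redundant within unit 1
    (100, 1, "unlink", "/tmp/sess.1"),       # temp file nobody else touched
    (100, 2, "read",   "/etc/nginx.conf"),   # new unit: must be logged again
    (100, 2, "write",  "/tmp/sess.2"),
    (200, 1, "read",   "/tmp/sess.2"),       # another process consumed it
    (100, 2, "unlink", "/tmp/sess.2"),       # too late to collect
]

def reduce_stream(stream):
    """Return (kept_events, stats) after two capture-time filters.
    Redundancy: a repeated (pid, unit, op, obj) is dropped; the cache is keyed
    by unit so cross-unit dependencies survive. Garbage collection: events on a
    temp file are held while only its creator has touched it, discarded if the
    creator unlinks it, flushed as soon as another process accesses it."""
    cache, pending, owner = set(), defaultdict(list), {}
    kept, stats = [], {"redundant": 0, "collected": 0}
    for ev in stream:
        pid, unit, op, obj = ev
        if ev in cache:
            stats["redundant"] += 1
            continue
        cache.add(ev)
        if op == "write" and obj.startswith(TEMP_PREFIX) and obj not in owner:
            owner[obj] = pid                   # created here: collection candidate
        if owner.get(obj) == pid:              # only the creator has seen it so far
            if op == "unlink":                 # gone before anyone could depend on it
                stats["collected"] += len(pending.pop(obj)) + 1
                del owner[obj]
            else:
                pending[obj].append(ev)        # hold until the file's fate is known
            continue
        if owner.get(obj) is not None:         # dependency escaped to another process
            kept.extend(pending.pop(obj))      # flush its history, in order
            owner[obj] = None                  # never a candidate again
        kept.append(ev)
    for obj, pid in owner.items():             # temp files still alive at the end
        if pid is not None:
            kept.extend(pending.pop(obj))
    return kept, stats
```

The flush on escape is what makes the elimination safe: /tmp/sess.2 is kept in full because process 200 read it, while /tmp/sess.1 vanishes along with its three events.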

SLIDES 30 to 33: KCAL Evaluation

  • Storage overhead (figure: before vs. after)
  • CPU overhead (figure: before vs. after)
  • auditd CPU consumption: because the kernel is not always logging, auditd actually sleeps; normally auditd can easily consume 100% of a core’s cycles.
  • Kernel memory consumption: graceful degradation as cache size decreases; manageable per-process cache size.

SLIDE 34: System Intrusions: Looking Forward

  • Where to look for literature: “Big 4” security conferences (IEEE S&P a.k.a. Oakland, USENIX Security, CCS, NDSS), reputable second-tier conferences (e.g., RAID).
  • Hot Topics in System Intrusion (not exhaustive):
    • Attack PROV: Efficiency (e.g., Hybrid Tainting), Fidelity (e.g., Execution Partitioning), Security (e.g., Provenance Monitor)
    • Software Security: Attacks (e.g., any Binary Exploitation stuff), Defenses (e.g., CFI, Privilege Separation, TCB Minimization)
    • Intrusion Detection
    • Vulnerability Discovery (e.g., Fuzzing, Concolic Testing)
    • Network-Based Monitoring and Defense