1 / 45

Protecting Your Local Host From Remote Security Attacks

Protecting Your Local Host From Remote Security Attacks. Jonathon Giffin, Somesh Jha, Bart Miller University of Wisconsin. Overview. How to Easily do Dangerous and Malicious Things to a Running Job

cmanley
Download Presentation

Protecting Your Local Host From Remote Security Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Your Local Host From Remote Security Attacks Jonathon Giffin, Somesh Jha, Bart Miller University of Wisconsin

  2. Overview • How to Easily do Dangerous and Malicious Things to a Running Job • How to Detect Manipulations of Your Jobs with Pre-Execution Static Analysis and Runtime Monitoring WiSA - Jonathon Giffin

  3. A New View • Running programs are objects to be easily manipulated • The vehicle: the DynInst API WiSA - Jonathon Giffin

  4. DynInst: Dynamic Instrumentation • Machine independent library for instrumentation of running processes • Modify control flow of the process: • Load new code into the process • Remove, replace, or redirect function calls • Asynchronously call any function in the process WiSA - Jonathon Giffin

  5. Condor Attack: Lurking Jobs Shadow Process giffin Malicious User Job nobody system calls Submitting Host Execution Host WiSA - Jonathon Giffin

  6. fork Condor Attack: Lurking Jobs Shadow Process giffin Malicious User Job nobody system calls Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  7. Condor Attack: Lurking Jobs Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  8. Condor Attack: Lurking Jobs Shadow Process bart Innocent User Job nobody system calls Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  9. Condor Attack: Lurking Jobs Shadow Process bart Innocent User Job nobody system calls attach Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  10. Condor Attack: Lurking Jobs Shadow Process bart Innocent User Job nobody system calls Control remote system calls attach Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  11. Condor Attack: Lurking Jobs Shadow Process bart Innocent User Job nobody system calls rm -rf * rm -rf * Control remote system calls attach Lurker Process nobody Submitting Host Execution Host WiSA - Jonathon Giffin

  12. Can We Safely ExecuteOur Jobs Remotely? The threats: 1. Cause the job to make improper remote system calls. 2. Cause the job to calculate an incorrect answer. 3. Steal data from the remote job. Threat protection strategies: • Monitor execution of remote job (threat #1) • File or system call sand-boxing (#1) • Obfuscate or encode remote job (#1, #3) • Replicate remote job (#2) WiSA - Jonathon Giffin

  13. Countering Remote Attacks • Goal: Even if an intruder can see, examine, and fully control the remote job, no harm can come to the local machine. • Method: Model all possible sequences of remote system calls. At runtime, update the model with each received call. • Key technology: Static analysis of binary code. WiSA - Jonathon Giffin

  14. Execution Monitoring User Job Analyzer Checking Shadow Modified User Job WiSA - Jonathon Giffin

  15. Execution Monitoring Modified User Job Checking Shadow system calls Job Model Submitting Host Execution Host WiSA - Jonathon Giffin

  16. Execution Monitoring Modified User Job Checking Shadow system calls Call 1 Call 2 Call 3 X Job Model Submitting Host Execution Host WiSA - Jonathon Giffin

  17. Model Construction User Job Analyzer Checking Shadow Modified User Job Control Flow Graphs Binary Program Global Automaton Local Automata WiSA - Jonathon Giffin

  18. CFG ENTRY if call read call read call line call close return CFG EXIT Control Flow Graph Generation function( int a ) { if( a < 0 ) { read( 0, 15 ); line(); } else { read( a, 15 ); close( a ); } } WiSA - Jonathon Giffin

  19. CFG ENTRY if read read call read call read call line call close close line return CFG EXIT Control Flow GraphTranslation WiSA - Jonathon Giffin

  20. Interprocedural ModelGeneration A read read close line WiSA - Jonathon Giffin

  21. Interprocedural ModelGeneration A read read line write close line WiSA - Jonathon Giffin

  22. Interprocedural ModelGeneration B A line read read line write close close line WiSA - Jonathon Giffin

  23. Interprocedural ModelGeneration B A line read read line write close close WiSA - Jonathon Giffin

  24. Interprocedural ModelGeneration B A read read line write close close WiSA - Jonathon Giffin

  25. PossiblePaths B A read read line write close close WiSA - Jonathon Giffin

  26. PossiblePaths B A read read line write close close WiSA - Jonathon Giffin

  27. ImpossiblePaths B A read read line write close close WiSA - Jonathon Giffin

  28. ImpossiblePaths B A read read line write close close WiSA - Jonathon Giffin

  29. Adding ContextSensitivity B A read read Y line X write close close Y X WiSA - Jonathon Giffin

  30. Rewriting User Job User Job Analyzer Checking Shadow Modified User Job Binary Program Rewritten Binary WiSA - Jonathon Giffin

  31. Null CallInsertion B A read read line write close close WiSA - Jonathon Giffin

  32. Null CallInsertion B A read read line write close null_2 close null_1 WiSA - Jonathon Giffin

  33. Call Site Renaming function( int a ) { if( a < 0 ) { read( 0, 15 ); line(); } else { read( a, 15 ); close( a ); } } • Give each monitored call site a unique name • Captures arguments • Obfuscation • Limits attack call set • Reduces nondeterminism WiSA - Jonathon Giffin

  34. Call Site Renaming function( int a ) { if( a < 0 ) { _638(); line(); } else { read( a, 15 ); close( a ); } } • Give each monitored call site a unique name • Captures arguments • Obfuscation • Limits attack call set • Reduces nondeterminism WiSA - Jonathon Giffin

  35. Call Site Renaming function( int a ) { if( a < 0 ) { _638(); line(); } else { _83( a ); close( a ); } } • Give each monitored call site a unique name • Captures arguments • Obfuscation • Limits attack call set • Reduces nondeterminism WiSA - Jonathon Giffin

  36. Call Site Renaming function( int a ) { if( a < 0 ) { _638(); line(); } else { _83( a ); _1920( a ); } } • Give each monitored call site a unique name • Captures arguments • Obfuscation • Limits attack call set • Reduces nondeterminism WiSA - Jonathon Giffin

  37. Call Site Renaming • Give each monitored call site a unique name • Captures arguments • Obfuscation • Limits attack call set • Reduces nondeterminism _638 _83 _1920 line WiSA - Jonathon Giffin

  38. Prototype Implementation • Simulates remote execution environment • Null calls inserted at function entries • Measure null call overheads • Measure null call bandwidth use • Measure model precision WiSA - Jonathon Giffin

  39. Test Programs WiSA - Jonathon Giffin

  40. Precision Metric • Average branching factor chown getpid open WiSA - Jonathon Giffin

  41. WiSA - Jonathon Giffin

  42. Null Call Costs:Monitoring Overhead & Bandwidth WiSA - Jonathon Giffin

  43. WiSA - Jonathon Giffin

  44. Important Ideas • Running jobs remotely enables malicious attacks against the shadow process. • Pre-execution static analysis to construct a model of the remote call sequences addresses this threat. • Improving model precision is a hard problem. Null calls are an effective and reasonable optimization. WiSA - Jonathon Giffin

  45. Protecting Your Local Host From Remote Security Attacks Jonathon Giffin, Somesh Jha, Bart Miller University of Wisconsin

More Related