DYMO: Tracking Dynamic Code Identity
Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna, University of California, Santa Barbara
RAID 2011 (September)
Presenter: 張逸文

Outline
• Introduction
• System Overview
• System Implementation
• Applications for DYMO
• Evaluation
• Security Analysis
• Related Work
• Conclusions
Introduction (#1)
• Access control: user-based authorization
• Code identity
  • Measurements of a process
• DYMO, a system that provides a dynamic code identity primitive
  • Identity label
  • Network access
Introduction (#2)
• Track the run-time integrity of a process
• DYMO
• Extending DYMO to label network packets
• Experimental results
System Overview (#1)
• System requirements
  • Precise
  • Secure
  • Efficient
• System design
  • Computing a cryptographic hash of each code section as the process' identity
  • Precise label computation
System Overview (#2)
• Handling dynamically generated code
  • Don't hash dynamic code regions directly
  • Dynamically generated code appears only in certain known parts
• Secure label computation
  • Runs at a higher privilege
  • Inside a VMM / as part of the OS
• Efficient label computation
  • Modify Windows memory management routines
  • The label is computed incrementally
System Implementation (#1)
• Problems
  • Loading DLLs during run time
  • Arbitrary memory regions
  • DLL reloading
• System initialization
  • Register for kernel-provided callbacks
  • Hook the NT kernel system services
  • Hook the page fault handler
  • Use Data Execution Prevention (DEP)
System Implementation (#2)
• Identity label generation
  • Image hash + region hash = identity label
• Image hashes
  • Build process profile
  • Locate the code segment
  • Modify page protection
  • DEP exception
  • Page fault handler
System Implementation (#3)
• Region hashes
  • Hook NtAllocateVirtualMemory, NtMapViewOfSection, NtProtectVirtualMemory
  • Check execute access
  • These executable regions are for dynamic code generation
• Handling dynamic code generation
  • The region hash is derived from the allocator, the writer, and the caller of the region
System Implementation (#4)
• Handling the PAGE_EXECUTE_READWRITE protection
  • PAGE_EXECUTE_READWRITE => PAGE_READWRITE + PAGE_EXECUTE_READ
• Establishing identity
  • Strict matching policy
  • Relaxed matching policy
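As an added example (not code from the paper or the DYMO implementation), the following Python model shows how an identity label can be built incrementally from per-image code-section hashes plus region hashes, with a region hash derived from the allocator, writer and caller of a dynamic region rather than from its content, and then checked under a strict or a relaxed policy; the label encoding and the relaxed-policy semantics are assumptions of this model.

```python
"""Toy model of DYMO-style identity labels (added example, not the paper's
code): image hashes + region hashes, combined incrementally and checked
against a whitelist. Label encoding and 'relaxed' semantics are assumed."""
import hashlib
from dataclasses import dataclass, field


def code_hash(code: bytes) -> str:
    """Hash of one code section (constructed bytes stand in for .text)."""
    return hashlib.sha256(code).hexdigest()


@dataclass
class ProcessIdentity:
    image_hashes: dict = field(default_factory=dict)   # image name -> hash
    region_hashes: dict = field(default_factory=dict)  # region id -> hash
    label: str = ""

    def _recompute(self) -> str:
        # Label covers all image and region hashes in sorted order so that
        # DLL load order does not change it (assumption of this model).
        h = hashlib.sha256()
        for name, digest in sorted(self.image_hashes.items()):
            h.update(f"image:{name}:{digest}\n".encode())
        for rid, digest in sorted(self.region_hashes.items()):
            h.update(f"region:{rid}:{digest}\n".encode())
        self.label = h.hexdigest()
        return self.label

    def load_image(self, name: str, code: bytes) -> str:
        """A DLL loaded (or reloaded) at run time updates the label."""
        self.image_hashes[name] = code_hash(code)
        return self._recompute()

    def add_region(self, region_id: str, allocator: str, writer: str, caller: str) -> str:
        """Dynamic code is not hashed by content: the region hash is derived
        from the image hashes of the code that allocated, wrote and called it."""
        parts = [self.image_hashes[n] for n in (allocator, writer, caller)]
        self.region_hashes[region_id] = code_hash(":".join(parts).encode())
        return self._recompute()


def matches(identity: ProcessIdentity, whitelist: dict, policy: str) -> bool:
    """strict: the whole label must be whitelisted.
    relaxed (assumed semantics): every loaded image must be a known-good
    image; dynamic code regions are ignored."""
    if policy == "strict":
        return identity.label in whitelist["labels"]
    return all(d in whitelist["images"] for d in identity.image_hashes.values())
```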
Applications for DYMO (#1)
• Application-based access control
  • Access control based on the identity
  • Global distribution mechanisms
  • Whitelist for all users
• DYMO network extension
  • Inject the label into network packets
• Label size optimization
  • Huffman coding
  • Split the label over multiple packets
Applications for DYMO (#2)
• The injector: NDIS Intermediate Filter driver
• The broker: TDI Filter driver
[Figure: DYMO network extension architecture; components labelled: process, identity label, broker, connection ID, TCP/IP transport driver, injector, modified packet, network adapter]
Evaluation (#1)
• Label precision
  • Three experimental environments
  • Training database
  • 93% of applications' labels are precise
• Effect of process tampering
  • Tampering by malware
  • Tampering by exploits
• Performance impact
Evaluation (#3)
• PassMark AppTimer tool: < 1 sec.
Security Analysis
• Create executable memory regions
• Add code to a trusted program
• Tamper with the data of a process
  • Non-control-data attack
Related Work
• Local identification
  • Patagonix: a hypervisor-based system
  • Tripwire: static code identity
• Remote identification
  • Sailer et al.: Trusted Platform Module, identifying applications for remote attestation
Conclusion
• DYMO, a dynamic code identity primitive
• Extends DYMO to network packets
• An acceptable performance overhead
• Future work
  • Extending DYMO to other platforms
  • Sophisticated network-level policy enforcement mechanism