1 / 26

K. Jain and R. Sekar Cho, Ho-Gi Operating System Lab in GNU

User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement. K. Jain and R. Sekar Cho, Ho-Gi Operating System Lab in GNU. Abstract. Untrusted or malicious applications

jeroen
Download Presentation

K. Jain and R. Sekar Cho, Ho-Gi Operating System Lab in GNU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User-Level Infrastructure for System Call Interposition:A Platform for Intrusion Detection and Confinement K. Jain and R. Sekar Cho, Ho-Gi Operating System Lab in GNU

  2. Abstract • Untrusted or malicious applications • damage can ultimately be inflicted only via system calls made by processes running on the target system • Detection and confinement • Previous work • have relied on an in-kernel approach • This paper • user-level infrastructure • providing adequate set of capabilities in the infrastructure • portability of the security enhancements and the infrastructure itself across different operating systems • minimizing performance overheads associated with interception for a wide range of applications [JaSe00]

  3. Intrusion Detection • Passive approach • offline intrusion detection techniques that make use of system audit data • system audit logs often do not provide all of the information needed for intrusion detection • system-call interception can significantly enhance the power and effectiveness • Proactive approach • can prevent or isolate attacks before any damage is caused • damage can ultimately be effected only via system calls made by processes running on the target system • possible to identify (and prevent) damage if we can monitor every system call made by every process [JaSe00]

  4. System-call interposition • extension codes are interposed at the system call entry and exit points at the user-level or the operating system kernel • demonstration • application-specific access control, intrusion detection, transparent enhancements for security or fault-tolerance • without making any changes to the applications [JaSe00]

  5. application kernel kernel LIBC syscall() mapped_syscall() mapped_syscall() application LIBC syscall() • Previous work in system-call interposition • within libraries • system-calls are accessed via a wrapper function within the libc library on most UNIX systems Problem Inter LIB [JaSe00]

  6. within the operating system kernel • all of the extension code (for all processes being monitored) runs in the kernel mode • low interception overhead • problems • bring down the entire system • state-of-the-art kernel-resident software development lags user-level software development significantly • require superuser privileges • require kernel modifications [JaSe00]

  7. develop a user-level implementation of an infrastructure : helper applications launched from a web-browser or a mail reader • used the capabilities provided by the Solaris operating system to intercept the system calls • same privileges both the monitored and monitoring process • problems • expressive power and performance of user-level system call interposition were not explored • limited capabilities for the extension code • portability of their system to other popular variants of UNIX [JaSe00]

  8. Trace mechanism provided by versions UNIX variant [JaSe00]

  9. System Overview • Components of the system [JaSe00]

  10. Supervisor Interface class SupIfc{ … void read_entry(Integer& fd, CharPtr& buf, Integer& count); void read_exit(Interger& fd, CharPtr&buf, Integer& count, Integer& rv); … kill(); abort(); switch(); class CharPtr charPtr; class Integer integer; }; //reference scInfo[]; class CharPtr{ int get(char *buf, int len); int put(char *buf, int len); int lockVal(); }; [JaSe00]

  11. abstraction mechanisms for writing a supervisor class without having to hard-code system call names or argument types specific to one or more variants of UNIX • Basic form • Example • Linux • OSF/1 eventName(X) ::= (s1(Y1)|Cond1)||…||(sn(Yn)|Condn) readFd(Integer fd) ::= read(fd,_,_) || readdir(fd,_,_) || getdents(fd,_,_) || readv(fd,_,_) readFd(Integer fd) ::= read(fd,_,_) || readdir(fd,_,_) || getdents(fd,_,_,_) || readv(fd,_,_) [JaSe00]

  12. Using supervisor class • defining abstract events of interest denidCalls ::= fork || execve || connect || bind || listen || chmod || chown || chgrp || kill || ptrace || sendto || mkdir || utimes || rename || … wrOpen(f) ::= (open(f, md) | isWrite(md)) || creatte(f) || truncate(f) class UntrustedUtility::SupIfc{ … void deniedCalls_entry(); void wrOpen(CharPtr f); … }; void UntrustedUtility::deniedCalls_entry(){ abort(EPERM); } void UntrustedUtility::wrOpen(CharPtr f){ char *fv = f.get(); /* we may want to lockVal(), first */ if(!isInDir(fv, “/tmp”) && (exists(fv))) abort(EPERM); } [JaSe00]

  13. Runtime system //reference scInfo[]; specific the registers that contain the system call arguments class RtIfc{ … class SupIfc supObj[]; //dynamic loading MappingFimeManager mainLoop(); … attachProcess(); waitForCall(); getScNum(); isEntry(); … }; //OS/Architecture independent functions //OS/Architecture dependent functions [JaSe00]

  14. pid = waitForCall() call = getscno(pid) ENTRY isEntry(call) EXIT SIGNAL switch(call) switch(call) OPEN_ENTRY OPEN_EXIT supOj[id].open_entry(scInfo[OPEN_ENTRY][0], scInfo[OPEN_ENTRY][1], scInfo[OPEN_ENTRY][2]); supOj[id].open_exit(scInfo[OPEN_ENTRY][0], scInfo[OPEN_ENTRY][1], scInfo[OPEN_ENTRY][2] scInfo[OPEN_ENTRY[3]); //signal related processing (obitted) • Main loop [JaSe00]

  15. Performance Results • In-kernel system call interposition [JaSe00]

  16. CPU time for monitored app AND monitoring process CPU time for unmonitored app • User-level system call interposition • Additional overheads • due to context switches • relatively inefficient operations to access the memory of monitored process • Environment • Target Application • CPU-intensive, disk I/O intensive, network-intensive applications • Measuring - 1 [JaSe00]

  17. Overhead for system call interception for different applications CPU-intensive Disk I/O-intensive Network-intensive [JaSe00]

  18. Increase in overhead with increase in number of system calls • overhead is between 26 and 38 microseconds per system call [JaSe00]

  19. Network Servers • FTP server throughput two machines one machines [JaSe00]

  20. HTTP server throughput • used two client machines and one server machine two machines one machines [JaSe00]

  21. HTTP response time two machines one machines [JaSe00]

  22. Interception overheads on other UINX variants • IRIX and OSF/1 ignored “uninteresting” system calls like read and write • intercepted only the entry and not the exit [JaSe00]

  23. Overhead for fetching arguments • target programs • ghostscript, tar and ftpd operating system provides efficient bulk read and write operations no system call need using /proc system requires a single system call strings of relatively small size such as file name requires one ptrace system call per 4bytes of data to be written [JaSe00]

  24. Discussion • Possible applications • Policy-based Auditing • can record information about system calls and signals in a log file • Intrusion detection • can make use of system call information to perform target task • Access Control • Confining applications • cannot be bypassed • provide for aborting system calls, modifying arguments, and locking argument values • Other applications • transparent encryption, data replication, etc. [JaSe00]

  25. Drawbacks • the extension code perform operations in the context of the monitoring program • overhead is higher than that for kernel-based implementations • implemented on top of the interfaces provided by the operating system features [JaSe00]

  26. Conclusions • presented a new approach for developing a user-level infrastructure for system call interception and extension • offers similar level of security and comparable level of capabilities as kernel-based implementations • normal uses can develop and deploy their own extensions • damage due to errors in the extension code is limited • Does not bring down the entire system • portable across many versions of UNIX • presented a comprehensive analysis of the performance impact due to user-level interception of system calls [JaSe00]

More Related