1 / 31

Glavlit: Preventing Exfiltration at Wire Speed

ГУОГТП. Glavlit: Preventing Exfiltration at Wire Speed. Nabil Schear †* , Carmelo Kintana † , Qing Zhang † , Amin Vahdat † † Department of Computer Science and Engineering, University of California at San Diego *Los Alamos National Laboratory. Hotnets V - Irvine, CA - November 30, 2006.

thor
Download Presentation

Glavlit: Preventing Exfiltration at Wire Speed

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ГУОГТП Glavlit: Preventing Exfiltration at Wire Speed Nabil Schear†*, Carmelo Kintana†, Qing Zhang†, Amin Vahdat† †Department of Computer Science and Engineering, University of California at San Diego *Los Alamos National Laboratory Hotnets V - Irvine, CA - November 30, 2006

  2. Information Leaks and Exfiltration • Exfiltration – type of information leak; malicious theft of valuable information • Leaks affect customer confidence, regulatory compliance, profits, etc… • Leaks are inevitable • Targeted attacks, insiders, accidents, etc… Goal: Minimize leaks NO MATTER how or why they happen.

  3. Email File How Does Data Get Out? Accidentally External Network Protected Network Boundary Web servers File User Workstations Didn’t Know file was sensitive ______or An honest mistake Email server

  4. What about Malicious Exfiltration? External Network Protected Network Attacker, malware, or insider uses existing Web server File Boundary Web servers File User Workstations Email server

  5. HTTP File2 More Malicious Leaks External Network Attacker uses hidden channel in protocol to encode sensitive data Protected Network HTTP File2 HTTP Boundary File Web servers User Workstations Email server

  6. Policies Procedures Previous Solutions • Policy • Private Stand-alone LAN External Network Protected Network -Expensive -Granularity _too coarse -Hard to use -Difficult to _enforce Boundary Web servers User Workstations Email server

  7. Previous Solutions • Packet Filter (Firewall) • Passive Monitoring External Network Protected Network -High speed _limits analysis _complexity -Works on _packets not _files -Can’t actively _stop leaks in _progress Firewall Boundary Web servers User Workstations Email server Analysis / Audit

  8. Web servers Proxy Proxy Email server Previous Solutions • Proxies External Network Protected Network -High overhead -Difficult and _complicated _to configure Boundary User Workstations

  9. Guard Warden Our Solution: Glavlit Decouple vetting from verification External Network Protected Network File Boundary -Transparent -High speed -Actively stop _leaks Web servers User Workstations -Arbitrary and powerful analysis -off critical network path

  10. HTTP File2 Guard Warden Our Solution: Glavlit Mitigate covert channels in the application layer protocol External Network Protected Network HTTP Boundary Web servers User Workstations -Prevents a subset _of covert channels -Limits bandwidth _of others

  11. What is Glavlit? • Prevent unauthorized release from HTTP servers while allowing authorized data to pass unhindered • Enforces complex exit policy • Operates at granularity of whole files • Covers wide range of threats • Does not depend on host security • Only trust the Warden and Guard Key Contributions: Ensure that only authorized objects cross the network boundary in payload Mitigate a class of covert channels in application layer protocols

  12. Glavlit is NOT… • Just a firewall • For outgoing HTTP browser requests • Designed to prevent leaks from covert channels below layer 7 • Capable of stopping ALL potential covert channels • In general this is intractable

  13. Two Complementary Techniques for Mitigating Leaks • Content Control • Hash network content against known list of good releasable data • HTTP Protocol Channel Mitigation • Restrict HTTP RFC and parse protocol for syntactic correctness • Check field values for semantic validity • Enforce ordering and normalize timing

  14. Guard Warden Vetting at the Warden • Vetting – authoritative review to decide if an object (a file) is ok to release • Arbitrarily complex and time-consuming • Warden performs arbitrary vetting process Vetting Complete File Approved File Content Provider File

  15. Guard Warden Vetting at the Warden • Generates signatures • Split the file into 1KB chunks • Calculate secure hash of each chunk • Collect file metadata • Share table of signatures for vetted objects with Guard Content Provider Signatures File

  16. Verification at the Guard • Verification - Ensure object crossing network boundary is pre-vetted • Locate object within network stream • Lookup object in signature table based upon hash of first 256 bytes of the file • Verify file content • Hash and check each chunk • Packets can egress as soon as all their chunks are verified • Can actively stop invalid data by dropping packets and injecting TCP RESET packets

  17. Need an In-order TCP Stream • How to verify data in lost, retransmitted, or out of order packets? • Keep a sliding window of packet content and cache for old packets Packet Cache Pending Data Unused Buffer Space Packet Header Queue Send TCP/IP Header TCP/IP Header TCP/IP Header TCP/IP Header TCP/IP Header

  18. Protocol Channels • Protocol Channel • Unauthorized communication channel • Present in L7 protocol or its operation • Channel Carrier • Cover data holding the channel • Types of carriers in protocol channels • Structured • Unstructured

  19. Structured Protocol Channels • Attackers can encode data in structured protocol fields in an HTTP response HTTP/1.1 200 OK Date: Thu, 23 Nov 2006 03:45:23 GMT Server: Apache Last-Modified: Fri, 10 Mar 2006 05:56:06 GMT Accept-Ranges: bytes Content-Length: 255 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 255 254 Credit-Card-Num: 1234-5678-9012-3456 Key Insight: most fields are verifiable

  20. Verifying Structured Data • Does it look right? (Syntactic) • Check syntax against restricted RFC specification • Pre-specified headers and order • Does it make sense? (Semantic) • Check against corresponding request • Restrict server responses to aid verification • Check metadata against Warden Info • Content-Length, Last-Modified, etc…

  21. Unstructured Carriers • Attackers can also encode information in network order or timing • Correlate request/response pairs to enforce ordering • Actively alter timing behavior by delaying server responses • Model server response behavior and block deviations

  22. Evaluation Setup • How fast is Glavlit verification relative to • Direct connection • Linux software bridge • Glavlit Guard with verification off • No hashing or protocol parsing • TCP reassembly and packet forwarding only Apache 2.2.2 Web Server Linux Host Running Guard Network Boundary Custom HTTP Client Gigabit Ethernet Gigabit Ethernet

  23. System Throughput

  24. Evaluation Discussion • Guard and Web server both pay the price for more connections on small files • Per-connection overhead reduces performance for small files (~50%) • Parsing • TCP Connection/Stream/State Allocation • pcap and libnet kernel switching overhead • For common Web files (~10KB+) performance is comparable to direct connect and Linux kernel bridge • Total request latency NOT affected

  25. Conclusions • Content control prevents information that is not explicitly allowed from exiting • Prevents inadvertent disclosure • Protocol Channel Mitigation prevents many channels and limits others • Raises the Bar for attackers wanting to steal valuable data • Performance overhead acceptable in un-tunedprototype • FIRST system to actively limit application layer covert channels

  26. Author Contact Info {nschear, ckintana, qzhang, vahdat} @cs.ucsd.edu Thank you QUESTIONS?

  27. Guard CPU Usage

  28. Guard No-Verify CPU Usage

  29. Verifying Dynamically Generated Content • Goal: Leverage static content verification as much as possible • Rolling Checksum (ala rsync) • Rabin Fingerprints for variable sized chunks • High speed analysis engine for mismatch regions • Self describing templates

  30. Related Work • Content Control • Commercial Solutions (Entrust, Fidelis, Vontu, PortAuthority) • Covert Channels • Web Tap, Eraser, Infranet • Detection of Layer 3 and 4 Channels (NUSHU, Loki, etc…) • Murdoch et al., Fisk et al., Tumoian et al. • Vetting Review Tools • Wetstone StegoSuite • Los Alamos National Lab - File Scrub

  31. Future Work • Dynamic Content • Fuzzy Fingerprinting matching • Self Describing Web Language (JWig) • Support More Protocols • SMTP, IM, etc… • SSL Traffic Support • More tuning for better performance • Possible hardware acceleration?

More Related