
Backtracking Intrusions

This paper introduces Backtracker, a new software tool that helps system administrators identify the source of an intrusion and analyze the attacker's actions while keeping system overhead low. The tool reconstructs an attack timeline and generates a visual representation of the intruder's actions, giving administrators a clear view of how the compromise unfolded.


Presentation Transcript


  1. Backtracking Intrusions
  By King & Chen
  Presented by: Sebastian Tomaszewski and Mike DeSantis

  2. Backtracker Presentation Agenda
  • Introduction
  • Research Problem
  • Key Ideas / Approaches
  • Evaluation
  • Conclusion

  3. Backtracker Introduction
  • This paper discusses a new software tool to aid system administrators in providing system security.
  • Backtracker's goal is to reconstruct a timeline of the events that occur in an attack, and to generate a visual representation of the actions taken by a system intruder. This is an upgrade over previously existing software.

  4. Research Problem
  • Identify the source of an intrusion on a computer system
  • Analyze the sequence of actions taken by the intruder
  • Identify the files and processes that have been affected
  • Minimize the system overhead needed to achieve this tracking

  5. Research Problem - Importance
  Once an attack has occurred:
  • Identify the vulnerability the attacker exploited
  • Fix the system vulnerability through which the attacker gained access
  • Undo the damage that the attacker inflicted

  6. Key Idea – Detection
  • Identify a 'detection point' on one or more levels (i.e. a file modification, a firewall alert, a port scan, or a process that is behaving in an unusual or suspicious manner)
  • Tools that can provide a detection point: Tripwire, Snort, the Coroner's Toolkit (Backtracker can start its analysis from the detection point any of these supplies)

  7. Key Idea - Differentiation
  • Other software packages exist, but suffer from limitations:
  • Limited data, and logging that is easily disabled
  • Encrypted data used by the attacker
  • Backtracker addresses these limitations and provides tools to analyze the attacker's actions

  8. Application - Differentiation
  • Works by observing OS-level objects (files, filenames, processes), a compromise between the application level and the machine level; processes are tracked by process ID and version number
  - Application level: Semantically rich, easily disabled by an attacker
  - Machine level: Semantically poor, hard for an attacker to disable

  9. Key Idea – Graph generation
  • Generate a dependency graph over objects:
  • Log objects and dependency-causing events during runtime.
  • Save enough information to build a graph that depicts the dependency relationships between all objects seen over that execution.
  • Backtracker keeps track of a process from the time it is created by a fork or clone system call to the point where it exits.
  • Prioritize the parts of the dependency graph for ease of searching for an attacker's actions

  10. Application – Graph Generation [Object definitions]
  • A file object is identified uniquely by a device, inode number and version number (Backtracker treats pipes as normal files)
  • A filename object refers to the directory data that maps a name to a file object
  • A process is identified uniquely by a process ID and version number

  11. Application – Graph Generation [Dependency-causing events]
  • One process directly affects the execution of another process object
  • A process affects or is affected by the data or attributes associated with a file object
  • A process affects or is affected by a filename object
  Note: Affecting an object is not the same as controlling an object!

  12. Application – Graph Generation [Prioritizing the dependency graph]
  • Dependency graphs for a busy system will be too large to scrutinize every object and event
  • Ignore certain objects and events:
  • Ignore all child events of a specific event
  • Ignore files that are read but not written during the time period
  • Ignore helper processes
  • Choose several detection points to scrutinize

  13. Application - Graph Generation: "PTrace Attack" Analysis
  Exploits a race condition in the Linux PTrace code to gain root access
  1) The attacker caused the Apache web server (httpd) to create a command shell (bash)
  2) Downloaded and unpacked an executable
  3) Ran the executable using a different group identity

  14. Key Idea – Dependency & Event Tracking
  • A tracking system must examine high-level events instead of low-level events to minimize system overhead
  • Examples of high-level events:
  • Changing the contents of a file
  • Creating a child process
  • Examples of low-level events:
  • Changing a file's access time
  • Creating a filename in a directory

  15. Application – Dependency & Event Tracking
  • Backtracker is able to provide useful analysis without tracking low-level events, even if low-level events are used in the attack
  • Backtracker logs and analyzes:
  • Process creation through fork or clone
  • Loads and stores to shared memory
  • Reads and writes of files and pipes
  • Receiving data from a socket
  • execve of files
  • Loads and stores to mmap'ed files
  • Opening a file
  Note: Backtracker produces a 9% running time overhead and 1.2GB of log data per day for an operating-system-intensive workload

  16. Application – Dependency & Event Tracking [In virtual machine environments]
  • The virtual machine monitor prevents intruders in the guest OS from interfering with event tracking
  • The virtual machine monitor notifies Backtracker whenever a guest application performs a high-level event

  17. Evaluation - Introduction
  • To test Backtracker, a default installation of RedHat 7.0 was set up on a honeypot machine
  • RedHat: Vulnerable to several remote and local attacks
  • Honeypot: Vulnerable to at least two attacks (Apache)
  • A "Bind" attack was run on this system
  • Files read but not written are ignored
  • Ignore the files /root/.bash_history, lastlog, utmp, mtab
  • Ignore helper processes

  18. Evaluation - Results
  1) Gained access through httpd (Apache)
  2) Downloaded a rootkit using wget
  3) Wrote the rootkit to the file "/tmp/ /bind"
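The dependency-graph construction of slides 9 to 12 and the tracked event types of slide 15, worked through on the httpd → bash → wget → "/tmp/ /bind" chain of slide 18: events are logged with a timestamp, and the search walks backward in time from a detection point, keeping only events that happened before the affected object's state was observed, and pruning files that were read but never written and any processes listed as helpers. This is an added example, not the paper's code or tool; the object names, timestamps and the event log itself are constructed for illustration.

```python
from collections import defaultdict, namedtuple
import heapq

# An event at time t makes the sink object depend on the source object;
# kind is one of the tracked event types from slide 15 (fork, exec, read, write, recv).
Event = namedtuple("Event", "t source sink kind")
# Constructed event log modelled on the evaluation chain of slide 18;
# timestamps and object names are hypothetical, not taken from the paper's traces.
LOG = [
    Event(1, "file:/etc/passwd", "proc:httpd#1", "read"),
    Event(2, "sock:client", "proc:httpd#1", "recv"),
    Event(3, "proc:httpd#1", "proc:bash#1", "fork"),
    Event(4, "proc:bash#1", "proc:wget#1", "fork"),
    Event(5, "file:/lib/libc.so", "proc:wget#1", "read"),
    Event(6, "sock:remote", "proc:wget#1", "recv"),
    Event(7, "proc:wget#1", "file:/tmp/ /bind", "write"),
    Event(8, "sock:admin", "proc:httpd#1", "recv"),  # arrives after the fork at t=3
]

def backtrack(log, detection_obj, detection_time, ignore=frozenset()):
    """Return the set of (source, sink, kind, t) edges that can have influenced
    detection_obj's state as it was observed at detection_time."""
    by_sink = defaultdict(list)
    for e in log:
        by_sink[e.sink].append(e)
    written = {e.sink for e in log if e.kind == "write"}  # for the slide 12 file filter
    threshold = {detection_obj: detection_time}  # latest time at which each object matters
    heap = [(-detection_time, detection_obj)]    # max-heap: latest threshold first
    edges = set()
    while heap:
        neg_t, obj = heapq.heappop(heap)
        if threshold[obj] != -neg_t:
            continue                             # stale entry, a later threshold was processed
        for e in by_sink[obj]:
            if e.t > -neg_t:
                continue                         # happened after obj's state was observed
            src = e.source
            # Prune helper processes (ignore set) and files read but never written.
            if src in ignore or (src.startswith("file:") and src not in written):
                continue
            edges.add((src, obj, e.kind, e.t))
            if threshold.get(src, -1) < e.t:
                threshold[src] = e.t             # only src's state up to e.t can matter
                heapq.heappush(heap, (-e.t, src))
    return edges

def attack_chain(edges):
    """Edges ordered by time: the reconstructed timeline of the intrusion."""
    return sorted(edges, key=lambda edge: edge[3])
```

Running `attack_chain(backtrack(LOG, "file:/tmp/ /bind", 7))` yields the five-edge chain from the client socket through httpd, bash and wget to the written file; the libc and /etc/passwd reads and the request that reached httpd after the fork are left out.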

  19. Evaluation - Shortcomings
  • Backtracker can be circumvented by:
  • Attacking the layers upon which Backtracker's analysis or logging depend
  • Using a hidden channel to break the chain of events that Backtracker tracks
  • Spreading the steps of an attack over a long period of time
  • Attacking the virtual machine monitor layer or the host OS (much harder than attacking the guest kernel)

  20. Conclusion
  • Data integrity and security are vital as computing becomes more widespread. Backtracker allows system administrators to analyze an attack and avoid future vulnerability.
  • An everyday application of this technology might be for a banking system administration team to protect their clients' accounts.
  • Questions?
