This paper introduces Backtracker, a new software tool to aid system administrators in identifying intrusions, analyzing attacker actions, and minimizing system overhead. The tool reconstructs attack timelines and generates visual representations of intruder actions, providing valuable insights for system security.
Backtracking Intrusions By King & Chen Presented by: Sebastian Tomaszewski Mike DeSantis
Backtracker Presentation Agenda • Introduction • Research Problem • Key Ideas / Approaches • Evaluation • Conclusion
Backtracker Introduction • This paper discusses a new software tool to aid system administrators in providing system security. • Backtracker’s goal is to reconstruct a timeline of the events that occur in an attack, and to generate a visual representation of the actions taken by a system intruder. This is an improvement over previously existing software.
Research Problem • Identify the source of an intrusion on a computer system • Analyze the sequence of actions taken by the intruder • Identify the files & processes that have been affected • Minimize the system overhead needed to achieve this tracking
Research Problem - Importance Once an attack has occurred: • Identify the vulnerability that the attacker exploited • Fix the vulnerability through which the attacker gained access • Undo the damage that the attacker inflicted
Key Idea – Detection • Identify a ‘detection point’ at one or more levels (e.g. a modified file, a firewall alert, a port scan, a process that is behaving in an unusual or suspicious manner) • Tools that can supply a detection point: Tripwire, Snort, The Coroner’s Toolkit (Backtracker does not detect intrusions itself; it starts its analysis from the detection point such tools identify)
Key Idea - Differentiation • Other software packages exist, but suffer from limitations: • Limited data & logging that an attacker can easily disable • Data the attacker sends encrypted cannot be analyzed from network logs • Backtracker addresses these limitations and provides tools to analyze the attacker’s actions
Application - Differentiation • Works by observing OS-level objects (files, filenames, processes), a compromise between the application level and the machine level; processes are tracked by process ID and version number - Application level: Semantically rich, easily disabled by an attacker - Machine level: Semantically poor, hard to disable by an attacker
Key Idea – Graph generation • Generate a dependency graph over OBJECTS: • Log objects and dependency-causing events during runtime. • Save enough information to build a graph that depicts the dependency relationships between all objects seen over that execution. • Backtracker keeps track of a process from the time it is created by a fork or clone system call until it exits. • Prioritize the parts of the dependency graph to ease the search for an attacker’s actions
Application – Graph Generation [Object definitions] • A file object is identified uniquely by a device, inode number and version number (Backtracker treats pipes as normal files) • A filename object refers to the directory data that maps a name to a file object • A process is identified uniquely by a process ID and version number
Application – Graph Generation [Dependency-causing events] • One process directly affects the execution of another process object • A process affects or is affected by the data or attributes associated with a file object • A process affects or is affected by a filename object Note: Affecting an object is not the same as controlling an object!
Application – Graph Generation [Prioritizing the dependency graph] • Dependency graphs for a busy system are too large to scrutinize every object/event • Ignore certain objects & events: • Ignore all child events of a specific event • Ignore files that are read but not written during the period • Ignore helper processes • Choose several detection points to scrutinize
Application - Graph Generation [“PTrace Attack” Analysis] Exploits a race condition in the Linux PTrace code to gain root access 1) The attacker caused the Apache web server (httpd) to create a command shell (bash) 2) Downloaded and unpacked an executable 3) Ran the executable under a different group identity
Key Idea – Dependency & Event Tracking • A tracking system must examine higher-level events rather than low-level events to minimize system overhead • Examples of high-level events: • Changing the contents of a file • Creating a child process • Examples of low-level events: • Changing a file’s access time • Creating a filename in a directory
Application – Dependency & Event Tracking • Backtracker is able to provide useful analysis without tracking low-level events, even if low-level events are used in the attack • Backtracker logs & analyzes: • Process creation through fork or clone • Loads and stores to shared memory • Reads and writes of files and pipes • Receiving data from a socket • execve of files • Loads and stores to mmap’ed files • Opening a file Note: Backtracker incurs a 9% running-time overhead and generates 1.2GB of log data per day for an operating-system-intensive workload
Application – Dependency & Event Tracking[In virtual machine environments] • Virtual machine monitor prevents intruders in the guest OS from interfering with event tracking • Virtual machine monitor notifies Backtracker whenever a guest application performs a high level event
Evaluation - Introduction • To test Backtracker, a default installation of RedHat 7.0 was set up on a honeypot machine • RedHat: Vulnerable to several remote and local attacks • Honeypot: Vulnerable to at least two attacks (Apache) • A “Bind” attack was carried out against this system • Filtering rules used in the analysis: • Files read but not written are ignored • Ignore the files /root/.bash_history, lastlog, utmp, mtab • Ignore helper processes
Evaluation - Results 1) The attacker gained access through httpd (Apache) 2) Downloaded a rootkit using wget 3) Wrote the rootkit to the file “/tmp/ /bind”
Evaluation - Shortcomings • Backtracker can be circumvented by: • Attacking the layers upon which Backtracker’s analysis or logging depend • Using a hidden channel to break the chain of events that Backtracker tracks • Spreading the steps of the attack over a long period of time • Attacking the virtual machine monitor layer or the host OS (much harder than attacking the guest kernel)
Conclusion • Data integrity and security are vital as computing becomes more widespread. Backtracker allows system administrators to analyze an attack and avoid future vulnerabilities. • An everyday application of this technology might be for a banking system administration team to protect their clients’ accounts. • Questions?