Beyond Intrusion Prevention and Detection – Intrusion Tolerance

Presentation transcript:

Beyond Intrusion Prevention and Detection – Intrusion Tolerance
Arun Sood, International Cyber Center and Department of Computer Science
http://cs.gmu.edu/~asood/scit

The Problem
Introducing a new paradigm for server security – Intrusion Tolerance
[Figure: hacker ("actual photo") reaching an enterprise server through the firewall]

The SCIT Solution
Intrusion Tolerance allows malware and hackers into a server… but uses virtualization to restore the OS and application to a pristine state after an attack!
Every 55 seconds SCIT software cleans and restores the virtual server to its pristine state.
[Figure: hacker, firewall, enterprise server running a SCIT virtual partition and SCIT virtual server]

Multi-National Security Breach
http://news.bbc.co.uk/2/hi/technology/7118452.stm
“A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted.”
- If a user searched Google for terms such as "hospice", "cotton gin and its effect on slavery", "infinity" and many more, the first result pointed to a website from which malicious software was downloaded and embedded on the user's system.
- Criminals in country A created domains that were mostly bought by companies in country B and hosted in country C. Tens of thousands of domains were used.
- These domains tricked Google's indexing strategy into treating the pages as a good and reliable source of information.
- Targeted and organized attacks.

Cross Sector Cyber Threats Strategy: Securing Servers
- Servers and endpoints have to be protected.
- The Verizon Data Breach Investigation shows that 99% of the compromised records were from servers (http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf).
- A key step in these attacks was the installation of customized malware, which cannot be detected by current systems.
- Current protection can take place at the network level and, for important asset protection, at the host level:
  - Intrusion Prevention Systems, including firewalls
  - Intrusion Detection Systems: statistical, anomaly and behavior based
  - White lists and black lists: IP addresses and software
  - Intrusion Tolerance – intrusions will happen, focus on minimizing losses
Speaker notes: Arun Sood will present the next few slides. We cannot depend on systems' internal controls and security foundations; we are forced to protect at the boundary's edge. This is ineffective in the long term because these controls depend on human intervention to implement, manage and update.

Multi-layered Approach to Security
- IPS depend on inspection of incoming packets.
- IDS depend on inspection of incoming and outgoing packets.
- With increasing bandwidth and more matching requirements, the cycles devoted to packet inspection will keep increasing.
- Threat-independent approaches are needed for protection.
- Other approaches should be included in the mix, including approaches that do not rely on packet inspection and have potential for threat-independent performance:
  - White list of software
  - Time-dependent intrusion tolerance

Key Intrusion Tolerance Approaches

Criterion                  | SITAR                                                   | MAFTIA                                                                                    | SCIT
Basis                      | Detection based                                         | Structure based                                                                           | Time dependent
Payload inspection         | Yes                                                     | Yes                                                                                       | No
Voting algorithm           | Yes, used to detect faulty replica and survive attacks  | Yes, used to detect faulty replica and survive attacks                                    | Deterministic
Performance impact         | Impact on response time                                 | Impact on response time                                                                   | Some impact on computing cycles for starting a new server instance
Execution of ITS algorithm | In application data flow                                | In application data flow                                                                  | Out-of-band
Diversity                  | Required                                                | Required                                                                                  | Optional, but diversity will make the scheme more robust
Recovery                   | Adaptive recovery performed upon detecting an intrusion | Performed upon detecting an intrusion; faulty replica recovered according to healthy ones | Periodic recovery performed by the Controller, based on a master copy

Self Cleansing Intrusion Tolerance (SCIT): Next Generation Server Security Technology
- Infrastructure servers, including those in the DMZ
- Short transactions reduce exposure time

Introducing SCIT, the Intrusion Tolerance System
- Optimizes application-specific exposure windows (AEW).
- Targets “overexposed” applications (transactions): servers are sitting ducks.
  - Focus initially on websites, DNS, Single Sign On.
  - Ongoing R&D: authentication (LDAP), firewall.
  - Not targeted at applications with inherently long transaction times (FTP, VPN, etc.).
- Leverages virtualization technology to reduce intrusion risk and costs.
- Reduces exposure time to limit intrusion losses.
- Adds time-based exposure control to intrusion prevention and detection solutions.
- SCIT is based on a new paradigm, but is easy to integrate with existing systems.
- New level of “day-zero” protection.
- Increases security through real-time server rotation and cleansing:
  - Enhances security of high-availability systems.
  - Enables more flexible patch scheduling.

SCIT Software
- SCIT deploys on existing servers; it does not require additional physical servers.
- SCIT is cost effective, uses virtualization technology and increases system security.
- SCIT does not interfere with existing IPS and IDS solutions.
- SCIT is an additional layer of defense.

Anatomy of a Hack (Richard Stiennon, May 2006, http://blogs.zdnet.com/threatchaos/?p=330)

Manual approach:
- Identify target: footprint analysis (Whois, NSLookup, search engines), enumeration. Analyze publicly available information; set the scope of the attack and identify key targets.
- Scanning: machines, ports, applications. Check for vulnerabilities on each target.
- Exploitation: buffer overflow, spoofing, password, DoS. Attack targets using a library of tools and techniques.
- Install malicious code.
- Damage: “owning”, IP theft, blackmail, graffiti, espionage, destruction.

Automated approach:
- Identify target: footprint analysis (Whois, NSLookup, search engines), enumeration.
- Automated scanning: machines, ports, applications.
- Deliver payload: custom Trojan, rootkit.
- Install malicious code.
- Hack other machines: take over the domain controller; attack targets using the installed software.
- Damage: “owning”, IP theft, blackmail, graffiti, espionage, destruction.

Speaker notes: Hacking approaches have become more automated. Our focus is on understanding the attacks on servers. For example, custom viruses are often used to attack client stations to retrieve the email addresses in the address book; typically dedicated servers do not have address books. Attacks are motivated by financial or political gain, and there are more organized attacks with criminal intent.

How Does SCIT Provide Additional Security?
SCIT servers
- Are regularly restored to a known state, removing malicious software installed by attackers.
- Provide protection while the manufacturer is developing a patch, i.e. SCIT servers are protected in the period between vulnerability detection and patch distribution.
- Give data center managers an additional degree of freedom in developing a systematic plan for patch management.
SCIT DNS servers
- The domain name / IP address mapping is protected from malicious alteration, thus avoiding improper redirection of traffic.
SCIT Web servers
- Protect the corporate crown jewels: front ends for sensitive information, e.g. customer or employee data sets, IP, and informational web sites.
- Regularly restore the sites to known states, making it difficult for intruders to undertake harmful acts such as deleting files.
- Avoid long-term defacements.
- Reduce the risk of large-scale data exfiltration.

Comparison of IDS, IPS, IT

Issue                            | Firewall, IDS, IPS                                                  | Intrusion tolerance
Risk management                  | Reactive                                                            | Proactive
A priori information required    | Attack models. Software vulnerabilities. Reaction rules.            | Exposure time selection. Length of longest transaction.
Protection approach              | Prevent all intrusions. Impossible to achieve.                      | Limit losses.
System administrator workload    | High. Manage reaction rules. Manage false alarms.                   | Less. No false alarms generated.
Design metric                    | Unspecified.                                                        | Exposure time: deterministic.
Packet/data stream monitoring    | Required.                                                           | Not required.
Higher traffic volume requires   | More computations.                                                  | Computation volume unchanged.
Applying patches                 | Must be applied immediately.                                        | Can be planned.

Server Rotations
Example: 5 online and 3 offline servers – virtual or physical server rotation
[Figure: online servers (potentially compromised) and offline servers (in self-cleansing); the swaps are marked with small black dots]
Speaker notes: To demonstrate how SCIT works, we take a simple example of 5 online servers and 3 offline servers. SCIT applies to situations that have virtual or physical servers; current SCIT products use virtual servers. Online servers are potentially compromised. At regular intervals an online server is swapped with an offline clean server. The offline servers go through a cleaning process, and are returned to a known state before being brought online. This swapping process is referred to as a server rotation. In this example, we show the swapping of the servers with small black dots. For this to work, the swapping must take place without user service interruption. Our aim is to reduce exposure time. For example, for DNS, in a lab setting we have achieved a 2 second exposure time using a SUN server. In a commercial setting for DNS and web servers, we are planning a sub-minute exposure time.
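The rotation described above as a runnable toy model (added example, not SCIT's own code). It assumes only what the slide states: a fixed number of online and offline servers, one swap per interval of the longest-online server with the longest-cleansed offline server, and cleansing that discards whatever an attacker installed; the 12-second interval and server names are constructed so that the 5-online example yields a 60-second exposure window.

```python
"""Toy model of SCIT server rotation (added example, not SCIT's own code).
Constructed setup: n_online servers serve traffic, n_offline are being
cleansed, and every `interval` seconds the longest-online server is swapped
with the offline server that has been cleansing longest.  It follows that
  exposure window  = n_online  * interval   (time a server stays online)
  cleansing budget = n_offline * interval   (time a server stays offline)
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Server:
    name: str
    online_since: Optional[float] = 0.0   # None while offline
    offline_since: Optional[float] = None
    compromised: bool = False             # attacker has a foothold here


class ScitCluster:
    def __init__(self, n_online: int, n_offline: int, interval: float):
        self.interval, self.clock = interval, 0.0
        # leftmost element of each deque = longest in its current state
        self.online = deque(Server(f"s{i}") for i in range(n_online))
        self.offline = deque(Server(f"s{i}", None, 0.0)
                             for i in range(n_online, n_online + n_offline))

    def exposure_window(self) -> float:
        return len(self.online) * self.interval

    def cleansing_budget(self) -> float:
        return len(self.offline) * self.interval

    def attack(self, name: str) -> bool:
        """Mark an online server as compromised; False if it is not online."""
        for s in self.online:
            if s.name == name:
                s.compromised = True
                return True
        return False

    def compromised_online(self) -> list:
        return [s.name for s in self.online if s.compromised]

    def rotate(self) -> dict:
        """Retire the oldest online server; bring in the longest-cleansed one."""
        self.clock += self.interval
        victim = self.online.popleft()
        exposure = self.clock - victim.online_since
        victim.compromised = False        # restored from the master copy
        victim.online_since, victim.offline_since = None, self.clock
        self.offline.append(victim)
        fresh = self.offline.popleft()
        cleansing = self.clock - fresh.offline_since
        fresh.online_since, fresh.offline_since = self.clock, None
        self.online.append(fresh)
        return {"t": self.clock, "out": victim.name, "in": fresh.name,
                "exposure": exposure, "cleansing": cleansing}


def run(n_online=5, n_offline=3, interval=12.0, steps=8):
    """Slide example, 5 online / 3 offline: compromise the newest online
    server before the first rotation (worst case) and report when it is gone."""
    cluster = ScitCluster(n_online, n_offline, interval)
    cluster.attack(cluster.online[-1].name)
    events, cleared_at = [], None
    for _ in range(steps):
        events.append(cluster.rotate())
        if cleared_at is None and not cluster.compromised_online():
            cleared_at = cluster.clock
    return cluster, events, cleared_at
```

In the worst case the foothold survives exactly one exposure window (60 s here), and each offline server gets the full cleansing budget (36 s) before it returns; shrinking the interval shrinks both, so the cleansing step has to fit the smaller budget.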

Server State Transitions [state transition diagram]

Intrusion Tolerance
- Increase security by reducing the exposure window.
- The exposure window is the time a server is online between rotations.
- Optimizes application-specific exposure windows for servers.
- Decreasing the time available for intrusion reduces potential losses.
[Figure: cost versus exposure time T]

Value for Exposure Window Management
[Chart: transaction length (short to long) against value for exposure window management (low to high)]
Target applications (short transactions, high value): web servers, DNS services, Single Sign On, firewalls, authentication (LDAP), transaction processors; also e-commerce payments (a long session of multiple short transactions) and streaming media.
Long transactions (low value for exposure window management): VPN, complex database queries, back-end processing, file transfer (size dependent).

Exposure Time Reductions

Application                   | Current Server        | SCIT Server
Websites – Windows Server     | 1 day to 3 months     | 60 seconds
Websites – UNIX Server        | 1 month to 6 months   |
DNS services – Linux Server   | 3 months to 1 year    | 30 seconds

In the following slides we show that reducing exposure time significantly reduces expected loss.

Security Risk Assessment Follows SecurityFocus.com (Symantec), Microsoft

SCIT vs Traditional
[Chart: cumulative Single Loss Expectancy against SCIT exposure time for a multi-tier architecture: web server, DNS server, content manager, database server]
Reducing exposure time significantly reduces expected loss.

Avoidance is Better Than Cleaning
You cannot clean a compromised system by:
- patching it;
- removing the back doors;
- using some vulnerability remover;
- using a virus scanner;
- reinstalling the operating system over the existing installation.
You cannot trust:
- any data copied from a compromised system;
- the event logs on a compromised system;
- your latest backup.
The only proper way to clean a compromised system is to flatten and rebuild.
CLEANING COMPROMISED SYSTEMS IS DIFFICULT. IT IS BETTER TO AVOID HACKING.

Sample Requirements Met by SCIT Servers
- A web site should not be defaced for longer than 1 minute.
- DNS tables should be restored within 1 minute.
- The security architecture should reduce data exfiltration: a SCIT server along with an IDS will reduce the volume of data that can be maliciously retrieved.
- To ensure clean servers, remove malware every minute.
- Use diversity to change the face of the web server every minute.

Performance & Functionality Stress Tests
- Workload: number of user sessions per minute (50, 100, 125).
- User session: a series of requests and responses from the server; select an item from a drop-down list and add it to persistent storage.
- OpenSTA is used to generate the workload.
- 3 runs per case. Duration of a run = 3 × exposure time for the run, so each VM is tested at least once.
- Workload consists of N requests every 10 seconds.
- Exposure times of 2, 3 and 4 minutes, plus no rotation.
- Stand-alone web server for the non-SCIT test.

Performance Test Results

Exposure Time | User Sessions | Avg. Response Time (secs) | Std Dev
2 m           | 50            | 6.16                      | 0.07
2 m           | 100           | 6.24                      | 0.01
2 m           | 125           | 6.27                      | 0.02
3 m           | 50            | 6.10                      | 0.04
3 m           | 100           | 6.15                      |
3 m           | 125           | 6.31                      | 0.05
4 m           |               | 6.08                      |
4 m           |               | 6.14                      |
No Rotation   |               | 6.03                      | 0.00
No Rotation   |               | 6.04                      |

SCIT server environment: entry-level DELL system, dual processor with 4 cores each, 4 GB memory, Slackware OS, Apache, Tomcat, shopping cart (Java).

Response Times for Different Exposure Times

Preliminary Performance Data Each user session includes a series of requests and responses. Average “think” time = 2 seconds between requests. Each session involves selecting an item from a drop down list and adding it into the persistent storage. Repeated 3 times. DEPEND 2009, June 09

SCIT Parameters
- Active window Wo: the server accepts requests from the network.
- Grace period Wg: the server stops accepting new requests and fulfills the outstanding requests in its queue.
- Exposure window: W = Wo + Wg.
- Ntotal: total nodes in the cluster.
- Ntotal, W and the cleansing time Tcleansing are inter-related.
Copyright 2009

SCIT State Transition Diagram
States: G: Good; V: Vulnerable; A: Successful Attack; F: Failed.
Transitions as labelled in the diagram: G → V with probability 1; V → A with probability Pa; V → G with probability 1 – Pa; A → G with probability Pc; A → F with probability 1 – Pc.
Simple diagram. Pa: probability of a successful attack. Pc: probability of cleansing when in A.
F: low chance of occurrence, but still possible: the virtual machine and/or the host machine no longer responds to the Controller, or the Controller itself fails due to a hardware fault.

MTTSF and W
- W ↓ → (Pa ≤ 1 – e^(–λW)) ↓
- W ↓ → (Pc ≥ e^(–λW)) ↑
- Then: W ↓ → MTTSF_SCIT ↑
- MTTSF_SCIT ≥ F(W), where F(W) is a decreasing function of W.
Significance: engineer an instance of the SCIT architecture by tuning W in order to increase or decrease the value of MTTSF_SCIT.

MTTSF and Grace Period
- The grace period is used by the Controller to issue the cleansing-mode signal.
- Noutstanding: average number of outstanding requests in the queue when the server enters the grace period.
- Entire incoming traffic ~ Poisson(α). It is known that λ = k·α, with k ≤ 1.
- Noutstanding ≤ α·Wo.
- S: service rate in terms of number of serviced requests per unit time: Wg = Noutstanding / S ≤ (α·Wo) / S.
- Since α/S < 1, the estimate for the grace period is Wg < Wo.
- Then: control MTTSF_SCIT by the online window Wo.
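The bounds from the MTTSF slides, the state-transition diagram and the grace-period estimate worked through numerically (added example, not the SCIT authors' analysis). The slides do not give F(W); the chain solution and the resulting F(W) = W / (1 – e^(–λW))² are derived here under the stated assumption that each exposure window is one step of the G → V → A → (G | F) chain, and the code also checks a caveat of that model: the bound is decreasing in W only while λW stays small.

```python
"""Worked numbers for the MTTSF slides (added example, not from the SCIT
authors).  Relations taken from the slides:
  Pa <= 1 - exp(-lambda*W)    successful attack within exposure window W
  Pc >= exp(-lambda*W)        window ends in cleansing while in state A
  lambda = k*alpha, k <= 1    attacks are a fraction k of Poisson traffic
  N_outstanding <= alpha*Wo ; Wg = N_outstanding/S <= alpha*Wo/S
Our modelling assumption: each exposure window is one step of the
G -> V -> A -> (G | F) chain on the state-transition slide, with the A
outcome settled at the end of the same window.  Expected windows to F:
  E_V = 1 + Pa*E_A + (1-Pa)*E_V,  E_A = Pc*E_V  =>  E_V = 1/(Pa*(1-Pc))
Inserting the two bounds gives MTTSF >= W/(1-exp(-lambda*W))^2 =: F(W).
"""
import math


def attack_prob_bound(lam: float, W: float) -> float:
    """Upper bound on Pa for attack rate lam (per second) and window W."""
    return 1.0 - math.exp(-lam * W)


def cleanse_prob_bound(lam: float, W: float) -> float:
    """Lower bound on Pc (probability of no attack arrival during W)."""
    return math.exp(-lam * W)


def attack_rate(alpha: float, k: float) -> float:
    """lambda = k*alpha, with k in [0, 1] the attack fraction of traffic."""
    if not 0.0 <= k <= 1.0:
        raise ValueError("k must lie in [0, 1]")
    return k * alpha


def grace_period_bound(alpha: float, Wo: float, S: float) -> float:
    """Wg <= alpha*Wo/S; requires alpha < S or the queue never drains."""
    if alpha >= S:
        raise ValueError("alpha must be below the service rate S")
    return alpha * Wo / S


def exposure_window(Wo: float, alpha: float, S: float) -> float:
    """W = Wo + Wg, using the grace-period bound as the estimate of Wg."""
    return Wo + grace_period_bound(alpha, Wo, S)


def mttsf_windows(Pa: float, Pc: float) -> float:
    """Expected exposure windows until state F in our chain model."""
    return 1.0 / (Pa * (1.0 - Pc))


def mttsf_lower_bound(lam: float, W: float) -> float:
    """F(W): MTTSF in seconds at the slides' bounds for Pa and Pc."""
    return W * mttsf_windows(attack_prob_bound(lam, W),
                             cleanse_prob_bound(lam, W))


def is_decreasing(lam: float, windows: list) -> bool:
    """True if F(W) strictly decreases over the given windows.  In this
    model that holds while lam*W is small (well under one expected attack
    per window); past lam*W ~ 1.3 the bound turns upward again."""
    vals = [mttsf_lower_bound(lam, W) for W in sorted(windows)]
    return all(a > b for a, b in zip(vals, vals[1:]))
```

With λ = 0.001 attacks per second, halving W from 60 s to 30 s roughly doubles the MTTSF bound, and the grace-period estimate for α = 5, Wo = 60 s, S = 8 is 37.5 s, comfortably below Wo as the slide states.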

Observations and Thoughts
- Specifying security without a time framework is very hard.
- It is easier to assess risk for proactive systems than for reactive systems.
- Threat-independent protection is critical: protect while patches are being developed.
- We need easy-to-understand metrics and/or benchmarks.
- SCIT makes it harder for the intruder, but how much harder?
- Cost vs. hardening assessment.

Conclusion
- SCIT significantly reduces risk levels for targeted applications using virtualization technology.
- Augments existing IPS and IDS solutions: another layer of defense, no interference.
- Completed SCIT web server and SSO server; SCIT DNS server in Q4.
- Research issues: long-duration transactions, randomized defensive strategies, scalability, functionality under load, “penetration” testing, other servers (e.g. email).

SCIT Publications + Contact Info
- SCIT technical publications
- Links to media reports
- Links to demo videos
http://cs.gmu.edu/~asood/scit
Questions? Arun Sood, asood@gmu.edu, 703.347.4494

Questions
- The SCIT goal is to make it harder for an intruder to do damage. We need a way to say that by having an exposure time of X the task will become Y times harder. Are there ways of assessing this without the use of red teams?
- What is a good enough exposure time?
- What metrics and benchmarks are more meaningful to decision makers?
- Given limited knowledge of future attack methodologies, how does one justify a multi-layered security architecture?
- Can SCIT simplify the constraints on IDS and thus reduce false alarms?