Backtracking Intrusions By King & Chen Presented by: Sebastian Tomaszewski Mike DeSantis

Backtracker Presentation Agenda Introduction Research Problem Key Ideas / Approaches Evaluation Conclusion

Backtracker Introduction This paper discusses a new software tool to aid system administrators in providing system security. Backtracker’s goal is to reconstruct a timeline of events that occur in an attack, and to generate a visual representation of actions taken by a system intruder. This is a upgrade from previously existing software.

Research Problem Identify source of intrusion on a computer system Analyze sequence of actions taken by intruder Identify files & processes that have been effected Minimize system overhead to achieve tracking

Research Problem - Importance Once an attack has occurred: Identify venerability point that attacker exploited Fix system venerability that attacker gained access through Undue damage that attacker inflicted

Key Idea – Detection Identify a ‘detection point’ on one or more levels (ie. file modification, firewall, port scanning, process that is behaving in an unusual or suspicious manner) Tools providing ability to achieve a detection point: Tripwire, Snort, Coroner’s Toolkit (each is endorsed by Backtracker)

Key Idea - Differentiation Other software package exists, but suffer from limitations: Limited data & easily disabled logging Encrypted data used by attacker Backtracker addresses these limitations and provides many tools to analyze attacking transactions

Application - Differentiation Works by observing OS-level objects (files, filenames, processes) through a compromise between application level and machine level, tracking by process ID and version number - Application level: Semantically rich, easily disabled by an attacker - Machine level: Semantically poor, hard to disable by an attacker

Key Idea – Graph generation Generate a dependency graph through OBJECTS: Log objects and dependency-causing events during runtime. Save enough information to build a graph that depicts the dependency relationships between all objects seen over that execution. Backtracker keeps track of a process from the time it is created by a fork or clone system call, to the point where it exits. Prioritize all parts of the dependency graph for easy of searching for an attacker’s actions

Application – Graph Generation [Object definitions] A file object is identified uniquely by a device, inode number, version number (Backtracker treats pipes as normal files) A filename object refer to the directory data that maps a name to a file object A process is identified uniquely by a process ID and version number

Application – Graph Generation [Dependency causing events] One process directly effects the execution of another process object A process effects or is effected by data or attributes associated with a file object A process effects or is effected by a filename object Note: Effecting an object is not the same as controlling an object!

Application – Graph Generation [Prioritizing dependency graph] Dependency graphs for a busy system will be too large to scrutinize each object/event Ignore certain objects & events: Ignore all child events from a specific event Ignore read but not written files in a time period Ignore helper processes Choose several detection points to scrutinize

Application - Graph Generation “PTrace Attack” Analysis Exploits a race condition in Linux PTrace code to gain root access 1) Attacker caused Apache web server (httpd) to create a command shell (bash) 2) Downloaded and unpacked an executable 3) Run the executable using a different group identity

Key Idea – Dependency & Event Tracking A tracking system must examine higher level events instead of low level events to minimize system overhead Examples of high-level events: Changing contents of a file Creating a child process Examples of low-level events: Changing a file’s access time Creating a filename in a directory

Application – Dependency & Event Tracking Backtracker is able to provide useful analysis without tracking low level events even if low level events are used in the attack Backtracker logs & analyzes: Process creation through fork or clone Load and store to shared memory Read and write of files and pipes Receive data from a socket Perform execve of files Load and store to m-map’ed files Opening a file Note: Backtracker produces a 9% running time overhead and 1.2GB of log data per day for an operating system intensive workload

Application – Dependency & Event Tracking [In virtual machine environments] Virtual machine monitor prevents intruders in the guest OS from interfering with event tracking Virtual machine monitor notifies Backtracker whenever a guest application performs a high level event

Evaluation - Introduction To test Backtracker, a default installation of RedHat 7.0 was setup on a Honeypot machine RedHat: Vulnerable to several remote and local attacks Honeypot: Vulnerable to at least two attacks (Apache) A “Bind” attack was run on this system Files read but not written are ignored Ignore files in /root/.bash_history, lastlog, utmp, mtab Ignore helper processes

Evaluation - Results 1) Gain access through httpd (Apache) 2) Downloaded a rootkit using wget 3) Write the rootkit to the file “/tmp/ /bind”

Evaluation - Shortcomings Backtracker can be circumvented by: Attacking the layers upon which Backtracker’s analysis or logging depend Using a hidden channel to break the chain of events that Backtracker tracks An attacker carrying out an attack sequence of steps over a long period of time Attacking the Virtual machine monitor layer or host OS (Much harder than attacking guest kernel)

Conclusion Data integrity and security is vital as computing becomes more widespread. Backtracker allows system administrators to analyze an attack, and avoid future vulnerability. An everyday applications of this technology might be for a banking system administration team to protect their clients accounts. Questions?