Automatic for the people: Reducing inadvertent leaks by personal machines
Landon Cox, Duke University


Inadvertent leaks
Usability and privacy: A Study of Kazaa...
‣ Good and Krekelberg, CHI, 2003
‣ In 12 hours, found 150 inboxes on Kazaa
‣ Observed people downloading dummy inbox
Problem hasn’t gone away

Stories from 2009

Technical solution?
[Diagram labels: Reference monitor, Policy, Process (x3), Network, Files, IPC]
Servers: Asbestos, HiStar, Flume
Languages: Jif, Laminar, Resin
Desktop: PrivacyScope, TightLip
[Labels: Dev, Admin, User, Automation]

Automatic policy specific.
State of the art: pattern matching
‣ Look for strings that look like SSNs, CCs, etc.
‣ find_SSNs, Firefly, SENF, Spider, etc.
‣ A bit brittle and error-prone
‣ High false positive/negative rates
Let’s take a different approach

Key observations
1) Personal machines often cache sensitive data
2) Servers force clients to access files using crypto
3) Crypto is general technique, used across admin. domains and applications

RedFlag overview
Identifies processes that store decrypted data
‣ Unobtrusive (requires no user input)
‣ Compatible with legacy applications
‣ Compatible with existing Internet protocols
High-level insights
‣ Stop trying to figure out what sensitive data looks like
‣ Use heuristics of how sensitive data is handled

Caveats
We cannot stop all inadvertent leaks
‣ Stop large, important class of leaks
Trust and threat model
‣ Uncompromised host
‣ No IP spoofing or DNS hijacking
‣ Correct, trusted reference monitor (take your pick)
‣ Buggy/absent access-control policies

RedFlag system overview
Monitor sockets, Inspect process, Compose rules

Monitoring sockets
Goal
‣ Try to identify incoming encrypted data
‣ Only at application level (e.g., SSL)
Easy for most widely used apps
‣ Look at remote port (e.g., 443 or 993)
Not always sufficient
‣ Non-standard ports: Skype, Groove, Groupwise
‣ XMPP sends SSL, non-SSL data to same port (5222/TCP)

Information entropy
Compute entropy score for ambiguous ports
‣ Negligible performance overhead
‣ If score above threshold (~7.9 bits/byte), invoke inspection process
Can induce false positives
‣ Compressed data sent in the clear (e.g., mp3s)
‣ On-the-fly compression schemes (e.g., http content-coding=gzip)
Luckily, doesn’t need to be 100% accurate
‣ Really just a performance optimization to save work
‣ Only used as a first-pass filter
‣ Correct any mistakes in inspection phase
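
The first-pass filter described on this slide, as an added example (not RedFlag's code): it scores a payload's byte entropy against the ~7.9 bits/byte threshold and shows the compressed-cleartext false positive. The function names, the port 8080 case and all sample payloads are constructed for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.9            # bits/byte, the approximate cut-off on the slide
UNAMBIGUOUS_PORTS = {443, 993}     # remote ports the slides treat as encrypted

def entropy_bits_per_byte(buf: bytes) -> float:
    """Shannon entropy of the byte histogram, from 0.0 up to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def flag_for_inspection(remote_port: int, payload: bytes) -> bool:
    """First-pass filter: True means hand the process to the inspection phase."""
    if remote_port in UNAMBIGUOUS_PORTS:
        return True
    return entropy_bits_per_byte(payload) >= ENTROPY_THRESHOLD

def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample payloads (not captured traffic).
CIPHERTEXT = keystream(64 * 1024)
HTML = b"<!DOCTYPE html><html><body><p>hello, world</p></body></html>\n" * 1024
HEX_LISTING = b"".join(
    hashlib.sha256(i.to_bytes(2, "big")).hexdigest().encode() + b"\n" for i in range(4096))
GZIPPED_CLEARTEXT = zlib.compress(HEX_LISTING)   # compressed, but never encrypted

if __name__ == "__main__":
    for name, port, data in [
        ("ciphertext on 5222", 5222, CIPHERTEXT),
        ("plain HTML on 5222", 5222, HTML),
        ("compressed cleartext on 8080", 8080, GZIPPED_CLEARTEXT),  # false positive
        ("1 KiB of ciphertext on 5222", 5222, CIPHERTEXT[:1024]),   # sample too short
    ]:
        print(f"{name:30s} {entropy_bits_per_byte(data):.3f} bits/byte "
              f"flag={flag_for_inspection(port, data)}")
```

A short sample cannot reach the threshold even when it is encrypted: the 1 KiB slice of the stand-in ciphertext scores about 7.8 bits/byte, so the score is only meaningful over a few KiB of payload.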

RedFlag system overview
Monitor sockets, Inspect process, Compose rules

Inspect process
Goals of inspection
‣ Infer when file write depends on network read
‣ Determine whether file write is decrypted data
Use taint-tracking
‣ Too slow to perform in critical path of desktop apps
‣ Perform asynchronously via deterministic replay
‣ Fork if network monitor flags process (port or entropy)
‣ Log libc calls in original, use log in replay process
‣ Attach taint-tracker to replayed process (e.g., PIN)
‣ Perform analysis on a free core in the background

Taint tracking
Implement with PIN
‣ Rewrite instructions to propagate taint
‣ Record taint in shadow memory
Key questions
‣ What are the taint sources?
‣ What info to send to the policy composer?

[Figure: Address space, Shadow memory, Taint label (byte), table with columns ID and Source; shown values: <!DOCTYPE html PUBLIC..., “/tmp/attach.pdf, :443”]
Fine when there is no ambiguity about the source
But what about ambiguous ports?

Ambiguous ports
Search process memory for AES s-boxes
‣ S-boxes are set by algorithm designer
‣ S-boxes are unlikely to appear randomly
‣ (also look for well-known transformations)

Ambiguous ports
If we find s-boxes in a library data section
‣ Assume image is a crypto library
‣ Vast majority of crypto libraries include AES implementation
Instrument lib to set “crypto bit” of inbound taint labels
‣ If crypto bit == 1, network data was “routed” through crypto lib
‣ If crypto bit == 0, assume network data was not decrypted
Also use s-boxes as taint source
‣ Data derived from s-boxes have “AES bit” set
‣ Can use to gauge strength of crypto algorithm
[Figure: Taint label (byte): ID index, AES bit, Crypto bit]
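
The s-box search from the two "Ambiguous ports" slides, as an added example (not RedFlag's code): it derives the AES S-box from its definition and scans a byte image for the table and its inverse. It assumes the tables are stored verbatim as 256 contiguous bytes; the function names and both images are constructed for illustration.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def rotl8(v: int, k: int) -> int:
    return ((v << k) | (v >> (8 - k))) & 0xFF

def build_sbox() -> bytes:
    """Forward S-box: field inverse (0 maps to 0) followed by the affine map."""
    inverse = [0] * 256
    for x in range(1, 256):
        inverse[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    return bytes(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63
                 for b in inverse)

SBOX = build_sbox()
INV_SBOX = bytes(SBOX.index(v) for v in range(256))   # table used for decryption

def find_aes_tables(image: bytes) -> dict:
    """Return {table name: [offsets]} for every verbatim copy found in the image."""
    hits = {}
    for name, table in (("sbox", SBOX), ("inv_sbox", INV_SBOX)):
        offsets, pos = [], image.find(table)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(table, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

def looks_like_crypto_library(image: bytes) -> bool:
    """The slide's heuristic: an image holding an AES table is a crypto library."""
    return bool(find_aes_tables(image))

# Constructed images (not real libraries): padding stands in for code and data.
CRYPTO_IMAGE = b"\x7fELF" + bytes(60) + b"code" * 100 + SBOX + bytes(16) + INV_SBOX
PLAIN_IMAGE = b"\x7fELF" + bytes(60) + bytes(range(256)) * 4

if __name__ == "__main__":
    print(find_aes_tables(CRYPTO_IMAGE), looks_like_crypto_library(PLAIN_IMAGE))
```

The "well-known transformations" the slide mentions would be further entries in the table list; an implementation that keeps no byte table at all (bitsliced code, or code that relies only on CPU AES instructions) would not match this scan.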

RedFlag system overview
Monitor sockets, Inspect process, Compose rules

Compose rules
Taint-tracking gives three pieces of info
‣ Description of network source
‣ If data was routed through crypto library
‣ If data was derived from AES s-box
Can use this to compose policies

Compose rules
Same source
‣ Allow sensitive files to be copied back to their source
‣ Raise alert otherwise
‣ Generalize hostnames (e.g., *.google.com)
Obfuscation vs. confidentiality
‣ Many P2P clients use crypto to obfuscate
‣ Aren’t trying to protect data so use weak algorithms
‣ (e.g., BitTorrent and LimeWire explicitly do not support AES)
‣ If ambiguous port + no AES, then ignore file
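
One way to combine the three taint-tracking outputs into the same-source and no-AES rules above, as an added example (not RedFlag's code). The bit positions in the label byte, the function names, the test hosts and the "keep the last two labels" hostname generalization are assumptions; that naive generalization is too broad for multi-label suffixes such as co.uk.

```python
from dataclasses import dataclass

UNAMBIGUOUS_PORTS = {443, 993}       # ports the slides treat as encrypted
CRYPTO_BIT, AES_BIT = 0x01, 0x02     # assumed bit positions in the label byte

@dataclass(frozen=True)
class Source:
    host: str
    port: int

def generalize(host: str) -> str:
    """mail.google.com -> *.google.com (naive: keeps the last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return "*." + ".".join(labels[-2:]) if len(labels) > 2 else ".".join(labels)

def same_source(src_host: str, dest_host: str) -> bool:
    """True when the destination falls under the generalized source name."""
    pattern = generalize(src_host)
    dest = dest_host.lower().rstrip(".")
    if pattern.startswith("*."):
        return dest == pattern[2:] or dest.endswith(pattern[1:])
    return dest == pattern

def is_sensitive(src: Source, label: int) -> bool:
    if src.port in UNAMBIGUOUS_PORTS:
        return True
    # Ambiguous port: require both the crypto-library bit and the AES bit.
    return bool(label & CRYPTO_BIT) and bool(label & AES_BIT)

def decide(src: Source, label: int, dest_host: str) -> str:
    """Return 'ignore', 'allow' or 'alert' for a tainted file leaving the host."""
    if not is_sensitive(src, label):
        return "ignore"
    return "allow" if same_source(src.host, dest_host) else "alert"

# Constructed cases: (source, taint label bits, destination host).
CASES = [
    (Source("mail.google.com", 443), 0, "docs.google.com"),
    (Source("mail.google.com", 443), 0, "tracker.example.net"),
    (Source("peer.example.org", 51413), CRYPTO_BIT, "tracker.example.net"),
    (Source("im.example.com", 5222), CRYPTO_BIT | AES_BIT, "files.example.net"),
]

if __name__ == "__main__":
    for src, label, dest in CASES:
        print(f"{src.host}:{src.port} -> {dest}: {decide(src, label, dest)}")
```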

RedFlag implementation
Runs on Ubuntu 8.10
Modified Jockey for logging/replay
‣ Supports multi-threaded programs
‣ User-level thread library
PIN tool for tainting
‣ Based on sequential taint tracker from Speck
‣ Modified to allow tainting during replay
‣ Implemented s-box search, crypto and AES bits in taint label

Evaluation
Accuracy
‣ How well can RedFlag identify crypto libraries using s-boxes?
‣ How well does RedFlag categorize sensitive files?
Performance
‣ Will asynchronous taint-tracking fall behind?

Identifying crypto libraries
Looked at 10 Ubuntu programs
‣ checkgmail, thunderbird
‣ IM: pidgin
‣ P2P: Azureus, Limewire, Skype, Transmission
‣ Web: Firefox, Opera, wget
Successfully identified crypto libs in all
‣ Including custom implementations, plugins (flash player)
‣ Interesting case: Opera folds crypto into executable

Categorizing sensitive files
Non-sensitive files
‣ Used Firefox
‣ Loaded 30 most popular websites (Alexa)
‣ RedFlag produced no false positives/negatives
Sensitive files
‣ Downloaded 17 representative sensitive docs
‣ Firefox, thunderbird, pidgin

Categorizing sensitive files

Taint-tracking performance

Conclusions
RedFlag automates policy specification
‣ Heuristic-based approach
‣ Monitor process behavior, not file content
‣ Sensitive files usually downloaded using crypto
‣ Deal with ambiguous ports using entropy scores, AES s-boxes
Evaluation highlights
‣ Automatically identified crypto libraries
‣ Correctly categorized files in 45/47 scenarios
‣ No false positives, three false negatives
‣ Sufficient idle time in long-running process

Thanks! I’m happy to take questions