02/03/14 Copyright © 2002 WireX Communications, Inc.
Autonomix: Autonomic Defenses for Vulnerable Software
Crispin Cowan, Ph.D, WireX Communications, Inc.

Presentation transcript:

Slide 1: Autonomix: Autonomic Defenses for Vulnerable Software
Crispin Cowan, Ph.D, WireX Communications, Inc, wirex.com

Slide 2: Phase I and Phase II
Phase I: WireX and OGI
  WireX: Component Autonomy
    – Defend software implementation against common vulnerabilities
  OGI: Network and Systemic Autonomy
    – IDS notification translation
    – IDS response "orchestrate"
Phase II: Just WireX
  More component Autonomy
  LSM: Linux Security Module

Slide 3: Autonomix Technical Objectives
Tools to guard legacy components against common software vulnerabilities
  StackGuard: protection from "stack smashing" buffer overflows
  SubDomain: lightweight mandatory access controls
  FormatGuard: protection from printf format bugs
  RaceGuard: protection from temp file races
  PointGuard: generalized StackGuard
  CryptoMark: kernel-enforced digital signatures for programs
  Linux Security Module: facilitate kernel loadable security extensions
Objective: vulnerability tolerance

Slide 4: Technical Approach
Abstract Approach
  – Local intrusion response
  – Catch intrusion in process
  – Halt exploited component
The Canary Technique
  Detect attacks in progress:
  – Make symptoms of attack mode obvious
  – Place a sacrificial canary where an attack will show tampering
  – Monitor canary
  If canary destroyed, then attack is happening
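The canary technique in miniature, as an added example written for this transcript rather than code from WireX or StackGuard: a frame is modelled as a byte array holding a buffer with a canary planted just above it, an unchecked copy runs into the frame, and the canary is inspected before the frame is trusted. The frame layout, the canary bytes and the `guarded_copy` and `handle_request` names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a guarded stack frame (not StackGuard's code): a
 * 16-byte buffer followed by a 4-byte canary, i.e. the canary sits between
 * the buffer and whatever lies above it that an overrun would reach next. */
#define BUF_LEN    16
#define CANARY_LEN 4
#define FRAME_LEN  (BUF_LEN + CANARY_LEN)

/* Terminator-style canary (byte values chosen for this example): NUL, LF,
 * -1 and CR are bytes that string-copying routines stop at or cannot write,
 * so an overrun driven by such a routine cannot reproduce the canary. */
static const unsigned char CANARY[CANARY_LEN] = { 0x00, 0x0a, 0xff, 0x0d };

/* Copies input into the buffer with no length check, as the vulnerable code
 * would, bounded only by the frame so the model itself stays well defined.
 * Returns 1 if the canary is intact, 0 if it was destroyed. */
int guarded_copy(const char *input, size_t input_len)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, CANARY, CANARY_LEN);       /* plant the canary */

    size_t n = input_len < FRAME_LEN ? input_len : FRAME_LEN;
    memcpy(frame, input, n);                            /* unchecked copy */

    /* Monitor: inspect the canary before trusting anything in the frame. */
    return memcmp(frame + BUF_LEN, CANARY, CANARY_LEN) == 0;
}

/* The "halt exploited component" step: a destroyed canary means the request
 * is refused instead of continuing on a corrupted frame. */
int handle_request(const char *input, size_t input_len)
{
    if (!guarded_copy(input, input_len)) {
        fputs("canary destroyed: attack in progress, halting\n", stderr);
        return -1;                    /* a real guard would abort() here */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one fits the buffer, one overruns it by 4 bytes. */
    const char ok[] = "GET /index.html";
    char overrun[BUF_LEN + 4];
    memset(overrun, 'A', sizeof overrun);
    printf("normal input: %d\n", handle_request(ok, sizeof ok - 1));
    printf("overrun:      %d\n", handle_request(overrun, sizeof overrun));
    return 0;
}
```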

Slide 5: Quick Review
Results previous to this project
  StackGuard: protection from "stack smashing" buffer overflows
  SubDomain: lightweight mandatory access controls
Last Year's Autonomix results
  FormatGuard: protection from printf format bugs
    USENIX Security 2001 paper
    Open source
    In Immunix 7.0 products
  RaceGuard: protection from temp file races
    USENIX Security 2001 paper
    Didn't quite make the product cut; in next drop
  Relative Invulnerability: empirical measurement of effectiveness of these tools, individually and in combination

Slide 6: Major Achievement: Low-Effort Protection
These tools are highly transparent:
  – Performance overhead: under 2% across the board, usually lower
  – Compatibility issues: minimal
      Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard
      RaceGuard works on binary code, breaks nothing
  – Administrative overhead: nil

Slide 7: Proposed Metric: Relative Invulnerability
Compare a "base" system against a system protected with Immunix tools
Count the number of known vulnerabilities stopped by the technology
"Relative Invulnerability": % of vulnerabilities stopped

Slide 8: Immunix Relative Invulnerability
Immunix System 7:
  – Based on Red Hat 7.0
  – Compare Immunix vulnerability to Red Hat's Errata page (plus a few they don't talk about :-)
  October 1 to May 25, 2001
  – 57 vulnerabilities total
  – 16 remote, 41 local
  – 53 penetration, 4 DoS
  – 13 remote penetration

Slide 9: Immunix Relative Invulnerability

Slides 10 and 11: New Stuff
Incremental work:
  FormatGuard: refinement to improve coverage
  RaceGuard: refinement to close hole
New Autonomix Component Technologies
  PointGuard: generalized StackGuard
  CryptoMark: kernel-enforced digital signatures for programs
  Linux Security Module: facilitate kernel loadable security extensions (Today's Focus)

Slide 12: LSM: Linux Security Module
Standard Linux kernel limited to classical UNIX security model:
  – root is everything
  – POSIX.1e Capabilities
Linux kernel a common target for security research
  – Immunix: SubDomain, RaceGuard
  – Others: SELinux, RSBAC, LIDS, LOMAC, DTE, NAI Wrappers, Janus, SGI CAPP, etc.

Slide 13: LSM: Linux Security Module
Unfortunately, none are standard to Linux
  – Maintained as kernel patches
  – To deploy them, must acquire a custom kernel
Linus would like to support advanced security policy, but not willing to endorse one project.
  – Too political… "My security policy is better than yours."
  – Linus is not a security expert, and doesn't want to be
  – Linux is about choice anyway
Solution: enrich Linux's module interface to support security policy modules

Slide 14: LSM - Design Goal
Create a general purpose framework to enable pluggable security modules
  – Be general enough to support existing security projects
  – Work with community to define each project's needs
  – Continue to support root/Capabilities, perhaps as a module

Slide 15: LSM Community
470 people subscribed to LSM mailing list
Active participation (code :-) from:
  – WireX
  – SELinux (NAI)
  – SGI
  – IBM (at least three different locations)
  – Janus (David Wagner, UC Berkeley)

Slide 16: Constrained Design Space
LSM needs to be:
  – generic enough for existing security modules
  – simple enough to be acceptable to the Linux core maintainers
      minimally intrusive patch
      easy to understand code
  – able to support POSIX.1e capabilities

Slide 17: LSM Design
syscall interposition, i.e. wrappers at the syscall interface
  – not appropriate: leads to module bloat
  – already available by re-writing Linux syscall table
Instead, we mediate access to internal kernel objects
  "May subject X access object Y for operation Z?"

Slides 18 to 21: LSM - Architecture
User-level process: Open syscall
Kernel: Std. error checks -> Std. Security checks -> LSM hook ("ok with you?") -> Complete request
LSM Module: Policy engine: examine context; does request pass policy? grant or deny ("Yes or no")

Slide 22: Hook Style
Restrictive: module may only reject a request about to be granted
Permissive: module may only permit a request about to be rejected
Authoritative: module may totally over-rule standard kernel logic
We chose restrictive hooks only, except for capabilities
  – Simplifies LSM patch for maximum acceptability to Linux community

Slide 23: Module Stacking
Strong desire to compose modules
However, composition in general is intractable
Solution: stacking left to modules that want to stack
  – Stackable module must export an LSM-like interface "out the back"
  – Stackable module responsible for composing policy by taking down-chain module's results under advisement
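Slides 22 and 23 together, as an added example written for this transcript (not kernel or WireX code): the classical check runs first, a restrictive hook is consulted only when that check has granted and can therefore only deny, and a stacker module exports the same interface "out the back" and composes its verdict with a down-chain module's. The `dac_check`, `label_hook`, `noexec_hook`, `stacker_*` and `kernel_permission` names and both policies are constructed for illustration.

```c
#include <string.h>

/* Constructed model of LSM-style mediation (not kernel code). Every hook
 * answers the slide's question: "May subject X access object Y for op Z?" */
enum op { OP_READ = 1, OP_WRITE = 2, OP_EXEC = 4 };
struct subject { unsigned uid; const char *label; };
struct object  { unsigned owner_uid; unsigned mode; const char *label; };
/* Restrictive hook: 0 = no objection, -1 = deny. It runs only after the
 * standard checks have granted, so it can never turn a denial into a grant. */
typedef int (*perm_hook)(const struct subject *, const struct object *, enum op);
struct lsm_module { const char *name; perm_hook inode_permission; };

/* Classical UNIX check the kernel does anyway: root may do anything, the
 * owner gets the mode bits, everyone else is refused. */
static int dac_check(const struct subject *s, const struct object *o, enum op z)
{
    if (s->uid == 0) return 0;
    return (s->uid == o->owner_uid && (o->mode & z)) ? 0 : -1;
}
/* Module A (constructed policy): only "admin"-labelled subjects may write
 * objects labelled "config". It can refuse root, which DAC never does. */
static int label_hook(const struct subject *s, const struct object *o, enum op z)
{
    return ((z & OP_WRITE) && !strcmp(o->label, "config") &&
            strcmp(s->label, "admin")) ? -1 : 0;
}
const struct lsm_module label_module = { "label", label_hook };
/* Module B (constructed policy): "untrusted" subjects may not execute. */
static int noexec_hook(const struct subject *s, const struct object *o, enum op z)
{
    (void)o;
    return ((z & OP_EXEC) && !strcmp(s->label, "untrusted")) ? -1 : 0;
}
const struct lsm_module noexec_module = { "noexec", noexec_hook };
/* Stacker: module A with an LSM interface "out the back". It takes the
 * down-chain verdict under advisement; with restrictive hooks on both sides
 * the composition that keeps both policies is "deny if either denies". */
static const struct lsm_module *down_chain;           /* set by stacker_install */
static int stacker_hook(const struct subject *s, const struct object *o, enum op z)
{
    if (label_hook(s, o, z) != 0) return -1;           /* own policy first */
    return down_chain ? down_chain->inode_permission(s, o, z) : 0;
}
const struct lsm_module stacker_module = { "stacker", stacker_hook };
void stacker_install(const struct lsm_module *below) { down_chain = below; }

/* Kernel mediation point: standard checks, then the registered module's hook
 * only if they granted. A -1 from the hook turns grant into deny, never back. */
static const struct lsm_module *security_ops;
void lsm_register(const struct lsm_module *m) { security_ops = m; }
int kernel_permission(const struct subject *s, const struct object *o, enum op z)
{
    if (dac_check(s, o, z) != 0) return -1;            /* denied before any hook */
    return security_ops ? security_ops->inode_permission(s, o, z) : 0;
}
```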

Slide 24: Hook Location

Slide 25: LSM System Call
Many modules need a syscall interface for applications to talk directly to the module
LSM provides a generic syscall interface, and makes the module MUX it
  – lsm(unsigned int id, unsigned int call, unsigned long *args)

Slide 26: Kinds of Hooks
  task hooks
  program loading hooks
  IPC hooks
  FS hooks
  network hooks
  meta-hooks

Slide 27: Performance Overhead
Microbenchmark: lmbench
  – Tests various critical kernel functions, e.g. open, read/write, context switch, etc.
  – Worst case: 7% for trivial calls
Macro: Khernelstone, i.e. time to make Linux kernel
  – overhead not measurable
  – LSM version actually measured faster, but we don't claim LSM is an optimization :-)

Slide 28: Related Work
Extensible kernels
  – Microkernels, SPIN, SCOUT, Synthetix, etc.
All about safety:
  – prevent extensions from corrupting the kernel
Insight: LSM doesn't need that safety
  – System is completely at the mercy of security policy anyway
  – Go ahead and just trust LSM modules
  – Use simple dynamic linking technologies

Slide 29: Status & Modules
LSM interface implemented & stable
  – Linux and 2.5.1, actively tracking
Modules:
  SELinux: NSA & NAI project to add RBAC and DTE to Linux
  DTE: GPL re-implementation of the classic
  Openwall: prevents various attacks involving symbolic and hard links
  POSIX.1e capabilities

Slide 30: OASIS Projects
SCC: using SELinux via LSM
Bob Balzer wants to do LSM for Windows
Wrappers might consider porting to LSM
  – restrictive hooks may be a problem
Others?

Slide 31: LSM - What's next
Paper submitted; pending response
Phase 1:
  – Submit to Linux 2.5 kernel
  – Pending on VFS reorg by Linux people
Phase 2:
  – Consider extended support for Audit
  – More permissive hooks beyond Capabilities?
  – See if Linus is interested

Slide 32: Transition of Technology
Open source: StackGuard, FormatGuard, and RaceGuard are all GPL'd
Commercial:
  – All being incorporated into WireX Server Appliance products
      Server appliance: a server for dummies
      Thus the need for dummy-proof security
      For sale through eLinux.com, FlexiServe (UK)
  – Immunix OS 7.0: hardened Linux distribution
      Available for purchase through wirex.com and eLinux.com
      Licensed by Counterpane

Slide 33: Summary
Component Autonomy:
  – Largely working software
  – Running this laptop: StackGuard, FormatGuard, RaceGuard, and SubDomain
  – Available piecewise, or integrated into Immunix OS and Immunix server appliances, at wirex.com, eLinux.com

Slide 34: LSM
Web site:
Mailing list: on the web site
BOF at USENIX? USENIX Security?