David Evans University of Virginia Computer Security Research CS696 Fall 2007 17 September 2007.

Slides:



Advertisements
Similar presentations
Thank you to IT Training at Indiana University Computer Malware.
Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Software Certification and Attestation Rajat Moona Director General, C-DAC.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Wednesday, June 07, 2006 “Unix is user friendly … it’s just picky about it’s friends”. - Anonymous.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
DroidKungFu and AnserverBot
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Device Drivers.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
1 Higher Computing Topic 8: Supporting Software Updated
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
N-Variant Systems A Secretless Framework for Security through Diversity Institute of Software Chinese Academy of Sciences 29 May 2006 David Evans
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
1 Redundant Computing for Security David Evans University of Virginia TRUST Seminar UC Berkeley 25 September 2008 Work with Ben Cox, Anh Nguyen-Tuong,
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Disk-Level Behavioral Virus Detection David Evans University of Virginia work with Nathanael Paul, Adrienne Felt, and Sudhanva Gurumurthi
Security Vulnerabilities in A Virtual Environment
Wireless and Mobile Security
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
W elcome to our Presentation. Presentation Topic Virus.
N-Variant Systems A Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson,
CSCE 201 Identification and Authentication Fall 2015.
1 Redundant Computing for Security David Evans University of Virginia Yahoo! Tech Talk 16 October 2008 Work with Ben Cox, Anh Nguyen-Tuong, Jonathan Rowanhill,
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
ANTIVIRUS ANTIVIRUS Author: Somnath G. Kavalase Junior Software developer at PBWebvsion PVT.LTD.
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.
Application Communities
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Virtual Memory - Part II
University of Virginia
Techniques, Tools, and Research Issues
Chap 10 Malicious Software.
        Jefferson’s Polygraph
Hardware Security – Highlevel Survey Review for Exam 4
Chap 10 Malicious Software.
Chapter-1 Computer is an advanced electronic device that takes raw data as an input from the user and processes it under the control of a set of instructions.
Presentation transcript:

David Evans University of Virginia Computer Security Research CS696 Fall September 2007

2 Computer Security Study of computing systems in the presence of adversaries about what happens when people don’t follow the rules

3 Security in Context Security Uses tools and methods from: Theory Programming Languages Software Engineering Operating Systems Architecture Cryptography

4 Security in Context Security Uses tools and methods from: Theory Programming Languages Software Engineering Operating Systems Architecture Cryptography Addresses problems in: Applications Systems Embedded Computing Graphics Networks

5 Menu (2) Malware Detection (with Sudhanva Gurumurthi, Nate Paul, Adrienne Felt) (0) RFID Privacy (Karsten Nohl) (1) User Intent Based Policies (Jeff Shirley) (3) Security through Diversity (w/John Knight, Jack Davidson,..., UC Davis, UNM, UCSB)

6 RFID Privacy - Karsten Nohl 10k gates Cryptographic Hash Function 2k gates RFID tag 5¢ Can we provide adequate privacy and authenticity with simple, cheap primitives?

7 User-Intent Based Access Control Jeff Shirley

8 Michael Sinz’s Comic

9 Jennifer Kahng’s undergraduate thesis experiment 37% clicked Continue 31% clicked Continue 2% typed in “yes”

10 Radical Assumption Most users are not COMPLETE MORONS!

11

12 User-Intent Based Access Control For desktop systems: the user is not the enemy, the programs are How users interact with programs indicates what they trust them to do Polices that incorporate user intent: –More precise –(Mostly) Universal –Dynamic –Understandable

13 Example: Universal File Policy FileOpen(file $f)  read($f) FileSave(file $f)  write($f) InstallCreate(file $f)  read($f), write($f)

14 Network Policy EnterInSmallBox(host $h)  connect($h)

15 Challenges Securely recording user actions Inferring intentions from actions Finding and evaluating interesting policies Automatically deriving policies

Disk-Level Behavioral Virus Detection work with Nathanael Paul, Adrienne Felt, and Sudhanva Gurumurthi

17 Stereotypical Malwarist, circa 2000 David Smith “Melissa” 1999 Onel de GuzmanMichael Buen “ILoveYou” Worm, 2000

18 rem barok -loveletter(vbe) rem by: spyder / Group / Manila,Philippines … x=1 for ctrentries=1 to a.AddressEntries.Count set male=out.CreateItem(0) male.Recipients.Add(a.AddressEntries(x)) male.Body = “kindly check the attached LOVELETTER …” male.Attachments.Add(dirsystem &“\LOVE-LETTER-FOR-YOU.TXT.vbs”) male.Send x=x+1 next “ILoveYou” Worm Code Thoughtful message Hid location Creative speller Good understanding of for loops

19 Detecting “ILoveYou” Group”) Signature Scanning –Database of strings that are found in known viruses –A/V scanner examines opened files (on- access) or stored files (on-demand) for that string

20 Stereotypical Malwarist, 2007 Picture by Tobic,

21 The Organized Malware Industry Multi-million dollar industry Vulnerability black market –Zero-day exploits sell for ~$4000 Virus “professionals” –Sell viruses, or use them to build botnets and rent spamming/phishing service Bad news for society, but great news for security researchers!

22 Modern Viruses Multi-threaded, stealthy, parasitic Self-encrypted: each infection is encrypted with a new key –No static strings to match except decryption code Metamorphic: the decryption code is modified with each infection –Modify instructions Below host level: rootkits

23 Traditional Detection is Doomed Reactive: signatures only detect known viruses Static: code is easy to change and hard to analyze Circumventable: malware can get below the detector

24 Our Goal Detect viruses: –At a level malware can’t compromise –Without disrupting non-malicious applications –Without (overly) impacting performance Recognize the fundamental behavior of viruses, instead of relying on blacklists of known viruses

25 Semi-Obvious Riddle What is: Available on almost every computer Able to see all disk activity And has processing power and memory comparable to ~2000 Apple II’s? The disk processor. 200MHz ARM Processor, 16-32MB Cache

26 Even More Obvious Riddle What behavior do all file-infecting viruses have in common? They infect files.

27 Disk-Level Behavioral Detection Executing Program Program makes file requests to OS OS issues Read/Write requests to disk Disk processor analyzes request stream for malicious behavior Operating System

28 Advantages Proactive –General techniques to detect new viruses Difficult to Evade –Can’t hide disk events from disk –Dynamic: Hard to change disk-level behavior Difficult to Circumvent –Runs below host OS

29 Executing Program Disk processor analyzes request stream for malicious behavior Operating System read(file, buf, numbytes); Semantic Mapper <R, gaim.exe, 0, length> Rule Detectors gaim.exe:... R:0 W:0 *

30 Windows PE File MS-DOS Header PE Header Section Headers Section 0Section 1 … Section N

31 Infecting a Windows PE File MS-DOS Header PE Header Section Headers Section 0Section 1 … Section N Read Write

32 RWW Rule read write write  ]+, -separated events in any order ; -separated groups are ordered name is an executable file (starts with MZ or ZM )

33 Detection Results VirusRRWWRWWRWW Alcaul.o, Chiton.b, Detnat, Enerlam.b, Ganda, Harrier, Jetto, Magic.1590, Matrix.750, Maya.4108, NWU, Oroch.5420, Parite.b*, Resur.f, Sality.l*, Savior.1832, Seppuku.2764, Simile, Tuareg (19 viruses) All infections detected Aliser %83% All infections detected Efish*87%All infections detected Evyl91%All infections detected

34 False Positives Experiments with 8 users, 100 million events –RRWW: 3, RWW: 15, RW: 35, W: 118 Few Causes: updates, system restores, program installs, software development Solutions – if we can change some hard to change things

35 Helix Project: Security through Dynamic Diversity with Jack Davidson, John Knight, Anh Nguyen-Tuong and University of New Mexico, UC Davis, UC Santa Barbara

36

37 Security Through Diversity Today’s Computing Monoculture –Exploit can compromise billions of machines since they are all running the same software Biological Diversity Computer security research: [Cohen 92], [Forrest + 97], [Cowan ], [Barrantes ], [Kc ], [Bhatkar ], [Just ], [Bhatkar, Sekar, DuVarney 2005]

38 N-Variant Systems Avoid secrets! –Keeping them is hard –They can be broken or stolen Prove security properties without relying on assumptions about secrets or probabilistic arguments Allows low-entropy variations

Variant System Input (Possibly Malicious) Server Variant 0 Server Variant 1 Monitor Output Polygrapher

40 N-Version N-Variant Programming Systems Multiple teams of programmers implement same spec Voter compares results and selects most common No guarantees: teams may make same mistake Transformer automatically produces diverse variants Monitor compares results and detects attack Guarantees: variants behave differently on particular input classes [Avizienis & Chen, 1977]

41 N-Variant System Framework Polygrapher –Replicates input to all variants Variants –N processes that implement the same service –Vary property you hope attack depends on: memory locations, instruction set, system call numbers, scheduler, calling convention, … Variant 0 Variant 1 Monitor Poly- grapher Monitor –Observes variants –Delays external effects until all variants agree –Initiates recovery if variants diverge

42 Variants Requirements Detection Property Any attack that compromises Variant 0 causes Variant 1 to “crash” (behave in a way that is noticeably different to the monitor) Normal Equivalence Property Under normal inputs, the variants stay in equivalent states: A 0 (S 0 )  A 1 (S 1 ) Actual states are different, but abstract states are equivalent

43 Memory Partitioning Variation –Variant 0: addresses all start with 0 –Variant 1: addresses all start with 1 Normal Equivalence –Map addresses to same address space Detection Property –Any absolute load/store is invalid on one of the variants

44 Instruction Set Tagging Variation: add an extra bit to all opcodes –Variation 0: tag bit is a 0 –Variation 1: tag bit is a 1 –At run-time check bit and remove it Low-overhead software dynamic translation using Strata [Scott, et al., CGO 2003] Normal Equivalence: Remove the tag bits Detection Property –Any (tagged) opcode is invalid on one variant –Injected code (identical on both) cannot run on both

45 Ideal Implementation Polygrapher –Identical inputs to variants at same time Monitor –Continually examine variants completely Variants –Fully isolated, behave identically on normal inputs Too expensive for real systems

46 Implementation Modified Linux kernel Run variants as processes Create 2 new system calls –n_variant_fork –n_variant_execve Wrap existing system calls –Replicate input –Monitor system calls V0V0 V1V1 V2V2 Kernel Hardware

47 Wrapping System Calls I/O system calls (process interacts with external state) (e.g., open, read, write) –Make call once, send same result to all variants Reflective system calls (e.g, fork, execve, wait) –Make call once per variant, adjusted accordingly Dangerous –Some calls break isolation (mmap) or escape framework (execve) –Disallow unsafe calls

Results Unmodified Apache 2-Variant, Address Partitioning 2-Variant, Instruction Tagging (1 WebBench client) (5 hosts * 6 each WebBench clients) Apache 1.3 on Linux Latency increase from 2.35 to 2.77 ms 34.2 ms 48.3 ms 17.6 ms

49 Big Research Challenges Useful variations: diversity effectiveness depends on adversary –Change some property important attack classes rely on –Don’t change properties application relies on What do we do after detecting attack? –Recover state, generate signatures, fix vulnerabilities

50 Summary Computer Security studies computing systems in the presence of adversaries –Cross-cuts all areas of CS –Projects involving disk drives, RFIDs, OS kernel, user-level applications, dynamic analysis Security Lunches (Wednesdays, 1pm) Stop by my office Wednesday, 9:30- 10:30am or to set up a time