Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna, University of California, Santa Barbara. RAID, September 2011. Presenter: 張逸文

Outline
- Introduction
- System Overview
- System Implementation
- Applications for DYMO
- Evaluation
- Security Analysis
- Related Work
- Conclusions

Introduction (1/2)
- Access control: user-based authorization
- Code identity
  - Measurements of a process
- DYMO, a system that provides a dynamic code identity primitive
  - Identity label
  - Network access

Introduction (2/2)
- Track the run-time integrity of a process: DYMO
- Extending DYMO to label network packets
- Experimental results

System Overview (1/2)
- System requirements
  - Precise
  - Secure
  - Efficient
- System design
  - Compute a cryptographic hash of each code section as the process' identity
  - Precise label computation

System Overview (2/2)
- Handling dynamically generated code
  - Don't hash dynamic code regions directly
  - Dynamically generated code appears only in certain known parts
- Secure label computation
  - Runs at a higher privilege: inside a VMM, or as part of the OS
- Efficient label computation
  - Modify the Windows memory management routines
  - The label is computed incrementally

System Implementation (1/4)
- Problems
  - DLLs loaded at run time
  - Arbitrary memory regions
  - DLL reloading
- System initialization
  1. Register for kernel-provided callbacks
  2. Hook the NT kernel system services
  3. Hook the page fault handler
  4. Use Data Execution Prevention (DEP)

System Implementation (2/4)
- Identity label generation: image hash + region hash = identity label
- Image hashes
  1. Build the process profile
  2. Locate the code segment
  3. Modify the page protection
  4. DEP exception
  5. Page fault handler

System Implementation (3/4)
- Region hashes
  1. Hook NtAllocateVirtualMemory, NtMapViewOfSection and NtProtectVirtualMemory
  2. Check for execute access
  - These executable regions are used for dynamic code generation
- Handling dynamic code generation
  - Allocator
  - Writer
  - Caller
[Figure: region hash]

System Implementation (4/4)
- Handling the PAGE_EXECUTE_READWRITE protection
  - PAGE_EXECUTE_READWRITE => PAGE_READWRITE + PAGE_EXECUTE_READ
- Establishing identity
  - Strict matching policy
  - Relaxed matching policy
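As an added example (not DYMO's own code), the following Python model ties together the three implementation slides above: the identity label formed from image hashes plus region hashes, region hashes taken when a dynamic region is first executed, and the PAGE_EXECUTE_READWRITE request split into PAGE_READWRITE followed by PAGE_EXECUTE_READ so that a page is never writable and executable at once. The matching rules are an assumption, since the slides only name the policies: strict compares the whole label, relaxed only its image part.

```python
import hashlib

# Page protections named after the Windows constants on the slides; the values are constructed.
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = "RW", "RX", "RWX"

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CodeIdentityTracker:
    """Toy model of a DYMO-style label: hashes of the loaded images (static part) plus
    hashes of dynamically generated executable pages (dynamic part), updated on faults."""

    def __init__(self, images):
        self.image_hashes = {name: sha(code) for name, code in images.items()}
        self.region_hashes = {}   # addr -> hash of a frozen dynamic-code page
        self.pages = {}           # addr -> [contents, protection]

    def allocate(self, addr, protection):
        # An RWX request is granted as RW only; execute access is added once the page is hashed.
        if protection == PAGE_EXECUTE_READWRITE:
            protection = PAGE_READWRITE
        self.pages[addr] = [b"", protection]

    def write(self, addr, data):
        page = self.pages[addr]
        if page[1] == PAGE_EXECUTE_READ:
            # Write fault on an executable page: demote it to RW and drop its stale hash.
            page[1] = PAGE_READWRITE
            self.region_hashes.pop(addr, None)
        page[0] = data

    def execute(self, addr):
        page = self.pages[addr]
        if page[1] == PAGE_READWRITE:
            # DEP execute fault: hash the page contents, then promote it to RX (no longer writable).
            self.region_hashes[addr] = sha(page[0])
            page[1] = PAGE_EXECUTE_READ
        return page[1]

    def label(self):
        image_part = sha("".join(self.image_hashes[n] for n in sorted(self.image_hashes)).encode())
        region_part = sha("".join(self.region_hashes[a] for a in sorted(self.region_hashes)).encode())
        return {"image": image_part, "region": region_part, "label": sha((image_part + region_part).encode())}

def matches(current, known, policy="strict"):
    """strict: the whole label must match; relaxed (assumed here): only the image part must match."""
    if policy == "strict":
        return current["label"] == known["label"]
    return current["image"] == known["image"]
```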

Applications for DYMO (1/2)
- Application-based access control
  - Access control based on the identity label
  - Global distribution mechanisms
  - Whitelist for all users
- DYMO network extension
  - Inject the identity label into network packets
  - Label size optimization: Huffman coding; split the label over multiple packets

Applications for DYMO (2/2)
- The injector: NDIS intermediate filter driver
- The broker: TDI filter driver
[Figure: process, broker (connection ID, process identity label), TCP/IP transport driver, injector (modified packet), network adapter]
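The two label-size optimizations named on the slide above, Huffman coding and splitting the label over several packets, as an added example that is not DYMO's code. The chunk header (connection ID, index, total), the shared code table and the network-side collector that reassembles chunks are all assumptions; the slides do not describe the wire format.

```python
import heapq
from collections import Counter

def huffman_table(symbols: str) -> dict:
    """Huffman code {symbol: bitstring} built from the symbol frequencies of the label alphabet."""
    heap = [[w, [s, ""]] for s, w in Counter(symbols).items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        lo, hi = heapq.heappop(heap), heapq.heappop(heap)
        for pair in lo[1:]: pair[1] = "0" + pair[1]
        for pair in hi[1:]: pair[1] = "1" + pair[1]
        heapq.heappush(heap, [lo[0] + hi[0]] + lo[1:] + hi[1:])
    return dict(heap[0][1:])

def compress(label: str, table: dict) -> bytes:
    bits = "".join(table[c] for c in label)
    bits += "1" + "0" * ((8 - (len(bits) + 1) % 8) % 8)   # terminator bit, then pad to a byte
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def decompress(blob: bytes, table: dict) -> str:
    bits = bin(int.from_bytes(blob, "big"))[2:].zfill(len(blob) * 8)
    bits = bits[: bits.rindex("1")]                      # drop the pad and the terminator
    rev, out, cur = {v: k for k, v in table.items()}, [], ""
    for b in bits:
        cur += b
        if cur in rev:
            out.append(rev[cur]); cur = ""
    return "".join(out)

def inject(conn_id: int, label: str, table: dict, room: int) -> list:
    """Injector side: the coded label is split into chunks, one per outgoing packet.
    The chunk header (conn, idx, total) is a constructed format, not DYMO's."""
    blob = compress(label, table)
    parts = [blob[i:i + room] for i in range(0, len(blob), room)]
    return [{"conn": conn_id, "idx": i, "total": len(parts), "data": p} for i, p in enumerate(parts)]

class LabelCollector:
    """Network-side receiver (assumed): reassembles chunks per connection ID, in any order."""
    def __init__(self, table):
        self.table, self.pending = table, {}

    def receive(self, chunk):
        got = self.pending.setdefault(chunk["conn"], {})
        got[chunk["idx"]] = chunk["data"]
        if len(got) < chunk["total"]:
            return None                                  # still waiting for more packets
        del self.pending[chunk["conn"]]
        return decompress(b"".join(got[i] for i in range(chunk["total"])), self.table)
```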

Evaluation (1/3)
- Label precision
  - Three experimental environments
  - Training database
  - 93% of applications' labels are precise
- Effect of process tampering
  - Tampering by malware
  - Tampering by exploits
- Performance impact

Evaluation (2/3)

Evaluation (3/3)
- PassMark, AppTimer tool: < 1 sec.

Security Analysis
- Create executable memory regions
- Add code to a trusted program
- Tamper with the data of a process (non-control-data attack)

Related Work
- Local identification
  - Patagonix: a hypervisor-based system
  - Tripwire: static code identity
- Remote identification
  - Sailer et al.: Trusted Platform Module, identifying applications for remote attestation

Conclusion
- DYMO, a dynamic code identity primitive
- Extends DYMO to network packets
- An acceptable performance overhead
- Future work
  - Extending DYMO to other platforms
  - A sophisticated network-level policy enforcement mechanism