06/21/01 Copyright © 2001 WireX Communications, Inc. 1 Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc.


Slide 1: Autonomix: Component, Network, and System Autonomy

Crispin Cowan, Ph.D, WireX Communications, Inc, wirex.com
David Maier & Lois Delcambre, Oregon Graduate Institute of Science & Technology

Slide 2: Outline

Brief recap
– Component Autonomy: FormatGuard, RaceGuard
– Network & System Autonomy: Babelfish, Adaptation Space
Detail recent work
– Component Autonomy: PointGuard, CryptoMark, LSM: Linux Security Module
– Network & System Autonomy: Experimentation

Slide 3: Recap: Component, Network, and System Autonomy

Component Autonomy (WireX)
– Tight loop
– Complete loop: detection, decision, response
– Spins off intrusion events
Network and System Autonomy (OGI)
– Network: infrastructure tool; IDS event and response protocol translator
– System: orchestrator; Adaptation Space

Slide 4: Component Autonomy: Technical Objectives

Family of tools to guard components against common software vulnerabilities:
– StackGuard: protection from “stack smashing” buffer overflows
– SubDomain: lightweight mandatory access controls
– FormatGuard: protection from printf format bugs
– RaceGuard: protection from temp file races
– PointGuard: generalized StackGuard
– IPGuard: protect against invalid packet sequence attacks
– CryptoMark: kernel-enforced digital signatures for programs
– Linux Security Module: facilitate kernel loadable security extensions
Objective: vulnerability tolerance

Slide 5: Technical Approach: Abstract

Approach
– Local intrusion response
– Catch intrusion in process
– Halt exploited component
The Canary Technique: detect attacks in progress
– Place a sacrificial canary where an attack will show tampering
– Monitor canary
– If canary destroyed, then attack is happening

Slide 6: Quick Review

Results previous to this project
– StackGuard: protection from “stack smashing” buffer overflows
– SubDomain: lightweight mandatory access controls
Previously reported Autonomix results
– FormatGuard: protection from printf format bugs
– RaceGuard: protection from temp file races
– Relative Invulnerability: empirical measurement of effectiveness of these tools, individually and in combination

Slide 7: StackGuard

Problem: buffer overflow vulnerabilities
Solution:
– Compiler enhancement to detect & halt exploitation of buffer overflows
– Approach: integrity check activation records
Status:
– Complete, working since 1998
– Being forward-ported to GCC 3.0
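The canary technique of slide 5 and StackGuard's activation-record integrity check, modelled in user space. This is an added example, not WireX's StackGuard code; the frame layout, the fixed canary value, the constructed return address and all function names are assumptions made for the model.

```c
/* Added example, not WireX's StackGuard code: a user-space model of the canary
 * technique. A "frame" mimics an activation record laid out the way stack
 * smashing relies on: local buffer, then the canary word, then the saved
 * return address. An unbounded copy into the buffer has to pass through the
 * canary to reach the return address, and the epilogue check catches that.
 * StackGuard emits the same check in GCC's function epilogue. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

struct frame {
    char buf[BUF_SIZE];     /* local array, the usual overflow target */
    uint32_t canary;        /* sacrificial word placed above the locals */
    uintptr_t saved_ret;    /* the return address an overflow aims for */
};

/* Per-process random canary; StackGuard picks one at startup. A fixed,
 * constructed value is used here so the example is deterministic. */
static const uint32_t process_canary = 0xA5C3F00Du;

/* "Prologue": plant the canary between the locals and the return address. */
static void frame_enter(struct frame *f, uintptr_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = process_canary;
    f->saved_ret = ret;
}

/* "Epilogue": 1 if the canary is intact, 0 if it has been destroyed. */
static int frame_check(const struct frame *f) {
    return f->canary == process_canary;
}

/* The buggy body: copies len bytes starting at buf with no bound, which is
 * the defect StackGuard contains. buf sits at offset 0 of the struct and len
 * is clamped to the struct size, so the model itself stays inside one object. */
static void frame_copy_unchecked(struct frame *f, const void *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);   /* runs past buf into canary/ret */
}

/* Run one input through the modelled frame. Returns 1 when the epilogue
 * check would halt the process, 0 when the input fit and the canary held. */
int canary_detects(const void *input, size_t len) {
    struct frame f;
    frame_enter(&f, (uintptr_t)0x08048ABCu);   /* constructed return address */
    frame_copy_unchecked(&f, input, len);
    return !frame_check(&f);
}

/* Convenience: feed len copies of one byte, such as a long run of 'A'. */
int canary_detects_fill(unsigned char byte, size_t len) {
    unsigned char tmp[64];   /* larger than any frame this model builds */
    if (len > sizeof tmp) len = sizeof tmp;
    memset(tmp, byte, len);
    return canary_detects(tmp, len);
}

int main(void) {
    const char *req = "GET /index";   /* constructed 10-byte request: fits */
    printf("benign input: %s\n", canary_detects(req, strlen(req)) ? "halt" : "ok");
    printf("64 x 'A'    : %s\n", canary_detects_fill('A', 64) ? "halt" : "ok");
    return 0;
}
```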

Slide 8: SubDomain

Problem: vulnerable over-privileged programs run as root
Solution:
– Confine programs to a limited set of files
Status:
– Complete, working since 1999, published in December 2000

Slide 9: FormatGuard

Problem: printf format string vulnerabilities
Solution:
– Compile-time CPP macro and wrapper to do argument counting on printf-like function calls
Status:
– Complete, working since October 2000
– Paper at USENIX Security 2001, August, DC
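The argument-counting idea behind FormatGuard, as an added example that is not the FormatGuard source: a CPP macro counts the call-site arguments and a scanner counts the conversions the format will consume. The macro and function names are made up here, and the real tool's abort is replaced with a logged refusal.

```c
/* Added example, not the FormatGuard source: argument counting for printf-like
 * calls. A CPP macro counts the arguments at the call site and a small scanner
 * counts the conversions the format string will consume; when the two differ
 * the call is refused before printf ever sees the format. FormatGuard itself
 * logs the mismatch and aborts; this model logs and returns -1 instead. */
#include <stdarg.h>
#include <stdio.h>

/* Number of arguments handed to a variadic macro (1 to 10; needs at least one). */
#define FG_NARG(...) FG_NARG_(__VA_ARGS__, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1)
#define FG_NARG_(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10, N, ...) N

/* Arguments a format string consumes: one per conversion plus one for every
 * '*' width or precision; "%%" consumes none. Returns -1 for a '%' with no
 * conversion after it, which is a malformed format in its own right. */
int fg_count_specifiers(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;              /* literal percent sign */
        /* flags, width, precision, length modifier: stop at the first letter */
        while (*p && !((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z'))) {
            if (*p == '*') n++;               /* '*' pulls an int argument */
            p++;
        }
        if (*p == '\0') return -1;            /* dangling '%' */
        n++;                                  /* the conversion itself */
    }
    return n;
}

/* 1 if the call is consistent with its format, 0 if it must be refused. */
int fg_check(const char *fmt, int nargs) {
    int need = fg_count_specifiers(fmt);
    if (need < 0 || need != nargs) {
        fprintf(stderr, "FormatGuard: format \"%s\" needs %d argument(s), "
                        "call supplies %d; refused\n", fmt, need, nargs);
        return 0;
    }
    return 1;
}

/* Wrapper the macro expands to: check first, then hand the call to vprintf. */
int fg_printf(int nargs, const char *fmt, ...) {
    if (!fg_check(fmt, nargs)) return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = vprintf(fmt, ap);
    va_end(ap);
    return r;
}

/* Drop-in replacement for printf calls that pass at least one argument after
 * the format (a zero-argument call would need the ##__VA_ARGS__ extension). */
#define FG_PRINTF(fmt, ...) fg_printf(FG_NARG(__VA_ARGS__), fmt, __VA_ARGS__)

int main(void) {
    const char *user = "alice";                  /* constructed inputs */
    FG_PRINTF("user=%s uid=%d\n", user, 1000);   /* 2 needed, 2 given: printed */
    FG_PRINTF("user=%s uid=%d\n", user);         /* 2 needed, 1 given: refused */
    return 0;
}
```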

Slide 10: RaceGuard

Problem: temporary file race vulnerabilities
Solution: detect races in progress
– Cache stat() calls that probe for existence of files
– Detect creat() calls that match stat() calls and hit existing files
Status:
– Complete, working since February 2001
– Paper at USENIX Security 2001, August, DC
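The RaceGuard stat()/creat() matching rule, as an added example that is not the RaceGuard kernel code: the per-process cache and the two wrappers are written against a tiny in-memory stand-in for the filesystem, and the path names and function names are constructed for the model.

```c
/* Added example, not the RaceGuard kernel patch: the RaceGuard rule run over a
 * constructed syscall trace. A stat() that finds no file is cached for the
 * process; a later creat() of the same name that finds a file present matches
 * the cached probe, the signature of a temp-file race, and is denied. */
#include <stdio.h>
#include <string.h>

enum { MAX_FILES = 16, CACHE_SLOTS = 8, NAME_LEN = 64 };

/* Modelled filesystem, so the trace runs offline: names that currently exist. */
static const char *fs_names[MAX_FILES];
static int fs_count;
static int fs_exists(const char *path) {
    for (int i = 0; i < fs_count; i++)
        if (strcmp(fs_names[i], path) == 0) return 1;
    return 0;
}
static void fs_create(const char *path) {
    if (!fs_exists(path) && fs_count < MAX_FILES) fs_names[fs_count++] = path;
}

/* Per-process RaceGuard cache: names probed with stat() and found absent. */
struct rg_cache { char probed[CACHE_SLOTS][NAME_LEN]; int n; };

/* stat() wrapper: 0 if the file exists, -1 (ENOENT) if not; absent names are
 * remembered because the program is probably about to create them. */
int rg_stat(struct rg_cache *c, const char *path) {
    if (fs_exists(path)) return 0;
    if (c->n < CACHE_SLOTS) snprintf(c->probed[c->n++], NAME_LEN, "%s", path);
    return -1;
}

/* creat() wrapper: 1 if creation proceeds, 0 if RaceGuard denies it because
 * this process probed the name, found nothing, and now finds a file there.
 * A matched probe is consumed either way, so a later creat() stands alone. */
int rg_creat(struct rg_cache *c, const char *path) {
    for (int i = 0; i < c->n; i++) {
        if (strcmp(c->probed[i], path) != 0) continue;
        c->probed[i][0] = '\0';                  /* consume the cache entry */
        if (fs_exists(path)) {
            fprintf(stderr, "RaceGuard: %s appeared after stat(); creat() denied\n", path);
            return 0;
        }
        break;
    }
    fs_create(path);
    return 1;
}

/* Race: probe, another process plants the name, create. Returns 0 when caught. */
int rg_scenario_race(void) {
    struct rg_cache c = { {{0}}, 0 };
    fs_count = 0;
    rg_stat(&c, "/tmp/app.lock");           /* absent: probe cached */
    fs_create("/tmp/app.lock");             /* the interloper wins the race */
    return rg_creat(&c, "/tmp/app.lock");
}
/* Benign: the same sequence with nobody interfering. Returns 1. */
int rg_scenario_benign(void) {
    struct rg_cache c = { {{0}}, 0 };
    fs_count = 0;
    rg_stat(&c, "/tmp/app.lock");
    return rg_creat(&c, "/tmp/app.lock");
}

int main(void) {
    printf("race caught: %d  benign allowed: %d\n", rg_scenario_race() == 0, rg_scenario_benign());
    return 0;
}
```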

Slide 11: Major Achievement: Low-Effort Protection

These tools are highly transparent:
– Performance overhead: under 2% across the board, usually lower
– Compatibility issues: minimal
  – Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard
  – RaceGuard works on binary code, currently breaks nothing
– Administrative overhead: nil

Slide 12: Major Achievement: Relative Invulnerability

Proposed metric:
– Compare a “base” system against a system protected with Immunix tools
– Count the number of known vulnerabilities stopped by the technology
– “Relative Invulnerability”: % of vulnerabilities stopped

Slide 13: Immunix Relative Invulnerability

Immunix System 7:
– Based on Red Hat 7.0
– Compare Immunix vulnerability to Red Hat’s Errata page (plus a few they don’t talk about :-)
October 1, May 25, 2001:
– 57 vulnerabilities total
– 16 remote, 41 local
– 53 penetration, 4 DoS
– 13 remote penetration

Slide 14: Immunix Relative Invulnerability

[chart: not captured in the transcript]

Slide 15: New Stuff

New Autonomix Component Technologies
– PointGuard: generalized StackGuard
– IPGuard: protect against invalid packet sequence attacks
– CryptoMark: kernel-enforced digital signatures for programs
– Linux Security Module: facilitate kernel loadable security extensions

Slide 16: PointGuard

Generalization of StackGuard
– StackGuard protects the return address value in activation records
– PointGuard protects all pointers
Innovative method: the zero-space canary
– XOR all pointers with a random canary as they are moved from memory to registers & back again

Slide 17: PointGuard Implementation

Dig into the GCC type system
– Mediate all loads & stores of pointers
Leveraging a project called “Bounded Pointers”
– BP makes a pointer a tuple, checks range on each access
– PointGuard’s XOR is faster
– XOR less intrusive: data structures don’t change size
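The zero-space canary from the two PointGuard slides above, as an added example that is not PointGuard's GCC code: the load and store mediation the compiler would emit is written out by hand, with a constructed key, record type and function names.

```c
/* Added example, not the PointGuard GCC patch: the zero-space canary. A pointer
 * is XORed with a per-process secret on its way to memory and XORed again when
 * loaded back, so the in-memory form changes no data structure's size, and an
 * overwrite of the stored word with an attacker-chosen address decodes to an
 * unpredictable value rather than that address. The load/store mediation the
 * compiler would emit is written out by hand here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-process secret, chosen randomly at startup; a constructed constant
 * here so the example is deterministic. */
static uintptr_t pg_key = (uintptr_t)0x5A17C0DE2B3D9E41ull;

/* Store side: encode before the pointer reaches memory. */
static void pg_store(uintptr_t *slot, const void *p) {
    *slot = (uintptr_t)p ^ pg_key;
}
/* Load side: decode on the way into a register. */
static const void *pg_load(const uintptr_t *slot) {
    return (const void *)(*slot ^ pg_key);
}

/* A heap/static object holding a pointer: the kind of target the slides say
 * newer overflows go after. The pointer field keeps its normal word size. */
struct record {
    char name[16];
    uintptr_t target;   /* encoded pointer to the data this record uses */
};

static const char greeting[] = "hello";        /* legitimate target */
static const char secret[]   = "shadow data";  /* what an overwrite aims at */

/* 1 if a stored pointer comes back unchanged through encode/decode. */
int pg_roundtrip_ok(void) {
    struct record r;
    memset(&r, 0, sizeof r);
    pg_store(&r.target, greeting);
    return pg_load(&r.target) == (const void *)greeting;
}

/* Model a memory-corruption write that replaces the stored word with the raw
 * address of secret, as a writer who does not know pg_key would. Returns 1 if
 * the program would then follow the pointer to secret, 0 if the decoded value
 * points elsewhere (in practice a fault: the core dump the slides mention). */
int pg_overwrite_hits_target(void) {
    struct record r;
    memset(&r, 0, sizeof r);
    pg_store(&r.target, greeting);
    r.target = (uintptr_t)secret;           /* the corrupting write */
    return pg_load(&r.target) == (const void *)secret;
}

int main(void) {
    printf("round trip intact       : %d\n", pg_roundtrip_ok());
    printf("overwrite reaches target: %d\n", pg_overwrite_hits_target());
    printf("record size with encoded pointer: %zu bytes\n", sizeof(struct record));
    return 0;
}
```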

Slide 18: PointGuard Current Status

Mid-way through implementation:
– Changing BP’s code generator to emit XOR code instead of bounds-checking code
Slow going: modifying the deep guts of GCC is hard:
– Large
– Complex
– Poorly documented
– Moving target

Slide 19: PointGuard Future Issues

Dealing with non-PointGuard code
– Kernel system calls
– Mixed libraries
– GOT: Global Offset Table
Project is long, slow
– May not finish without option

Slide 20: PointGuard Impact

StackGuard used to get most buffer overflows, but declining
– Attackers have mined out many stack overflows
– New stuff overflows buffers on the heap, static data
PointGuard will stop all currently known buffer overflows
Compromise: intrusion detection event no longer pretty
– Application dumps core instead of a clear-cut syslog event

Slide 21: PointGuard Impact

[chart: not captured in the transcript]
PointGuard will bring these to 9/13 (69%) & 6/8 (75%)

Slide 22: Code Red vs. Immunix

Could Immunix have stopped Code Red?
– No, not directly: Immunix is for Linux, Code Red is for Windows
However: Immunix can stop similar worms for Linux
– StackGuard & FormatGuard stopped all three vulnerabilities in the “Ramen” worm
– StackGuard & PointGuard would have stopped the vulnerabilities in the “Lion” worm

Slide 23: CryptoMark

Problem: malicious code
– Trojans, sniffers, DDoS zombies
Solution: digital certificates for programs
– Platform vendor or site admin has a private key, signs all executables to be run
– Platform stores the public key, checks the certificate on each program as it executes
– Unauthorized injected code doesn’t get to run

Slide 24: CryptoMark Trust Models

Meta key: the Authenticode model
– Microsoft signs keys used by software vendors
– Vendors distribute whatever they want, and it is marked “certified”
– Problem: there are hundreds of MS Certified vendors, and you have to trust all of them
Single key: only one key signs all programs
– Limited flexibility: only one distributor of software
– Enhanced security: don’t have to worry about rogue key holders
– Good for fixed-purpose appliances

Slide 25: CryptoMark Implementation & Status

CryptoMark 1.0: used GPG crypto software
– Difficult to use, because it’s not a library
– Slow: CryptoMark 1.0 imposes 200% to 500% overhead
CryptoMark 2.0: using OpenSSL
– This really is a library
– RSA public key should be faster than El Gamal
– Work in progress, should be done soon

Slide 26: IPGuard

Problem: invalid packet sequence DoS attacks
– E.g. Ping of Death, Land, Teardrop, etc.
Attacks are actually weak integrity attacks:
– Force the kernel to crash by exploiting an assumed property of network input
– Ping of Death: simple datagram > 64KB in length
– Nestea, Teardrop: inconsistent fragmented sequence of packets

Slide 27: IPGuard Proposed Solution

Modular error recovery within a monolithic kernel
– Consider the network stack to be an isolated module
– Flip a status bit whenever the kernel is “in” the network stack
– Mediate panic(): if the fault is a seg fault reference, and the kernel was “in” the network stack, then try resetting the network code instead of rebooting the machine

Slide 28: IPGuard Issues & Status

Issues:
– May generalize to making many parts of a monolithic kernel recoverable
– Hard to make components sufficiently isolated to recover individually
Status:
– Deferred in favor of LSM
– Probably won’t emerge without option

Slide 29: LSM: Linux Security Module

Standard Linux kernel limited to the classical UNIX security model:
– root is everything
– POSIX.1e Capabilities
Linux kernel a common target for security research
– Immunix: SubDomain, RaceGuard
– SELinux, RSBAC, LIDS, LOMAC, DTE, NAI Wrappers, Janus, SGI CAPP, etc.

Slide 30: LSM: Linux Security Module

Unfortunately, none are standard to Linux
– Maintained as kernel patches
– To deploy them, must acquire a custom kernel
Linus would like to support advanced security policy, but is not willing to endorse one project
– Too political… “My security policy is better than yours.”
– Linus is not a security expert, and doesn’t want to be
– Linux is about choice anyway
Solution: enrich Linux’s module interface to support security policy modules

Slide 31: LSM - Design Goal

Create a general-purpose framework to enable pluggable security modules
– Be general enough to support existing security projects: Janus, LIDS, SELinux, SubDomain, RSBAC, DTE, SGI CAPP, etc.
– Work with the community to define each project's needs
– Continue to support root/Capabilities, perhaps as a module

Slide 32: LSM Community

470 people subscribed to the LSM mailing list
Active participation (code :-) from:
– WireX
– SELinux (NAI)
– SGI
– Harvey Mudd College
– Janus (David Wagner, UC Berkeley)

Slide 33: LSM - Architecture

Framework is agnostic: always push policy decisions into the module
– Permissive: grant access where the kernel would have denied
– Restrictive: deny access where the kernel would have granted
Interpose at kernel object access rather than strictly the syscall interface
– Add an opaque security ID to each object

Slide 34: LSM - What we have now

A general hook method: a structure of function pointers
– Pervasive hook placement in the VFS layer
– IPC and sockets under construction
Permissive hooks provide coarse granularity (place hook in capabilities as foundation)
– 32-bit vector, e.g. capable(CAP_SYS_NICE)
Restrictive hooks provide fine granularity
– Free-form argument list, e.g. setnice(task, nicval)
Ability to load a security module to enforce a specific policy, e.g. POSIX.1e Capabilities
Ability to stack modules to allow module dependency
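A cut-down model of the hook method described on this slide, added here as an example and not the LSM kernel interface: a function-pointer structure as the hook table, one permissive and one restrictive hook, and module stacking by chaining. The structure, function and capability names and the site policy are constructed for the model.

```c
/* Added example: a simplified model of the hook method, not the LSM kernel
 * interface itself. A structure of function pointers is the hook table; the
 * framework dispatches every decision to the loaded module and holds no policy
 * of its own; a permissive hook is the coarse capable() check and a restrictive
 * hook takes a free-form argument list; a second module stacks on the first by
 * chaining to it. Names, the capability bit and the site policy are made up. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_NICE 23   /* constructed bit number in the 32-bit vector */

struct task { const char *comm; unsigned int cap_effective; };

/* The hook table a module registers. Hooks return 0 to allow, -EPERM to deny. */
struct security_ops {
    int (*capable)(struct task *t, int cap);          /* permissive, coarse */
    int (*task_setnice)(struct task *t, int nice);    /* restrictive, fine */
};

static struct security_ops *security_ops;   /* the module currently loaded */

/* Framework side: no policy here, only dispatch into the module. */
int security_capable(struct task *t, int cap)  { return security_ops->capable(t, cap); }
int security_setnice(struct task *t, int nice) { return security_ops->task_setnice(t, nice); }

/* Module 1: classical root/POSIX.1e capabilities as the foundation module. */
static int cap_capable(struct task *t, int cap) {
    return (t->cap_effective >> cap) & 1u ? 0 : -EPERM;
}
static int cap_setnice(struct task *t, int nice) {
    return nice < 0 ? cap_capable(t, CAP_SYS_NICE) : 0;   /* raising priority needs the cap */
}
static struct security_ops capability_ops = { cap_capable, cap_setnice };

/* Module 2: a stricter site policy stacked on top. It decides what it cares
 * about and chains everything else to the module that was loaded before it. */
static struct security_ops *chained;
static int strict_capable(struct task *t, int cap) { return chained->capable(t, cap); }
static int strict_setnice(struct task *t, int nice) {
    if (nice < 0 && strcmp(t->comm, "sched_daemon") != 0)
        return -EPERM;                       /* only one program may raise priority */
    return chained->task_setnice(t, nice);
}
static struct security_ops strict_ops = { strict_capable, strict_setnice };

void lsm_register(struct security_ops *ops) { security_ops = ops; }
void lsm_stack(struct security_ops *ops)    { chained = security_ops; security_ops = ops; }

/* Load the capability module, optionally stack the strict one on it, then ask
 * the kernel-side hook whether the named task may set the given nice value. */
int lsm_scenario_setnice(const char *comm, unsigned int caps, int nice, int stacked) {
    struct task t = { comm, caps };
    lsm_register(&capability_ops);
    if (stacked) lsm_stack(&strict_ops);
    return security_setnice(&t, nice);
}

int main(void) {
    unsigned int root = 1u << CAP_SYS_NICE;
    struct task web = { "httpd", 0 };
    printf("httpd -5, caps only : %d\n", lsm_scenario_setnice("httpd", root, -5, 0));
    printf("httpd -5, stacked   : %d\n", lsm_scenario_setnice("httpd", root, -5, 1));
    printf("sched_daemon -5     : %d\n", lsm_scenario_setnice("sched_daemon", root, -5, 1));
    lsm_register(&capability_ops);
    printf("capable() without the bit: %d\n", security_capable(&web, CAP_SYS_NICE));
    return 0;
}
```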

Slide 35: LSM - What's next

Phase 1:
– Complete support for access control modules
– Submit to the Linux 2.5 kernel
Phase 2:
– Consider extended support for audit
– More permissive hooks beyond Capabilities?
– See if Linus is interested

Slide 36: Task schedule

FormatGuard: delivered
RaceGuard: lab prototype works
– Delivered to DARPA for experimentation
– Should be in Immunix OS 7.1 by fall 2001
PointGuard: long-term development
CryptoMark: expect to deliver in fall 2001
IPGuard: starving
Integrated Drop: prototype delivered, now available for commercial sale
LSM: under development

Slide 37: Transition of Technology

Open source: StackGuard, FormatGuard, and RaceGuard are all GPL’d
Commercial:
– All being incorporated into WireX Server Appliance products
  – Server appliance: a server for dummies
  – Thus the need for dummy-proof security
  – For sale through eLinux.com, eBiz, FlexiServe (UK)
– Immunix OS 7.0: hardened Linux distribution
  – Available for purchase through wirex.com and eLinux.com
  – Licensed by Counterpane

Slide 38: Network and System Autonomy (OGI)

Network
– Abstract utility for translating data representations
– Application: translate incompatible IDS events and responses
System
– Adaptation Space: formal model for reasoning about alternative implementations

Slide 39: Network Autonomy: Technical Objective

What we are trying to accomplish:
– Support a single autonomic response environment that easily accommodates sensors, detectors, analyzers (e.g. an orchestrator) and responders that communicate using a variety of languages/protocols

Slide 40: Experiment: Shunning an FTP Client

Scenario:
– Attacker has compromised a node within our LAN
– Now attacking internal FTP servers
– StackGuard or FormatGuard intrusion events occurring
Response: “shun” that node from FTP servers

Slide 41: S.N.A.R.E Testbed (Systemic & Network Autonomic Response)

[diagram: only the labels survive in the transcript]
Sensors/Detectors: StackGuard Event, Other Events …
Orchestrator (e.g., SoSmart CBR), Navigator, System State, SARA
High-level directive (e.g., “shun FTP requests from H_i on LAN”); notify and monitor (where j ≠ i)
Implementation alternatives, configured with Adaptation Space(s): ADF at H_i; IPChains via SNMP at H_j; TCP Wrappers at H_j; Kill FTP at H_j; xinetd at H_j; Windows Personal Firewall at H_j; Do Nothing (e.g., hardened or not running FTP) at H_j

Slide 42: Experiment: Shunning an FTP Client

Shunning options:
– ADF firewall NIC: can shun the bad node at that node
– TCP Wrappers or other “Personal Firewalls”: requires telling everyone else on the LAN to shun the bad node
Adaptation space: chooses the “best” implementation, depending on what is available

Slide 43: Summary

Component Autonomy:
– Largely working software
– Running on this laptop: StackGuard, FormatGuard, RaceGuard, and SubDomain
– Coming soon: CryptoMark
– Coming eventually: PointGuard, IPGuard, LSM
– Available piecewise, or integrated into Immunix OS and Immunix server appliances, at wirex.com, eLinux.com
Network & System Autonomy:
– Largely a work in progress