WireX Immunix Server Software Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc wirex.com David Maier &


Autonomix: Component, Network, and System Autonomy
Crispin Cowan, Ph.D, WireX Communications, Inc, wirex.com
David Maier & Lois Delcambre, Oregon Graduate Institute of Science & Technology

Component, Network, and System Autonomy
Component Autonomy (WireX)
 Tight loop
 Complete loop: Detection, Decision, Response
 Spins off intrusion events
Network and System Autonomy (OGI)
 Network: Infrastructure tool, an IDS event and response protocol translator
 System: Orchestrator, based on the Adaptation Space

Component Autonomy: Technical Objectives
Family of tools to guard components against common software vulnerabilities
 StackGuard: protection from “stack smashing” buffer overflows
 SubDomain: lightweight mandatory access controls
 PointGuard: generalized StackGuard
 FormatGuard: protection from printf format bugs
 RaceGuard: protection from temp file races
Objective: eliminate 90-99% of software vulnerabilities

Existing Practice: How is it done now?
Patches
 Urgent patches
 Lots of them
Mandatory access control
 Argus Pitbull, Type Enforcement, DTE, etc.
 Contains damage when software is cracked
 Substantial costs in administration and performance
A few systematic tools:
 OpenWall, chroot

Technical Approach: Abstract
Approach
 Local intrusion response
 Catch intrusion in process
 Halt exploited component
The Canary Technique
Detect attacks in progress:
 Place a sacrificial canary where an attack will show tampering
 Monitor canary
 If canary destroyed, then attack is happening

Buffer Overflows: The Basic Problem
Weak bounds checking in programs
Attackers provide more input than program can accommodate
Take control of program
Exploit program’s privilege
This is the leading software security vulnerability
 Majority of CERT advisories for the last several years

Buffer Overflow Attacks
Program normally expects a short string
 E.g. for user-ID “fred”
Attacker provides a big string
 Overflows buffer
 E.g. “fredjklsjoiwi”
Corrupts adjacent program state
Attacker takes control
[Diagram: server program with a User-ID buffer next to “adjacent state”; normal network input “fred” fits in the buffer, while the attacker’s network input “fredjklsjoiw” spills over into the adjacent state, leaving the attacker in control]

StackGuard Defense
Protect objects with canary integrity checks
If canary is obliterated by attacker’s big string...
Intruder Alert!
 Raise alarms
 Shut down process
 Do not give control to attacker
[Diagram: canary placed between the User-ID buffer and the adjacent state; normal network input “fred” leaves the canary intact, while the attacker’s “fredjklsjoiw” obliterates the canary and raises the alert]
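The canary technique from these slides, written out as an added illustration (this is not StackGuard’s code or any WireX code). A function’s activation record is modelled as one byte array so that the overflowing copy stays inside a defined object and the result is deterministic; the buffer size, the field offsets and the 4-byte canary value are constructed for the example, the latter standing in for the random value StackGuard would pick.

```c
/* Canary integrity check over a modelled activation record.
 * Added illustration; layout and canary value are constructed. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16                        /* the "User-ID" buffer          */
#define CANARY_OFF  BUF_SIZE                  /* canary sits right above it     */
#define CANARY_LEN  4
#define STATE_OFF   (CANARY_OFF + CANARY_LEN) /* "adjacent state", e.g. the     */
#define STATE_LEN   8                         /* saved return address           */
#define FRAME_SIZE  (STATE_OFF + STATE_LEN)

/* Stand-in for a per-process random canary (constructed value). */
static const unsigned char CANARY[CANARY_LEN] = { 0xC4, 0x3A, 0x91, 0x7E };

struct frame { unsigned char bytes[FRAME_SIZE]; };

/* Prologue: lay out buffer, canary and adjacent state. */
static void frame_init(struct frame *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + CANARY_OFF, CANARY, CANARY_LEN);
    memset(f->bytes + STATE_OFF, 0xAA, STATE_LEN);   /* pretend return address */
}

/* The weak bounds check from the slides: the copy is limited only by the
 * frame, not by the buffer, so a long user-ID spills into canary and state. */
static void weak_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;               /* stay inside the model */
    memcpy(f->bytes, input, n);
}

/* Epilogue: the integrity check. 1 = canary intact, 0 = tampered. */
static int canary_intact(const struct frame *f)
{
    return memcmp(f->bytes + CANARY_OFF, CANARY, CANARY_LEN) == 0;
}

/* Whole "server" path: copy the input, then check the canary before the
 * adjacent state is trusted. Returns 1 to proceed, 0 to abort the process. */
int handle_user_id(const char *input)
{
    struct frame f;
    frame_init(&f);
    weak_copy(&f, input);
    if (!canary_intact(&f)) {
        fprintf(stderr, "canary destroyed: attack in progress, aborting\n");
        return 0;   /* raise alarm, shut down; never use the corrupted state */
    }
    return 1;
}

int main(void)
{
    printf("fred              -> %s\n", handle_user_id("fred") ? "ok" : "ALERT");
    printf("fredjklsjoiwixxx... -> %s\n",
           handle_user_id("fredjklsjoiwixxxxxxxxxxxxxx") ? "ok" : "ALERT");
    return 0;
}
```

The check has to run before the adjacent state is used (in a real compiler, in the function epilogue before the return), and the canary value must be unpredictable: an attacker who knows it can write it back in place as part of the overflow.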

StackGuard Demo
Many of you have seen this before…
Fairly current vulnerability: qpopper
 POP3 mail server
 Remote buffer overflow vulnerability can get a root shell
Attack produces:
 Syslog event
 qpopper aborts
Demo

Generalized StackGuard: PointGuard
StackGuard: protects the return address in function call activation records
 Good against majority of buffer overflows
 Decreasing fraction of attacks
PointGuard: generalizes to protect all pointers in the program
 Integrity check all pointers before dereferencing
 Should be good against most forms of buffer overflow

Format Bugs: The Basic Problem
Discovered suddenly in June 2000
 Remote root vulnerability in WU-FTPD
 Followed by dozens of similar vulnerabilities
Basis: arcane %n printf format string directive
 Tells printf to treat the corresponding argument as an int * and write back the number of characters formatted so far
Problem: programs that pass un-filtered user input strings directly to printf

Format Bug Attacks
Program normally expects a plain text string
 E.g. for user-ID “fred”
Attacker provides a format string
 E.g. “fred %n”
Program printf’s it
 Interpreting %n writes to some other part of the program
Taking control of the program
[Diagram: server program receives “fred %n” as the User-ID over the network; the %n write lands at address 0x1234 on the call stack]

FormatGuard
First general solution to format bugs
 October 2000
Wraps *printf style functions for safety (including syslog)
 Count the number of arguments
 Count the number of % directives
 If mis-match, then reject the call
But counting arguments is hard
 C’s varargs mechanism does not permit counting

FormatGuard: How to Count Arguments
We use GCC/CPP macros:
 GCC/CPP lets you condense & expand variable argument lists, Lisp-style
 Built an argument_count macro
 Defined printf(args) -> safe_printf(arg_count(args), args)
 safe_printf counts the number of % directives in the format string
 reject mis-matched calls
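The two counts and the wrapped call from these two slides, as an added example (not FormatGuard’s code). The slides’ argument_count macro is not shown, so the standard “reverse sequence” preprocessor trick is assumed in its place as ARG_COUNT, limited to 8 arguments here; count_directives, format_matches, safe_printf and SAFE_PRINTF are names chosen for the example.

```c
/* FormatGuard-style check: refuse a printf call whose format string would
 * consume more or fewer arguments than were supplied. Added illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of arguments a format string will consume: one per conversion
 * (%n included), plus one per '*' width or precision; "%%" consumes none.
 * Returns -1 for a directive cut off at the end of the string ("abc %"). */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* literal percent sign */
        /* flags, width, precision and length modifiers, then the conversion */
        while (*p && !strchr("diouxXeEfFgGaAcspn", *p)) {
            if (*p == '*') n++;                        /* '*' pulls an int arg */
            p++;
        }
        if (!*p) return -1;                            /* truncated directive  */
        n++;                                           /* the conversion itself */
    }
    return n;
}

/* Count the macro arguments, format string included (1..8). Assumed stand-in
 * for the slides' argument_count macro. */
#define ARG_COUNT(...) ARG_COUNT_(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define ARG_COUNT_(_1, _2, _3, _4, _5, _6, _7, _8, N, ...) N

/* The wrapped call from the slides: printf(args) -> safe_printf(count, args).
 * The format string is one of the macro arguments, hence the "- 1". */
#define SAFE_PRINTF(...) safe_printf(ARG_COUNT(__VA_ARGS__) - 1, __VA_ARGS__)

/* 1 when the directive count equals the argument count, else 0. */
int format_matches(int nargs, const char *fmt)
{
    return count_directives(fmt) == nargs;
}

/* Returns what printf would return (characters written), or -1 if rejected. */
int safe_printf(int nargs, const char *fmt, ...)
{
    if (!format_matches(nargs, fmt)) {
        fprintf(stderr, "rejected format \"%s\": %d directive(s), %d argument(s)\n",
                fmt, count_directives(fmt), nargs);
        return -1;                 /* FormatGuard also syslogs the event */
    }
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    const char *user_id = "fred %n";          /* constructed attacker-style input */
    SAFE_PRINTF("user %s logged in %d times\n", "fred", 3);  /* 2 == 2: runs    */
    SAFE_PRINTF(user_id);                     /* 1 directive, 0 arguments: refused */
    SAFE_PRINTF("%s\n", user_id);             /* the correct call: input as data  */
    return 0;
}
```

The directive counter deliberately stays simple: positional directives such as "%1$s" and the vendor-specific conversions a real libc accepts are not modelled, and a production wrapper would have to follow the same grammar its printf implements, otherwise a mismatch in the counter itself becomes a false accept.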

FormatGuard Demo
RPC.statd: remote format vulnerability
 Can easily get a root shell
 Many systems run RPC.statd; part of NFS
 Exploit part of the new “Ramen” Linux Worm
Attack a FormatGuard-protected RPC.statd
 Syslog the event
 Kill the process
Demo

FormatGuard Performance
Microbenchmark:
 37% overhead on calls to printf
Macrobenchmark:
 Hard to find a printf-bound program :-)
 Man2HTML uses a lot of printf’s
 Batch 79 man pages through
 1.3% overhead
Paper submitted for review

Temporary File Race Conditions
Scenario: Root process wants to create a unique /tmp file
Step 1: choose a name
Step 2: check to see if it exists
Step 3: if not exists, create
Here’s the Problem:
 attacker interrupts between steps 2 and 3
 Creates a link from expected /tmp file name to a major file, i.e. /etc/passwd
 When root process does the create, it stomps /etc/passwd with root’s authority

RaceGuard
Kernel enhancement to detect race attacks mid-way through
 Cache names presented to stat()
 If open(O_CREAT) hits an existing file, and the path is in the RaceGuard cache, then a race attack is in progress
Response choices:
 Deny the open: return EPERM
 Kill the process
Demo
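The three-step scenario and the RaceGuard check above, modelled in user space as an added example (RaceGuard itself is a kernel change; this is not its code and not WireX code). The stat() and open(O_CREAT) hooks are plain functions around a small cache, the attacker’s move between steps 2 and 3 is a callback that plants a symlink inside a scratch directory, and a victim file in that directory plays the part of /etc/passwd; all names and sizes are constructed for the example.

```c
/* RaceGuard-style detection of a temp-file race, modelled in user space.
 * Added illustration only; cache layout, hooks and demo are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CACHE_SLOTS 16
#define RG_PATH_LEN 256

/* Names that stat() reported as absent: exactly the names a
 * "check then create" sequence is about to create. */
struct rg_cache {
    char path[CACHE_SLOTS][RG_PATH_LEN];
    int used;
};

/* Hook on stat(): remember the name if the file did not exist. */
void rg_record_stat(struct rg_cache *c, const char *path, int exists)
{
    if (exists || c->used >= CACHE_SLOTS) return;
    snprintf(c->path[c->used++], RG_PATH_LEN, "%s", path);
}

static int rg_cached(const struct rg_cache *c, const char *path)
{
    for (int i = 0; i < c->used; i++)
        if (strcmp(c->path[i], path) == 0) return 1;
    return 0;
}

/* Hook on open(O_CREAT): a cached name that exists now, although stat()
 * said it did not, means someone raced us. 1 = allow, 0 = deny (EPERM). */
int rg_check_create(const struct rg_cache *c, const char *path, int exists_now)
{
    return !(exists_now && rg_cached(c, path));
}

/* The vulnerable check-then-create sequence with both hooks wired in.
 * `attacker` runs in the window between steps 2 and 3. Returns a file
 * descriptor, or -1 with errno set (EPERM = race detected and denied). */
int guarded_create(struct rg_cache *c, const char *path,
                   void (*attacker)(const char *))
{
    struct stat st;
    int exists = (stat(path, &st) == 0);          /* step 2: check          */
    rg_record_stat(c, path, exists);
    if (exists) { errno = EEXIST; return -1; }
    if (attacker) attacker(path);                 /* the race window        */
    exists = (lstat(path, &st) == 0);             /* what open() will find  */
    if (!rg_check_create(c, path, exists)) {      /* step 3: create, hooked */
        errno = EPERM;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT, 0600);  /* would follow the link  */
}

/* Constructed stand-in for the attacker's move: point the expected temp
 * name at a victim file in the scratch directory (the "/etc/passwd" role). */
static void plant_link(const char *path)
{
    char victim[RG_PATH_LEN];
    snprintf(victim, sizeof victim, "%s.victim", path);
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    if (symlink(victim, path) != 0) perror("symlink");
}

int main(void)
{
    char dir[] = "/tmp/rgdemo.XXXXXX";
    char path[RG_PATH_LEN], victim[RG_PATH_LEN];
    struct rg_cache cache = { .used = 0 };

    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    snprintf(path, sizeof path, "%s/tmpfile", dir);
    snprintf(victim, sizeof victim, "%s.victim", path);

    int fd = guarded_create(&cache, path, plant_link);
    printf("race detected and open denied: %s\n",
           (fd < 0 && errno == EPERM) ? "yes" : "no");
    if (fd >= 0) close(fd);

    /* What the application should do regardless of RaceGuard: never follow
     * a link and never reuse an existing name when creating a temp file. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    printf("O_CREAT|O_EXCL|O_NOFOLLOW on the planted link: %s\n",
           fd < 0 ? strerror(errno) : "opened (unexpected)");
    if (fd >= 0) close(fd);

    unlink(path); unlink(victim); rmdir(dir);
    return 0;
}
```

The kernel version keeps the cache per process and consults it on the real open(2) path, so it protects binaries that were never recompiled; the O_EXCL|O_NOFOLLOW open at the end is the fix the application itself should carry, since it closes the window rather than detecting that it was used.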

RaceGuard Performance
Microbenchmarks:
 104% overhead on stat(): 4.3 µs -> 8.8 µs
 13% overhead on fork(): 161 µs -> 183 µs
Macrobenchmark: Khernelstone
 Build Linux kernel from source
 Lots of temp files, lots of forks
 0.4% overhead
Paper submitted for review

Major Achievement: Low-Effort Protection
These tools are highly transparent:
 Performance overhead: under 2% across the board, usually lower
 Compatibility issues: minimal
 Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard
 RaceGuard works on binary code, currently breaks nothing
 Administrative overhead: nil

Major Achievement: Relative Invulnerability
Proposed metric:
 Compare a “base” system against a system protected with Immunix tools
 Count the number of known vulnerabilities stopped by the technology
 “Relative Invulnerability”: % of vulnerabilities stopped

Immunix Relative Invulnerability
Immunix System 7:
 Based on Red Hat 7.0
 Compare Immunix vulnerability to Red Hat’s Errata page (plus a few they don’t talk about :-)
 October 1 to Feb. 7, 2000
 44 vulnerabilities total
 11 remote, 33 local
 40 penetration, 4 DoS
 8 remote penetration

Immunix Relative Invulnerability
PointGuard will bring these to 6/8 (75%) & 4/4 (100%)

Task schedule
StackGuard: delivered
PointGuard: long-term development
FormatGuard: prototype delivered, final copy soon (weeks)
Integrated Drop: prototype delivered, final copy soon (weeks)
RaceGuard: lab prototype works, under development, should be ready for June drop

Transition of Technology
Open source: StackGuard, FormatGuard, and RaceGuard are all GPL’d
Commercial: all being incorporated into WireX Server Appliance products
 Server appliance: a server for dummies
 Thus the need for dummy-proof security

Jay’s Questions
What threats/attacks is your project considering?
 Common software pathologies that create vulnerabilities
What assumptions does your project make?
 That most vulnerabilities fit into a few classes
 That we can get the source for most/all applications on a platform (true for Linux)
What policies can your project enforce?
 We provide software integrity, allowing policy enforcement to be meaningful

Network and System Autonomy (OGI)
Network
 Abstract utility for translating data representations
 Application: translate incompatible IDS events and responses
System
 Adaptation Space: formal model for reasoning about alternative implementations
 Candidate Orchestrator

Network Autonomy: Technical Objective
What we are trying to accomplish:
 Support a single autonomic response environment that easily accommodates sensors, detectors, and responders that communicate using a variety of languages/protocols.
 Participate in the SARA experiment under SWWIM

Autonomix Navigator Architecture
[Architecture diagram. Components: StackGuard, Syslog, Swatch Event Monitor, Navigator, Scenario Manager, Adaptation Space (XML), SNMP Manager, SNMP Agent Interface, IPChain Configurer, Firewall. Edge labels: alert, monitors, notifies (via IDMEF XML), conditions, choices]

Three out of Four Questions
What threats/attacks is your project considering?
 Those that can be detected (relying on someone else’s IDS)
 Those that have a meaningful response
What assumptions does your project make?
 That there is a heterogeneous fabric of intrusion detection and response components
 That intrusion response can be effective
What policies can your project enforce?
 Can map from any combination of intrusion events to any available alternative configuration

Summary
Component Autonomy:
 Largely working software
 Running on this laptop: StackGuard, FormatGuard, and RaceGuard
 Available piecewise, or integrated into Immunix, at
Network & System Autonomy:
 Largely a work in progress
 Aimed at SARA

Future Work
PointGuard: continue development
FormatGuard: enhance to catch more kinds of attacks
RaceGuard: finish testing, release by summer
IPGuard: new tool to defend against network DoS attacks
Network/System Autonomy: participate in SARA experiments

Plug: NSPW
New Security Paradigms Workshop
Actively interested in radical new ideas, e.g. organic assurance
Papers due March 30, 2001
Info: