Presentation is loading. Please wait.

Presentation is loading. Please wait.

WireX Immunix Server Software Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc wirex.com David Maier &

Published byMargaret Greene Modified over 9 years ago

Similar presentations

Presentation on theme: "WireX Immunix Server Software Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc wirex.com David Maier &"— Presentation transcript:

1 WireX Immunix Server Software Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc wirex.com David Maier & Lois Delcambre Oregon Graduate Institute of Science & Technology

2 WireX Immunix Server Software 11.7.00 Component, Network, and System Autonomy Component Autonomy Tight loop Complete loop:  Detection  Decision  Response  Spins off intrusion events WireX Network and System Autonomy Network: Infrastructure tool  IDS event and response protocol translator System: Orchestrator  Adaptation Space OGI

3 WireX Immunix Server Software 11.7.00 Component Autonomy: Technical Objectives Family of tools to guard components against common software vulnerabilities StackGuard: protection from “stack smashing” buffer overflows SubDomain: lightweight mandatory access controls PointGuard: generalized StackGuard FormatGuard: protection from printf format bugs RaceGuard: protection from temp file races Objective: eliminate 90-99% of software vulnerabilities

4 WireX Immunix Server Software 11.7.00 Existing Practice: How is it done now? Patches  Urgent patches  Lots of them Mandatory access control  Argus Pitbull, Type Enforcement, DTE, etc.  Contains damage when software is cracked  Substantial costs in administration and performance A few systematic tools:  OpenWall, chroot

5 WireX Immunix Server Software 11.7.00 Technical Approach: Abstract Approach  Local intrusion response  Catch intrusion in process  Halt exploited component The Canary Technique Detect attacks in progress:  Place a sacrificial canary where an attack will show tampering  Monitor canary If canary destroyed, then attack is happening

6 WireX Immunix Server Software 11.7.00 Buffer Overflows: The Basic Problem Weak bounds checking in programs Attackers provide more input than program can accommodate Take control of program Exploit program’s privilege This is the leading software security vulnerability  Majority of CERT advisories for the last several years

7 WireX Immunix Server Software 11.7.00 Buffer Overflow Attacks Program normally expects a short string  E.g. for user-ID “ fred ” User-ID fred Server Program Adjacent state Normal network input

8 WireX Immunix Server Software 11.7.00 Buffer Overflow Attacks Program normally expects a short string  E.g. for user-ID “ fred ” Attacker provides a big string  Overflows buffer  E.g. “ fredjklsjoiwi ” User-ID fredjklsjoiw Server Program Adjacent state Attacker’s network input

9 WireX Immunix Server Software 11.7.00 Buffer Overflow Attacks Program normally expects a short string  E.g. for user-ID “ fred ” Attacker provides a big string  Overflows buffer  E.g. “ fredjklsjoiwi ” Corrupts adjacent program state User-ID fredjklsjoiw Server Program Adjacent state Attacker’s network input

10 WireX Immunix Server Software 11.7.00 Buffer Overflow Attacks Program normally expects a short string  E.g. for user-ID “ fred ” Attacker provides a big string  Overflows buffer  E.g. “ fredjklsjoiwi ” Corrupts adjacent program state Attacker takes control User-ID fredjklsjoiw Server Program Adjacent state Attacker in control

11 WireX Immunix Server Software 11.7.00 StackGuard Defense Protect objects with canary integrity checks User-ID fred Server Program Adjacent state Normal network input Canary

12 WireX Immunix Server Software 11.7.00 StackGuard Defense Protect objects with canary integrity checks If canary is obliterated by attacker’s big string... User-ID Server Program Adjacent state Canary obliterated fredjklsjoiw Attacker’s network input

13 WireX Immunix Server Software 11.7.00 StackGuard Defense Protect objects with canary integrity checks If canary is obliterated by attacker’s big string... Intruder Alert!  Raise alarms  Shut down process  Do not give control to attacker User-ID Server Program Adjacent state Canary obliterated fredjklsjoiw Attacker’s network input Alert!

14 WireX Immunix Server Software 11.7.00 StackGuard Demo Many of you have seen this before … Fairly current vulnerability: qpopper  POP3 mail server  Remote buffer overflow vulnerability can get a root shell Attack produces:  Syslog event  qpopper aborts Demo

15 WireX Immunix Server Software 11.7.00 Generalized StackGuard: PointGuard StackGuard: protects the return address in function call activation records  Good against majority of buffer overflows  Decreasing fraction of attacks PointGuard: generalizes to protect all pointers in the program  Integrity check all pointers before dereferencing  Should be good against most forms of buffer overflow

16 WireX Immunix Server Software 11.7.00 Format Bugs: The Basic Problem Discovered suddenly in June 2000  Remote root vulnerability in WU-FTPD  Followed by dozens of similar vulnerabilities Basis: arcane %n printf format string directive  Tells printf to treat corresponding argument as an int * and write back number of items formatted so far Problem: programs that pass un-filtered user input strings direct to printf

17 WireX Immunix Server Software 11.7.00 Format Bug Attacks Program normally expects a plain text string  E.g. for user-ID “ fred ” User-ID fred Server Program Normal network input

18 WireX Immunix Server Software 11.7.00 Format Bug Attacks Program normally expects a plain text string  E.g. for user-ID “ fred ” Attacker provides a format string  E.g. “ fred %n ” User-ID fred %n Server Program Normal network input

19 WireX Immunix Server Software 11.7.00 Format Bug Attacks Program normally expects a plain text string  E.g. for user-ID “ fred ” Attacker provides a format string  E.g. “ fred %n ” Program printf ’s it  Interpreting %n writes to some other part of the program User-ID fred %n Server Program Normal network input 0x1234 Call Stack

20 WireX Immunix Server Software 11.7.00 Format Bug Attacks Program normally expects a plain text string  E.g. for user-ID “ fred ” Attacker provides a format string  E.g. “ fred %n ” Program printf ’s it  Interpreting %n writes to some other part of the program Taking control of the program User-ID fred %n Server Program Normal network input 0x1234 Call Stack

21 WireX Immunix Server Software 11.7.00 FormatGuard First general solution to format bugs  October 2000 Wraps * printf style functions for safety (including syslog)  Count the number of arguments  Count the number of % directives  If mis-match, then reject the call But counting arguments is hard  C’s varargs mechanism does not permit counting

22 WireX Immunix Server Software 11.7.00 FormatGuard: How to Count Arguments We use GCC/CPP macros:  GCC/CPP lets you condense & expand variable argument lists, Lisp-style  Built an argument_count macro  Defined printf(args) -> safe_printf(arg_count(args), args)  safe_printf counts the number of % directives in the format string  reject mis-matched calls

23 WireX Immunix Server Software 11.7.00 FormatGuard Demo RPC.statd: remote format vulnerability  Can easily get a root shell  Many systems run RPC.statd; part of NFS  Exploit part of the new “Ramen” Linux Worm Attack a FormatGuard-protected RPC.statd  Syslog the event  Kill the process Demo

24 WireX Immunix Server Software 11.7.00 FormatGuard Performance Microbenchmark:  37% overhead on calls to printf Macrobenchmark:  Hard to find a printf-bound program :-)  Man2HTML uses a lot of printf’s  Batch 79 man pages through  1.3% overhead Paper submitted for review

25 WireX Immunix Server Software 11.7.00 Temporary File Race Conditions Scenario: Root process wants to create a unique /tmp file Step 1: choose a name Step 2: check to see if it exists Step 3: if not exists, create Here’s the Problem:

26 WireX Immunix Server Software 11.7.00 Temporary File Race Conditions Scenario: Root process wants to create a unique /tmp file Step 1: choose a name Step 2: check to see if it exists Step 3: if not exists, create Here’s the Problem:  attacker interrupts between steps 2 and 3

27 WireX Immunix Server Software 11.7.00 Temporary File Race Conditions Scenario: Root process wants to create a unique /tmp file Step 1: choose a name Step 2: check to see if it exists Step 3: if not exists, create Here’s the Problem:  attacker interrupts between steps 2 and 3  Creates a link from expected /tmp file name to a major file, I.e. /etc/passwd

28 WireX Immunix Server Software 11.7.00 Temporary File Race Conditions Scenario: Root process wants to create a unique /tmp file Step 1: choose a name Step 2: check to see if it exists Step 3: if not exists, create Here’s the Problem:  attacker interrupts between steps 2 and 3  Creates a link from expected /tmp file name to a major file, I.e. /etc/passwd  When root process does the create, it stomps /etc/passwd with root’s authority

29 WireX Immunix Server Software 11.7.00 RaceGuard Kernel enhancement to detect race attacks mid-way through  Cache names presented to stat()  If open(O_CREAT) hits an existing file, and the path is in the RaceGuard cache, then a race attack is in progress Response choices:  Deny the open: return EPERM  Kill the process Demo

30 WireX Immunix Server Software 11.7.00 RaceGuard Performance Microbenchmarks:  104% overhead on stat(): 4.3 s - >8.8 s  13% overhead on fork(): 161 s - >183 s Macrobenchmark: Khernelstone  Build Linux kernel from source  Lots of temp files, lots of forks  0.4% overhead Paper submitted for review

31 WireX Immunix Server Software 11.7.00 Major Achievement: Low-Effort Protection These tools are highly transparent:  Performance overhead: under 2% across the board, usually lower  Compatibility issues: minimal  Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard  RaceGuard works on binary code, currently breaks nothing  Administrative overhead: nil

32 WireX Immunix Server Software 11.7.00 Major Achievement: Relative Invulnerability Proposed metric:  Compare a “base” system against a system protected with Immunix tools  Count the number of known vulnerabilities stopped by the technology  “Relative Invulnerability”: % of vulnerabilities stopped

33 WireX Immunix Server Software 11.7.00 Immunix Relative Invulnerability Immunix System 7:  Based on Red Hat 7.0  Compare Immunix vulnerability to Red Hat’s Errata page (plus a few they don’t talk about :-) October 1, 2000 - Feb. 7, 2000  44 vulnerabilities total  11 remote, 33 local  40 penetration, 4 DoS  8 remote penetration

34 WireX Immunix Server Software 11.7.00 Immunix Relative Invulnerability PointGuard will bring these to 6/8 (75%) & 4/4 (100%)

35 WireX Immunix Server Software 11.7.00 Task schedule StackGuard: delivered PointGuard: long-term development FormatGuard: prototype delivered, final copy soon (weeks) Integrated Drop: prototype delivered, final copy soon (weeks) RaceGuard: lab prototype works, under development, should be ready for June drop

36 WireX Immunix Server Software 11.7.00 Transition of Technology Open source: StackGuard, FormatGuard, and RaceGuard are all GPL’d Commercial: all being incorporated into WireX Server Appliance products  Server appliance: a server for dummies  Thus the need for dummy-proof security

37 WireX Immunix Server Software 11.7.00 Jay’s Questions What threats/attacks is your project considering?  Common software pathologies that create vulnerabilities What assumptions does your project make?  That most vulnerabilities fit into a few classes  That we can get the source for most/all applications on a platform (true for Linux) What policies can your project enforce?  We provide software integrity, allowing policy enforcement to be meaningful

38 WireX Immunix Server Software 11.7.00 Network and System Autonomy (OGI) Network Abstract utility for translating data representations Application: translate incompatible IDS events and responses System Adaptation Space: formal model for reasoning about alternative implementations Candidate Orchestrator

39 WireX Immunix Server Software 11.7.00 Network Autonomy: Technical Objective What we are trying to accomplish:  Support a single autonomic response environment that easily accommodates sensors, detectors, and responders that communicate using a variety of languages/protocols.  Participate in the SARA experiment under SWWIM

40 WireX Immunix Server Software 11.7.00 Autonomix Navigator Architecture Swatch Event Monitor Navigator Stack Guard conditions Syslog alertmonitors notifies (via IDMEF XML) Scenario Manager choices SNMP Manager SNMP AgentInterface IPChain Configurer Firewall Adaptation Space (XML)

41 WireX Immunix Server Software 11.7.00 Three out of Four Questions What threats/attacks is your project considering?  Those that can be detected (relying on someone else’s IDS)  Those that have a meaningful response What assumptions does your project make?  That  a heterogeneous fabric of intrusion detection and response components  That intrusion response can be effective What policies can your project enforce?  Can map from any combination of intrusion events to any available alternative configuration

42 WireX Immunix Server Software 11.7.00 Summary Component Autonomy:  Largely working software  Running this laptop: StackGuard, FormatGuard, and RaceGuard  Available piece wise, or integrated into Immunix, at http://immunix.org http://immunix.org Network & System Autonomy:  Largely a work in progress  Aimed at SARA

43 WireX Immunix Server Software 11.7.00 Future Work PointGuard: continue development FormatGuard: enhance to catch more kinds of attacks RaceGuard: finish testing, release by summer IPGuard: new tool to defend against network DoS attacks Network/System Autonomy: participate in SARA experiments

44 WireX Immunix Server Software 11.7.00 Plug: NSPW New Security Paradigms Workshop Actively interested in radical new ideas, e.g. organic assurance Papers due March 30, 2001 Info: http://nspw.org http://nspw.org

Download ppt "WireX Immunix Server Software Autonomix: Component, Network, and System Autonomy Crispin Cowan, Ph.D WireX Communications, Inc wirex.com David Maier &"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
02/03/14 Copyright © 2002 WireX Communications, Inc. 1 Autonomix: Autonomic Defenses for Vulnerable Software Crispin Cowan, Ph.D WireX Communications,

02/03/14 Copyright © 2002 WireX Communications, Inc. 1 Autonomix: Autonomic Defenses for Vulnerable Software Crispin Cowan, Ph.D WireX Communications,
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.

CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.

Similar presentations

Ads by Google