INSE 6130 Operating System Security
Logging/Auditing and Vulnerability/Defense
Prof. Lingyu Wang
users.encs.concordia.ca/home/w/wang/lecture/lecture/handout8o.pdf

Outline
  Logging and Auditing
  Vulnerability and Defense

Overview
Motivation
  Normal users: trust, but verify (Доверяй, но проверяй)
  Attacker: track down what has happened
Logging
  Record events or statistics (summaries) to logs
  Example: failed logins, failed su's, last logins, system calls, network traffic, etc.
Auditing
  Analyze log records for meaningful results
  Example: manual inspection, intrusion detection (IDS), alert correlation, IP traceback, etc.

Overview (Cont'd)
Relationship
  Logging provides inputs to auditing
  Auditing makes sense out of logs
Challenge
  Logging: attackers will alter or delete logs of their activities
  Auditing: depends heavily on human intervention
Good research topic: how to automatically extract useful information from logs

Logging Example: Windows
Three logs for different types of events
  System event log: system crashes, component failures, etc.
  Application event log: as requested by applications
  Security event log: logging in and out, system file accesses, etc.
Log files are binary
  Use Event Viewer to read them
  Default location: C:\WINNT\system32\config\ (AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)
  Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Default size 512K
  Can be set to overwrite events when exceeding a certain size

Logging Example: Windows (Cont'd)
[figure: screenshot only; no text recoverable]

Logging Example: Windows (Cont'd)
Performance logs
  Performance data from local or remote computers
  In a comma-separated or tab-separated format, a binary log-file format, or SQL database format
  Because logging runs as a service, data collection occurs regardless of whether any user is logged on
  Three types
    Counter: e.g., CPU usage, memory, etc.
    Trace: begin logging only after an event occurs, e.g., a crash
    Alert: a message is sent, a program is run, an entry is made in the application event log, etc.

Auditing Example: BackTracker
Question: when break-ins happen, how can we figure out which application was exploited?
BackTracker solution:
  In operating systems, causal dependencies exist between processes and files/file names (e.g., reading/writing a common file)
  Use the causal dependencies to track from a detected event (e.g., detected using Tripwire) back to the exploited application
Based on Sam King and Peter Chen's slides

BackTracker
[figure: timeline; intrusion occurs, later the intrusion is detected, then BackTracker runs and shows the source of the intrusion]
Online component: logs objects and events (Logging)
Offline component: finds the entry point and the sequence of events leading to the detection point (Auditing)

What Dependency To Track?
Process / Process
  fork, clone, etc. (creating, sharing memory, signaling)
Process / File
  read, write, exec
Process / Filename
  open, creat, link, unlink, mkdir, rmdir, chmod, etc.

[figure: BackTracker dependency graph; legend: Process, File, Socket, Detection point, Fork event, Read/write event]
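A simplified version of BackTracker's offline backward traversal, added here as an example (it is not King and Chen's code). Events are logged as (time, source object, sink object, kind); starting from a detection point, the search only follows events that happened before the object they affect could still have influenced the detection point. The log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of an online log: (time, source object, sink object, event kind).
# Objects are processes, files and sockets, as on the "What Dependency To Track?" slide.
EVENTS = [
    (1, "socket:10.0.0.5:1234", "proc:httpd", "read"),     # network input reaches httpd
    (2, "proc:httpd", "proc:sh", "fork"),                   # httpd spawns a shell
    (2, "proc:cron", "file:/var/log/cron", "write"),        # unrelated activity
    (3, "proc:sh", "file:/tmp/x", "write"),                 # shell drops a binary
    (4, "file:/tmp/x", "proc:backdoor", "exec"),            # dropped binary is executed
    (5, "proc:backdoor", "file:/etc/passwd", "write"),      # tampering later detected
    (7, "proc:httpd", "file:/tmp/y", "write"),              # after the detection point
]


def backtrack(events, detection_object, detection_time):
    """Walk dependencies backwards from a detection point.

    Returns (threshold, edges): threshold maps each object in the causal
    sub-graph to the latest time at which it could still have influenced
    the detection point; edges is the set of events kept in that graph.
    """
    incoming = defaultdict(list)
    for t, src, dst, kind in events:
        incoming[dst].append((t, src, kind))
    threshold = {detection_object: detection_time}
    edges = set()
    queue = deque([detection_object])
    while queue:
        obj = queue.popleft()
        limit = threshold[obj]
        for t, src, kind in incoming[obj]:
            if t > limit:
                continue  # happened too late to have affected obj's relevant state
            edges.add((t, src, obj, kind))
            if threshold.get(src, -1) < t:
                threshold[src] = t  # src matters up to (at least) time t
                queue.append(src)
    return threshold, edges


def entry_points(threshold, edges):
    """Objects in the causal graph that nothing inside the graph led to: the likely entry points."""
    sinks = {dst for _, _, dst, _ in edges}
    return sorted(o for o in threshold if o not in sinks)


if __name__ == "__main__":
    thr, edg = backtrack(EVENTS, "file:/etc/passwd", 6)
    for t, src, dst, kind in sorted(edg):
        print(f"t={t}: {src} --{kind}--> {dst}")
    print("entry point(s):", entry_points(thr, edg))
```

Unrelated activity (cron) and anything that happened after the detection point (/tmp/y) stay out of the graph, and the only object with no incoming dependency is the remote socket.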

Outline
  Logging and Auditing
  Vulnerability and Defense

Top Vulnerabilities: Windows
Top Vulnerabilities in Windows Systems
  Internet Explorer (e.g., buffer overflows)
  Microsoft Office (e.g., buffer overflows)
  Windows Libraries, for example:
    .WMF image causes remote execution (CVE-2005-4560)
    Buffer overflow DoS in HTML Help (.hhp) (CVE-2006-3357)
  Windows Services, for example:
    Buffer overflow in Server Service (CVE-2006-3439)
  Windows Configuration Weaknesses
    NTLM password hashes
http://www.sans.org/top20

Top Vulnerabilities: UNIX
Top Vulnerabilities in UNIX Systems
  UNIX Configuration Weaknesses
    E.g., brute-force attacks on SSH passwords
  Mac OS X
    E.g., Safari, when rendering RTF files, can directly access URLs without performing the normal security checks (CVE-2005-2516)
    Securing Mac OS X 10.4 Tiger (http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdf)
  Resources for vulnerabilities: CVE, Bugtraq, Nessus plugin DB, NVD, etc.
http://www.sans.org/top20

Vulnerability Example
PHP open_basedir race condition vulnerability
  Release Date: 2006/10/04
  Author: Stefan Esser [sesser@hardened-php.net]
  Application: PHP 4/5
  Risk: Critical
  The successful exploitation of this vulnerability allows access to files normally not accessible due to the open_basedir restriction
  E.g., /etc/shadow
http://www.hardened-php.net/advisory_082006.132.html

Background
PHP open_basedir configuration directive
  It tells PHP that only files within the specified directory trees can be opened by scripts
  Symbolic links are fully resolved, so there is no way around it (well, let's see)
Example
  If my web space's root is /www/home/w/wang, then my PHP scripts cannot visit /etc
  You cannot even create a symbolic link to /etc using the function symlink(), either
  But...

Create the Link to /
Symbolic links are fully resolved, so there is no easy way around
Suppose we are in /www/home/w/wang and we want to take a look at / through PHP scripts:
  <?php
  mkdir("a/a/a/a");
  symlink("a/a/a/a", "dummy");
  symlink("dummy/../../../../", "mylnk");
  unlink("dummy");
  symlink(".", "dummy");
  ?>
Now mylnk points to /

Let's Race
Run two scripts simultaneously
  a.php: keeps alternating a symbolic link 'newlnk' between 'mylnk' and '/www/home/w/wang' in a loop
  b.php: keeps listing the directory 'newlnk' in a loop
Sooner or later, b.php gives you the content of /

Race Condition
There is a small time span between when PHP checks permissions and when it actually opens a file
  When PHP checks for permission, newlnk points to '/www/home/w/wang', which is allowed
  When PHP opens the directory, newlnk points to 'mylnk', which in turn points to '/'
[figure: timeline; a.php flips newlnk between /www/home/w/wang and /; b.php's open_basedir check sees /www/home/w/wang ("okay"), but the open that follows sees /]

Defense: Objectives
Detect intrusions
  Previously known attacks
  Zero-day attacks
In a timely fashion
  Real-time
Present accurate results
  False positives, false negatives
In an easy-to-understand format
  Alerts versus attack scenarios

Classification of Intrusion Detection
(We are considering host-based IDS)
Anomaly detection
  Assumption: attacks deviate from normal behaviors
  Method: statistics, data mining, machine learning, etc.
  Advantage: can potentially detect zero-day attacks
  Disadvantage: (theoretically) less accurate
Misuse detection
  Assumption: attacks can be identified with a signature
  Method: state transition, colored Petri net, etc.
  Advantage: more accurate
  Disadvantage: can only detect modeled attacks

Example of Anomaly Detection
Sequence of system calls (Forrest 1996)
Training
  Training data: open read write open mmap write fchmod close
  Sliding window of size 1+3 (1 call followed by 3), grouped by the first call:
    open read write open
    open mmap write fchmod
    read write open mmap
    write open mmap write
    write fchmod close
    mmap write fchmod close
    fchmod close
    close
  This is the normal behavior

Example of Anomaly Detection
Detection
  Normal windows (from training):
    open read write open
    open mmap write fchmod
    read write open mmap
    write open mmap write
    write fchmod close
    mmap write fchmod close
    fchmod close
    close
  Test sequence: open read read open mmap write fchmod close
  Differs in 5 places:
    Second read should be write (1st line)
    Second read should be write (3rd line)
    Second open should be write (3rd line)
    mmap should be open (3rd line)
    write should be mmap (3rd line)
  18 possible places of difference: 18 = 5*3 + 2 + 1
  Mismatch rate 5/18 ≈ 28%, compared against a pre-defined threshold
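The sliding-window method of the two slides above in code, as an added example (not Forrest's implementation): the training trace is turned into a table of which calls may follow each call at offsets 1 to 3, the test trace is checked window by window, and the counts reproduce the 5 mismatches out of 18 places. The detection threshold is an assumed value; the slides do not give one.

```python
from collections import defaultdict

# Training and test traces copied from the slides.
TRAIN = "open read write open mmap write fchmod close".split()
TEST = "open read read open mmap write fchmod close".split()
LOOKAHEAD = 3  # window of size 1+3: one call followed by three


def build_profile(trace, k=LOOKAHEAD):
    """For every call, record which calls were seen 1..k positions after it.

    This is the same information as the list of normal windows on the slide,
    keyed by (call, offset) so that each position can be checked directly.
    """
    profile = defaultdict(set)
    for i, call in enumerate(trace):
        for j in range(1, k + 1):
            if i + j < len(trace):
                profile[(call, j)].add(trace[i + j])
    return profile


def score(profile, trace, k=LOOKAHEAD):
    """Return (mismatches, places checked, descriptions of each mismatch)."""
    mismatches, places, details = 0, 0, []
    for i, call in enumerate(trace):
        for j in range(1, k + 1):
            if i + j >= len(trace):
                break  # the last windows are shorter: this gives the "+2 +1"
            places += 1
            seen = trace[i + j]
            if seen not in profile.get((call, j), set()):
                mismatches += 1
                details.append(
                    f"{seen!r} at offset {j} after {call!r} (position {i}) never seen in training"
                )
    return mismatches, places, details


def is_anomalous(profile, trace, threshold=0.2, k=LOOKAHEAD):
    """Flag the trace when its mismatch rate exceeds the (assumed) threshold."""
    mismatches, places, _ = score(profile, trace, k)
    return places > 0 and mismatches / places > threshold


if __name__ == "__main__":
    normal = build_profile(TRAIN)
    m, p, why = score(normal, TEST)
    print(f"mismatch rate {m}/{p} = {m / p:.0%}")
    for line in why:
        print("  ", line)
    print("anomalous:", is_anomalous(normal, TEST))
```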

Difficulty with Anomaly Detection
Question: is a 99% accurate IDS any good?
Intuitively
  Answer: maybe?
Counter-intuitively
  Answer: not necessarily!
  If the attack rate is one attack per 1,000,000 calls
    Which is reasonable
  The base rate fallacy says the IDS will generate about 10,000 false positives for every real attack it detects
    Which is absolutely not acceptable
  Why?

Base Rate Fallacy
What does the attack rate mean?
  In 100,000,000 calls, there are 100 real attacks
What does 99% accuracy mean?
  False positives: (100,000,100 - 100)*1/100 = 1,000,000
  False negatives: 100*1/100 = 1

                 not detected                  detected
  normal         100,000,000-100               1,000,000 (false positive)
  attack         1 (false negative)            99

1,000,000 false positives per 99 detected attacks!
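The same numbers written out with Bayes' theorem (added here; not on the original slides), with attack rate $10^{-6}$ and a 1% error rate in each direction:

$$
P(\text{attack}\mid\text{alarm})
 = \frac{P(\text{alarm}\mid\text{attack})\,P(\text{attack})}
        {P(\text{alarm}\mid\text{attack})\,P(\text{attack}) + P(\text{alarm}\mid\text{normal})\,P(\text{normal})}
 = \frac{0.99 \times 10^{-6}}{0.99 \times 10^{-6} + 0.01 \times (1 - 10^{-6})}
 \approx 9.9 \times 10^{-5}
$$

$$
\frac{\text{false positives}}{\text{detected attacks}}
 = \frac{0.01 \times (1 - 10^{-6})}{0.99 \times 10^{-6}} \approx 10{,}101
$$

So fewer than 0.01% of alarms are real, and roughly 10,000 false alarms accompany each detected attack, exactly the ratio quoted on the previous slide; the base rate, not the 99% accuracy, dominates the result.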

Example of Misuse Detection
  t1 %cp /bin/csh /usr/spool/mail/root
  t2 %chmod 4755 /usr/spool/mail/root
  t3 %touch x
  t4 %mail root<x
  t5 %/usr/spool/mail/root
  t6 $
t1, t2 create a SUID shell '/usr/spool/mail/root'
t3, t4 make mail change the shell's owner to root
Then you have an executable root shell
Cool, but how do we create a signature for this attack?

Colored Petri Net
The attack steps are partially ordered
  t1<t2, t3<t4, t1<t5, ...?
Modeled with a colored Petri net
[figure: colored Petri net for the attack]

Colored Petri Net (Cont'd)
Will these be detected?
  t3, t1, t2, t4
  t1, t3, t2, t4
  t2, t1, t3, t4
  t1, t2, t4
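A brute-force stand-in for the colored Petri net signature, added as an example (not the course's net): each step is an action plus the variables it binds (the "colors", F for the planted shell and X for the mail file), and a sequence matches only if one event per step can be chosen that respects the partial order t1<t2, t3<t4 with consistent bindings. The model is this example's assumption; t5 is left out because the sequences on the slide stop at t4.

```python
from itertools import product

# Signature of the SUID-shell attack from the slides as a colored pattern.
# Assumed model: one event per step, the partial order t1<t2 and t3<t4 from the
# slide, and the same value for a variable everywhere it appears.
STEPS = {
    "t1": ("cp", ("F",)),          # cp /bin/csh $F
    "t2": ("chmod4755", ("F",)),   # chmod 4755 $F
    "t3": ("touch", ("X",)),       # touch $X
    "t4": ("mail_root", ("X",)),   # mail root < $X
}
ORDER = [("t1", "t2"), ("t3", "t4")]


def match(events, steps=STEPS, order=ORDER):
    """events: list of (action, args) in observed order, possibly with unrelated events.

    Returns (step -> event index, variable -> value) for the first match, else None.
    """
    labels = list(steps)
    candidates = [[i for i, (a, _) in enumerate(events) if a == steps[l][0]] for l in labels]
    for choice in product(*candidates):
        if len(set(choice)) < len(choice):
            continue  # one event cannot play two steps
        assign = dict(zip(labels, choice))
        if any(assign[a] >= assign[b] for a, b in order):
            continue  # partial order violated
        binding, consistent = {}, True
        for lbl, idx in assign.items():
            for var, val in zip(steps[lbl][1], events[idx][1]):
                consistent &= binding.setdefault(var, val) == val  # same "color" everywhere
        if consistent:
            return assign, binding
    return None


def events_from_labels(labels, F="/usr/spool/mail/root", X="x"):
    """Turn a slide-style label sequence such as 't3 t1 t2 t4' into concrete events."""
    args = {"F": F, "X": X}
    return [(STEPS[l][0], tuple(args[v] for v in STEPS[l][1])) for l in labels.split()]


if __name__ == "__main__":
    for seq in ("t3 t1 t2 t4", "t1 t3 t2 t4", "t2 t1 t3 t4", "t1 t2 t4"):
        print(f"{seq}: {'detected' if match(events_from_labels(seq)) else 'not matched'}")
```

Under this model the first two sequences match and the last two do not (t2 before t1 breaks the order; the fourth lacks t3); whether the real attack still succeeds when chmod precedes cp is a separate question about the signature's completeness.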

Difficulty of Misuse Detection
Zero-day exploit
  The exploit appears on the same day as, or before, the vulnerability is publicized
  It has no signature
Other defense methods, for example:
  A buffer overflow overwrites memory from the buffer up to the return address
  So put a 'canary word' before the return address
  If it has been changed, the function won't return
  The canary word must be random, why?

Other OS Defense Methods
NX bit
  No eXecute bit (last bit of the page table entry)
  Can be used to mark the stack as non-executable to prevent buffer overflow attacks
  Pentium 4 or later, AMD64
  Many OSes support this or emulate it via software
    Linux, Solaris 10, WinXP SP2, Win2003 SP1, etc.
  Vulnerable to return-to-libc attacks
    No need to return to shell code on the stack; return to an existing function instead

Other OS Defense Methods
Memory randomization
  Makes buffer overflow, including return-to-libc, more difficult
  Basic idea:
    Buffer overflow and return-to-libc exploits need to know the address of the attack code in the buffer, or the address of a standard kernel library routine
    The same address is used on many machines
      Slammer infected 75,000 MS-SQL servers using the same code
    So introduce artificial diversity: make stack addresses and the addresses of library routines random
  Supported by OpenBSD, Windows Vista, PaX, Hardened Gentoo, etc.

w/o Randomization
[figure: stack frame (buf, ret addr, code addr) in the 3 GB user address space; the overwritten return address hits the attack code: Exploit!]

w/ Randomization
[figure: the same stack frame (buf, ret addr, code addr) with randomized addresses; the overwritten return address misses: crash]

De-Randomization
The amount of randomness is limited
  PaX only uses 16 bits of random shift
Subject to de-randomization attacks
  Repetitively guess the randomized address
  Spray injected attack code

De-Randomization 1
[figure: stack frame (Pad, buf, ret addr, code addr); Step 1: crash]

De-Randomization 2
[figure: stack frame (Pad, buf, ret addr, code addr); Step 2: crash]

De-Randomization 3
[figure: stack frame (Pad, buf, ret addr, code addr); Step 3: Exploit!]
216 seconds (avg.) to de-randomize!
http://www.stanford.edu/~blp/papers/asrandom.pdf

Spraying Attacks
Exploit a buggy application and "spray" attack code in writable user-level memory areas
[figure: buffer and many copies of the attack code in memory; Exploit!]