Advanced Security Research

System Health and Intrusion Monitoring Using a Hierarchy of Constraints

Calvin Ko, NAI Labs, Network Associates, Inc.
Jeff Rowe, University of California, Davis

October 2001


RAID 2001

Abstract IDS Model

[Figure: abstract IDS model. Audit data (e.g., kernel audit trails, network packets, syslog, ...) is fed to an ID engine driven by rules. The rules are derived from one of three sources: intended/expected behavior, known attacks/vulnerabilities, or historical behavior. The result is either detection of the actions of the attackers or detection of the effect/manifestation of the attacker's actions.]

System Health and Intrusion Monitoring (SHIM)

• Extend existing specification-based detection work
• Employ a hierarchy of constraints/specifications that
  – describe healthy/correct operation of a system
  – capture static behavior, dynamic behavior and time-dependent behavior of different components at different levels of abstraction
  – detect manifestations of attacks or security errors regardless of the cause
• Utilize data at all levels: network, host, OS kernel, application
• Reason about the specifications

Top Level Threats addressed by SHIM

• Remote-to-Local, Remote-to-Root
• User-to-Root
• Insider
  – exceeding his/her privileges
  – misusing his/her privileges
• Trojan horses
• Denial of service
• Masqueraders and probing
• Privileged processes
  – setuid root programs, servers/daemons, administrator processes

Constraint Model

[Figure: constraint model grid. One axis lists the levels of abstraction: System-wide; System Services; Host Programs and Network Protocols; Applications. The other axis lists the kinds of constraint: Operational Integrity; Resource Usage; Access; Data Integrity; Temporal/Interaction.]

Constraint Development

[Figure: constraint development. Inputs: attack/vulnerability models; configuration, historical behavior and system policy; functionality and system semantics; security policies and design principles. These feed a hierarchical constraint model, from which constraints and higher-level constraints are derived.]

Roadmap

• Technical objective
• Approach and rationale
• Useful types of constraints
• Program constraints
• Protocol constraints
• High-level constraints
• Ongoing and future work

Useful Types of Constraints

• Policy on users
  – Files a user can access
  – Resources a user is allowed to possess
• Protocol specifications, operational view
  – Defines allowable transitions
  – Defines allowable time in a given state
• Protocol specifications, message content
  – Mappings delivered by DNS should accurately represent the view of the authoritative name server
  – IP addresses are not spoofed

Useful Types of Constraints (cont.)

• Protocols: invariants and assumptions
  – IP routers approximate Kirchhoff's law (traffic in equals traffic out)
  – Packets are not sniffed by a third party
  – Packet source must be a non-congested/non-DoSed host
• Programs: valid access constraints
  – Programs access only certain objects
• Programs: interaction constraints
  – Program interaction should not change the semantics
• Data integrity
  – e.g., passwords and other authentication information
  – authorization information, process table

Access Constraints for Programs

• Can detect
  – remote users gaining local access
  – local users gaining additional privileges
  – Trojan horses
• Work well for many programs, e.g., passwd, lpr, lprm, lpq, fingerd, at, atq, ...
• Some programs can potentially access many files, e.g., httpd, ftpd
  – break the execution into pieces (threadlets) and define the valid accesses for each threadlet
  – a threadlet is delimited by transition operations

Component-Specific Constraints

• Privileged programs, e.g., the FTP daemon may
  – read files that are world readable
  – write files that are owned by the user
  – execute only /bin/ls, /bin/gzip, /bin/tar, /bin/compress
• Critical data
  – e.g., the password file in a Unix system should be in the correct form and each user should have a password

General Constraints

• A privileged process should discard all its privileges and capabilities before it gives control to a user.
• The temporary file of a program should be accessible only by that program's execution and should be removed when the program exits.
• An application should read only configuration files owned by the user that it is running as.
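As an added example (not the SHIM prototype and not code from the slides), the FTP daemon access rules on the Component-Specific Constraints slide and the privilege-drop rule above, written as a small specification-based monitor in Python that evaluates audit records against a per-program specification. The audit record layout, the file metadata table, the "handoff" operation that stands for a privileged process giving control to a user, and all names are assumptions for illustration; the audit trail is constructed.

```python
"""Specification-based access monitor for privileged programs (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed file-system metadata: path -> (owner uid, mode bits).
FS: Dict[str, Tuple[int, int]] = {
    "/etc/passwd": (0, 0o644),
    "/etc/shadow": (0, 0o600),
    "/home/alice/report.txt": (1001, 0o644),
    "/home/alice/upload.bin": (1001, 0o644),
    "/bin/ls": (0, 0o755),
    "/bin/sh": (0, 0o755),
}

def world_readable(path: str) -> bool:
    return path in FS and FS[path][1] & 0o004 != 0

def owned_by(path: str, uid: int) -> bool:
    return path in FS and FS[path][0] == uid

@dataclass
class Event:
    """One audit record: `prog` (pid) serving authenticated `user` does `op` on `obj`."""
    prog: str
    pid: int
    euid: int   # effective uid at the time of the operation
    user: int   # the authenticated user the server is acting for
    op: str     # read | write | exec | handoff (assumed record types)
    obj: str

# A program specification is a list of (op, predicate) rules; an event conforms
# if at least one rule for its operation accepts it. Anything not covered by a
# rule is outside the specification and therefore a violation.
Rule = Callable[[Event], bool]
FTPD_EXEC_WHITELIST = {"/bin/ls", "/bin/gzip", "/bin/tar", "/bin/compress"}
SPECS: Dict[str, List[Tuple[str, Rule]]] = {
    "ftpd": [
        ("read",  lambda e: world_readable(e.obj)),      # read world-readable files
        ("write", lambda e: owned_by(e.obj, e.user)),    # write files owned by the user
        ("exec",  lambda e: e.obj in FTPD_EXEC_WHITELIST),
    ],
}

def check_access(e: Event) -> List[str]:
    """Return the violation messages for one event (empty list if it conforms)."""
    out: List[str] = []
    if e.prog in SPECS and e.op in ("read", "write", "exec"):
        rules = [pred for op, pred in SPECS[e.prog] if op == e.op]
        if not any(pred(e) for pred in rules):
            out.append(f"{e.prog}[{e.pid}] {e.op} {e.obj} violates access constraint")
    # General constraint: a privileged process must drop its privileges before
    # handing control to a user; still running with euid 0 at handoff is a violation.
    if e.op == "handoff" and e.euid == 0:
        out.append(f"{e.prog}[{e.pid}] hands control to user {e.user} with euid 0")
    return out

def monitor(events: List[Event]) -> List[str]:
    alarms: List[str] = []
    for e in events:
        alarms.extend(check_access(e))
    return alarms

# Constructed audit trail: a conforming session followed by three violations.
SAMPLE = [
    Event("ftpd", 4242, 1001, 1001, "read",    "/etc/passwd"),           # world readable
    Event("ftpd", 4242, 1001, 1001, "write",   "/home/alice/upload.bin"),  # owned by user
    Event("ftpd", 4242, 1001, 1001, "exec",    "/bin/ls"),               # whitelisted
    Event("ftpd", 4242, 0,    1001, "read",    "/etc/shadow"),           # not world readable
    Event("ftpd", 4242, 0,    1001, "exec",    "/bin/sh"),               # not whitelisted
    Event("ftpd", 4243, 0,    1002, "handoff", "session"),               # privileges not dropped
]

if __name__ == "__main__":
    for alarm in monitor(SAMPLE):
        print("ALARM:", alarm)
```

The specification lists what the program is allowed to do, not what attacks look like, which is why the last three records are flagged without any knowledge of how the daemon came to read the shadow file or spawn a shell.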

Prototype SHIM Host Monitor

[Figure: prototype SHIM host monitor. A Linux or Solaris kernel is instrumented by an agile kernel auditor whose audit stream feeds the SHIM monitor; other sources feed the monitor as well. Constraints/specifications are translated by the SHIM compiler into SHIM analyzer modules that run inside the monitor. A Control link between the monitor and the auditor is also shown.]

Protocol Constraints

• Address Resolution Protocol (ARP)
  – Maps between the Ethernet layer and the IP layer
  – Before sending to a new IP address, a host broadcasts a request asking all machines on the segment for the Ethernet address that belongs to that IP address. Hosts typically keep a local list of mappings (the ARP cache) to avoid repetitive queries.
• ARP cache poisoning
  – Unsolicited response
  – Bogus request
  – Bogus response
  – Both a spurious request and a spurious response

An ARP Specification

[Figure: ARP specification as a state machine per resolved IP address. States: i (initial), reply_wait, cached. Transitions: i --ARP Request--> reply_wait; reply_wait --ARP Response--> cached; cached --ARP cache timeout--> i; a further ARP Request is shown leaving the cached state (re-resolution).]

Unsolicited ARP Response

• An ARP reply will be accepted by a victim machine even though it has not sent a request.
• Sending an arbitrary IP-to-Ethernet mapping therefore poisons the victim's ARP cache.
• Sending an unsolicited response to the broadcast Ethernet address poisons the cache of all machines (Solaris, Windows, Linux).

  ARP REPLY to victim blanc.cs.ucdavis.edu IS-AT 08:00:20:23:71:52

Bogus ARP Request

• ARP implementations cache entries based upon broadcast requests.
• Even if a host is not involved in the resolution, its cache is updated with the sender information contained in third-party requests.
• Sending out a request with bogus sender information therefore poisons everyone's cache.

  ARP REQUEST WHO-HAS olympus.cs.ucdavis.edu TELL blanc.cs.ucdavis.edu at 08:00:20:23:71:52

An ARP Specification

[Figure: the ARP state machine of the earlier slide extended with an alarm state. Normal transitions: i --ARP Request--> reply_wait; reply_wait --ARP Response--> cached; cached --ARP cache timeout--> i; plus an ARP Request leaving the cached state. Transitions into alarm: Unsolicited ARP Response (a response while no request is outstanding), Bogus ARP Response, and Malformed Request.]

ARP Monitor Implementation

• Built on the Snort open-source IDS platform
  – Uses the Snort preprocessor plug-in feature
  – No measurable difference in baseline IDS performance, due to the low volume of ARP traffic
• A single ARP correctness specification catches all five ARP vulnerabilities

A DHCP Specification

• Dynamic Host Configuration Protocol (DHCP)
  – provides centralized management of client workstation configuration parameters
  – distributed servers cooperatively allocate client parameters, even across sub-networks
• DHCP typically configures
  – IP address allocation
  – Gateway router address
  – DNS servers

DHCP Messages

From server:

  Message       Use
  DHCPOFFER     Server to client in response to DHCPDISCOVER with offer of configuration parameters.
  DHCPACK       Server to client with configuration parameters, including committed network address.
  DHCPNAK       Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.

From clients:

  Message       Use
  DHCPDISCOVER  Client broadcast to locate available servers.
  DHCPREQUEST   Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
  DHCPDECLINE   Client to server indicating network address is already in use.
  DHCPRELEASE   Client to server relinquishing network address and cancelling remaining lease.
  DHCPINFORM    Client to server, asking only for local configuration parameters; client already has externally configured network address.

DHCP Protocol Misuse

• DHCP is built upon UDP, making IP spoofing trivial.
• DHCP traffic is passed by routers (via relay agents) and can traverse remote networks.
• Denial of service
  – A fake client DHCPRELEASE causes the server to assign the same IP address to multiple clients.
  – Multiple fake DHCPREQUEST messages consume all available IP addresses.
• Falsification of network services
  – A fake DHCP server feeds clients a false gateway router address, for DoS or to intercept traffic.
  – A fake DHCP server feeds clients a false DNS server and supplies its own malicious mappings.

DHCP Protocol

[Figure: DHCP client state diagram (the client state machine of RFC 2131). States: Init, Init-Reboot, Selecting, Requesting, Rebooting, Bound, Renewing, Rebinding. Transitions, written as event/action:
  Init: -/Send DHCPDISCOVER -> Selecting
  Init-Reboot: -/Send DHCPREQUEST -> Rebooting
  Rebooting: DHCPACK/Record lease, set T1, T2 -> Bound; DHCPNAK/Restart -> Init
  Selecting: DHCPOFFER/Collect offers -> Selecting; Select offer/Send DHCPREQUEST -> Requesting
  Requesting: DHCPOFFER/Discard -> Requesting; DHCPACK/Record lease, set T1, T2 -> Bound; DHCPNAK/Discard offer -> Init; DHCPACK (not accepted)/Send DHCPDECLINE -> Init
  Bound: DHCPOFFER, DHCPACK, DHCPNAK/Discard -> Bound; T1 expires/Send DHCPREQUEST -> Renewing
  Renewing: DHCPACK/Record lease, set T1, T2 -> Bound; T2 expires/Broadcast DHCPREQUEST -> Rebinding; DHCPNAK/Halt network -> Init
  Rebinding: DHCPACK/Record lease, set T1, T2 -> Bound; DHCPNAK/Lease expired -> Init]

DHCP Protocol Monitor

• The DHCP protocol monitor is implemented as a Snort IDS plug-in.
• Based upon the DHCP client state diagram
• Monitors for DHCPRELEASE messages
• Monitors for multiple server replies, indicating the presence of a rogue DHCP server
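An added example, not the Snort plug-in from the slides: a DHCP client-state monitor in Python that follows the client state diagram on the DHCP Protocol slide, one transaction id at a time, and raises alarms for the two misuse cases listed above, any DHCPRELEASE (a forged one makes the server re-assign the address) and replies from more than one server within a single transaction (a rogue server). It also flags server messages that the diagram does not allow in the client's current state. Timer-driven transitions (T1/T2 expiry) are not modelled because they are not visible on the wire. The message layout, field names, the known-server list and the addresses are assumptions; the trace is constructed.

```python
"""DHCP client-state monitor following the client state diagram (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Dhcp:
    t: float
    kind: str            # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPRELEASE, ...
    xid: int             # transaction id shared by one client exchange
    chaddr: str          # client hardware address
    src_ip: str          # IP source of the UDP datagram (trivially spoofable)
    server_id: str = ""  # server identifier option carried by server messages

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# (current client state, message seen) -> next state, after the client state
# diagram. Entries mapping a state to itself are the diagram's "Discard" arcs.
TRANSITIONS = {
    ("Init", "DHCPDISCOVER"): "Selecting",
    ("Init", "DHCPREQUEST"): "Rebooting",          # the Init-Reboot path
    ("Rebooting", "DHCPACK"): "Bound",
    ("Rebooting", "DHCPNAK"): "Init",              # restart
    ("Selecting", "DHCPOFFER"): "Selecting",       # collect offers
    ("Selecting", "DHCPREQUEST"): "Requesting",    # select offer
    ("Requesting", "DHCPOFFER"): "Requesting",     # discard
    ("Requesting", "DHCPACK"): "Bound",
    ("Requesting", "DHCPNAK"): "Init",             # discard offer
    ("Requesting", "DHCPDECLINE"): "Init",         # ACK not accepted
    ("Bound", "DHCPOFFER"): "Bound",               # discard
    ("Bound", "DHCPACK"): "Bound",
    ("Bound", "DHCPNAK"): "Bound",
    ("Bound", "DHCPREQUEST"): "Renewing",          # T1 expired (request seen on the wire)
    ("Renewing", "DHCPREQUEST"): "Renewing",
    ("Renewing", "DHCPACK"): "Bound",
    ("Renewing", "DHCPNAK"): "Init",               # halt network
}

@dataclass
class Txn:
    state: str = "Init"
    servers: Set[str] = field(default_factory=set)

class DhcpMonitor:
    def __init__(self, known_servers: Set[str]):
        self.known = known_servers
        self.txns: Dict[int, Txn] = {}
        self.alarms: List[str] = []

    def feed(self, m: Dhcp) -> None:
        x = self.txns.setdefault(m.xid, Txn())
        if m.kind == "DHCPRELEASE":
            # Reported unconditionally: the sender cannot be authenticated, and a
            # forged release lets the server hand the address to another client.
            self.alarms.append(f"DHCPRELEASE for {m.chaddr} from {m.src_ip} at t={m.t}")
            x.state = "Init"
            return
        if m.kind in SERVER_MSGS:
            if m.server_id not in self.known:
                self.alarms.append(f"reply from unknown server {m.server_id} at t={m.t}")
            if m.server_id not in x.servers:
                x.servers.add(m.server_id)
                if len(x.servers) > 1:   # a second distinct server answered this transaction
                    self.alarms.append(
                        f"xid {m.xid:#x}: replies from {sorted(x.servers)}, rogue server? at t={m.t}")
        nxt = TRANSITIONS.get((x.state, m.kind))
        if nxt is None:
            self.alarms.append(f"xid {m.xid:#x}: {m.kind} not expected in state {x.state} at t={m.t}")
        else:
            x.state = nxt

def run(msgs: List[Dhcp], known_servers: Set[str]) -> List[str]:
    mon = DhcpMonitor(known_servers)
    for m in msgs:
        mon.feed(m)
    return mon.alarms

KNOWN = {"10.0.0.2"}  # constructed: the one legitimate server on this segment
TRACE = [             # constructed trace
    Dhcp(1.0, "DHCPDISCOVER", 0x1a2b, "00:11:22:33:44:55", "0.0.0.0"),
    Dhcp(1.1, "DHCPOFFER",    0x1a2b, "00:11:22:33:44:55", "10.0.0.2",  "10.0.0.2"),
    Dhcp(1.2, "DHCPOFFER",    0x1a2b, "00:11:22:33:44:55", "10.0.0.66", "10.0.0.66"),  # rogue
    Dhcp(1.3, "DHCPREQUEST",  0x1a2b, "00:11:22:33:44:55", "0.0.0.0"),
    Dhcp(1.4, "DHCPACK",      0x1a2b, "00:11:22:33:44:55", "10.0.0.2",  "10.0.0.2"),
    Dhcp(5.0, "DHCPRELEASE",  0x77,   "00:11:22:33:44:66", "10.0.0.50"),               # forged?
    Dhcp(6.0, "DHCPACK",      0x99,   "00:11:22:33:44:77", "10.0.0.2",  "10.0.0.2"),   # no request
]

if __name__ == "__main__":
    for alarm in run(TRACE, KNOWN):
        print("ALARM:", alarm)
```

Keying on the transaction id rather than on the source address is deliberate: the slides note that DHCP runs over UDP, so the IP header is the one field an attacker controls completely, whereas a rogue server cannot avoid answering the same xid the client broadcast.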

High-Level Constraints

• Concerned with the system or a service as a whole
• May not be directly detectable; need to project down to lower-level constraints
• e.g., Only valid users can log in from valid remote hosts.
• Combining host-based and protocol constraints

Projections

[Figure: projection of a high-level constraint onto lower-level constraints.
  Only authorized remote users can rlogin to a host
    -> rlogind allows only authorized attempts
    -> Remote host not compromised
    -> Rlogin packet came from the true remote host
         -> DNS name not spoofed
         -> IP address not spoofed
         -> ARP address not spoofed]

Ongoing and Future Work

• Investigate constraints for other components
• Projections of constraints
• Verification of constraints
• Interaction constraints
• High-level constraints