Backtracking Intrusions, SOSP '03, Sam King and Peter Chen, UMich
Presented by JW
Motivation
• Computer break-ins are increasing
• Computer forensics is important
– How did they get in?
Current Forensic Methods
• Manual inspection of existing logs
• System and application logs
– Not enough information
• Network log– May be encrypted
• Disk image– Only shows final state
• Machine level logs– No semantic information
• No way to separate out legitimate actions
BackTracker
• Can we help figure out what was exploited?
• Track back to the exploited application
• Record causal dependencies between objects
[Figure legend: Process, File, Socket, Detection point, Fork event, Read/write event]
BackTracker
• Online component: log objects and events
• Offline component: generate graphs
[Timeline: intrusion occurs → intrusion detected → BackTracker runs and shows the source of the intrusion]
BackTracker Objects
• Process
• File
• Filename
Dependency-Forming Events
• Process / Process– fork, clone, vfork
• Process / File– read, write, mmap, exec
• Process / Filename– open, creat, link, unlink, mkdir, rmdir, stat, chmod, …
Constructing Dependency Graph
[Figure: raw log → complete graph → graph produced by GraphGen]
The graph could still be VERY large!
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Figure, shown in three steps, one per rule: the unfiltered graph with /bin/bash, /lib/libc, bash, proc, backdoor; after hiding read-only files, the helper process id and its pipe next to bash, proc, backdoor; after eliminating helper processes, the low-control chain login_a, utmp, login_b next to bash, proc, backdoor.]
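The two slides above describe GraphGen's backward traversal (follow events into an object, but only those that happened before the time at which the object could still have influenced the detection point) and the three default filtering rules. The following is an added example, not the paper's code: a toy event log, the time-thresholded backward traversal, and the three rules applied before traversal. The log, the object names (proc:, file:, sock:, pipe: prefixes), the low-control object set and the exact helper-process test are all constructed for illustration.

```python
"""Added example: a toy BackTracker-style pipeline (event log -> backward traversal ->
default filtering rules). Not the paper's code; all names and the log are constructed."""
from collections import defaultdict, deque

# Constructed event log: (time, kind, source, sink); the sink depends on the source.
# Object names carry a type prefix (proc:, file:, sock:, pipe:) so the rules can tell them apart.
LOG = [
    (1.0, "read", "sock:attacker", "proc:httpd"),          # exploit input arrives on a socket
    (2.0, "fork", "proc:httpd", "proc:sh"),
    (3.0, "write", "proc:sh", "file:/tmp/backdoor"),
    (3.5, "fork", "proc:sh", "proc:backdoor"),
    (4.0, "exec", "file:/tmp/backdoor", "proc:backdoor"),
    (5.0, "read", "file:/lib/libc.so", "proc:backdoor"),   # read-only library (rule 1)
    (5.5, "read", "file:/lib/libc.so", "proc:bash"),
    (6.0, "fork", "proc:bash", "proc:id"),                 # bash runs `id` through a pipe (rule 2)
    (6.5, "write", "proc:id", "pipe:p1"),
    (7.0, "read", "pipe:p1", "proc:bash"),
    (7.5, "write", "proc:login_b", "file:/var/run/utmp"),  # utmp traffic is low-control (rule 3)
    (8.0, "read", "file:/var/run/utmp", "proc:backdoor"),
    (8.5, "write", "proc:bash", "file:/tmp/cfg"),
    (8.7, "read", "file:/tmp/cfg", "proc:backdoor"),
    (9.0, "write", "proc:backdoor", "file:/etc/passwd"),   # the write Tripwire later reports
    (10.5, "write", "proc:logrotate", "file:/tmp/late"),
    (11.0, "read", "file:/tmp/late", "proc:backdoor"),     # later than the write that mattered
    (12.0, "read", "file:/etc/passwd", "proc:ls"),         # after the detection point
]
DETECTION_POINT = ("file:/etc/passwd", 10.0)               # object and time of the alert
LOW_CONTROL_OBJECTS = {"file:/var/run/utmp"}               # assumed default rule, like utmp in the paper


def backtrack(log, detection):
    """Backward traversal with a time threshold per object, in the spirit of GraphGen.

    An event is followed only if it happened before the threshold of its sink, i.e. before
    the latest moment at which that sink could still have influenced the detection point.
    Returns the set of events (edges) in the backward dependency graph.
    """
    obj, t0 = detection
    incoming = defaultdict(list)
    for ev in log:
        incoming[ev[3]].append(ev)
    threshold = {obj: t0}
    edges = set()
    work = deque([obj])
    while work:
        sink = work.popleft()
        for ev in incoming[sink]:
            t, _, src, _ = ev
            if t >= threshold[sink]:
                continue                      # too late to have affected this sink
            edges.add(ev)
            if threshold.get(src, -1.0) < t:  # keep the latest useful time per source
                threshold[src] = t
                work.append(src)
    return edges


def objects(edges):
    """Nodes of a graph given as a set of events."""
    return {ev[2] for ev in edges} | {ev[3] for ev in edges}


def filter_log(log):
    """Drop events covered by the three default prioritisation rules on the slide."""
    written = {ev[3] for ev in log if ev[1] == "write"}
    parent = {ev[3]: ev[2] for ev in log if ev[1] == "fork"}
    readers, writes_by = defaultdict(set), defaultdict(set)
    for _, kind, src, sink in log:
        if kind == "read":
            readers[src].add(sink)
        elif kind == "write":
            writes_by[src].add(sink)
    # Rule 2 (constructed test): a helper is a forked leaf process whose every output
    # is read only by its parent, e.g. `id` talking to bash over a pipe.
    helpers = set()
    for child, par in parent.items():
        outs = writes_by[child]
        if child not in parent.values() and outs and all(readers[o] == {par} for o in outs):
            helpers.add(child)
            helpers.update(outs)
    kept = []
    for ev in log:
        objs = {ev[2], ev[3]}
        if any(o.startswith("file:") and o not in written for o in objs):
            continue                          # Rule 1: read-only file
        if objs & helpers:
            continue                          # Rule 2: helper process and its pipe
        if objs & LOW_CONTROL_OBJECTS:
            continue                          # Rule 3: low-control event
        kept.append(ev)
    return kept


if __name__ == "__main__":
    full = backtrack(LOG, DETECTION_POINT)
    pruned = backtrack(filter_log(LOG), DETECTION_POINT)
    print(f"unfiltered: {len(objects(full))} objects, filtered: {len(objects(pruned))} objects")
    for t, kind, src, sink in sorted(pruned):
        print(f"{t:5.1f} {kind:5} {src} -> {sink}")
```

On this log the unfiltered backward graph has 13 objects, including libc, the `id` helper with its pipe and the utmp chain; after the three rules it shrinks to 8, and the chain sock:attacker → httpd → sh → /tmp/backdoor → backdoor → /etc/passwd is what remains. Note that /tmp/late never appears even without filtering: the read happened after the write to /etc/passwd, so the time threshold excludes it.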
Implementation
• Prototype built on Linux 2.4.18
• Both stand-alone and virtual machine
• Hook the system call handler
• Inspect the state of the OS directly
[Figure: virtual-machine implementation (Guest Apps and Guest OS above a VMM containing the EventLogger, on the Host OS) beside the stand-alone implementation (Host Apps above the Host OS with the EventLogger).]
Evaluation
• Determine the effectiveness of BackTracker
• Set up a honeypot virtual machine
• Intrusion detection using standard tools
– TripWire, Ethereal, Snort
• Attacks evaluated with six default filtering rules
BackTracker Limitations
• Layer-below attack (e.g. VMM)
• Use “low-control” events or filtered objects to carry out the attack
• Hidden channels
– e.g. steal a password and log in next time
• Create a large dependency graph
– Perform a large number of steps
– Implicate innocent processes
• Single host, without network dependencies
• 1.2 GB/day/host of log is too large
Cross-host multi-hop attacks
• Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network
• Forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack
[Figure: multi-hop attack across hosts A, B, C, D. Labels: Attacker, ssh log in, modify some files, download/replace exes, /etc/passwd, ls, user, detection point, Backtracker.]
Enriching intrusion alerts through multi-host causality, NDSS’05
Dependency explosion
BEEP: High Accuracy Attack Provenance via Binary-based Execution Partition, NDSS’13
Insight
• The execution of a wide range of applications (both server-side and client-side) is dominated by a small number of loops, each with a large number of iterations.
• Each iteration of such a loop can be considered a semantically autonomous unit, as it often operates on an independent input object.
Technique
• Reverse engineer such loops from application binaries.
• Reverse engineer instructions that could cause workflow between units.
• Perform selective logging of unit boundaries and unit dependences (memory dependences).
An example
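The following is an added example of the dependency-explosion problem and of the unit idea, not BEEP's code or its figure. BEEP recovers loop boundaries and inter-unit memory dependences from the binary; here a per-iteration trace of one long-running server process is constructed by hand, with unit numbers and mem_read/mem_write records given as labels, so that the difference between whole-process and unit-level provenance can be computed directly.

```python
"""Added example: why one long-running process causes dependency explosion, and how
unit partitioning (BEEP's idea) removes it. Constructed trace with unit labels; not BEEP's code."""
from collections import defaultdict

# Constructed trace of one server process: (unit, op, object), where a unit is one iteration
# of the request-handling loop. read/write are the socket and file events BackTracker would log;
# mem_write/mem_read stand for the inter-unit memory dependences BEEP logs selectively.
TRACE = [
    (1, "read", "sock:client_A"),
    (1, "mem_write", "g_session"),       # iteration 1 stores something in a global
    (1, "write", "file:/srv/out_A"),
    (2, "read", "sock:client_B"),
    (2, "write", "file:/srv/out_B"),
    (3, "read", "sock:client_C"),
    (3, "mem_read", "g_session"),        # iteration 3 consumes what iteration 1 stored
    (3, "write", "file:/srv/out_C"),
    (4, "read", "sock:client_D"),
    (4, "write", "file:/srv/out_D"),
]


def process_level_sources(trace, target):
    """Whole-process granularity: an output depends on every input the process read before it."""
    idx = next(i for i, r in enumerate(trace) if r[1] == "write" and r[2] == target)
    return {obj for _, op, obj in trace[:idx] if op == "read"}


def unit_dependences(trace):
    """unit -> set of earlier units it depends on through memory (read-after-write on a global)."""
    last_writer, deps = {}, defaultdict(set)
    for unit, op, obj in trace:
        if op == "mem_write":
            last_writer[obj] = unit
        elif op == "mem_read" and last_writer.get(obj, unit) != unit:
            deps[unit].add(last_writer[obj])
    return deps


def unit_level_sources(trace, target):
    """Unit granularity: inputs of the output's own unit plus of units reachable
    backwards through memory dependences."""
    deps = unit_dependences(trace)
    start = next(u for u, op, obj in trace if op == "write" and obj == target)
    seen, work = set(), [start]
    while work:
        u = work.pop()
        if u in seen:
            continue
        seen.add(u)
        work.extend(deps[u])
    return {obj for u, op, obj in trace if u in seen and op == "read"}


if __name__ == "__main__":
    for _, op, obj in TRACE:
        if op == "write":
            print(obj, "process-level:", sorted(process_level_sources(TRACE, obj)),
                  "unit-level:", sorted(unit_level_sources(TRACE, obj)))
```

At process granularity every later output is blamed on every earlier client (out_D on all four), which is the explosion the slide names; at unit granularity out_D depends only on client_D, while out_C correctly keeps client_A as well because of the memory dependence between iterations 1 and 3.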
References
• S. T. King and P. M. Chen. Backtracking Intrusions. In SOSP 2003.
• S. T. King, Z. M. Mao, D. G. Lucchetti, and P. M. Chen. Enriching Intrusion Alerts Through Multi-Host Causality. In NDSS 2005.
• K. H. Lee, X. Zhang, and D. Xu. High Accuracy Attack Provenance via Binary-based Execution Partition. In NDSS 2013.