Transcript of "Atc ny friday-talk_20080808"
Description: The seemingly innocent things you can do to render your PC unusable

Slide 1: System Support for Rapid Recovery and Attack Resistance. A Friday ATC-NY Talk by Todd Deshane.

Slide 2: Overview
- Motivation
- Goals
- Background
- Architecture
- Evaluation
- Plan of Work

Slide 3: Motivation
- Computers on the Internet are vulnerable
  - Even with the latest updates and virus definitions
    - Zero-day exploits
- Malware effects
  - User data compromised
  - System controlled by attacker
- Restoration of system and user data
  - Time-consuming
  - Difficult for users
  - Not always possible (e.g. digital photos)

Slide 4: Motivation
"New methods are being invented, new tricks, and every year it gets worse... We are losing the battle... Most companies don't know they have been attacked." - Bruce Schneier
"The average top executive doesn't understand security, but we have to change that... Security is an imperative. It's no longer just a good idea." - Allen Kerr
"Virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase." - Kaspersky Labs

Slide 5: Motivation
"Very sophisticated tools are commercially available in black markets... This has made [the Internet] more attractive for organized crime: [criminals] no longer have to be geeks." - James Lewis
"Although security awareness continues to improve, hackers and malicious code authors are releasing threats faster than ever before, with approximately 200 per cent more malicious threats per day than two years ago." - Stuart McClure (2006)
"Over one third [of IT Companies] were hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack." - 2007 Secure64 Survey

Slide 6: Motivation
"Ooooh! I got some pics from my buddy Joe :)" John is a typical desktop user who uses his computer to communicate with friends on IM and email, and to surf the web.

Slide 7: Without the Rapid Recovery System
(Figure. What the "pics" get at once they run: credit card numbers, email contacts, passwords.)

Slide 8: With the Rapid Recovery System
John tries to load the pictures in his photo VM, but the action is denied, since the "pics" are actually executables. An error message is displayed to John.

Slide 9: With the Rapid Recovery System
John really wants to see the pics, so he ignores the error, copies the "pics" to his Internet VM and clicks on them. The executable runs and instantly tries to start its built-in IRC server and begins scanning for personal data.

Slide 10: With the Rapid Recovery System
Either of these actions causes the Internet VM to be reset. The built-in firewall of the Rapid Recovery System does not allow the Internet VM to create a server. An error message appears when the Internet VM restarts. John finds out that these were not pics.
Slide 11: The Minefield of Personal Computer Use. Scenario: Open an attachment containing a mass-emailing virus. Without the Rapid Recovery System
- Notice a slowdown of the machine, unsure of the cause.
- Reboot the machine; still slow.
- Look in the process list and attempt to kill a suspicious process; it regenerates itself.
- Call tech support and make an appointment to take the computer in to be fixed.
- The newest backup is 1 month old; some recent reports and pictures are lost.
- 3 weeks later, get the machine back with the OS re-installed.

Slide 12: The Minefield of Personal Computer Use. Scenario: Open an attachment containing a mass-emailing virus. With the Rapid Recovery System
- The attachment is written into the email log.
- The NET-VM flags a violation of the network contract and pauses the VM.
- The system asks the user whether to roll back to the last known good image.
- Roll back and remount the personal data store.
- Some system data (logs, etc.) in the VM appliance is lost, but no personal data is lost.
- The machine is back in working order in less than 1 hour.

Slide 13: The Minefield of Personal Computer Use. Scenario: Surf to the wrong website. Without the Rapid Recovery System
- A malicious program scans the hard drive for credit card numbers.
- The user does not notice any sign of trouble.
- The program sends out a small amount of data containing the information discovered.
- The program installs a backdoor for later use by the attacker.

Slide 14: The Minefield of Personal Computer Use. Scenario: Surf to the wrong website. With the Rapid Recovery System
- The malicious program begins to read the hard drive for credit card numbers.
- The FS-VM triggers a violation of the data access contract and pauses the VM.
- The system asks the user whether to roll back to the last known good image.
- Roll back and remount the personal data store.
- The scan is not completed, the information is not sent, and the backdoor is prevented.

Slide 15: The Minefield of Personal Computer Use. Scenario: Install a required software update. Without the Rapid Recovery System
- After the update, several applications cannot find some required components.
- The user calls tech support, who confirm the problems with the patch.
- The best recommendation is to completely uninstall and re-install the applications.
- It takes a few hours to assemble the installation media, find the product keys, and follow the instructions.

Slide 16: The Minefield of Personal Computer Use. Scenario: Install a required software update. With the Rapid Recovery System
- After the update, several applications cannot find some required components.
- The user calls tech support, who confirm the problems with the patch.
- The user decides to roll back to the last known good image.
- The machine is back up and running in minutes.
Slide 17: Goals
- Provide attack resistance and rapid recovery
- Isolate and protect user data from attacks
- Provide automatic and user-triggered checkpoints
- Safe testing of system and application updates
- Facilitate forensic analysis

Slide 18: Background: Security
- Early Internet based on openness/trust
- First documented Internet worm: 1988
- Malware becomes a large-scale problem: late 1990s
- Criminal malware networks (botnets)
  - DDoS, digital blackmail, account/credit info
- Attack defenses
  - Antivirus software
  - Firewalls
  - Intrusion detection systems

Slide 19: Background: Virtualization
- Virtual Machine Monitor
  - Pioneered by IBM
  - Software/hardware co-evolution
- Intel VT and AMD-V
  - Software/hardware co-evolution (again)
  - Next-generation virtualization hardware
- Xen hypervisor (VMM)
  - Paravirtual guests (e.g. Linux, *BSD)
  - HVM guests (e.g. Microsoft Windows)

Slide 20: Background: Virtualization + Security
- VMs used as sandboxes
- VMs can be monitored from below
- System security and fault tolerance
  - Replicate system state to a backup VM
  - Secure logging and replay
  - Backtracking intrusions
  - Safe testing/integration of untrusted code
  - Protection against rootkits

Slide 21: Background: System Reset Facilities
- DeepFreeze
  - Restore to a trusted checkpoint on each boot
- Windows System Restore
  - Keep checkpoints of system state for rollback
- Both of these lack:
  - User data protection/rollback
  - Attack prevention/detection
Slide 22: System Architecture (diagram). Labels: Internet, Hardware (NIC, Disk), Xen Hypervisor, Domain 0 (Management), NET-VM, Internal Network, VMA 1 ... VMA N, Isolated Network, FS-VM. Reading of the diagram: the NET-VM owns the NIC and sits between the Internet and the internal network the virtual machine appliances (VMAs) use; the FS-VM owns the disk and serves the appliances over a separate isolated network; Domain 0 manages the NET-VM, the FS-VM and the appliances.

Slide 23: Benefits
- Intrusion detection and attack prevention
- Protection of user data
- Checkpoint and restart of virtual machine appliances
- Rapid first-time installation
- Model for software distribution
- Complement and enhance backups

Slide 24: Evaluation
- Resistance/protection against attacks
  - Categorize attacks
  - Defense strategies against attacks
- Performance overhead
  - Overhead of virtualization technology
  - Overhead of the file system virtual machine

Slide 25: Evaluation: Attacks
- Backdoor attacks
  - Initiate/listen for connections
  - Send and receive data
- Malicious attacks
  - Copy infected executables to shared folders
  - Attempt to destroy data
- Spyware attacks
  - Harvest email addresses and other personal data
- Vulnerability attacks
  - Exploit a vulnerability in specific server software

Slide 26: Evaluation: Defenses
- Block unused ports
  - Backdoor attacks can't access the Internet
  - Vulnerable services are not running
- Restrictions on read, write, and/or append access
  - Malicious attacks can't write/delete user data
  - Spyware attacks can't read user data
- Detect unexpected behavior and roll back
  - Anomalies raise errors/warnings
  - Prompt the user or roll back automatically
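The NET-VM half of the first and third defenses on this slide (block unused ports; detect unexpected behavior and roll back), written out as an added example. This is not code from the talk or from the Clarkson prototype. It assumes that the NET-VM driver domain's iptables rules log every new connection crossing an appliance's virtual interface with the prefix NETVM-CONTRACT, that the email appliance is Xen domain 3 (so its interface is vif3.0, with IN=vif3.0 for packets leaving the appliance and OUT=vif3.0 for packets headed into it), and that the appliance's contract is the allowlist below. The log lines are constructed for the example. A SYN without ACK opens a TCP connection; replies (ACK SYN) are ignored, so normal mail traffic passes, while an outbound IRC connection, an inbound connection to a listener the appliance should not have, and an outbound SMB probe are each reported as a contract violation that would pause the VM.

```python
"""NET-VM network-contract check over iptables LOG lines (added example, not from the talk)."""
import re

# Contract for the email appliance: the only NEW connections it may open, and the
# connections it may accept (none: an email client runs no servers).
# Assumption: the appliance is Xen domain 3, i.e. its interface in the NET-VM is vif3.0.
EMAIL_CONTRACT = {
    "vif": "vif3.0",
    "outbound": {("tcp", 25), ("tcp", 465), ("tcp", 587),
                 ("tcp", 143), ("tcp", 993), ("udp", 53)},
    "inbound": set(),
}

# Constructed sample, in the format iptables' LOG target writes to the kernel log.
# Assumption: the NET-VM logs every new connection on an appliance vif with
# --log-prefix "NETVM-CONTRACT ".
SAMPLE_LOG = """\
Aug  8 10:15:01 netvm kernel: NETVM-CONTRACT IN=vif3.0 OUT=eth0 SRC=10.0.0.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=587 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:15:01 netvm kernel: NETVM-CONTRACT IN=eth0 OUT=vif3.0 SRC=192.0.2.10 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=587 DPT=40001 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug  8 10:15:02 netvm kernel: NETVM-CONTRACT IN=vif3.0 OUT=eth0 SRC=10.0.0.3 DST=198.51.100.7 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=41
Aug  8 10:16:40 netvm kernel: NETVM-CONTRACT IN=vif3.0 OUT=eth0 SRC=10.0.0.3 DST=203.0.113.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40002 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:16:41 netvm kernel: NETVM-CONTRACT IN=eth0 OUT=vif3.0 SRC=203.0.113.99 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  8 10:16:42 netvm kernel: NETVM-CONTRACT IN=vif3.0 OUT=eth0 SRC=10.0.0.3 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:16:43 netvm kernel: NETVM-CONTRACT IN=vif5.0 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")              # KEY=VALUE tokens
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare TCP flag words


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line plus the set of TCP flags."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = set(FLAG_RE.findall(line))
    return fields


def opens_connection(f):
    """True for packets that start a flow: a TCP SYN without ACK, or any UDP datagram."""
    proto = f.get("PROTO", "").lower()
    if proto == "tcp":
        return "SYN" in f["flags"] and "ACK" not in f["flags"]
    return proto == "udp"


def classify(f, contract):
    """('ok'|'violation', reason) for a flow on the contract's vif, None for anything else."""
    if not opens_connection(f):
        return None
    if f.get("IN") == contract["vif"]:
        direction = "outbound"          # appliance is the initiator
    elif f.get("OUT") == contract["vif"]:
        direction = "inbound"           # someone is connecting to the appliance
    else:
        return None                     # another appliance's traffic
    key = (f["PROTO"].lower(), int(f["DPT"]))
    if key in contract[direction]:
        return ("ok", f"{direction} {key[0]}/{key[1]} {f['SRC']}->{f['DST']}")
    if direction == "inbound":
        reason = (f"inbound {key[0]}/{key[1]} on {f['DST']}: appliance accepts no "
                  f"connections (unexpected listener, e.g. a backdoor or IRC server)")
    else:
        reason = f"outbound {key[0]}/{key[1]} to {f['DST']} is not in the contract"
    return ("violation", reason)


def audit(lines, contract):
    """Run every log line through the contract; returns the list of verdicts."""
    report = []
    for line in lines:
        if line.strip():
            verdict = classify(parse_log_line(line), contract)
            if verdict:
                report.append(verdict)
    return report


def needs_pause(report):
    """The slide's response to a contract violation: pause the VM and offer a rollback."""
    return any(verdict == "violation" for verdict, _ in report)
```

Running `audit(SAMPLE_LOG.splitlines(), EMAIL_CONTRACT)` reports the submission and DNS flows as within contract and the three others as violations, so `needs_pause` is true; the iptables rules behind the allowlist are what actually drop the packets, and this check is what turns the dropped-and-logged packets into the "pause, then prompt for rollback" step on slide 12.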
Slide 27: Evaluation: Performance (chart; not in the transcript)

Slide 28: Plan of Work
- Construction and integration of a separate NET-VM component
- Tight integration of NET-VM and FS-VM into the virtual machine support layer of Xen
- A comprehensive virtual machine appliance contract system
- Evaluation of the system
  - Performance
  - Functionality
Slide 29: System Architecture (the diagram from slide 22, repeated)

Slide 30: Plan: Construct and Integrate NET-VM
- Network Intrusion Detection System (Snort)
- Firewall (iptables)
- Xen driver domain

Slide 31: Plan: Xen Support for NET-VM/FS-VM
- NET-VM already possible (driver domain)
- FS-VM granted file system access/control
- Xen communicates rules to NET-VM and FS-VM when a new domain is created
- NET-VM and FS-VM detect violations
  - Violations enforced/communicated to Xen
  - Appropriate actions taken by Xen
    - Shutdown
    - Restart
    - Restore guest
    - Notify user
    - Prepare guest for forensic analysis

Slide 32: Plan: Comprehensive Contract System
- Virtual machine appliance contracts
  - Specify the behavior of appliances
    - Network access
    - File system access
- Use existing NIDS and firewall rules
- Build upon the existing Xen configuration file
  - Add file system and network rule support

Slide 33: Plan: Evaluation of Modified System
- Performance
  - I/O: read, write
  - Network: send, receive
  - CPU overhead
- Functionality
  - Resistance to attack
  - Recovery from attack
- Construct virtual machine appliances

Slide 34: Related/Proposed Projects at Clarkson
- Log-Structured File System (LFS) for FS-VM
  - Enable rollback of writes with LFS
- Isolation testing of virtualization systems
  - Performance isolation testing methodology and results
- Power testing of virtualization systems
  - Recommend/improve power-friendly VMMs
- Tools for forensic analysis
  - Capture/export compromised VM
  - Recommend defense strategies
- Tools for contract inspection
  - Visualize access granted by contract

Slide 35: Questions/Comments?
Slide 37: Backup Slides. These won't fit in the presentation, but if there are questions, some of these slides might help.

Slide 38: Virtualization Motivation Backup Slides. More virtualization basics and why to use virtualization.

Slide 39: Terminology
- Virtual Machine Monitor (VMM)
  - Also known as: hypervisor
  - Thin software layer between the hardware and the "guest" operating system
  - First to the hardware
- Examples of VMMs:
  - VMware, Xen, Parallels, z/VM, MS Viridian, QEMU, KVM, ...

Slide 40: VMM with a Picture (diagram; not in the transcript)

Slide 41: Virtualization Predictions
- 9 of 10 enterprises will have virtualization by 2007 - Yankee Group (August 2007)
- Physical server growth near zero within 2012 - Bernstein (August 2007)
- Over 50% of physical servers will be virtualized in 2011 - IDC (July 2007)
- Virtualization services market to reach $11.7 billion by 2011 - IDC (July 2007)
- Server market to hardly grow over 2% annually through 2011 because of virtualization - IDC (July 2007)

Slide 42: Virtualization Predictions
- 25% of enterprise data center servers to be virtual by 2010 - Intel (July 2007)
- A Microsoft hypervisor for Vista expected in mid-2009 - Gartner (July 2007)
- Virtualization will be part of nearly every aspect of IT by 2015 - Gartner (May 2007)
- 3 million virtual machines expected in 2009 - Gartner (May 2007)

Slide 43: Virtualization Predictions
- Virtualization and multicore will cost $2.4 billion in customer spending between 2006 and 2010 - IDC (March 2007)
- OS virtualization to become mainstream by 2010 - Gartner (December 2006)
- Virtualization market to grow to $15 billion worldwide by 2009 - IDC (October 2006)

Slide 44: Performance Backup Slides. Xen vs. VMware performance.

Slide 45: System Performance (chart; not in the transcript)

Slide 46: Guest Configuration File Backup Slides. More details of the syntax.
Slide 47: Plan: File System Rule Language

The proposed additions to the Xen guest configuration file, which is read as Python. Each fs_rule is "id, operation, byte budget, window in seconds"; each disk entry names the FS-VM export, the mount point inside the appliance, and the colon-separated fs_rule ids that apply to it. Because the file is Python, repeated assignments to the same name would overwrite each other, so all rules of one kind go into a single list:

    # Example file system rule set for an email client.
    fs_rule = [ 'id=1, read, 1024, 5',     # read at most 1024 bytes of data in 5 seconds
                'id=2, append, 1024, 3',   # append at most 1024 bytes of data in 3 seconds
                'id=3, write, 320, 3' ]    # write at most 320 bytes in 3 seconds

    # The email mount point is accessible to the email client; fs_rules with id=1 and
    # id=2 apply to the mailbox, and fs_rules with id=1 and id=3 apply to attachments.
    disk = [ 'fsvm:/mnt/email, /home/user/mail, fs_rule=1:2',
             'fsvm:/mnt/email, /home/user/attachments, fs_rule=1:3' ]

Slide 48: Plan: Network Rule Language

Each network_rule names the engine (iptables or snort) and the rule file the NET-VM loads for this appliance; the vif entry attaches the rules to the appliance's virtual interface alongside Xen's existing rate limit:

    # Email client example continued
    network_rule = [ 'id=1, iptables, file=/etc/iptables/email_client',
                     'id=2, snort, file=/etc/snort/rules/email_client' ]
    vif = [ 'rate=2Mb/s, network_rule=1:2' ]
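A parser and enforcer for the contract syntax of slides 47 and 48, added here as an illustration; it is not code from the talk or from the Clarkson prototype. It loads the config the way a contract checker should (accepting only literal assignments, so a contract file can never execute code), resolves the fs_rule ids each disk entry names, and then plays the FS-VM's role: every access an appliance makes to a mounted path must be an operation some attached rule permits, and must fit inside that rule's byte budget for a sliding window. The mount paths, the access trace, the choice that a denied access is not counted against the budget, and the choice that each mount gets its own budget per rule are assumptions for the example; the network_rule and vif entries are loaded but only the file system rules are enforced here.

```python
"""FS-VM contract enforcement for the proposed fs_rule/disk syntax (added example, not from the talk)."""
import ast
from collections import deque, namedtuple

# Constructed sample: the email-client contract from the backup slides, as one
# Python-syntax config file (Xen evaluates its guest config file as Python).
SAMPLE_CONFIG = """
fs_rule = [ 'id=1, read, 1024, 5',
            'id=2, append, 1024, 3',
            'id=3, write, 320, 3' ]
disk = [ 'fsvm:/mnt/email, /home/user/mail, fs_rule=1:2',
         'fsvm:/mnt/email, /home/user/attachments, fs_rule=1:3' ]
network_rule = [ 'id=1, iptables, file=/etc/iptables/email_client',
                 'id=2, snort, file=/etc/snort/rules/email_client' ]
vif = [ 'rate=2Mb/s, network_rule=1:2' ]
"""

FsRule = namedtuple("FsRule", "id op max_bytes window_s")   # op: read | write | append
Mount = namedtuple("Mount", "source target rule_ids")        # rule_ids: fs_rule ids applied


def load_config(text):
    """Accept only `name = <literal>` assignments, so a contract file can never run code."""
    cfg = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError("contract config may only contain simple assignments")
        cfg[node.targets[0].id] = ast.literal_eval(node.value)   # rejects calls, names, etc.
    return cfg


def _split(entry):
    """'a, b, k=v' -> (['a', 'b'], {'k': 'v'}): positional fields and key=value fields."""
    parts = [p.strip() for p in entry.split(",")]
    return [p for p in parts if "=" not in p], dict(p.split("=", 1) for p in parts if "=" in p)


def parse_fs_rule(entry):
    (op, max_bytes, window), kv = _split(entry)
    if op not in ("read", "write", "append"):
        raise ValueError(f"unknown fs operation {op!r}")
    return FsRule(int(kv["id"]), op, int(max_bytes), float(window))


def parse_mount(entry):
    (source, target), kv = _split(entry)
    return Mount(source, target, tuple(int(i) for i in kv.get("fs_rule", "").split(":") if i))


class FsContract:
    """Every access to a mounted path must be an operation some attached rule permits
    and must fit that rule's byte budget for a sliding window. Denied accesses are not counted."""

    def __init__(self, cfg):
        self.rules = {r.id: r for r in map(parse_fs_rule, cfg.get("fs_rule", []))}
        self.mounts = [parse_mount(d) for d in cfg.get("disk", [])]
        for m in self.mounts:
            if set(m.rule_ids) - set(self.rules):
                raise ValueError(f"{m.target}: references an undefined fs_rule id")
        self._history = {}   # (mount target, rule id) -> deque of (time, bytes)

    def _mount_for(self, path):
        """Longest mount target that is a prefix of path, or None if the path is not mounted."""
        hits = [m for m in self.mounts
                if path == m.target or path.startswith(m.target.rstrip("/") + "/")]
        return max(hits, key=lambda m: len(m.target), default=None)

    def check(self, path, op, nbytes, now):
        """Return None if the access is within contract, else the violation text."""
        m = self._mount_for(path)
        if m is None:
            return f"{path}: not mounted for this appliance"
        rules = [self.rules[i] for i in m.rule_ids if self.rules[i].op == op]
        if not rules:
            return f"{path}: {op} not permitted by contract"
        for r in rules:
            q = self._history.setdefault((m.target, r.id), deque())
            while q and now - q[0][0] >= r.window_s:   # age out accesses older than the window
                q.popleft()
            used = sum(n for _, n in q)
            if used + nbytes > r.max_bytes:
                return (f"{path}: {op} of {nbytes} bytes exceeds rule {r.id} "
                        f"({r.max_bytes} bytes per {r.window_s:g}s, {used} already used)")
        for r in rules:
            self._history[(m.target, r.id)].append((now, nbytes))
        return None


def demo():
    """Constructed trace (path, op, bytes, seconds): a mail client at work, then the
    behaviour a spyware or worm payload in the same appliance would show."""
    c = FsContract(load_config(SAMPLE_CONFIG))
    trace = [
        ("/home/user/mail/inbox", "read", 600, 0.0),
        ("/home/user/mail/inbox", "read", 400, 1.0),
        ("/home/user/mail/inbox", "read", 100, 2.0),              # 1100 bytes inside 5 s
        ("/home/user/mail/inbox", "read", 100, 5.5),              # the first read has aged out
        ("/home/user/mail/inbox", "write", 10, 6.0),              # mailbox is read/append only
        ("/home/user/mail/inbox", "append", 800, 6.0),
        ("/home/user/attachments/pics.exe", "write", 300, 7.0),
        ("/home/user/attachments/pics.exe", "write", 100, 8.0),   # 400 > 320 inside 3 s
        ("/home/user/photos/x.jpg", "read", 10, 9.0),             # outside this appliance's mounts
        ("/home/user/attachments/", "read", 4096, 10.0),          # bulk scan for card numbers
    ]
    return [c.check(*access) for access in trace]
```

`demo()` returns one verdict per access: the mail client's reads and append pass, the third read trips rule 1 once the window holds 1000 bytes, the write to the mailbox is refused because no write rule is attached there, the second attachment write exceeds rule 3, the photo directory is simply not mounted, and the 4096-byte scan of attachments is stopped by rule 1 before it starts. This is the check that, on slide 14, makes the FS-VM pause the VM before a credit-card scan completes.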
Slide 49: Attacks Backup Slides. More details/example attacks looked at.

Slide 50: Evaluation of Prototype: Attacks
- Category/Behavior: Backdoor attacks initiate and listen for connections to send and receive data
- Examples: W32.MyDoom, W32.Bagel
- Defenses:
  - Block unused ports
  - Detect unexpected behavior and roll back to a trusted image

Slide 51: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that copy infected executables to shared folders or attempt to destroy data
- Examples: W32.Netsky, W32.Netad
- Defenses:
  - Restrictions on write access to personal data
  - Detect unexpected behavior and roll back to a trusted image

Slide 52: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that harvest email addresses and other personal data
- Examples: W32.Zafi.D, PWSteal.Ldpinch.E
- Defenses:
  - Restrictions on read access to personal data
  - Detect unexpected behavior and roll back to a trusted image

Slide 53: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that exploit a vulnerability in specific server software
- Examples: MySQL UDF, Blaster, Slammer
- Defenses:
  - Block unused ports (if not running the server software)
  - Detect unexpected behavior and roll back to a trusted image (if running the server software)