Ph d proposal_20070809

Slide 1: System Support for Rapid Recovery and Attack Resistance
A Proposal Defense by Todd Deshane
Advisor: Jeanna Matthews

Slide 2: Overview
- Motivation
- Goals
- Background
- Prototype Architecture
- Evaluation of Prototype
- Plan of Work

Slide 3: Motivation
- Computers on the Internet are vulnerable
  - Even with the latest updates and virus definitions
    - Zero-day exploits
- Malware effects
  - User data compromised
  - System controlled by attacker
- Restoration of system and user data
  - Time-consuming
  - Difficult for users
  - Not always possible (e.g. digital photos)

Slide 4:
"New methods are being invented, new tricks, and every year it gets worse... We are losing the battle... Most companies don't know they have been attacked." - Bruce Schneier
"The average top executive doesn't understand security, but we have to change that... Security is an imperative. It's no longer just a good idea." - Allen Kerr
"Virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase." - Kaspersky Labs

Slide 5:
"Very sophisticated tools are commercially available in black markets... This has made [the Internet] more attractive for organized crime: [criminals] no longer have to be geeks." - James Lewis
"Although security awareness continues to improve, hackers and malicious code authors are releasing threats faster than ever before, with approximately 200 per cent more malicious threats per day than two years ago." - Stuart McClure
"Over one third [of IT Companies] hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack." - Recent Secure64 Survey
Slide 6: Goals
- Provide attack resistance and rapid recovery from exploits
- Isolate and protect user data from attacks
- Provide automatic and user-triggered checkpoints of system/application state
- Safe testing of system and application updates
- Facilitate forensic analysis

Slide 7: Background: Security
- Early Internet based on openness/trust
- First documented Internet worm: 1988
- Malware becomes a large-scale problem: late 1990s
- Criminal malware networks (botnets)
  - DDoS, digital blackmail, account/credit info
- Attack defenses
  - Antivirus software
  - Firewalls
  - Intrusion detection systems

Slide 8: Background: Virtualization
- Virtual Machine Monitor
  - Pioneered by IBM
  - Software/hardware co-evolution
- Intel VT-x and AMD-V
  - Software/hardware co-evolution (again)
  - Next-generation virtualization hardware
- Xen hypervisor (VMM)
  - Paravirtual guests (e.g. Linux, *BSD)
  - HVM guests (e.g. Microsoft Windows)

Slide 9: Background: Virtualization + Security
- VMs used as sandboxes
- VMs can be monitored from below
- System security and fault tolerance
  - Replicate system state to a backup VM
  - Secure logging and replay
  - Backtracking intrusions
  - Safe testing/integration of untrusted code
  - Protection against rootkits

Slide 10: Background: System Reset Facilities
- DeepFreeze
  - Restore to trusted checkpoint on each boot
- Windows System Restore
  - Keep checkpoints of system state for rollback
- Both of these lack:
  - User data protection/rollback
  - Attack prevention/detection
Slide 11: Prototype Architecture (figure)

Slide 12: Benefits of Prototype
- Intrusion detection and attack prevention
- Protection of user data
- Checkpoint and restart of virtual machine appliances
- Rapid first-time installation
- Model for software distribution
- Complement and enhance backups

Slide 13: Evaluation of Prototype
- Resistance/protection against attacks
  - Categorize attacks
  - Defense strategies against attacks
- Performance overhead
  - Overhead of virtualization technology
  - Overhead of file system virtual machine

Slide 14: Evaluation of Prototype: Attacks
- Category/Behavior: Backdoor attacks initiate and listen for connections to send and receive data
- Examples: W32.MyDoom, W32.Beagle (Bagle)
- Defenses:
  - Block unused ports
  - Detect unexpected behavior and roll back to trusted image

Slide 15: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that copy infected executables to shared folders or attempt to destroy data
- Examples: W32.Netsky, W32.Netad
- Defenses:
  - Restrictions on write access to personal data
  - Detect unexpected behavior and roll back to trusted image

Slide 16: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that harvest email addresses and other personal data
- Examples: W32.Zafi.D, PWSteal.Ldpinch.E
- Defenses:
  - Restrictions on read access to personal data
  - Detect unexpected behavior and roll back to trusted image

Slide 17: Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that exploit a vulnerability in specific server software
- Examples: MySQL UDF, Blaster, Slammer
- Defenses:
  - Block unused ports (if not running the server software)
  - Detect unexpected behavior and roll back to trusted image (if running the server software)

Slide 18: Evaluation of Prototype: Performance (figure)
Slide 19: Plan of Work
- Construction and integration of a separate NET-VM component
- Tight integration of NET-VM and FS-VM into the virtual machine support layer of Xen
- A comprehensive virtual machine appliance contract system
- Evaluation of system
  - Performance
  - Functionality

Slide 20: Plan: Construct and Integrate NET-VM
- Network Intrusion Detection System (snort)
- Firewall (iptables)
- Xen driver domain

Slide 21: Plan: Modified Architecture (figure)

Slide 22: Plan: Xen Support for NET-VM/FS-VM
- NET-VM already possible (driver domain)
- FS-VM granted file system access/control
- Xen communicates rules to NET-VM and FS-VM when a new domain is created
- NET-VM and FS-VM detect violations
  - Violations enforced/communicated to Xen
  - Appropriate actions taken by Xen
    - Shutdown/restart/restore guest, notify user, prepare guest for forensic analysis, etc.

Slide 23: Plan: Comprehensive Contract System
- Virtual machine appliance contracts
  - Specify the behavior of appliances
    - Network access
    - File system access
- Use existing NIDS and firewall rules
- Build upon existing Xen configuration file
  - Add file system and network rule support

Slide 24: Plan: File System Rule Language
    # Example file system rule set for an email client.
    fs_rule = [ 'id=1, read, 1024, 5' ]    # read at most 1024 bytes of data in 5 seconds
    fs_rule = [ 'id=2, append, 1024, 3' ]  # append at most 1024 bytes of data in 3 seconds
    fs_rule = [ 'id=3, write, 320, 3' ]    # write at most 320 bytes in 3 seconds
    # The email mount point is accessible to the email client, and fs_rules
    # with id=1 and id=2 are applied.
    disk = [ 'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' ]
    # The email mount point is accessible to the email client, and fs_rules
    # with id=1 and id=3 are applied.
    disk = [ 'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3' ]

Slide 25: Plan: Network Rule Language
    # Email client example continued
    network_rule = ['id=1, iptables, file=/etc/iptables/email_client']
    network_rule = ['id=2, snort, file=/etc/snort/rules/email_client']
    vif = [ 'rate=2Mb/s, network_rule=1:2' ]
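The contract syntax on the two rule-language slides, together with the enforcement loop on slide 22 (Xen hands the rules to the FS-VM and NET-VM when a domain is created, they detect violations, Xen restores or shuts down the guest), is concrete enough to prototype. The Python below is an added example written for this page, not code from the Clarkson prototype or from Xen: it parses the slides' fs_rule/disk/network_rule/vif lines into rule tables, rejects a disk line that references an undefined rule, and runs a sliding-window byte counter over a constructed sequence of file operations from an email-client appliance. The slides do not say how "at most N bytes in T seconds" is counted or how the FS-VM reports a violation, so the window semantics (entries older than T seconds age out, a running total above N produces a violation record), the action names deny and restore, and the sample operations are this example's own assumptions. Network rules are only parsed, since their content lives in the referenced iptables and snort files.

```python
import re
from collections import defaultdict, deque

# Contract lines copied from the two rule-language slides (Xen-config style list literals).
CONTRACT = """
fs_rule = [ 'id=1, read, 1024, 5' ]
fs_rule = [ 'id=2, append, 1024, 3' ]
fs_rule = [ 'id=3, write, 320, 3' ]
disk = [ 'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' ]
disk = [ 'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3' ]
network_rule = ['id=1, iptables, file=/etc/iptables/email_client']
network_rule = ['id=2, snort, file=/etc/snort/rules/email_client']
vif = [ 'rate=2Mb/s, network_rule=1:2' ]
"""

LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*\[\s*'([^']*)'\s*\]\s*$")

def _ids(field, key):
    """'fs_rule=1:2' -> [1, 2], insisting on the expected key name."""
    k, _, val = field.partition("=")
    if k.strip() != key:
        raise ValueError(f"expected {key}=..., got {field!r}")
    return [int(x) for x in val.split(":") if x]

def parse_contract(text):
    """Parse contract lines into rule tables; fail closed on anything unexpected."""
    c = {"fs_rules": {}, "disks": [], "network_rules": {}, "vifs": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable contract line: {raw!r}")
        key, f = m.group(1), [x.strip() for x in m.group(2).split(",")]
        if key == "fs_rule":  # stored as (op, max bytes, window seconds)
            c["fs_rules"][_ids(f[0], "id")[0]] = (f[1], int(f[2]), float(f[3]))
        elif key == "disk":
            c["disks"].append({"backend": f[0], "mount": f[1], "rules": _ids(f[2], "fs_rule")})
        elif key == "network_rule":
            c["network_rules"][_ids(f[0], "id")[0]] = {"engine": f[1], "file": f[2].split("=", 1)[1]}
        elif key == "vif":
            opts = dict(x.split("=", 1) for x in f)
            c["vifs"].append({"rate": opts.get("rate"),
                              "rules": _ids("network_rule=" + opts["network_rule"], "network_rule")})
        else:
            raise ValueError(f"unknown contract key {key!r}")
    for d in c["disks"]:  # a mount granted under a rule that does not exist is a contract error
        if any(r not in c["fs_rules"] for r in d["rules"]):
            raise ValueError(f"disk {d['mount']} references an undefined fs_rule")
    return c

class FsContractMonitor:
    """Stand-in (assumed, not the prototype's design) for the FS-VM enforcement point: ungranted
    paths or ops are denied; a granted op over its byte budget within the window yields 'restore'."""

    def __init__(self, contract):
        self.rules = contract["fs_rules"]
        self.mounts = {d["mount"]: d["rules"] for d in contract["disks"]}
        self.history = defaultdict(deque)  # (mount, rule id) -> deque of (t, bytes)

    def _mount_for(self, path):
        hits = [m for m in self.mounts if path == m or path.startswith(m.rstrip("/") + "/")]
        return max(hits, key=len) if hits else None  # longest prefix wins

    def check(self, t, path, op, nbytes):
        mount = self._mount_for(path)
        if mount is None:
            return [{"action": "deny", "reason": "path not in contract", "path": path, "op": op}]
        matching = [r for r in self.mounts[mount] if self.rules[r][0] == op]
        if not matching:
            return [{"action": "deny", "reason": "op not granted", "path": path, "op": op}]
        out = []
        for rid in matching:
            _, max_bytes, window = self.rules[rid]
            hist = self.history[(mount, rid)]
            hist.append((t, nbytes))
            while hist and t - hist[0][0] > window:  # age out entries older than the window
                hist.popleft()
            total = sum(n for _, n in hist)
            if total > max_bytes:
                out.append({"action": "restore", "rule": rid, "mount": mount, "op": op,
                            "bytes": total, "window_s": window})
        return out

def run_demo():
    mon = FsContractMonitor(parse_contract(CONTRACT))
    events = [  # constructed sample operations (t seconds, path, op, bytes), not captured data
        (0.0, "/home/user/mail/INBOX", "read", 600),          # within the 1024 B / 5 s budget
        (1.0, "/home/user/mail/INBOX", "append", 300),        # append is granted on mail
        (2.0, "/home/user/mail/INBOX", "read", 500),          # 1100 B read in 5 s: harvesting pattern
        (3.0, "/home/user/mail/INBOX", "write", 10),          # in-place write never granted on mail
        (4.0, "/home/user/attachments/a.exe", "write", 300),  # within the 320 B / 3 s budget
        (9.0, "/home/user/attachments/a.exe", "write", 300),  # earlier write aged out of the window
        (10.0, "/etc/passwd", "read", 10),                    # outside every contracted mount
    ]
    return [v for ev in events for v in mon.check(*ev)]
```

Calling run_demo() returns three records: a restore for the 1100 bytes read from the mailbox inside the 5-second window (the read-restriction defense against harvesting on slide 16), a deny for the in-place write to the mailbox, which the contract never grants (the write-restriction defense on slide 15), and a deny for the read outside every contracted mount. The two 300-byte writes to the attachments mount pass because the first has aged out of rule 3's 3-second window by the time the second arrives, which is the behaviour a byte-per-interval rule implies and the reason a single unbounded counter would be the wrong implementation.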
Slide 26: Plan: Evaluation of Modified System
- Performance
  - I/O: read, write
  - Network: send, receive
  - CPU overhead
- Functionality
  - Resistance to attack
  - Recovery from attack
- Construct virtual machine appliances

Slide 27: Related Projects at Clarkson
- Log-Structured File System for FS-VM
  - Enable rollback of writes with LFS
- Design and application of advanced file system rules
- Tools for forensic analysis
  - Capture/export compromised VM
  - Recommend defense strategies
- Tools for contract inspection
  - Visualize access granted by contract

Slide 28: Questions/Comments?
