Using Labeling to Prevent Cross-Service Attacks Against Smart Phones
C. Mulliner, G. Vigna, D. Dagon, and W. Lee.

Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2006

Presented by: Ruchith Fernando
02-10-2011
Context

(figure: slide image not recoverable as text; only the operators "+" and "=>" survived)

    CS 626 - Ruchith Fernando        2
Problem Statement
●   Cross service attacks
    ●   New network-accessible services on the device
    ●   Vulnerable to attacks
    ●   Attacker can obtain access to valuable phone
        services
●   Stack protection
    ●   Was not widely available
    ●   Not enabled by default

Contributions
●   A proof of concept of cross service attacks
●   Policy Language
●   Implementation and evaluation

Proof of Concept
●   Phone : i-mate PDA2k
●   Vulnerable application : ftpsvr
    ●   Buffer overflow in strcpy in Session::SendToClient()
    ●   Shell code placed in a global variable (using the error handling
        mechanism)
●   Shell code
    ●   Library calls use addresses specific to the device and version
    ●   Making a call: load the library and invoke the make-call function

Main Idea
●   Labels are associated with interfaces
●   Process labels
    ●   Accessing a resource/interface
    ●   Parent process
●   Resource labels
    ●   Process accessing the resource
●   A monitoring component intercepts system calls
●   Evaluate against a set of policy rules
Formally
●   Process : p
●   Resource : r
●   Interface : i
●   Label (assigned to interfaces) : LS(i) = l


●   Set of labels associated with process p : LS(p)
●   Set of labels associated with resource r : LS(r)

Formally
●   Interface access
    ●   LS(p) = LS(i) ∪ LS(p)
●   Resource access
    ●   LS(p) = LS(r) ∪ LS(p)
●   Resource and process creation
    ●   LS(p_child) = LS(p_parent)
    ●   LS(r) = LS(p)

Policy Language
policy => rule*
rule => access (interface | resource) action label*
action => deny | ask


deny – Deny access
ask – Prompt user


Example :
access gsm_voice deny wifi bluetooth

Policy Language
●   Exceptions
rule => exception path action*
path => /(dirname/)* filename
action => notlabel | notinherit | notpass


notlabel – Don't label when accessing an interface
notinherit – Don't inherit when accessing a resource
notpass – Don't pass to resources and processes

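The propagation rules of slides 7 and 8 together with the policy language and exceptions of slides 9 and 10, as an added Python simulation; this is not code from the slides or from the paper's kernel implementation. It assumes that a rule fires when LS(p) contains any of the rule's labels, that exception paths are matched exactly, and that an interface's label set is just its own name; the policy text, process names and paths are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    path: str                                   # matched against exception rules
    labels: set = field(default_factory=set)    # LS(p)

@dataclass
class Resource:
    name: str
    labels: set = field(default_factory=set)    # LS(r)

def parse_policy(text):
    # Lines: 'access <target> deny|ask label*' or 'exception <path> action*'
    rules, exceptions = [], {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access":
            rules.append((tok[1], tok[2], set(tok[3:])))
        elif tok[0] == "exception":
            exceptions[tok[1]] = set(tok[2:])
    return rules, exceptions

class Monitor:
    def __init__(self, policy):
        self.rules, self.exceptions = parse_policy(policy)

    def check(self, p, target):
        # Assumption: a rule fires when LS(p) contains any of its listed labels.
        for tgt, action, labels in self.rules:
            if tgt == target and labels & p.labels:
                return action
        return "allow"

    def access_interface(self, p, iface):       # LS(i) = {iface}
        verdict = self.check(p, iface)
        if verdict == "allow" and "notlabel" not in self.exceptions.get(p.path, ()):
            p.labels |= {iface}                 # LS(p) = LS(i) ∪ LS(p)
        return verdict

    def access_resource(self, p, r):
        verdict = self.check(p, r.name)
        if verdict == "allow" and "notinherit" not in self.exceptions.get(p.path, ()):
            p.labels |= r.labels                # LS(p) = LS(r) ∪ LS(p)
        return verdict

    def create(self, p, name, path=None):
        # Process/resource creation: the new object starts with LS(p) unless notpass.
        labels = set() if "notpass" in self.exceptions.get(p.path, ()) else set(p.labels)
        return Process(name, path, labels) if path else Resource(name, labels)
```

A process that has touched the wifi interface is refused gsm_voice, and so is any child it spawns or any process that later reads a file it created; a daemon listed with notlabel (the Bluetooth headset case from the limitations slide) stays unlabeled.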
Implementation
●   Familiar Linux on HP iPAQ h5500
●   Intercepted system calls
    ●   execve
    ●   socket
    ●   open
    ●   To handle labeling and exception policies
●   Labels
    ●   Kernel process descriptor
    ●   File system file structure
Label Bit Field

(figure: label bit field layout, not recoverable as text)

Policy example :
access wireless_nonfree deny wireless_free
Evaluation
●   Buggy custom echo server on Linux
    ●   Exploit similar to the proof of concept
●   Overhead
    ●   Labeling overhead
    ●   Enforcement overhead
●   Tests
    ●   File access only
    ●   Light network usage
    ●   Heavy network usage
Evaluation

Program   execve   open   socket   Total   Overhead
grep           1     63        0     435        19%
wget           1     20        1     118        26%
ftpget         1     54       28    2220        10%
Overhead Evaluation

(figure: overhead chart, not recoverable as text)

Limitations
●   Legitimate applications that cross service
    boundaries
    ●   Example : Bluetooth headset


●   How useful is this now?

Previous Work
●   Mandatory Access Control
    ●   LOMAC - Linux
    ●   Umbrella – Signed binaries for mobile devices
●   Deeds - History-based Access Control for
    Mobile Code

Thank You

