SlideShare a Scribd company logo

Automated defense from rootkit attacks

U
UltraUploader
1 of 49
Download to read offline
1 Automated Defense from Rootkit Attacks Arati Baliga and Liviu Iftode Computer Science Department Rutgers University 110 Frelinghuysen Road, Piscataway, NJ Xiaoxin (Mike) Chen VMware Inc. 3145 Porter Drive Palo Alto, CA
2 About Us Laboratory of Distributed Computing (DISCO Lab) Headed by Prof. Liviu Iftode 10 graduate students http://discolab.rutgers.edu Projects Remote Healing Using Backdoors Remote repair/recovery of operating system and application state. Defensive Architectures Automated defense against attacks and intrusions
3 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
4 Motivation With the increasing attack trends, human response to intrusions is too slow or not possible Software and OS vulnerabilities Fast spreading worms (SQL Slammer) We need systems that can detect intrusions automatically as early as possible and recover
5 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
6 Viruses and Worms Viruses replicate by modifying a normal program/file with a copy of itself. Execution in the host program/file results in the execution of the virus Usually needs human action to execute infected progam Worms are stand-alone programs that spread through the network by exploiting vulnerabilities in services.
7 Rootkits Collection of tools used by the attacker to hold root privileges on the compromised system. Rootkit hiding mechanism: User-level rootkits Replace system binaries like ps and netstat Shared library rootkits Replace shared libraries Kernel-level rootkits Replace entries in system call table Replace entries in interrupt descriptor table Replace kernel/module text. Compromise system integrity
8 Stealth Malware Increasing number of virus/worm writers use rootkits to evade detection from anti-virus software. Stealth AOL worm In this talk, we refer to this group of malware that hide using rootkit techniques as “stealth malware”.
9 Intrusion Timeline Damage done to the system from t1-t3 needs to be discovered and undone – this takes time! Ideally intrusion should be detected at t1(Prevention) Easier for known attacks Hard for new/unknown attacks Intrusion Detection Systems Move t3 closer to t2 Recover (undo damage) Can t3 be moved between t1 and t2? Happens at time t1 Manifests at time t2 Detected at time t3 Damage done to the system
10 Intrusion Detection Systems (IDS) Detection methods Signature based detection Misuse detection Anomaly detection Detection Location Host Based IDS Network Based IDS
11 IDS Implementation Stand-alone systems: Copilot[Arbaugh et al], Backdoors[Bohra et al] Independent secure device Polling based approaches Does not consume CPU cycles Virtualized Environment [VMI, Mendel et al] Can intercept events in the virtual machine Can interpose/change virtual machine state to perform preventive/healing actions
12 Ideal IDS Properties Prevent system from being compromised Detect intrusion asap if prevention is not possible. Once intrusion is detected, recover the system to restore faith in the system. Transparently Reveal to the user the damage that has occurred. Generate an attack profile
13 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
14 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage
15 Protected Zones Fig. 1. Figure shows the protected parts of the memory and filesystem that are shaded in pink. This represents the core of the system, which is always protected. The unshaded portions consist of all other files and running programs, which can be compromised at any time.
16 Protected Zones (cont’d) Core System Files Normally do not change during the lifetime of the system Examples: ps, ls, netstat, etc. Service Files Can be added by administrator depending on which service needs to be protected. Example: apache binary
17 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage
18 Track Dependencies Infer dependencies Dependencies between files and processes. Parent-child relationships between processes. Store dependencies Create a tree of dependencies (Dependency tree) Dependency tree is stored in a database. Dependency tree size has to be small enough to provide fast undo.
19 Infer Dependencies Get system call data (number, arguments) Page directory base identifies process uniquely cr3 register on the x86 platform File identified by full pathname
20 Infer Dependencies (cont’d) On fork Child has same <esp,eip> but different cr3 When processes executed from the same program, fork at a given point, all children have same <esp,eip> Ambiguities are resolved using physical page number of stack page Relies on Linux fork copy-on-write semantics Apply dependency rules
21 Dependency Tree P3 P2 P1 P4 F1 c P1 creates P2 P2 exits P2 P1 creates P3 P1 creates P4 P3 creates F1 P4 creates F2F2 c F1 is deleted P4 exits P1 exits
22 Dependency Storage Size of the dependency tree created is proportional to the number of new files and processes created on the file system. Storage requirements are modest Dependency rules prune entries that are no longer required The dependency tree lives until system is rebooted
23 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage Identify and kill malicious processes using the dependency tree Files not deleted
24 Containment Steps Assumes a process resident set that always exists in the system. Refer to dependency tree and locate malicious subtree Kill all possible malicious processes Prevents ill-effects Installation/Existence of backdoors. Keyloggers
25 Containment Algorithm P3 P1 P4 F1 c P2 F2 c P0 P0 in the resident set Malicious subtree Malicious write
26 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
27 Paladin Prototype
28 System Calls mmap, sockets, named pipes will be added later
29 Implementation Details Guest OS must be non-pageable Paladin driver Has knowledge of Guest OS kernel Performs symbol lookup of kernel text and jump tables Also responsible for carrying out undo actions
30 Performance Evaluation 56 mins and 7 secs 8 mins 30 secs System calls (slow path) With Paladin 31 mins and 54 secs53 mins and 3 secsCompile Kernel 3 mins and 46 secs7 mins and 29 secsKernel Copy Optimized VMM (Fast path syscalls) System calls (slow path) Without Paladin • VMware workstation software • Database: MySQL • Guest OS and Host OS: Linux 2.4 kernel.
31 System Calls Tracked Total system calls v/s system calls processed by Paladin Performance of individual system calls
32 Test Cases User level rootkit Ambient Rootkit (ARK) Kernel level rootkit SuckIt Linux Worm Lion
33 User-Level Rootkit: Ambient (ARK) The security framework prevents corruption of all the system tools Point of detection /bin/login
34 Kernel-Level Rootkit: SuckIt Modifies instructions in sys_call to redirect to it’s own system call table. Does not touch original system call table Works even when kernel module support is disabled Provides covert backdoor that is activated on receiving a special packet. The security framework prevents corruption of kernel text and installation of the backdoor.
35 Worm: Lion /bin/ps c Detection point /bin/mv c
36 Limitations Current implementation does not prevent Corruption of resident processes Overwriting disk blocks. Rootkit attacks that corrupt data without changing any kernel code or tables are not detected Ex: FU rootkit (Next generation rootkits ?)
37 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
38 Work in Progress: Fingerprinting Early attack identification through fingerprint matching Find them before they hide Automated identification of attacker’s files
39 Fingerprinting Steps Dynamic cloning Spawn a clone upon attack detection Sandboxing Reconfigure network properties Fine-grained monitoring Watch the processes in the malicious subtree Finer control possible.
40 Example: ARK Fingerprint Files created /dev/capi20.20 /sbin/syslogd /usr/lib/.ark? /bin/login /usr/sbin/sshd /bin/ls /usr/bin/du /bin/ps /usr/bin/pstree /usr/bin/killall /usr/bin/top /bin/netstat /var/run/syslogd.pid /var/spool/clientmqueue/dfj99KxukX001449 /var/spool/clientmqueue/tfj99KxukX001449 /var/spool/clientmqueue/dfj99L0HiX001457 /var/spool/clientmqueue/tfj99L0HiX001457 /var/spool/clientmqueue/dfj99L0cv1001466 /var/spool/clientmqueue/tfj99L0cv1001466 /var/spool/clientmqueue/dfj99L0w2M001475 /var/spool/clientmqueue/tfj99L0w2M001475 Processes: /tmp/ark1.01/ark /bin/rm /sbin/syslogd /bin/cp /usr/sbin/sshd /bin/chmod /bin/cat /bin/hostname /sbin/ifconfig /bin/grep /bin/awk /bin/sed /sbin/modprobe /usr/lib/sendmail /usr/lib/libhesiod.so.0
41 Future Work Intrusion detection through system call anomalies Generate behavioural profiles using statistical/learning techniques Intrusion detection through network packet monitoring Collaborative detection across VMs Sharing attack fingerprints Cross node detection
42 Outline Motivation Background Our Approach Prototype Future Work Related Work Conclusion
43 Related Work Model for Intrusion Detection VMI Automated Detection Copilot, Strider Ghostbuster, Tripwire Automated Post-Intrusion Analysis and Repair Repairable File Service Backtracker Automated Online Defense Introvert, Vigilante
44 Model for Intrusion Detection VMI Virtual Machine based Introspection (VMI) for Intrusion Detection [NDSS ‘03]
45 Detection Tools available for rootkit detection Kstat, Chkrootkit, St. Michael, Samhain, F-Secure BlackLight, RootkitRevealer, Tripwire, AIDE Copilot Automated detection from an independent PCI device [Security ‘03] Strider Ghostbuster A cross-view diff-based approach. [DSN ‘05]
46 Post-Intrusion Analysis and Repair Aid to the administrator Fix the filesystem and keep good changes Find how the intrusion happened RFS, Taser Design, Implementation and Evaluation of Repairable File Service [DSN ‘03] The Taser Intrusion Recovery System [SOSP ‘05] BackTracker Backtracking Intrusions [SOSP ‘03]
47 Online Defense Provides online defense against intrusions Introvert Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates [SOSP ‘05] Vigilante Vigilante: End-to End Containment of Internet Worms [SOSP ’05]
48 Conclusion The steadily increasing rate of attacks and intrusions requires a robust automated solution We have designed an approach that protects the system from rootkit attacks and contains the effects of stealth malware that use rootkits to hide. We developed a prototype that demonstarted our approach that could sucessfully counter a user-level rootkit, a kernel-level rootkit and a worm that used rootkit techniques to hide
49 Thank You ! http://discolab.rutgers.edu This work is supported by NSF CCR #0133366

Recommended

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 

Recommended

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Lecture 3
Lecture 3Lecture 3
Lecture 3Education
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & MeltdownMurray Security Services
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Ch11
Ch11Ch11
Ch11Raja Waseem Akhtar
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005seguridadutpl
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Ch19
Ch19Ch19
Ch19saurabhmittal79
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61 Google
 

More Related Content

What's hot

Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005seguridadutpl
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 

What's hot (20)

I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
 
Lecture 3
Lecture 3Lecture 3
Lecture 3
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensics
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploit
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Ch11
Ch11Ch11
Ch11
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005Honeypotdeploy Ieee2005
Honeypotdeploy Ieee2005
 
Dll injection
Dll injectionDll injection
Dll injection
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Ch19
Ch19Ch19
Ch19
 

Similar to Automated defense from rootkit attacks

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61 Google
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMfaraz hussain
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
Cisco Security Agent - Theory, Practice, and Policy
Cisco Security Agent - Theory, Practice, and PolicyCisco Security Agent - Theory, Practice, and Policy
Cisco Security Agent - Theory, Practice, and PolicyMike Pruett
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethicsArgie242424
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervChapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervEstelaJeffery653
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric VanderburgEthical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric VanderburgEric Vanderburg
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 

Similar to Automated defense from rootkit attacks (20)

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEM
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
Cisco Security Agent - Theory, Practice, and Policy
Cisco Security Agent - Theory, Practice, and PolicyCisco Security Agent - Theory, Practice, and Policy
Cisco Security Agent - Theory, Practice, and Policy
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethics
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 
UNIT-4.docx
UNIT-4.docxUNIT-4.docx
UNIT-4.docx
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervChapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric VanderburgEthical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hackingUltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manualUltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manualeUltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoriaUltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applicationsUltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worriesUltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyUltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesUltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer virusesUltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virologyUltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksUltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 intro
01 intro01 intro
01 intro
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 

Automated defense from rootkit attacks

  • 1. 1 Automated Defense from Rootkit Attacks Arati Baliga and Liviu Iftode Computer Science Department Rutgers University 110 Frelinghuysen Road, Piscataway, NJ Xiaoxin (Mike) Chen VMware Inc. 3145 Porter Drive Palo Alto, CA
  • 2. 2 About Us Laboratory of Distributed Computing (DISCO Lab) Headed by Prof. Liviu Iftode 10 graduate students http://discolab.rutgers.edu Projects Remote Healing Using Backdoors Remote repair/recovery of operating system and application state. Defensive Architectures Automated defense against attacks and intrusions
  • 3. 3 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
  • 4. 4 Motivation With the increasing attack trends, human response to intrusions is too slow or not possible Software and OS vulnerabilities Fast spreading worms (SQL Slammer) We need systems that can detect intrusions automatically as early as possible and recover
  • 5. 5 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
  • 6. 6 Viruses and Worms Viruses replicate by modifying a normal program/file with a copy of itself. Execution in the host program/file results in the execution of the virus Usually needs human action to execute infected progam Worms are stand-alone programs that spread through the network by exploiting vulnerabilities in services.
  • 7. 7 Rootkits Collection of tools used by the attacker to hold root privileges on the compromised system. Rootkit hiding mechanism: User-level rootkits Replace system binaries like ps and netstat Shared library rootkits Replace shared libraries Kernel-level rootkits Replace entries in system call table Replace entries in interrupt descriptor table Replace kernel/module text. Compromise system integrity
  • 8. 8 Stealth Malware Increasing number of virus/worm writers use rootkits to evade detection from anti-virus software. Stealth AOL worm In this talk, we refer to this group of malware that hide using rootkit techniques as “stealth malware”.
  • 9. 9 Intrusion Timeline Damage done to the system from t1-t3 needs to be discovered and undone – this takes time! Ideally intrusion should be detected at t1(Prevention) Easier for known attacks Hard for new/unknown attacks Intrusion Detection Systems Move t3 closer to t2 Recover (undo damage) Can t3 be moved between t1 and t2? Happens at time t1 Manifests at time t2 Detected at time t3 Damage done to the system
  • 10. 10 Intrusion Detection Systems (IDS) Detection methods Signature based detection Misuse detection Anomaly detection Detection Location Host Based IDS Network Based IDS
  • 11. 11 IDS Implementation Stand-alone systems: Copilot[Arbaugh et al], Backdoors[Bohra et al] Independent secure device Polling based approaches Does not consume CPU cycles Virtualized Environment [VMI, Mendel et al] Can intercept events in the virtual machine Can interpose/change virtual machine state to perform preventive/healing actions
  • 12. 12 Ideal IDS Properties Prevent system from being compromised Detect intrusion asap if prevention is not possible. Once intrusion is detected, recover the system to restore faith in the system. Transparently Reveal to the user the damage that has occurred. Generate an attack profile
  • 13. 13 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
  • 14. 14 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage
  • 15. 15 Protected Zones Fig. 1. Figure shows the protected parts of the memory and filesystem that are shaded in pink. This represents the core of the system, which is always protected. The unshaded portions consist of all other files and running programs, which can be compromised at any time.
  • 16. 16 Protected Zones (cont’d) Core System Files Normally do not change during the lifetime of the system Examples: ps, ls, netstat, etc. Service Files Can be added by administrator depending on which service needs to be protected. Example: apache binary
  • 17. 17 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage
  • 18. 18 Track Dependencies Infer dependencies Dependencies between files and processes. Parent-child relationships between processes. Store dependencies Create a tree of dependencies (Dependency tree) Dependency tree is stored in a database. Dependency tree size has to be small enough to provide fast undo.
  • 19. 19 Infer Dependencies Get system call data (number, arguments) Page directory base identifies process uniquely cr3 register on the x86 platform File identified by full pathname
  • 20. 20 Infer Dependencies (cont’d) On fork Child has same <esp,eip> but different cr3 When processes executed from the same program, fork at a given point, all children have same <esp,eip> Ambiguities are resolved using physical page number of stack page Relies on Linux fork copy-on-write semantics Apply dependency rules
  • 21. 21 Dependency Tree P3 P2 P1 P4 F1 c P1 creates P2 P2 exits P2 P1 creates P3 P1 creates P4 P3 creates F1 P4 creates F2F2 c F1 is deleted P4 exits P1 exits
  • 22. 22 Dependency Storage Size of the dependency tree created is proportional to the number of new files and processes created on the file system. Storage requirements are modest Dependency rules prune entries that are no longer required The dependency tree lives until system is rebooted
  • 23. 23 Our Approach Detect malicious process when it performs illegal access to protected zones. Track dependencies between files and processes to undo damage automatically Undo damage Identify and kill malicious processes using the dependency tree Files not deleted
  • 24. 24 Containment Steps Assumes a process resident set that always exists in the system. Refer to dependency tree and locate malicious subtree Kill all possible malicious processes Prevents ill-effects Installation/Existence of backdoors. Keyloggers
  • 25. 25 Containment Algorithm P3 P1 P4 F1 c P2 F2 c P0 P0 in the resident set Malicious subtree Malicious write
  • 26. 26 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
  • 28. 28 System Calls mmap, sockets, named pipes will be added later
  • 29. 29 Implementation Details Guest OS must be non-pageable Paladin driver Has knowledge of Guest OS kernel Performs symbol lookup of kernel text and jump tables Also responsible for carrying out undo actions
  • 30. 30 Performance Evaluation 56 mins and 7 secs 8 mins 30 secs System calls (slow path) With Paladin 31 mins and 54 secs53 mins and 3 secsCompile Kernel 3 mins and 46 secs7 mins and 29 secsKernel Copy Optimized VMM (Fast path syscalls) System calls (slow path) Without Paladin • VMware workstation software • Database: MySQL • Guest OS and Host OS: Linux 2.4 kernel.
  • 31. 31 System Calls Tracked Total system calls v/s system calls processed by Paladin Performance of individual system calls
  • 32. 32 Test Cases User level rootkit Ambient Rootkit (ARK) Kernel level rootkit SuckIt Linux Worm Lion
  • 33. 33 User-Level Rootkit: Ambient (ARK) The security framework prevents corruption of all the system tools Point of detection /bin/login
  • 34. 34 Kernel-Level Rootkit: SuckIt Modifies instructions in sys_call to redirect to it’s own system call table. Does not touch original system call table Works even when kernel module support is disabled Provides covert backdoor that is activated on receiving a special packet. The security framework prevents corruption of kernel text and installation of the backdoor.
  • 36. 36 Limitations Current implementation does not prevent Corruption of resident processes Overwriting disk blocks. Rootkit attacks that corrupt data without changing any kernel code or tables are not detected Ex: FU rootkit (Next generation rootkits ?)
  • 37. 37 Outline Motivation Background Our Approach Prototype Work in Progress Future Work Related Work Conclusion
  • 38. 38 Work in Progress: Fingerprinting Early attack identification through fingerprint matching Find them before they hide Automated identification of attacker’s files
  • 39. 39 Fingerprinting Steps Dynamic cloning Spawn a clone upon attack detection Sandboxing Reconfigure network properties Fine-grained monitoring Watch the processes in the malicious subtree Finer control possible.
  • 40. 40 Example: ARK Fingerprint Files created /dev/capi20.20 /sbin/syslogd /usr/lib/.ark? /bin/login /usr/sbin/sshd /bin/ls /usr/bin/du /bin/ps /usr/bin/pstree /usr/bin/killall /usr/bin/top /bin/netstat /var/run/syslogd.pid /var/spool/clientmqueue/dfj99KxukX001449 /var/spool/clientmqueue/tfj99KxukX001449 /var/spool/clientmqueue/dfj99L0HiX001457 /var/spool/clientmqueue/tfj99L0HiX001457 /var/spool/clientmqueue/dfj99L0cv1001466 /var/spool/clientmqueue/tfj99L0cv1001466 /var/spool/clientmqueue/dfj99L0w2M001475 /var/spool/clientmqueue/tfj99L0w2M001475 Processes: /tmp/ark1.01/ark /bin/rm /sbin/syslogd /bin/cp /usr/sbin/sshd /bin/chmod /bin/cat /bin/hostname /sbin/ifconfig /bin/grep /bin/awk /bin/sed /sbin/modprobe /usr/lib/sendmail /usr/lib/libhesiod.so.0
  • 41. 41 Future Work Intrusion detection through system call anomalies Generate behavioural profiles using statistical/learning techniques Intrusion detection through network packet monitoring Collaborative detection across VMs Sharing attack fingerprints Cross node detection
  • 43. 43 Related Work Model for Intrusion Detection VMI Automated Detection Copilot, Strider Ghostbuster, Tripwire Automated Post-Intrusion Analysis and Repair Repairable File Service Backtracker Automated Online Defense Introvert, Vigilante
  • 44. 44 Model for Intrusion Detection VMI Virtual Machine based Introspection (VMI) for Intrusion Detection [NDSS ‘03]
  • 45. 45 Detection Tools available for rootkit detection Kstat, Chkrootkit, St. Michael, Samhain, F-Secure BlackLight, RootkitRevealer, Tripwire, AIDE Copilot Automated detection from an independent PCI device [Security ‘03] Strider Ghostbuster A cross-view diff-based approach. [DSN ‘05]
  • 46. 46 Post-Intrusion Analysis and Repair Aid to the administrator Fix the filesystem and keep good changes Find how the intrusion happened RFS, Taser Design, Implementation and Evaluation of Repairable File Service [DSN ‘03] The Taser Intrusion Recovery System [SOSP ‘05] BackTracker Backtracking Intrusions [SOSP ‘03]
  • 47. 47 Online Defense Provides online defense against intrusions Introvert Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates [SOSP ‘05] Vigilante Vigilante: End-to End Containment of Internet Worms [SOSP ’05]
  • 48. 48 Conclusion The steadily increasing rate of attacks and intrusions requires a robust automated solution We have designed an approach that protects the system from rootkit attacks and contains the effects of stealth malware that use rootkits to hide. We developed a prototype that demonstarted our approach that could sucessfully counter a user-level rootkit, a kernel-level rootkit and a worm that used rootkit techniques to hide
  • 49. 49 Thank You ! http://discolab.rutgers.edu This work is supported by NSF CCR #0133366