A rapid filtering rule management plane implementation using distributed in-memory caching system
With the wide spread of SDN and NFV in progress, network virtualization would benefit from a unified rule management base. However, there are some challenging concerning scalability and diversity in handling filtering rules. In this paper we propose a rapid filtering rule management plane implementation using in-memory data store. We leverage in-memory caching system for achieving functionality, flexibility and scalability for managing virtual networking environment. In experiment, we have prototyped a lightweight management plane for IP filtering. It is shown that proposed method can achieve reasonable utilization in filtering IP packets.
Technical Report, vol. 114, no. 471, ISEC2014-97, pp. 139-147, 2015 March.
A rapid filtering rule management plane implementation using distributed in-memory caching system
With the wide spread of SDN and NFV in progress, network virtualization would benefit from a unified rule management base. However, there are some challenging concerning scalability and diversity in handling filtering rules. In this paper we propose a rapid filtering rule management plane implementation using in-memory data store. We leverage in-memory caching system for achieving functionality, flexibility and scalability for managing virtual networking environment. In experiment, we have prototyped a lightweight management plane for IP filtering. It is shown that proposed method can achieve reasonable utilization in filtering IP packets.
Technical Report, vol. 114, no. 471, ISEC2014-97, pp. 139-147, 2015 March.
The document summarizes various techniques for automated software testing using fuzzing, including coverage-based fuzzing (AFL), directed greybox fuzzing (AflGO), and neural network-based approaches (FuzzGuard). It discusses how genetic algorithms and simulated annealing are used in AFL and AflGO respectively to guide test case mutation towards new code areas. It also provides examples of vulnerabilities found using these fuzzing tools.
「C言語のポインタ(型の変数)は、可変長配列を扱うために使う」という点に絞って、50分間程度の解説をしています。
最終的に下記の12行のプログラムを47分間使って解説します。
(7行目、11行目の”<”は除いています)
1: int size = N;
2: int x[size];
3: int *p;
4:
5: p = x;
6:
7: for ( int = 0; i size; i++)
8: p[i] = i;
9:
10: int y = 0
11: for ( int i = 0; i size; i++)
12: y = y + p[i];
https://www.youtube.com/watch?v=KLFlk1dohKQ&t=1496s
1. The model is a polynomial regression model that fits a polynomial function to the training data.
2. The loss function used is the sum of squares of the differences between the predicted and actual target values.
3. The optimizer used is GradientDescentOptimizer which minimizes the loss function to fit the model parameters.
3. 研究の背景
[1]仮想マシンモニタ(VMM)の普及とセキュリティへの適用
IDSやTPMの運用をVMM固有にする必要がある。メリットがある。
Terra: A Virtual Machine-Based Platform for Trusted Computing
sHype: Building a MAC-based Security Architecture for the Xen
Opensource Hypervisor
[2]仮想マシンモニタ特有の攻撃と防御
Xebek: Towards invisible honeypot monitoring tool
Subvirt: Virtual machine based rootkit 1
Blue pill: Virtual machine based rootkit 2
本論文では、VMMベースのフォレンジクスとハニーポットシステム構築
のためのカーネルモジュールの実装を行った。
4. IDS on Virtual Machine Monitor
• Isolation : Application and kernel of hosted OS
cannot be modified by any modules of hosted
OS or another hosted OS(VM). Nothing on VMM
can be changed by VM.
• Inspection : The VMM has access to all the state
of VM.
• Interposition : VMM has to be interpose on VM’s
operations (trap fault, etc). Almost every action
can be hooked and modified by VMM. VMM
based IPS can leverage this functionality.
7. Five Virtualization technologies
and features of VMM (virtual machine monitor)
main technology consolidation isolation flexibility
Physical Partition firmware 1 5 1
Logical Partition partition monitor 2 4 2
Virtual Machine virtual machine monitor 3 3 3
Virtual OS Host OS 4 2 4
Hosting Resource monitor 5 1 5
Consolidation : how many applications or operating systems could be run.
(or low overhead for virtualization layer).
Isolation : how robust each virtualized systems are. (or high overhead for virtualization
Layer).
There’s tradeoff between consolidation and isolation. In physical partition,
consolidation is high while we cannot prevent performance decrease as more systems
are run on it. In hosting technique, some crashes or infection influence more than other
virtualization techniques.
VMM XEN is trying to solve these trade-offs by backend-frontend device driver design
and para-virtualization.
In detail: see XEN virtual machine monitor
http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
12. 割り込みハンドラ(trap-xen.c)の修正に
よるオーバーランの検出と防止
[1]Inserting INT 0x03 using inline assembler
__asm(“int $0x03”)
[2]modifying exception hander
static void __kprobes do_trap(int trapnr,
int signr, char *str, int vm86,
struct pt_regs * regs,
long error_code,
siginfo_t *info)
[3]save and check instructional pointer
(return address)
return_address=pt_regs->eip.
-- do some procedure --
current_address=pr_regs->eip.
etc..
13. LIDS(Linux Instrusion Detection System)の
修正によるillegal file accessの検出と防止
[1]Inserting event channel (send) into source code of LIDS.
Ids_lsm.c
static int
lids_inode_permission(struct inode *inode, int mask,
struct nameidata *nd)
Case LIDS_READONLY
evtchn_send(evtchn port);
etc …
[2] On the side of domain 0, backend driver
(interrupt handler) is registered to dyn-irq handler.
#cat /proc/interrupts
261: Dynamic-irq timer1
262: Dynamic-irq xenbus
263: Dynamic-irq console
264: Dynamic-irq blkif-backend
265: Dynamic-irq blkif-backend
266: Dynamic-irq vif6.0
267: Dynamic-irq for_lids_handler
14. XM domain management toolを
用いたスナップショットと防御
xm domain U control command is
available on domain 0.
[1]xm shutdown / destroy domain_U
-- shutdown user domain
[2]xm pause domain_U
-- freeze user domain
[3]xm save domain_U
-- save memory and disk image
[4]xm restore domain_U
-- restrore domain image
In proposed system, [1] and [4] is
executed for snapshot and nullification
18. 物理メモリレイアウトと
頻出文字列
name
Frequency
grep time
kernel 4699
driver 4937
module 3476
usr 1651
xen 7544
adore 1780
XEN3にLKM-rootkit adoreをインストール
した直後のメモリスナップショットから、頻出
文字列を抽出した。
カーネルイメージはメモリに常駐するため、
kernel, driver, moduleなどは頻出する。
また、xen やadoreなどの文字列も多く
発見された。
19. 実験内容と結果
the number of string found
47618
strings
grep hits (1-64) with strings found
51908
blocks
grep hits (65-128) with strings
found
36691
blocks
the number of blocks with "adore"
found
27 blocks
grep time (1-64) 22.198s
grep time (65-128) 23.433s
grep time with grep -C N adore (1-
64)
20.681s
grep time with grep -C N adore
(65-128)
20.229s
評価実験では、128MBのメモリ
イメージを、1MBごとに分割
5文字のASCII文字列を抽出
抽出された(見つかった)文字列の
数は、47618
この文字列を元に、GREPをかけた
所、51908/36691のブロックが
ヒットする。
このうち、ADOREが入ったブロック
の数は、27ブロック
全発見ブロックの中から、システム
コールの変更やモジュールの
インストールのキーワード
(filldir, insmod)が
含まれるものを検出することができる。