
Glavlit: Preventing Exfiltration at Wire Speed

Nabil Schear†*, Carmelo Kintana†, Qing Zhang†, Amin Vahdat†

†Department of Computer Science and Engineering, University of California at San Diego

*Los Alamos National Laboratory

Hotnets V - Irvine, CA - November 30, 2006


Information Leaks and Exfiltration

Exfiltration – a type of information leak; malicious theft of valuable information

Leaks affect customer confidence, regulatory compliance, profits, etc…

Leaks are inevitable: targeted attacks, insiders, accidents, etc…

Goal: Minimize leaks NO MATTER how or why they happen.


How Does Data Get Out?

[Diagram: a protected network (user workstations, email server, Web servers) separated from the external network by a boundary. A file leaves accidentally by email: the user didn't know the file was sensitive, or made an honest mistake.]


What about Malicious Exfiltration?

[Diagram: the same protected network and boundary. An attacker, malware, or insider uses an existing Web server to move a file out.]


More Malicious Leaks

[Diagram: the same network. The attacker uses a hidden channel in the protocol (HTTP) to encode sensitive data (File2) inside otherwise legitimate HTTP traffic carrying an allowed file.]


Previous Solutions: Policy

[Diagram: a private stand-alone LAN isolated from the external network; policy governs what crosses the boundary.]

- Expensive
- Granularity too coarse
- Hard to use
- Difficult to enforce


Previous Solutions: Packet Filter (Firewall), Passive Monitoring, Analysis / Audit

[Diagram: a firewall at the network boundary, with passive monitoring and analysis/audit alongside it.]

- Can't actively stop leaks in progress
- High speed limits analysis complexity
- Works on packets not files


Previous Solutions: Proxies

[Diagram: proxies at the network boundary in front of the Web servers and the email server.]

- High overhead
- Difficult and complicated to configure


Our Solution: Glavlit

[Diagram: a Guard sits on the network boundary in front of the Web servers; a Warden inside the protected network vets files before release. Decouple vetting from verification.]

Guard:
- Transparent
- High speed
- Actively stop leaks

Warden:
- Arbitrary and powerful analysis
- Off critical network path


Our Solution: Glavlit

Mitigate covert channels in the application layer protocol

[Diagram: the Guard on the boundary inspects the HTTP responses that would carry File2 out.]

- Prevents a subset of covert channels
- Limits bandwidth of others


What is Glavlit?

Prevent unauthorized release from HTTP servers while allowing authorized data to pass unhindered

- Enforces complex exit policy
- Operates at granularity of whole files
- Covers wide range of threats
- Does not depend on host security: only trust the Warden and Guard

Key Contributions:

1) Ensure that only authorized objects cross the network boundary in payload

2) Mitigate a class of covert channels in application layer protocols


Glavlit is NOT…

- Just a firewall
- For outgoing HTTP browser requests
- Designed to prevent leaks from covert channels below layer 7
- Capable of stopping ALL potential covert channels (in general this is intractable)


Two Complementary Techniques for Mitigating Leaks

1) Content Control
- Hash network content against known list of good releasable data

2) HTTP Protocol Channel Mitigation
- Restrict HTTP RFC and parse protocol for syntactic correctness
- Check field values for semantic validity
- Enforce ordering and normalize timing


Vetting at the Warden

Vetting – authoritative review to decide if an object (a file) is ok to release; arbitrarily complex and time-consuming

Warden performs arbitrary vetting process

[Diagram: a Content Provider submits a File to the Warden; once vetting is complete, the approved File is known to the Guard.]


Vetting at the Warden

[Diagram: Content Provider, Warden, and Guard; the Warden sends Signatures for the vetted File to the Guard.]

Generates signatures:
- Split the file into 1KB chunks
- Calculate secure hash of each chunk
- Collect file metadata

Share table of signatures for vetted objects with Guard


Verification at the Guard

Verification - Ensure object crossing network boundary is pre-vetted

1) Locate object within network stream
2) Lookup object in signature table based upon hash of first 256 bytes of the file
3) Verify file content
- Hash and check each chunk
- Packets can egress as soon as all their chunks are verified
- Can actively stop invalid data by dropping packets and injecting TCP RESET packets
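The Warden's signature generation from the previous slide and the Guard's three-step verification above, as an added Python example that is not Glavlit's own code: SHA-256 as the "secure hash", the in-memory table layout, and the assumption that vetted files are at least 256 bytes long are mine.

```python
import hashlib

CHUNK, PREFIX = 1024, 256   # 1KB chunks (slide 15); lookup key = hash of first 256 bytes (slide 16)

def sha(b: bytes) -> bytes: return hashlib.sha256(b).digest()   # SHA-256 is my choice

def warden_signature(data: bytes) -> dict:
    """Warden side: metadata plus one hash per chunk for a vetted file."""
    return {"length": len(data),
            "chunks": [sha(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]}

def warden_table(files) -> dict:
    """Signature table the Warden shares with the Guard (files assumed >= 256 bytes)."""
    return {sha(f[:PREFIX]): warden_signature(f) for f in files}

class GuardVerifier:
    """Guard side: verifies one object as its bytes arrive in order."""
    def __init__(self, table: dict):
        self.table, self.sig, self.buf, self.done = table, None, b"", 0
    def feed(self, data: bytes) -> str:
        """PENDING = hold packets, COMPLETE = object verified, RESET = drop and inject TCP RESET."""
        self.buf += data
        if self.sig is None:                       # step 2: look the object up by its prefix hash
            if len(self.buf) < PREFIX:
                return "PENDING"
            self.sig = self.table.get(sha(self.buf[:PREFIX]))
            if self.sig is None:
                return "RESET"                     # nothing with this prefix was ever vetted
        while True:                                # step 3: hash and check each chunk
            remaining = self.sig["length"] - self.done * CHUNK
            if remaining <= 0:
                return "COMPLETE"                  # trailing bytes would belong to the next object
            need = min(CHUNK, remaining)
            if len(self.buf) < need:
                return "PENDING"                   # hold until the whole chunk has arrived
            chunk, self.buf = self.buf[:need], self.buf[need:]
            if sha(chunk) != self.sig["chunks"][self.done]:
                return "RESET"                     # content differs from the vetted copy
            self.done += 1                         # chunk verified: its packets may egress

def verify_stream(table: dict, pieces) -> str:
    """Feed payload pieces in order and report the Guard's final decision."""
    guard, status = GuardVerifier(table), "PENDING"
    for piece in pieces:
        status = guard.feed(piece)
        if status != "PENDING":
            break
    return status

# Constructed sample objects (not from the paper) and the table the Warden would share.
VETTED = [bytes(range(256)) * 10 + b"public report", b"press release " * 100]
TABLE = warden_table(VETTED)
```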


Need an In-order TCP Stream

How to verify data in lost, retransmitted, or out of order packets?

Keep a sliding window of packet content and cache for old packets

[Diagram: a Packet Header Queue of TCP/IP headers alongside a buffer divided into Packet Cache, Pending Data, and Unused Buffer Space; verified packets are sent on.]
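An added example (my code, not the Guard's) of the sliding window this slide describes: bytes reach the verifier only in sequence order, out-of-order segments wait as pending data, and a bounded cache of released bytes lets a retransmission be compared with what already passed. Treating a retransmission whose bytes differ from the cached copy as a violation, and assuming pending segments do not overlap, are my simplifications.

```python
class InOrderStream:
    """Sliding-window reassembler in front of the verifier: releases payload strictly in
    sequence order, holds out-of-order segments, and caches released bytes so that a
    retransmission can be compared with what already passed. Pending segments are
    assumed not to overlap one another (simplification)."""
    def __init__(self, isn: int, cache_limit: int = 4096):
        self.next_seq = isn          # sequence number the verifier expects next
        self.pending = {}            # seq -> payload waiting for the gap in front of it
        self.cache = b""             # tail of already-released bytes (the "packet cache")
        self.cache_base = isn        # sequence number of cache[0]
        self.cache_limit = cache_limit

    def _remember(self, data: bytes):
        self.cache += data
        if len(self.cache) > self.cache_limit:   # slide the window forward
            drop = len(self.cache) - self.cache_limit
            self.cache, self.cache_base = self.cache[drop:], self.cache_base + drop

    def segment(self, seq: int, payload: bytes):
        """Returns (action, data): 'deliver' with the bytes now in order, 'hold' while a gap
        remains, 'retransmit' for old bytes equal to the cache, 'mismatch' for old bytes that
        differ from what was released, 'expired' if the cache no longer covers them."""
        if seq < self.next_seq:                   # some or all bytes were already released
            old = payload[:self.next_seq - seq]
            off = seq - self.cache_base
            if off < 0:
                return "expired", b""
            if self.cache[off:off + len(old)] != old:
                return "mismatch", b""            # retransmission disagrees with verified data
            if len(old) == len(payload):
                return "retransmit", b""
            seq, payload = self.next_seq, payload[len(old):]
        if seq > self.next_seq:                   # gap: keep it as pending data until filled
            self.pending[seq] = payload
            return "hold", b""
        out, self.next_seq = payload, seq + len(payload)
        while self.next_seq in self.pending:      # drain segments that are now contiguous
            nxt = self.pending.pop(self.next_seq)
            out, self.next_seq = out + nxt, self.next_seq + len(nxt)
        self._remember(out)
        return "deliver", out
```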


Protocol Channels

Protocol Channel: unauthorized communication channel present in an L7 protocol or its operation

Channel Carrier: cover data holding the channel

Types of carriers in protocol channels: Structured, Unstructured


Structured Protocol Channels

Attackers can encode data in structured protocol fields in an HTTP response

Key Insight: most fields are verifiable

Example response shown on the slide:

HTTP/1.1 200 OK
Date: Thu, 23 Nov 2006 03:45:23 GMT
Server: Apache
Last-Modified: Fri, 10 Mar 2006 05:56:06 GMT
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: text/html; charset=UTF-8

[The slide highlights two modifications an attacker could make: an extra header "Credit-Card-Num: 1234-5678-9012-3456", and "Content-Length: 255" changed to 254.]


Verifying Structured Data

Does it look right? (Syntactic)
- Check syntax against restricted RFC specification
- Pre-specified headers and order

Does it make sense? (Semantic)
- Check against corresponding request
- Restrict server responses to aid verification
- Check metadata against Warden Info: Content-Length, Last-Modified, etc…
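An added example, not Glavlit's parser, of the syntactic and semantic checks listed above applied to the response head from the Structured Protocol Channels slide; the restricted header profile, the Warden metadata record, and the request path are constructed.

```python
import re

# Constructed restricted profile modelled on the deck's example response: a vetted static
# object must be served with exactly these headers, in this order, each matching a tight pattern.
HTTP_DATE = r"^[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$"
PROFILE = [("Date", HTTP_DATE), ("Server", r"^Apache$"), ("Last-Modified", HTTP_DATE),
           ("Accept-Ranges", r"^bytes$"), ("Content-Length", r"^\d{1,10}$"), ("Connection", r"^close$"),
           ("Content-Type", r"^[a-z]+/[a-z0-9.+-]+(; charset=UTF-8)?$")]
PATTERNS = dict(PROFILE)
STATUS_LINE = re.compile(r"^HTTP/1\.1 200 OK$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ([\x20-\x7e]*)$")   # printable ASCII only

def verify_response(head: str, request: dict, warden: dict) -> list:
    """Violations for one response head (status line + headers); empty means the headers may
    egress. `warden` maps request paths to the metadata the Warden recorded when vetting."""
    problems, headers = [], []
    lines = head.rstrip("\r\n").split("\r\n")
    if not STATUS_LINE.match(lines[0]):
        return ["status line outside restricted profile: %r" % lines[0]]
    for line in lines[1:]:                             # syntactic: every header line must parse
        m = HEADER_LINE.match(line)
        if m is None:
            problems.append("malformed header line: %r" % line)
        else:
            headers.append(m.groups())
    names = [name for name, _ in headers]
    if names != [name for name, _ in PROFILE]:         # pre-specified header set and order
        problems.append("header set/order differs from profile: %s" % names)
    for name, value in headers:                        # each value must fit its pattern
        if name in PATTERNS and not re.match(PATTERNS[name], value):
            problems.append("bad value for %s: %r" % (name, value))
    meta = warden.get(request.get("path"))             # semantic: correlate with the request
    if meta is None:
        problems.append("200 OK for a path with no vetted object: %r" % request.get("path"))
    else:
        got = dict(headers)
        for field, key in (("Content-Length", "length"), ("Last-Modified", "last_modified"),
                           ("Content-Type", "content_type")):
            if got.get(field) != str(meta[key]):       # header must match what the Warden vetted
                problems.append("%s %r differs from Warden metadata %r" % (field, got.get(field), meta[key]))
    return problems

# Constructed inputs: the response head shown on the slide and Warden metadata for that object.
GOOD_HEAD = ("HTTP/1.1 200 OK\r\nDate: Thu, 23 Nov 2006 03:45:23 GMT\r\nServer: Apache\r\n"
             "Last-Modified: Fri, 10 Mar 2006 05:56:06 GMT\r\nAccept-Ranges: bytes\r\n"
             "Content-Length: 255\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n")
WARDEN = {"/index.html": {"length": 255, "last_modified": "Fri, 10 Mar 2006 05:56:06 GMT",
                          "content_type": "text/html; charset=UTF-8"}}
REQUEST = {"path": "/index.html"}
```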


Unstructured Carriers

Attackers can also encode information in network order or timing

Correlate request/response pairs to enforce ordering

Actively alter timing behavior by delaying server responses

Model server response behavior and block deviations


Evaluation Setup

How fast is Glavlit verification relative to:
- Direct connection
- Linux software bridge
- Glavlit Guard with verification off (no hashing or protocol parsing; TCP reassembly and packet forwarding only)

[Diagram: Apache 2.2.2 Web Server, Gigabit Ethernet, Linux Host Running Guard at the Network Boundary, Gigabit Ethernet, Custom HTTP Client.]


System Throughput


Evaluation Discussion

Guard and Web server both pay the price for more connections on small files

Per-connection overhead reduces performance for small files (~50%):
1) Parsing
2) TCP Connection/Stream/State Allocation
3) pcap and libnet kernel switching overhead

For common Web files (~10KB+) performance is comparable to direct connect and Linux kernel bridge

Total request latency NOT affected


Conclusions

Content control prevents information that is not explicitly allowed from exiting; prevents inadvertent disclosure

Protocol Channel Mitigation prevents many channels and limits others; raises the bar for attackers wanting to steal valuable data

Performance overhead acceptable in un-tuned prototype

FIRST system to actively limit application layer covert channels


Thank you. QUESTIONS?

Author Contact Info: {nschear, ckintana, qzhang, vahdat}@cs.ucsd.edu


Guard CPU Usage


Guard No-Verify CPU Usage


Verifying Dynamically Generated Content

Goal: Leverage static content verification as much as possible

- Rolling Checksum (a la rsync)
- Rabin Fingerprints for variable sized chunks
- High speed analysis engine for mismatch regions
- Self describing templates


Related Work

Content Control
- Commercial Solutions (Entrust, Fidelis, Vontu, PortAuthority)

Covert Channels
- Web Tap, Eraser, Infranet
- Detection of Layer 3 and 4 Channels (NUSHU, Loki, etc…): Murdoch et al., Fisk et al., Tumoian et al.

Vetting Review Tools
- Wetstone StegoSuite
- Los Alamos National Lab - File Scrub


Future Work

Dynamic Content
- Fuzzy Fingerprinting matching
- Self Describing Web Language (JWig)

Support More Protocols
- SMTP, IM, etc…

SSL Traffic Support

More tuning for better performance; possible hardware acceleration?