WireX Immunix Server Software

Autonomix: Component, Network, and System Autonomy
Crispin Cowan, Ph.D., WireX Communications, Inc. (wirex.com)
David Maier & Lois Delcambre, Oregon Graduate Institute of Science & Technology
11.7.00

Component, Network, and System Autonomy

Component Autonomy (WireX)
• Tight loop
• Complete loop: Detection -> Decision -> Response
• Spins off intrusion events

Network and System Autonomy (OGI)
• Network: Infrastructure tool; IDS event and response protocol translator
• System: Orchestrator; Adaptation Space

Component Autonomy: Technical Objectives
• Family of tools to guard components against common software vulnerabilities
  – StackGuard: protection from "stack smashing" buffer overflows
  – SubDomain: lightweight mandatory access controls
  – PointGuard: generalized StackGuard
  – FormatGuard: protection from printf format bugs
  – RaceGuard: protection from temp file races
• Objective: eliminate 90-99% of software vulnerabilities

Existing Practice: How is it done now?
• Patches
  – Urgent patches
  – Lots of them
• Mandatory access control
  – Argus Pitbull, Type Enforcement, DTE, etc.
  – Contains damage when software is cracked
  – Substantial costs in administration and performance
• A few systematic tools: OpenWall, chroot

Technical Approach: Abstract
• Approach
  – Local intrusion response
  – Catch intrusion in process
  – Halt exploited component
• The Canary Technique
  – Detect attacks in progress: place a sacrificial canary where an attack will show tampering, then monitor the canary
  – If canary destroyed, then attack is happening

Buffer Overflows: The Basic Problem
• Weak bounds checking in programs
• Attackers provide more input than program can accommodate
• Take control of program
• Exploit program's privilege
• This is the leading software security vulnerability
  – Majority of CERT advisories for the last several years

Buffer Overflow Attacks
• Program normally expects a short string
  – E.g. for user-ID "fred"
• Attacker provides a big string
  – Overflows buffer
  – E.g. "fredjklsjoiwi"
• Corrupts adjacent program state
• Attacker takes control
[Figure, built up over four slides: a Server Program with a User-ID buffer and Adjacent state; normal network input "fred" fits in the buffer, while the attacker's network input "fredjklsjoiw" overflows the buffer into the adjacent state, ending with "Attacker in control"]

StackGuard Defense
• Protect objects with canary integrity checks
• If canary is obliterated by attacker's big string ...
• Intruder Alert!
  – Raise alarms
  – Shut down process
  – Do not give control to attacker
[Figure, built up over three slides: the same Server Program with a Canary placed between the User-ID buffer and the Adjacent state; normal network input "fred" leaves the canary intact, the attacker's network input "fredjklsjoiw" leaves the canary obliterated and raises "Alert!"]
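
The canary check the Buffer Overflow Attacks and StackGuard Defense slides describe, as an added example that is not StackGuard's own code. The function's activation record is modelled as an explicit C struct (an assumption for illustration; the real StackGuard compiler places the canary in the frame it generates, next to the saved return address), the unchecked copy is clamped to the size of that struct so the simulation stays within defined C, and the names canary_init and handle_user_id are invented here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* An activation record made explicit as a struct (assumption: this only
 * mirrors the slide's picture, not the compiler-generated frame layout). */
struct frame {
    char     user_id[BUF_SIZE];   /* the buffer the server reads "fred" into */
    uint32_t canary;              /* sacrificial value placed after the buffer */
    uint32_t adjacent_state;      /* stands in for the saved return address */
};

/* Process-wide canary, chosen once at startup.  StackGuard also offers a
 * "terminator" canary (NUL, CR, LF, EOF) that string functions cannot copy
 * past; the random-value form is the one shown here. */
static uint32_t g_canary = 0xA5A5A5A5u;

void canary_init(uint32_t seed) { g_canary = seed ^ 0xA5A5A5A5u; }

/* Simulated server routine.  The bug from the slide is an unbounded copy of
 * network input into user_id.  To keep the simulation within defined C the
 * copy is clamped to the whole frame: it can overwrite the canary and
 * adjacent_state, but nothing outside this object.
 * Returns 1 if the epilogue check passes, 0 on "Intruder Alert!". */
int handle_user_id(const unsigned char *input, size_t len) {
    struct frame f;
    f.canary = g_canary;                       /* prologue: plant the canary */
    f.adjacent_state = 0xDEADBEEFu;            /* constructed placeholder */
    memset(f.user_id, 0, sizeof f.user_id);

    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);                    /* the unchecked copy */

    /* epilogue: verify the canary before the adjacent state is ever used */
    if (f.canary != g_canary) {
        fprintf(stderr,
                "stackguard-style alert: canary obliterated (adjacent state now 0x%08x)\n",
                (unsigned)f.adjacent_state);
        return 0;                              /* StackGuard syslogs and aborts here */
    }
    return 1;
}

int main(void) {
    canary_init(12345u);
    /* constructed inputs from the slide: a normal user-ID and an oversized one */
    const char *normal = "fred";
    const char *big    = "fredjklsjoiwifredjklsjoiwi";
    printf("normal input: %s\n",
           handle_user_id((const unsigned char *)normal, strlen(normal)) ? "ok" : "alert");
    printf("big input:    %s\n",
           handle_user_id((const unsigned char *)big, strlen(big)) ? "ok" : "alert");
    return 0;
}
```

An input of exactly BUF_SIZE bytes fills the buffer without touching the canary and passes; anything longer lands on the canary first, which is the point of placing it between the buffer and the state an overflow would want to reach.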

StackGuard Demo
• Many of you have seen this before ...
• Fairly current vulnerability: qpopper
  – POP3 mail server
  – Remote buffer overflow vulnerability: can get a root shell
• Attack produces:
  – Syslog event
  – qpopper aborts
• Demo

Generalized StackGuard: PointGuard
• StackGuard: protects the return address in function call activation records
  – Good against majority of buffer overflows
  – Decreasing fraction of attacks
• PointGuard: generalizes to protect all pointers in the program
  – Integrity check all pointers before dereferencing
  – Should be good against most forms of buffer overflow

Format Bugs: The Basic Problem
• Discovered suddenly in June 2000
  – Remote root vulnerability in WU-FTPD
  – Followed by dozens of similar vulnerabilities
• Basis: arcane %n printf format string directive
  – Tells printf to treat corresponding argument as an int * and write back number of items formatted so far
• Problem: programs that pass un-filtered user input strings direct to printf

Format Bug Attacks
• Program normally expects a plain text string
  – E.g. for user-ID "fred"
• Attacker provides a format string
  – E.g. "fred %n"
• Program printf's it
  – Interpreting %n writes to some other part of the program
• Taking control of the program
[Figure, built up over four slides: a Server Program receiving User-ID "fred %n" as network input; the %n write lands on the Call Stack at 0x1234]

FormatGuard
• First general solution to format bugs
  – October 2000
• Wraps *printf style functions for safety (including syslog)
  – Count the number of arguments
  – Count the number of % directives
  – If mis-match, then reject the call
• But counting arguments is hard
  – C's varargs mechanism does not permit counting

FormatGuard: How to Count Arguments
• We use GCC/CPP macros:
  – GCC/CPP lets you condense & expand variable argument lists, Lisp-style
  – Built an argument_count macro
  – Defined printf(args) -> safe_printf(arg_count(args), args)
  – safe_printf counts the number of % directives in the format string
  – Reject mis-matched calls
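
The counting scheme from the Format Bugs and FormatGuard slides, as an added example that is not FormatGuard's own code. It pairs a preprocessor macro that counts a variadic call's arguments at compile time (the standard __VA_ARGS__ shifting trick, standing in for FormatGuard's argument_count) with a run-time count of the % conversions a format string consumes; a mismatch, or a %n, refuses the call. The names ARG_COUNT, count_directives, safe_printf and fg_printf are invented here, and fg_printf is used instead of redefining printf itself so the block compiles against any libc. Note that %n stores the number of characters written so far, which is why the checker rejects it outright.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Compile-time argument counting with the preprocessor (the "condense and
 * expand" trick the slide refers to).  ARG_COUNT(a, b, c) expands to 3; up to
 * eight arguments are supported here. */
#define ARG_COUNT(...) ARG_COUNT_(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define ARG_COUNT_(_1, _2, _3, _4, _5, _6, _7, _8, N, ...) N

/* Number of arguments a format string will consume.  "%%" consumes nothing,
 * each '*' width or precision consumes an extra int, and a %n or a truncated
 * directive returns -1 so the call is refused outright. */
int count_directives(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* literal percent sign */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') n++;                   /* '*' pulls an int argument */
            p++;
        }
        if (*p == '\0' || *p == 'n') return -1;   /* truncated, or %n: reject */
        n++;                                      /* the conversion itself */
    }
    return n;
}

/* The wrapper every printf call is routed through.  nargs comes from the
 * preprocessor, the directive count from the format string at run time.
 * On a mismatch nothing is printed and -1 is returned (FormatGuard itself
 * syslogs the event and kills the process). */
int safe_printf(int nargs, const char *fmt, ...) {
    int need = count_directives(fmt);
    if (need < 0 || need != nargs) {
        fprintf(stderr, "formatguard-style alert: %d argument(s) for a format needing %d\n",
                nargs, need);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vprintf(fmt, ap);
    va_end(ap);
    return r;
}

/* fg_printf(fmt, args...) -> safe_printf(<number of args>, fmt, args...).
 * The count includes fmt itself, hence the "- 1". */
#define fg_printf(...) safe_printf(ARG_COUNT(__VA_ARGS__) - 1, __VA_ARGS__)

/* The vulnerable idiom from the slides: user data used as the format string. */
int log_user_id_unsafe(const char *user_id) {
    return fg_printf(user_id);
}

/* The correct idiom: a constant format, user data passed as an argument. */
int log_user_id_safe(const char *user_id) {
    return fg_printf("user-ID %s\n", user_id);
}

int main(void) {
    fg_printf("%d %s\n", 42, "hello");         /* 2 directives, 2 args: passes */
    log_user_id_unsafe("fred");                /* no directives, 0 args: harmless */
    log_user_id_unsafe("fred %n");             /* %n: refused */
    log_user_id_unsafe("fred %x %x");          /* 2 directives, 0 args: refused */
    log_user_id_safe("fred %n");               /* printed literally, returns 16 */
    return 0;
}
```

The unsafe wrapper still prints a plain "fred" (zero directives match zero arguments), which is exactly the slide's point: the guard only bites when untrusted data contains directives the caller never supplied arguments for.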

FormatGuard Demo
• RPC.statd: remote format vulnerability
  – Can easily get a root shell
  – Many systems run RPC.statd; part of NFS
  – Exploit part of the new "Ramen" Linux Worm
• Attack a FormatGuard-protected RPC.statd
  – Syslog the event
  – Kill the process
• Demo

FormatGuard Performance
• Microbenchmark: 37% overhead on calls to printf
• Macrobenchmark: hard to find a printf-bound program :-)
  – Man2HTML uses a lot of printf's
  – Batch 79 man pages through: 1.3% overhead
• Paper submitted for review

Temporary File Race Conditions
• Scenario: Root process wants to create a unique /tmp file
  – Step 1: choose a name
  – Step 2: check to see if it exists
  – Step 3: if not exists, create
• Here's the Problem: attacker interrupts between steps 2 and 3
  – Creates a link from expected /tmp file name to a major file, i.e. /etc/passwd
  – When root process does the create, it stomps /etc/passwd with root's authority

RaceGuard
• Kernel enhancement to detect race attacks mid-way through
  – Cache names presented to stat()
  – If open(O_CREAT) hits an existing file, and the path is in the RaceGuard cache, then a race attack is in progress
• Response choices:
  – Deny the open: return EPERM
  – Kill the process
• Demo
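
The detection rule the RaceGuard slide states, run over the three-step scenario from the Temporary File Race Conditions slide, as an added example that is not the RaceGuard kernel patch. The file system is a constructed in-memory set of names so the sequence runs offline; the cache records only names that stat() reported as absent (an assumption about RaceGuard's exact caching rule, which the slide does not spell out); and the names rg_stat, rg_open_creat and the scenario functions are invented here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define PATH_LEN  64

/* Constructed in-memory stand-in for the file system: just a set of names. */
struct fs        { char names[MAX_NAMES][PATH_LEN]; int count; };
/* Per-process RaceGuard cache: names stat() reported as non-existent. */
struct raceguard { char names[MAX_NAMES][PATH_LEN]; int count; };

static int set_has(char names[][PATH_LEN], int count, const char *p) {
    for (int i = 0; i < count; i++)
        if (strcmp(names[i], p) == 0) return 1;
    return 0;
}
static void set_add(char names[][PATH_LEN], int *count, const char *p) {
    if (*count >= MAX_NAMES || set_has(names, *count, p)) return;
    strncpy(names[*count], p, PATH_LEN - 1);
    names[*count][PATH_LEN - 1] = '\0';
    (*count)++;
}
static void set_del(char names[][PATH_LEN], int *count, const char *p) {
    for (int i = 0; i < *count; i++)
        if (strcmp(names[i], p) == 0) {
            memmove(names[i], names[*count - 1], PATH_LEN);   /* swap-remove */
            (*count)--;
            return;
        }
}

/* Step 2 of the scenario: stat() the chosen name.  Returns 0 if it exists,
 * -ENOENT otherwise.  Only the "does not exist" answer can be raced against,
 * so that is what the cache records. */
int rg_stat(struct raceguard *rg, const struct fs *fs, const char *path) {
    if (set_has(fs->names, fs->count, path)) return 0;
    set_add(rg->names, &rg->count, path);
    return -ENOENT;
}

/* Step 3: open(path, O_CREAT).  If a file now exists at a name this process
 * was told was free, something created it in between: refuse with -EPERM
 * (the slide's other response choice is to kill the process).  Otherwise
 * create the file and return 0. */
int rg_open_creat(struct raceguard *rg, struct fs *fs, const char *path) {
    int exists = set_has(fs->names, fs->count, path);
    int cached = set_has(rg->names, rg->count, path);
    if (exists && cached) {
        fprintf(stderr, "raceguard-style alert: %s appeared between stat() and open()\n", path);
        return -EPERM;
    }
    set_del(rg->names, &rg->count, path);   /* the cached answer is consumed */
    set_add(fs->names, &fs->count, path);
    return 0;
}

/* A name appearing at the expected path between steps 2 and 3: the event the
 * slide describes (in the slide, a link pointing at /etc/passwd). */
void name_appears_between_steps(struct fs *fs, const char *path) {
    set_add(fs->names, &fs->count, path);
}

/* Three scenarios; each returns the result of the root process's open(). */
int scenario_uninterrupted(void) {
    struct fs fs = {0}; struct raceguard rg = {0};
    rg_stat(&rg, &fs, "/tmp/work.1234");
    return rg_open_creat(&rg, &fs, "/tmp/work.1234");       /* 0: benign */
}
int scenario_raced(void) {
    struct fs fs = {0}; struct raceguard rg = {0};
    rg_stat(&rg, &fs, "/tmp/work.1234");
    name_appears_between_steps(&fs, "/tmp/work.1234");
    return rg_open_creat(&rg, &fs, "/tmp/work.1234");       /* -EPERM: detected */
}
int scenario_no_prior_stat(void) {
    struct fs fs = {0}; struct raceguard rg = {0};
    name_appears_between_steps(&fs, "/tmp/work.1234");
    return rg_open_creat(&rg, &fs, "/tmp/work.1234");       /* 0: no check, so no race */
}

int main(void) {
    printf("uninterrupted: %d\nraced: %d\nno prior stat: %d\n",
           scenario_uninterrupted(), scenario_raced(), scenario_no_prior_stat());
    return 0;
}
```

The third scenario is why the cache matters: opening a file that already exists is an ordinary operation, and it is only suspicious when this same process was just told the name was free. The application-side fix is to make steps 2 and 3 one atomic call, open() with O_CREAT|O_EXCL or mkstemp(); RaceGuard's value is that it covers existing binaries that still do check-then-create.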

RaceGuard Performance
• Microbenchmarks:
  – 104% overhead on stat(): 4.3 µs -> 8.8 µs
  – 13% overhead on fork(): 161 µs -> 183 µs
• Macrobenchmark: Khernelstone
  – Build Linux kernel from source
  – Lots of temp files, lots of forks
  – 0.4% overhead
• Paper submitted for review

Major Achievement: Low-Effort Protection
• These tools are highly transparent:
  – Performance overhead: under 2% across the board, usually lower
  – Compatibility issues: minimal
    – Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard
    – RaceGuard works on binary code, currently breaks nothing
  – Administrative overhead: nil

Major Achievement: Relative Invulnerability
• Proposed metric:
  – Compare a "base" system against a system protected with Immunix tools
  – Count the number of known vulnerabilities stopped by the technology
  – "Relative Invulnerability": % of vulnerabilities stopped

Immunix Relative Invulnerability
• Immunix System 7: Based on Red Hat 7.0
  – Compare Immunix vulnerability to Red Hat's Errata page (plus a few they don't talk about :-)
• October 1, 2000 - Feb. 7, 2000
  – 44 vulnerabilities total
  – 11 remote, 33 local
  – 40 penetration, 4 DoS
  – 8 remote penetration

Immunix Relative Invulnerability

                                  All            Penetration    Remote Penetration
StackGuard                        3/44  (6.8%)   3/40  (7.5%)   3/8  (37%)
FormatGuard                       5/44  (11%)    5/40  (12%)    2/8  (25%)
RaceGuard                         18/44 (41%)    18/40 (45%)    0/8  (0%)
*Guard Combination                26/44 (59%)    26/40 (65%)    5/8  (62%)
Server Appliance Configuration    22/34 (65%)    22/30 (73%)    3/4  (75%)
Server Appliance + SubDomain      25/34 (73%)    25/30 (83%)    4/4  (100%)

PointGuard will bring these to 6/8 (75%) & 4/4 (100%)

Task schedule
• StackGuard: delivered
• PointGuard: long-term development
• FormatGuard: prototype delivered, final copy soon (weeks)
• Integrated Drop: prototype delivered, final copy soon (weeks)
• RaceGuard: lab prototype works, under development, should be ready for June drop

Transition of Technology
• Open source: StackGuard, FormatGuard, and RaceGuard are all GPL'd
• Commercial: all being incorporated into WireX Server Appliance products
  – Server appliance: a server for dummies
  – Thus the need for dummy-proof security

Jay's Questions
• What threats/attacks is your project considering?
  – Common software pathologies that create vulnerabilities
• What assumptions does your project make?
  – That most vulnerabilities fit into a few classes
  – That we can get the source for most/all applications on a platform (true for Linux)
• What policies can your project enforce?
  – We provide software integrity, allowing policy enforcement to be meaningful

Network and System Autonomy (OGI)
• Network
  – Abstract utility for translating data representations
  – Application: translate incompatible IDS events and responses
• System
  – Adaptation Space: formal model for reasoning about alternative implementations
  – Candidate Orchestrator

Network Autonomy: Technical Objective
• What we are trying to accomplish:
  – Support a single autonomic response environment that easily accommodates sensors, detectors, and responders that communicate using a variety of languages/protocols.
  – Participate in the SARA experiment under SWWIM

Autonomix Navigator Architecture
[Figure: components are StackGuard, Swatch (Event Monitor), Navigator, Scenario Manager, SNMP Manager, SNMP Agent Interface, IPChain Configurer, and a Firewall Adaptation Space (XML); the edge labels read "syslog alert", "monitors", "notifies (via IDMEF XML)", "conditions", and "choices"]

Three out of Four Questions
• What threats/attacks is your project considering?
  – Those that can be detected (relying on someone else's IDS)
  – Those that have a meaningful response
• What assumptions does your project make?
  – That a heterogeneous fabric of intrusion detection and response components
  – That intrusion response can be effective
• What policies can your project enforce?
  – Can map from any combination of intrusion events to any available alternative configuration

Summary
• Component Autonomy: Largely working software
  – Running on this laptop: StackGuard, FormatGuard, and RaceGuard
  – Available piecewise, or integrated into Immunix, at http://immunix.org
• Network & System Autonomy: Largely a work in progress
  – Aimed at SARA

Future Work
• PointGuard: continue development
• FormatGuard: enhance to catch more kinds of attacks
• RaceGuard: finish testing, release by summer
• IPGuard: new tool to defend against network DoS attacks
• Network/System Autonomy: participate in SARA experiments

Plug: NSPW
• New Security Paradigms Workshop
• Actively interested in radical new ideas, e.g. organic assurance
• Papers due March 30, 2001
• Info: http://nspw.org