
• Number of slides: 22

Automatic Inference and Enforcement of Kernel Data Structure Invariants
Arati Baliga, Vinod Ganapathy and Liviu Iftode
Department of Computer Science, Rutgers University

Rootkits, the growing threat!
• Computer systems today face a realistic and growing threat from rootkits.
  - 600% increase from 2004 to 2006 (McAfee Avert Labs)
  - Over 200 rootkits in the first quarter of 2008 (antirootkit.com)
• A collection of tools used by the attacker to conceal his presence on the compromised system.
• Rootkits allow the attacker to:
  - Maintain long-term control
  - Reuse the system's resources
  - Spy on the system
  - Involve the system in malicious activities
10 December 2008, Annual Computer Security and Applications Conference, 2008

Rootkit hiding trends (figure)
USER SPACE
  - User binaries: /usr/bin/ls, /usr/bin/ps, /usr/bin/netstat, /usr/bin/login
  - Shared libraries: /usr/libc.so
  - Backdoors, key loggers, log erasers, etc.
KERNEL SPACE
  - Control data: system call table, Virtual File System (VFS) handlers
  - Non-control data: process lists (p1, p2, p3, p4, p5)
Below the operating system
  - Cloaker
  - Hypervisor-based rootkits (SubVirt, Blue Pill)

Current Approaches
• Automated technique, limited in scope
  - SBCFI [Petroni et al., CCS 2007]
• Manual specification-based techniques
  - Copilot [Petroni et al., Usenix Security 2004]
  - Specification-based architecture [Petroni et al., Usenix Security 2006]
• Challenge

Outline
• Introduction
• Approach
• Attack examples
• Design and implementation
• Experimental evaluation
• Conclusions

Our approach
• A comprehensive technique to detect rootkits based on automatic invariant inference.
• An invariant is a property that holds over an individual object (e.g. a variable or struct) or over a collection of objects (e.g. arrays or linked lists).
• Invariants are learned over a training phase and enforced during normal operation.
• Works uniformly across control data as well as non-control data.

Attacks that violate invariants
• We demonstrate four examples in this talk
  - Two proposed by us [Baliga et al., Oakland 2007]
    • Entropy pool contamination
    • Resource wastage
  - Two attacks proposed by others
    • Hiding a process (used by the fu rootkit, Butler et al.)
    • Adding a binary format (proposed by the Shellcode security research group)

Attack 1 - Entropy pool contamination
Attack overview: the attack constantly writes zeroes into all three pools and into the polynomials (taps) used to stir the pools.
Impact: all applications that rely on the kernel random number generator, such as TCP sequence numbers and session IDs, are affected.
(figure) Entropy sources: keyboard, mouse, disk, interrupt activity
  - Primary entropy pool (512 bytes)
  - Secondary entropy pool (128 bytes), feeds /dev/random
  - Urandom entropy pool (128 bytes), feeds /dev/urandom

Attack 1 - Invariants violated
Data structures involved: struct poolinfo. This is a member of the entropy pool data structures of type struct entropy_store.
Invariants violated by the attack:
  poolinfo.tap1 ∈ {26, 103}
  poolinfo.tap2 ∈ {20, 76}
  poolinfo.tap3 ∈ {14, 51}
  poolinfo.tap4 ∈ {7, 25}
  poolinfo.tap5 == 1
Invariant type:
• MEMBERSHIP invariant over a COLLECTION (SIMILAR OBJECTS)

Attack 2 - Resource wastage attack
Attack overview: the attack manipulates the zone watermarks to create the impression that most of the memory is full.
Impact: resource wastage and performance degradation.

Attack 2 - Invariants violated
Data structures involved: zone_table[] array. Each element is of type struct zone_struct.
Invariants violated by the attack:
  zone_table[1].pages_min == 255
  zone_table[1].pages_low == 510
  zone_table[1].pages_high == 765
Invariant type:
• CONSTANCY invariants over individual OBJECTS

Attack 3 - Hidden process attack
Attack overview: the attack removes the malicious process entry from the all-tasks list but retains it in the run-list.
Impact: the malicious process is hidden from accounting tools, yet is still scheduled.
(figure) Hidden process: linked into the run-list via run_list, unlinked from the all-tasks list (next_task).
Data structures involved: process run-list, process all-tasks list.
Invariant: run-list ⊆ all-tasks
Invariant type:
• SUBSET property over a COLLECTION (LINKED LIST)

Attack 4 - Adding binary format attack
Attack overview: the attack adds a new binary format containing a malicious handler.
Impact: malicious code is invoked each time a new process is created on the system.
Data structures involved: formats list.
Invariant: len(formats) == 2
Invariant type:
• LENGTH property over a COLLECTION (LINKED LIST)
Figure used from the Shellcode security research document published at http://goodfellas.shellcode.com.ar/own/binfmt-en.pdf

Gibraltar architecture (figure)
Inputs: Root Symbols, Invariant Templates, Kernel Data Definitions
Page Fetcher: reads physical memory of the target by address
Data Structure Extractor: reconstructs kernel objects (e.g. run-list, all-tasks) from the fetched pages
Invariant Generator (training): produces Invariants (e.g. run-list ⊆ all-tasks)
Enforcement Monitor: checks the extracted data structures against the invariants (run-list ⊆ all-tasks?)

Prototype (Gibraltar)
• Fetches remote memory pages from the target continuously

Invariants automatically inferred
A total of 718,940 invariants were inferred by Gibraltar. These invariants are used as data structure integrity specifications during enforcement.

Detection Accuracy
• Test suite
  - Fourteen publicly available kernel rootkits
  - Six advanced stealth attacks on the kernel (previously discussed)
• Results
  - All of them detected (no false negatives)
• False positive evaluation
  - Benign workload run for half an hour, consisting of a combination of tasks:
    # Copying the Linux kernel source code from one folder to another
    # Editing a text document
    # Compiling the Linux kernel
    # Downloading eight video files from the Internet
    # Performing file system operations using the IOzone benchmark
  - 0.65% false positive rate

Performance Evaluation
• Training time
  - 25 minutes for snapshot collection, 31 minutes for invariant inference (total of 56 minutes)
• Detection time
  - Ranges from 15 seconds up to 132 seconds
  - Large variance depending on the number of objects found in memory; the number of objects varies with the workload running on the system and with system uptime
• PCI overhead
  - DMA access creates contention for the memory bus
  - 0.49% (results of the STREAM benchmark)

Conclusions and future work
• Our approach automatically infers invariants over kernel control and non-control data.
• Gibraltar could automatically detect publicly available rootkits and advanced stealth attacks using automatically inferred invariants.
• As future work, we plan to investigate
  - Improvement of the false positive rate (filtering, feedback)
  - Quality of the invariants generated
  - Portability of invariants across reboots

Questions? Thank you!

Data structure extractor (backup slide)
Breadth-first traversal of kernel memory: the BFS queue is seeded with the root symbols in static data (Root 1, Root 2, Root 3, ..., Root n) and every pointer found in an extracted object is enqueued in turn.
Example: a linked list of objects of type "struct foo", linked through the embedded list_head p (the all-tasks list is linked the same way through next_task/prev_task):

  struct foo {
      struct bar *b1;
      struct list_head p;
      ...
  };

  struct list_head {
      struct list_head *prev;
      struct list_head *next;
  };

From one object of struct foo the extractor enqueues the pointer b1 and the neighbouring objects CONTAINER(struct foo, p) of p.next and CONTAINER(struct foo, p) of p.prev, i.e. it subtracts the offset of the embedded member to recover the containing object.
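The CONTAINER-style traversal above and the run-list ⊆ all-tasks check from Attack 3, as an added example that is not Gibraltar's code: a constructed 32-bit little-endian memory image with an invented task layout, two list-head root symbols standing in for the kernel's own (here called all_tasks_head and runqueue_head, both sentinels, which is an assumption), and a bounded list walk that recovers the objects on each list and then reports processes that are runnable but missing from the all-tasks list. The base address, offsets and pids are all made up for the example.

```python
"""Walk kernel linked lists in a raw memory image via container_of and check
the run-list ⊆ all-tasks invariant. Added example, not Gibraltar's code; the
struct layout, base address, field offsets and pids are invented."""
import struct

# Hypothetical 32-bit little-endian layout (assumption, not a real kernel ABI):
#   struct list_head { u32 next; u32 prev; }                         (8 bytes, next first)
#   struct task { u32 pid; struct list_head tasks; struct list_head run_list; }  (20 bytes)
WORD = struct.Struct("<I")
LIST_HEAD = struct.Struct("<II")
TASK_SIZE = 20
OFF_PID, OFF_TASKS, OFF_RUN_LIST = 0, 4, 12
BASE = 0xC0000000  # virtual base of the image; identity mapping to the buffer is assumed


class Image:
    """A byte image of 'kernel memory' addressed by virtual address."""
    def __init__(self, size):
        self.mem = bytearray(size)

    def write_u32(self, addr, val):
        WORD.pack_into(self.mem, addr - BASE, val)

    def read_u32(self, addr):
        return WORD.unpack_from(self.mem, addr - BASE)[0]


def container_of(member_addr, member_offset):
    """CONTAINER(struct foo, p): address of the object that embeds the list_head."""
    return member_addr - member_offset


def walk_list(img, head_addr, member_offset, limit=1 << 16):
    """Follow list_head.next from a sentinel head until it returns to the head,
    yielding the addresses of the containing objects. Bounded and NULL-checked
    so a corrupted or deliberately looped list cannot hang the monitor."""
    objs = []
    cur = img.read_u32(head_addr)  # head.next
    while cur != head_addr:
        if cur == 0 or len(objs) >= limit:
            raise ValueError("list corrupted or unterminated")
        objs.append(container_of(cur, member_offset))
        cur = img.read_u32(cur)  # node.next (first field of list_head)
    return objs


def link_circular(img, head, nodes):
    """Build a doubly linked circular list: head -> nodes... -> head."""
    ring = [head] + nodes
    for i, node in enumerate(ring):
        nxt, prv = ring[(i + 1) % len(ring)], ring[i - 1]
        LIST_HEAD.pack_into(img.mem, node - BASE, nxt, prv)


def unlink(img, node):
    """list_del(node): the neighbours skip over it; the node keeps its own pointers."""
    nxt, prv = LIST_HEAD.unpack_from(img.mem, node - BASE)
    img.write_u32(prv, nxt)      # prv->next = nxt
    img.write_u32(nxt + 4, prv)  # nxt->prev = prv


def build_image(pids, hidden_pid=None):
    """Constructed image: every task is on both lists; optionally one task is
    unlinked from all-tasks only, as the fu rootkit does, while staying runnable."""
    img = Image(4096)
    all_tasks_head, runqueue_head = BASE + 0x10, BASE + 0x18  # root symbols (sentinels)
    task_addrs = [BASE + 0x100 + i * TASK_SIZE for i in range(len(pids))]
    for addr, pid in zip(task_addrs, pids):
        img.write_u32(addr + OFF_PID, pid)
    link_circular(img, all_tasks_head, [a + OFF_TASKS for a in task_addrs])
    link_circular(img, runqueue_head, [a + OFF_RUN_LIST for a in task_addrs])
    if hidden_pid is not None:
        unlink(img, task_addrs[pids.index(hidden_pid)] + OFF_TASKS)
    return img, all_tasks_head, runqueue_head


def check_run_list_subset(img, all_tasks_head, runqueue_head):
    """Enforce the SUBSET invariant run-list ⊆ all-tasks; return the pids of
    processes that are scheduled but invisible to accounting tools."""
    all_tasks = set(walk_list(img, all_tasks_head, OFF_TASKS))
    running = walk_list(img, runqueue_head, OFF_RUN_LIST)
    return sorted(img.read_u32(t + OFF_PID) for t in running if t not in all_tasks)


if __name__ == "__main__":
    img, a, r = build_image([1, 42, 1337], hidden_pid=1337)
    print("hidden but runnable:", check_run_list_subset(img, a, r))
```

The check walks both lists independently and compares the recovered object addresses, not pids, so a rootkit cannot satisfy it by forging a pid field; the walk is bounded because a monitor that can be made to spin on a corrupted next pointer is itself a target.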

Invariant generator (backup slide)
• We leverage Daikon's invariant inference engine to extract invariants over kernel snapshots.
• Daikon is a tool for dynamic invariant inference over application programs.
• We focus on the following five templates:
  - Membership template (var ∈ {a, b, c})
  - Non-zero template (var != 0)
  - Bounds template (var < const), (var > const)
  - Length template (length(var) == const)
  - Subset template (list1 ⊆ list2)
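The five templates on this slide, together with the learn-then-enforce loop from the approach slide, as an added example that is neither Daikon nor Gibraltar's code: a toy inference pass over constructed benign snapshots (field names and values borrowed from the attack slides), followed by enforcement against a snapshot in which all four attacks from the talk have been applied. The snapshot representation (ints for scalar fields, Python lists for collections and linked lists) and the ONEOF_LIMIT cut-off are assumptions of the example.

```python
"""Template-based invariant inference over kernel snapshots, then enforcement
against a fresh snapshot. Added example illustrating the five templates with a
toy engine; it is not Daikon and not Gibraltar's code. Snapshots are
constructed dicts: scalar fields are ints, collections (similar objects, or
the objects on a linked list) are Python lists. Names and values are
illustrative, taken from the attack slides."""

ONEOF_LIMIT = 3  # stop inferring membership once more distinct values are seen


def infer(snapshots):
    """Return {description: predicate} for every template that held in all training snapshots."""
    first = snapshots[0]
    scalars = [n for n in first if isinstance(first[n], int)]
    lists = [n for n in first if isinstance(first[n], list)]
    inv = {}

    for n in scalars:
        seen = sorted({s[n] for s in snapshots})
        if len(seen) <= ONEOF_LIMIT:
            # membership; a one-element set is a constancy invariant (pages_min == 255)
            inv[f"{n} in {seen}"] = lambda s, n=n, ok=set(seen): s[n] in ok
        else:
            # bounds are the fallback for fields that take many values
            lo, hi = seen[0], seen[-1]
            inv[f"{lo} <= {n} <= {hi}"] = lambda s, n=n, lo=lo, hi=hi: lo <= s[n] <= hi
        if all(s[n] != 0 for s in snapshots):
            inv[f"{n} != 0"] = lambda s, n=n: s[n] != 0

    for n in lists:
        lengths = {len(s[n]) for s in snapshots}
        if len(lengths) == 1:
            k = lengths.pop()
            inv[f"len({n}) == {k}"] = lambda s, n=n, k=k: len(s[n]) == k
        # membership over a collection of similar objects (one tap value per entropy pool)
        elems = set().union(*(s[n] for s in snapshots))
        if len(elems) <= ONEOF_LIMIT and all(isinstance(e, int) for e in elems):
            inv[f"all {n} in {sorted(elems)}"] = lambda s, n=n, ok=elems: set(s[n]) <= ok
        for m in lists:
            if m != n and all(set(s[n]) <= set(s[m]) for s in snapshots):
                inv[f"{n} subset of {m}"] = lambda s, n=n, m=m: set(s[n]) <= set(s[m])
    return inv


def enforce(invariants, snapshot):
    """Evaluate every inferred invariant on one snapshot; return the violated descriptions."""
    return sorted(d for d, pred in invariants.items() if not pred(snapshot))


def training_snapshots():
    """Constructed benign snapshots: per-pool taps {103, 26, 26}, zone 1
    watermarks 255/510/765, two binary formats, a small varying run-list."""
    base = {
        "poolinfo.tap1": [103, 26, 26],  # primary, secondary, urandom pools
        "poolinfo.tap4": [25, 7, 7],
        "zone_table[1].pages_min": 255,
        "zone_table[1].pages_low": 510,
        "zone_table[1].pages_high": 765,
        "zone_table[1].free_pages": 0,
        "formats": ["elf", "script"],
        "all_tasks": [1, 2, 42, 300],
        "run_list": [],
    }
    snaps = []
    for free, running in ((4000, [1, 42]), (3500, [2, 300]), (3800, [1, 2, 42]), (4200, [300])):
        s = dict(base)
        s["zone_table[1].free_pages"] = free
        s["run_list"] = running
        snaps.append(s)
    return snaps


def attacked_snapshot():
    """Constructed snapshot after the four attacks from the talk were applied."""
    s = dict(training_snapshots()[0])
    s["poolinfo.tap1"] = [0, 0, 0]               # attack 1: taps zeroed
    s["zone_table[1].pages_min"] = 65535         # attack 2: watermark raised
    s["run_list"] = [1, 42, 1337]                # attack 3: 1337 runnable, unlinked from all-tasks
    s["formats"] = ["elf", "script", "evil"]     # attack 4: extra binary format
    return s


if __name__ == "__main__":
    invariants = infer(training_snapshots())
    print(len(invariants), "invariants inferred")
    for v in enforce(invariants, attacked_snapshot()):
        print("VIOLATED:", v)
```

Each attack trips a different template: the zeroed taps break a membership invariant over a collection, the raised watermark breaks a constancy (one-element membership) invariant, the extra format breaks a length invariant, and the hidden process breaks the subset invariant. Note that pids take more than ONEOF_LIMIT distinct values in training, so no membership invariant is memorised over them; with fewer training snapshots it would be, and every new benign process would then be a false positive, which is the kind of spurious invariant the false-positive filtering mentioned in the conclusions has to remove.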