Backtracking Intrusions, SOSP '03, Sam King and Peter Chen, UMich
Presented by JW
Motivation
• Computer break-ins increasing
• Computer forensics is important
 – How did they get in?
Current Forensic Methods
• Manual inspection of existing logs
• System, application logs
 – Not enough information
• Network log
 – May be encrypted
• Disk image
 – Only shows final state
• Machine level logs
 – No semantic information
• No way to separate out legitimate actions
BackTracker
• Can we help figure out what was exploited?
• Track back to exploited application
• Record causal dependencies between objects
[Diagram: example dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
BackTracker
• Online component, log objects and events
• Offline component to generate graphs
[Timeline: intrusion occurs → intrusion detected → BackTracker runs, shows source of intrusion]
BackTracker Objects
• Process
• File
• Filename
Dependency-Forming Events
• Process / Process
 – fork, clone, vfork
• Process / File
 – read, write, mmap, exec
• Process / Filename
 – open, creat, link, unlink, mkdir, rmdir, stat, chmod, …
Constructing Dependency Graph
[Pipeline: Raw log → Complete graph → Graph by GraphGen]
Graph could still be VERY large!
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Diagram: graph fragment with nodes /bin/bash, /lib/libc, bash proc, backdoor]
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Diagram: graph fragment with nodes id, pipe, bash proc, backdoor]
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Diagram: graph fragment with nodes bash proc, login_a, utmp, login_b, backdoor]
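As an added example (not the paper's or the presenter's code), the following Python shows the backward dependency walk the slides describe, with every object carrying a time threshold, run over a constructed event log using the fork/read/write/exec event types from the Dependency-Forming Events slide, and then applies the "hide read-only files" rule from the Prioritizing Dependency Graphs slides. The log, the object naming scheme and the rule that a file counts as read-only when nothing in the log writes it are assumptions made for this example.

```python
# Constructed event log (assumption, not BackTracker's real log format):
# (time, event, source object, sink object), read as "source affects sink".
# fork: parent -> child; write: process -> file; read/exec: file -> process.
LOG = [
    (1, "fork",  "proc:init",          "proc:sshd"),
    (2, "read",  "file:/lib/libc",     "proc:sshd"),
    (3, "fork",  "proc:sshd",          "proc:bash"),
    (4, "read",  "file:/lib/libc",     "proc:bash"),
    (5, "write", "proc:bash",          "file:/tmp/backdoor"),
    (6, "read",  "file:/etc/passwd",   "proc:bash"),          # after the write: cannot matter
    (7, "fork",  "proc:bash",          "proc:id"),            # a child, not an ancestor
    (8, "write", "proc:cron",          "file:/var/log/cron"), # unrelated activity
    (9, "exec",  "file:/tmp/backdoor", "proc:backdoor"),      # detection point
]


def backtrack(log, detection_obj, detection_time):
    """Backward walk from the detection point.

    Each object carries a time threshold. An event into the object counts only
    if it happened at or before that threshold; the event's source object then
    gets the event time as its own threshold (widened if a later path reaches
    the same object again).
    """
    threshold = {detection_obj: detection_time}
    work = [detection_obj]
    kept = set()
    while work:
        obj = work.pop()
        for ev in log:
            t, _kind, src, dst = ev
            if dst != obj or t > threshold[obj]:
                continue
            kept.add(ev)
            if threshold.get(src, -1) < t:   # new object, or a wider time window
                threshold[src] = t
                work.append(src)
    return kept


def hide_read_only_files(log, events):
    """'Hide read-only files': drop edges whose source is a file that no
    process writes anywhere in the log (shared libraries, config read by all)."""
    written = {dst for _t, kind, _src, dst in log if kind == "write"}
    return {ev for ev in events
            if not (ev[2].startswith("file:") and ev[2] not in written)}


if __name__ == "__main__":
    graph = backtrack(LOG, "proc:backdoor", 9)
    for ev in sorted(hide_read_only_files(LOG, graph)):
        print(ev)
```

The unfiltered graph keeps the libc reads and the init→sshd→bash→backdoor chain but not the later /etc/passwd read or the unrelated cron write; the filter then removes the two libc edges, leaving the four events that actually explain the detection point.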
[Diagram: filtered dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
Implementation
• Prototype built on Linux 2.4.18
• Both stand-alone and virtual machine
• Hook system call handler
• Inspect state of OS directly
[Diagram: Virtual Machine Implementation: Guest Apps / Guest OS / VMM with EventLogger / Host OS. Stand-Alone Implementation: Host Apps / Host OS with EventLogger]
Evaluation
• Determine effectiveness of BackTracker
• Set up Honeypot virtual machine
• Intrusion detection using standard tools
 – TripWire, Ethereal, Snort
• Attacks evaluated with six default filtering rules
BackTracker Limitations
• Layer-below attack (e.g. VMM)
• Use “low control” events or filtered objects to carry out attack
• Hidden channels
 – e.g. steal password and log in next time
• Create large dependency graph
 – Perform a large number of steps
 – Implicate innocent processes
• Single host without network dependency
• 1.2GB/day/host is too large
[Diagrams (two slides): example attack dependency graphs. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
Cross-host multi-hop attacks
• Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network
• Forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack
[Diagram: multi-hop attack across hosts A, B, C, D. Labels: Attacker, user, ssh log in, /etc/passwd, ls, modify some files, download/replace exes, detection point, Backtracker]
Enriching intrusion alerts through multi-host causality, NDSS’05
Dependency explosion
BEEP: High Accuracy Attack Provenance via Binary-based Execution Partition, NDSS’13
Insight
• The execution of a wide range of applications (both server-side and client-side) is dominated by a small number of loops (with a large number of iterations for each loop).
• Each iteration of such a loop can be considered a semantically autonomous unit, as it often operates on an independent input object.
Technique
• Reverse engineer such loops from application binaries.
• Reverse engineer instructions that could cause workflow between units.
• Perform selective logging for unit boundaries and unit dependences (memory dependence).
An example [figure not extracted]
References
• S. T. King and P. M. Chen. "Backtracking Intrusions." In SOSP 2003.
• S. T. King, Z. M. Mao, D. G. Lucchetti, and P. M. Chen. "Enriching Intrusion Alerts Through Multi-Host Causality." In NDSS 2005.
• K. H. Lee, X. Zhang, and D. Xu. "High Accuracy Attack Provenance via Binary-based Execution Partition." In NDSS 2013.