hilarie orman purple streak, inc. and consulting to pnp networks eitan fenson, rich howard, phil...
TRANSCRIPT
Hilarie Orman
Purple Streak, Inc.
And consulting to
PnP Networks
Eitan Fenson, Rich Howard, Phil Straw
Collaboration for the Common Collaboration for the Common GoodGood
• People like to donate CPU cycles– Breaking a cipher (DES)– Factoring large numbers– Data sifting for extraterrestrial intelligence
• People like to protect their computers– Viruses– Trojan Horses
• People should like to donate CPU cycles for searching for secure application software configurations
• Disclaimer: we haven’t started this yet!
The Search for Extraterrestrial The Search for Extraterrestrial Security ConfigurationsSecurity Configurations
• SETI uses thousands of volunteer computers for data mining astrophysical signals
• Easy to sign up and get an assignment
• Can we use this approach to discover how to securely configure our computers ?
Least PrivilegeLeast Privilege
• No more capability than is necessary to get the job done
• Classic failures surround Unix and root privileges• Examples:
– File permissions: read but not write– Temporary files: readable by owner only– Subjobs only if content and application are trusted
• A multi-dimensional min/max problem– Too little privilege too little functionality– Too much privilege too little security
How to Rank Privileges?How to Rank Privileges?
• Strict ordering: Administrator trumps user*, root trumps user*
• Subsets: (read, write) trumps (read)• Set size: (execute, *) trumps (execute, /bin)• Visibility: writing to the network trumps writing
to hard drive• Information flow: “create executable with A
permissions” and “A permissions allow network server connections” leads to “proprietary data release”
Negative InformationNegative Information• If the privilege levels are too high, what goes wrong?
– Privilege escalation– Unauthorized information use– Resource misappropriation
• Detection methods:– Virus scanning– Intrusion detection software– Environment monitoring (storage side-effects)– Execution monitoring (writing files in system areas,
network access, etc.)– Anything unusual
Learning from Event RecordsLearning from Event Records• Collect application privilege information
– Configuration files, registry settings, observed usage
• Collect monitored data– Watchers monitor task lists, new files, network connections,
etc.
• Anonymize and index it• Learning
– Cluster– Min/max
• Distribute recommended privileges for common usage patterns
Large-Scale ArchitectureLarge-Scale Architecture
• Distributed P2P database: Volunteer machines contribute their own, anonymized event records
• Higher tier of P2P “Planners” develop data mining tasks and assign them to volunteers
• Volunteers retrieve required database records and crunch the data
• Higher tier analyzes results and finds optimal configuration sets
• Publish results on webpage or in P2P system
Collaborative Black-box Collaborative Black-box Execution MonitoringExecution Monitoring
Application NameVersionResourceParametersAction/EventResultSummaryAnonymized ID
Upper Tier Analysis and Upper Tier Analysis and Computation PlanComputation Plan
Cluster Analysis of SummariesAssignments for parcels of machine learning from database portions
Distributed LearningDistributed LearningWork assignmentDatabase piecesAlgorithmReport station
Work assignmentDatabase pieces
AlgorithmReport station
Fetch database records
Application
Profile
Parameter/value
Resource/value
Learned quantum
Research QuestionsResearch Questions• Can we get enough information from configurations
and monitoring to do this?– Fine-grained (system call) monitoring necessary?– Is there enough “ground truth” to learn?
• Will the learning algorithms find useful optimal points?• Can we distribute the learning algorithm over
thousands of machines? Will the resulting traffic create hot spots?
• Are the learning algorithms vulnerable to manipulation?
What Other Uses?What Other Uses?
Grass roots healthInformation, trends,treatments, outcomes
Geneaology throughDNA matching (becareful about whatyou wish for!)
Whole worldonline realtimemapping project;Coordinated GPS,webcams, photos