UB 2020 Project - PowerPoint PPT Presentation


1
Information Assurance and Computer Security
Shambhu Upadhyaya (CSE)
UB Colloquium, November 16, 2006
2
Focus of CEISARE
  • Funded Research: Upadhyaya and Rao (over a million dollars)
      • Topical: intrusion detection, alert correlation, insider threat
        mitigation, trust in MANETs, wireless networks security
      • Multidisciplinary: workforce development, multi-incident
        emergency response systems
  • Infrastructure/Capacity building (over 800,000)
      • Information security lab (School of Management)
      • Wireless security lab (CSE)
      • Scholarship grants from DoD
  • Education
      • Advanced Certificate in IA
  • Dissemination
      • Workshops (SKM 2004, SKM 2006)
      • Center webpage: http://www.cse.buffalo.edu/caeiae/

3
Graduate Certificate in IA
  • Effort started with funds from DoD in fall 2003
  • Funding was to create a new integrative course in IA
  • Two tracks: technical and managerial
  • Requirements
      • 6 credits of core courses in the track
      • 5-6 credits of elective in the dept.
      • 3 credits of required integrative course
  • Technical track
      • Core: Intro. to Crypto, Computer security, Wireless networks
        security (choose two courses)
  • Managerial track
      • Core: Network management, E-Commerce security
  • http://www.cse.buffalo.edu/caeiae/advanced_certificate_program.htm

4
Sample IA Research Projects
  • Protecting documents from malicious insiders
    (Upadhyaya)
  • Event correlation for cyber attack recognition
    (Upadhyaya, Llinas and Sudit)
  • Insider threat modeling and analysis in a
    corporate intranet or federal agency (Upadhyaya,
    Ngo)
  • Survivable Wireless LAN architectures (Upadhyaya)
  • Runtime safety check in computer programs
    (Upadhyaya and Jayaraman)

5
Multi-phase Approach for Preventing Document Abuse from Malicious Insiders
Shambhu Upadhyaya, Funded by NSA/ARDA, 2003-05
[Diagram: a session with users usr1 ... usrn and documents; a Profile learned from usage history; Document Classifier; Anomaly Detector; Security policy with dynamic policies in effect; Forensics; tamper-proof File Repository; search; Alerts?]
Goals
  • Malicious and masquerading insider threat detection in the Document
    Control domain
  • Identify importance of documents
  • Identify user roles in organizations
  • Prevent circumvention and perform trace-back
Novel Ideas
  • Building user profiles at the application level
  • Usage based document classification
  • Context information flow based policy specification for preventing
    insider abuse
  • Automated generation of dynamic policies
Accomplishments/Milestones
  • Papers Published
      • IEEE Information Assurance Workshop, West Point, NY, June 2004
      • 20th Annual Computer Security Applications Conference, Tucson,
        AZ, December 2004
      • Int. Conf. on Trust Management, Pisa, Italy, May 2006
      • IEEE Int. Conf. on Communications, Istanbul, Turkey, June 2006
  • Prototype for Microsoft Word
      • Monitor and detect masqueraders based on document usage
      • Specify and enforce dynamic policies
  • Prototype for dynamic policies generation
  • http://www.cse.buffalo.edu/DRM
  • Future Plans
      • Detecting the convergence of disparate role structures in
        collaborating organizations
      • Preventing circumvention of the tools

6
Insider Threat Modeling and Analysis
Shambhu Upadhyaya and Hung Ngo, Funded by DARPA, 2004-05
Goals
  • Develop a threat modeling and assessment methodology
  • Pre-Attack Static Analysis and Hardening
  • Generation of insider attack scenarios to train detection components
  • Study the theoretical issues
Novel Ideas
  • Concept of a capability acquisition graph (CAG)
  • Analysis of CAG (develop heuristics)
Accomplishments/Milestones
  • Papers Published
      • R. Chinchani, A. Iyer, H. Ngo and S. Upadhyaya, Towards a Theory
        of Insider Threat Assessment, IEEE International Conference on
        Dependable Systems and Networks (DSN 2005), Yokohama, Japan,
        June 2005.
      • R. Chinchani, Duc Ha, Anusha Iyer, Hung Q. Ngo and Shambhu
        Upadhyaya, On the Hardness of Approximating the MIN-HACK Problem,
        Journal of Combinatorial Optimization, Springer, Vol. 9, No. 3,
        May 2005.
  • Be able to answer questions like
      • How secure is the current setup?
      • What are likely attack strategies?
      • Which points are most vulnerable?
      • Where must security systems be placed?
  • Prototype built for integration into the larger system of insider
    threat mitigation (jointly with Telcordia Technologies and Rutgers
    University)

7
A New Framework for Secure and Trusted Communications in Wireless Data Networks
Shambhu Upadhyaya, Funded by NSF/Cisco, 2004-06
Goals
  • Design decision making framework for nodes to establish keys with
    other unknown nodes
  • Use this framework for cluster forming decisions in ad-hoc networks
  • Improve on existing key management schemes and design secure data
    delivery schemes for enhanced reliability in data transfer
  • Provide schemes for resiliency against attacks and post-failure
    recovery
[Diagram: SWEDEN Framework for ad hoc, sensor and WLAN networks. Pre-key Establishment Phase: Trust Framework as the basis for key management with unknown nodes and clustering decisions. Normal Network Functioning Phase: Key and Traffic Management Schemes (key management and encryption schemes, secure and reliable data delivery). Robustness Schemes: post-attack survivability and recovery schemes.]
Novel Ideas
  • Trust between the nodes used as a metric for decision making
  • Differential encryption (header and payload encrypted differently)
    scheme for ad-hoc networks, and hashing based lightweight techniques
    for sensor networks
  • Evaluating security of paths and nodes based on their relative
    position in the network
  • Building in survivability in the network architecture proactively
    for surviving potential attacks
Accomplishments
  • Robustness, Recovery and Survivability Schemes
  • Setting up of the NSF and Cisco sponsored Wireless Security Lab
  • Representative Publications
      • IEEE Conference on Local Computer Networks (LCN), Tampa, FL,
        Nov 2004
      • IEEE ACM IWIA, College Park, MD, Mar 2005
      • IEEE Conference on Knowledge Intensive Multi-agent Systems
        (KIMAS), Boston, MA, Apr 2005
      • Secure Knowledge Management (SKM 2004, SKM 2006)
  • Future Plans
      • Security Schemes for IEEE 802.16 and 802.20 standards
      • Performing hands-on experiments at the Wireless Security Lab

8
Runtime Environment Driven Program Safety
Joint work with Prof. B. Jayaraman
9
Language-Based Security
[Diagram: Source Program, Compiler, Binary Executable, with the techniques below applied at the corresponding stages]
  • Static analysis
  • Model-checking
  • Type-safety
  • Runtime checks
  • Anomaly detection

10
Making the case for runtime checking
  • Static analysis is a one-time cost but gives poor coverage
  • Runtime checks give good coverage, but per-variable checks are
    inefficient
  • Type-based safety is efficient but can be coarse-grained

11
Motivation: Integer Overflow Vulnerability
  • A new vulnerability class
  • Recently seen in openssh, pine, Sun RPC and several other software
  • Cause: attacker-controlled integer variable
12
Integer Overflow Attack
    void *alloc_mem(u_short size)
    {
        u_short pad_size = 16;
        size = size + pad_size;
        return malloc(size);
    }
  • size = 65535
  • size = 15 !! (the 16-bit sum wraps around)
  • return smaller memory

13
Program Security Is NOT Portable!
[Diagram: the same source or binary code is Safe under a 32-bit runtime environment but Unsafe under a 16-bit one]
14
Various Runtime Environments
15
Overall Goal
[Diagram: the same source or binary code stays Safe across runtime environments RE 1, RE 2 and RE 3]
16
Basic Methodology
  • A Type-Based Safety Approach
  • Runtime-dependent interpretation
  • Not merely an abstraction, but using actual
    values
  • No new types
  • Also, can be efficient

17
Prototype Implementation: ARCHERR
  • Implemented as a parser using flex and bison
  • Currently works on 32-bit Intel/Linux platform

18
Detecting Integer Overflows
  • Machine word size is an important factor
  • Main idea: Analyze assignment and arithmetic operations in context
    of machine word size
[Diagram: 16-bit Intel XScale processor (now a 32-bit version) vs. 32-bit Intel Pentium processor]
19
Integers: Classical View
  • x : int ⇒ x ∈ I, where I = (-∞, ∞)
  • Assignment: x, y : int; x = y
  • Arithmetic: succ(x : int) = (x + 1); pred(x : int) = (x - 1)
20
Integers: Runtime Dependent View
21
Integer Arithmetic Safety Checks
  • if x ≥ 0 ∧ y ≥ 0, then x + y ⇒ assert x ≤ (MAXINT - y)
  • if x ≥ 0 ∧ y < 0, then x - y ⇒ assert x ≤ (MAXINT + y)
  • if x < 0 ∧ y ≥ 0, then x - y ⇒ assert x ≥ (MININT + y)
  • if x < 0 ∧ y < 0, then x + y ⇒ assert x ≥ (MININT - y)
  • ∀ x, y:
      • x × y ⇒ assert x ≥ ⌈MININT/y⌉ ∧ x ≤ ⌊MAXINT/y⌋
      • x ÷ y ⇒ assert y ≠ 0
      • x mod y ⇒ assert y ≠ 0
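As an added example (not ARCHERR's own code, which the slides do not reproduce), the checks above written in C with MAXINT and MININT derived from a word size handed in at runtime, so the same expression can be judged for a 16-bit and a 32-bit environment; the alloc_mem case from the Integer Overflow Attack slide is included as the unsigned 16-bit instance. The names runtime_env, make_env, safe_add, safe_sub, safe_mul, safe_div and checked_alloc_size are this example's own, and the unsigned handling in safe_sub goes slightly beyond the slide, which states the signed cases only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the ARCHERR code: the slide's integer arithmetic
 * safety checks with MAXINT/MININT computed from a word size chosen at
 * runtime (the "runtime-dependent view"). Operands are carried in
 * int64_t; bits must lie between 2 and 62. */
typedef struct {
    int     bits;
    bool    is_unsigned;
    int64_t maxint;
    int64_t minint;
} runtime_env;

/* Build the limits for a signed or unsigned integer of `bits` bits. */
static runtime_env make_env(int bits, bool is_unsigned)
{
    runtime_env re;
    re.bits = bits;
    re.is_unsigned = is_unsigned;
    if (is_unsigned) {
        re.maxint = ((int64_t)1 << bits) - 1;
        re.minint = 0;
    } else {
        re.maxint = ((int64_t)1 << (bits - 1)) - 1;
        re.minint = -((int64_t)1 << (bits - 1));
    }
    return re;
}

/* x + y: the two same-sign cases from the slide; mixed signs cannot overflow. */
static bool safe_add(runtime_env re, int64_t x, int64_t y)
{
    if (x >= 0 && y >= 0) return x <= re.maxint - y;
    if (x < 0 && y < 0)   return x >= re.minint - y;
    return true;
}

/* x - y: the two opposite-sign cases from the slide. For an unsigned
 * environment (not on the slide) the result must also not go below zero. */
static bool safe_sub(runtime_env re, int64_t x, int64_t y)
{
    if (x >= 0 && y < 0)  return x <= re.maxint + y;
    if (x < 0 && y >= 0)  return x >= re.minint + y;
    return re.is_unsigned ? x >= y : true;
}

/* x * y: the slide's bound ceil(MININT/y) <= x <= floor(MAXINT/y). C's
 * truncating division yields exactly those rounded values, and for y < 0
 * the two bounds trade places because dividing by y flips the inequality. */
static bool safe_mul(runtime_env re, int64_t x, int64_t y)
{
    if (y == 0) return true;
    int64_t lo = (y > 0) ? re.minint / y : re.maxint / y;
    int64_t hi = (y > 0) ? re.maxint / y : re.minint / y;
    return x >= lo && x <= hi;
}

/* x / y and x % y: the divisor must be non-zero. */
static bool safe_div(runtime_env re, int64_t x, int64_t y)
{
    (void)re; (void)x;
    return y != 0;
}

/* The slide's alloc_mem with the check inserted before the addition:
 * returns the padded size, or -1 when size + pad_size would wrap. */
static int64_t checked_alloc_size(runtime_env re, int64_t size)
{
    const int64_t pad_size = 16;
    if (!safe_add(re, size, pad_size)) return -1;
    return size + pad_size;
}

int main(void)
{
    runtime_env u16 = make_env(16, true);   /* u_short as on the slide */
    runtime_env u32 = make_env(32, true);
    printf("16-bit: 65535 + 16 -> %lld\n", (long long)checked_alloc_size(u16, 65535));
    printf("32-bit: 65535 + 16 -> %lld\n", (long long)checked_alloc_size(u32, 65535));
    printf("16-bit signed: 32767 + 1 safe? %d\n", safe_add(make_env(16, false), 32767, 1));
    return 0;
}
```

The same call, checked_alloc_size(re, 65535), is rejected under the 16-bit environment and accepted under the 32-bit one, which is the portability point the earlier slides make: the check is fixed in the source, the limits it compares against come from the environment.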

22
Other Numerical Types
  • short, long, unsigned short/long, etc.
      • Similar analysis
  • float, double, long double
      • Floating points use a standard IEEE format
      • Analysis is more complex
      • But floating point arithmetic is discouraged for efficiency
        reasons

23
Other Operators
  • Bitwise operators
      • << : multiplication by 2
      • >> : division by 2 (is safe)
  • Logical operators?
      • Not exactly arithmetic in nature

24
In A Program?
    int foo(int x, int y)
    {
        VALIDATE_ADD_INT(x, y);
        return (x + y);
    }
[Diagram: VALIDATE_ADD_INT is a compile-time annotation; runtime checking decides whether a 16-bit check or a 32-bit check applies]
25
A High-Level View
  • What have we achieved actually?
[Diagram: properties of types in the classical sense (a programmer's view) on one side, runtime environments RE 1 and RE 2 (an attacker's view) on the other, joined by automatic safety conversion]
26
Extending Idea To Pointers
  • Common concept of segments: data, text, stack
  • But differences in actual layout
[Diagram: Process Address Map for Windows NT and Linux; user space from 0 GB up to 3 GB (0xBFFFFFFF), system space above it up to 4 GB (0xFFFFFFFF)]
27
Pointers: Runtime Dependent View
  • Safe pointer assignment
      • A pointer variable p, which points to variables of type τ, is
        denoted by p : ptr(τ)
  • Safe pointer arithmetic (the following must obey the above rule)

28
Pointer Assignment Scenarios
29
Pointer Check Examples
    VALIDATE_PTR(q);
    p = q;
    VALIDATE_PTR(pi);
    *pi = 2;
    VALIDATE_PTR_ADD(p, 1);
    p++;
  • VALIDATE_PTR(q): q is a valid ptr? [q, q + sizeof(*q)) is inside the
    same range?
  • VALIDATE_PTR(pi): pi is a valid ptr? [pi, pi + sizeof(*pi)) is inside
    the same range?
  • VALIDATE_PTR_ADD(p, 1): p is a valid ptr? [p, p + sizeof(*p)) is
    inside the same range? p + 1 is a valid ptr and belongs to the same
    address range?

30
Additional Pointer Issues
  • Function pointers
      • If not protected, can lead to arbitrary code execution
      • Maintain a separate list of function addresses and check
        against them
  • Typecasting is a feature in C
      • Private fields in structures through void *
      • Leads to dynamic types
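Added example, not ARCHERR's implementation: a table of registered address ranges stands in for the per-segment lists, validate_ptr and validate_ptr_add mirror VALIDATE_PTR and VALIDATE_PTR_ADD from the Pointer Check Examples slide, and a list of known function addresses implements the function-pointer check suggested above. All identifiers are this example's own, and because there is no compiler support here the live objects are registered by hand.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not ARCHERR's code. Ranges are half-open [lo, hi). */
#define MAX_RANGES 16
#define MAX_FUNCS  16

typedef struct { uintptr_t lo, hi; const char *segment; } addr_range;
typedef void (*generic_fn)(void);

static addr_range ranges[MAX_RANGES];
static int        nranges = 0;
static generic_fn funcs[MAX_FUNCS];
static int        nfuncs = 0;

static void reset_tables(void) { nranges = 0; nfuncs = 0; }

/* Record [base, base+len) as a live object in the named segment. */
static bool register_range(const void *base, size_t len, const char *segment)
{
    if (nranges >= MAX_RANGES || len == 0) return false;
    ranges[nranges].lo = (uintptr_t)base;
    ranges[nranges].hi = (uintptr_t)base + len;
    ranges[nranges].segment = segment;
    nranges++;
    return true;
}

/* Index of the range that wholly contains [a, a+len), or -1. */
static int find_range(uintptr_t a, size_t len)
{
    for (int i = 0; i < nranges; i++)
        if (a >= ranges[i].lo && a <= ranges[i].hi && len <= ranges[i].hi - a)
            return i;
    return -1;
}

/* VALIDATE_PTR(p): the object of len bytes at p lies inside one known range. */
static bool validate_ptr(const void *p, size_t len)
{
    return find_range((uintptr_t)p, len) >= 0;
}

/* VALIDATE_PTR_ADD(p, n): p is valid and p + n elements of len bytes is a
 * valid pointer in the same range; one past the end is rejected. */
static bool validate_ptr_add(const void *p, ptrdiff_t n, size_t len)
{
    int r = find_range((uintptr_t)p, len);
    if (r < 0) return false;
    /* integer arithmetic, so no out-of-bounds pointer is ever formed */
    uintptr_t q = (uintptr_t)p + (uintptr_t)n * (uintptr_t)len;
    return find_range(q, len) == r;
}

/* Function pointers: only addresses on the registered list may be called. */
static bool register_func(generic_fn f)
{
    if (nfuncs >= MAX_FUNCS) return false;
    funcs[nfuncs++] = f;
    return true;
}

static bool validate_fptr(generic_fn f)
{
    for (int i = 0; i < nfuncs; i++)
        if (funcs[i] == f) return true;
    return false;
}

static void handler_ok(void) {}
static void handler_unknown(void) {}

/* The slide's scenarios on a stack array and a heap buffer; returns the
 * number of operations the checks rejected (3 for the sequence below). */
static int pointer_demo(void)
{
    int  stack_arr[4];
    int *heap_buf = malloc(4 * sizeof(int));
    int  rejected = 0;
    if (heap_buf == NULL) return -1;
    reset_tables();
    register_range(stack_arr, sizeof stack_arr, "stack");
    register_range(heap_buf, 4 * sizeof(int), "heap");
    register_func(handler_ok);

    int *p = NULL, *q = &stack_arr[0], *pi = &heap_buf[3];
    if (validate_ptr(q, sizeof *q)) p = q; else rejected++;          /* p = q */
    if (validate_ptr(pi, sizeof *pi)) *pi = 2; else rejected++;      /* *pi = 2 */
    if (validate_ptr_add(p, 1, sizeof *p)) p++; else rejected++;     /* p++ stays inside */
    if (validate_ptr_add(p, 3, sizeof *p)) p += 3; else rejected++;  /* one past the end */
    if (!validate_ptr_add(pi, 1, sizeof *pi)) rejected++;            /* heap_buf[3] + 1 */
    if (!validate_fptr(handler_unknown)) rejected++;                 /* unregistered target */
    if (validate_fptr(handler_ok)) handler_ok(); else rejected++;
    free(heap_buf);
    return rejected;
}

int main(void)
{
    printf("rejected operations: %d\n", pointer_demo());
    return 0;
}
```

The range lookup is a linear scan; the Optimizations slide's separate lists for stack, data and heap are the natural next step, since the segment of a pointer narrows which list needs to be searched.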

31
Optimizations
  • Remove unnecessary checks using static analysis
      • Currently, integer arithmetic
  • Speed up memory range lookups
      • Maintain separate FIFO lists for stack, data and heap
      • Pointer assignment is "safe"; dereferencing is not
  • Optimize initialization loops

32
Security Testing
  • Does this approach actually work?
  • Real-world programs
  • Vulnerabilities and exploits available at
    SecurityFocus website

33
Performance Testing
  • Scimark2 benchmark
  • 32-bit Intel/Linux 2.6.5
  • Compared against CCured and BoundsChecker
[Chart: performance hit (slowdown)]
34
Impact On Code Size
  • Source code annotations cause bloat

35
Features
  • Portable safety is runtime environment dependent
  • First work to show systematic way to
    detect/prevent integer overflow attacks
  • Currently on one architecture
  • Extended the idea to detect/prevent memory-based
    attacks
  • Again on one architecture
  • Security testing and performance evaluation

36
[Diagram placing related tools along Type-Based, Static Analysis and Runtime Checks axes: CQUAL, Cyclone, BOON, CCured, ARCHERR, BoundsChecker, StackGuard]
37
Current Status And Future Work
  • Code to be released soon
      • Currently research grade
  • Investigating implementation on other runtime environments
      • 32-bit Intel/Windows PE32
      • 32-bit Intel/FreeBSD ELF
      • 32-bit SPARC/ELF
  • Improve efficiency?
      • rndARCHERR: randomized runtime checks
      • Static analysis driven optimizations

38
Reference
  • ARCHERR: Runtime Environment Driven Program Safety
  • Ramkumar Chinchani, Anusha Iyer, Bharat Jayaraman, and Shambhu
    Upadhyaya
  • ESORICS 2004
  • http://www.cse.buffalo.edu/rc27/publications/chinchani-ESORICS04-final.pdf

39
Summary
  • Multidisciplinary activity in computer security and information
    assurance
  • Wireless Networks (other projects)
      • Colluding black hole attacks in MANETs
      • Theoretical issues in sensor networks
  • Insider Threat in Document Control Systems
      • Masquerade detection
      • Inferring Source of Information Leakage in Document Management
        Systems
  • Spring Offerings
      • CSE 566 Wireless Networks Security
      • CSE 452/552 VLSI Testing