Title: Protecting Your Local Host From Remote Security Attacks
Slide 1: Protecting Your Local Host From Remote Security Attacks
- Jonathon Giffin, Somesh Jha, Bart Miller
- University of Wisconsin
Slide 2: Overview
- How to Easily Do Dangerous and Malicious Things to a Running Job
- How to Detect Manipulations of Your Jobs with Pre-Execution Static Analysis and Runtime Monitoring
Slide 3: A New View
- Running programs are objects to be easily manipulated
- The vehicle: the DynInst API
Slide 4: DynInst Dynamic Instrumentation
- Machine-independent library for instrumentation of running processes
- Modify control flow of the process
- Load new code into the process
- Remove, replace, or redirect function calls
- Asynchronously call any function in the process
Slides 5-11: Condor Attack: Lurking Jobs
[Animated diagram over seven slides. A Submitting Host runs the Shadow Process of user giffin; an Execution Host runs the Malicious User Job as user nobody, which sends its system calls back to the shadow. The malicious job leaves behind a Lurker Process, also running as nobody, that stays on the execution host after the job ends. Later an Innocent User Job, submitted by user bart and served by bart's Shadow Process, is scheduled on the same execution host as user nobody. The lurker attaches to the innocent job, controls its remote system calls, and issues rm -rf through bart's shadow against the submitting host.]
Slide 12: Can We Safely Execute Our Jobs Remotely?
- The threats
  - 1. Cause the job to make improper remote system calls.
  - 2. Cause the job to calculate an incorrect answer.
  - 3. Steal data from the remote job.
- Threat protection strategies
  - Monitor execution of remote job (threat 1)
  - File or system call sandboxing (1)
  - Obfuscate or encode remote job (1, 3)
  - Replicate remote job (2)
Slide 13: Countering Remote Attacks
- Goal: Even if an intruder can see, examine, and fully control the remote job, no harm can come to the local machine.
- Method: Model all possible sequences of remote system calls. At runtime, update the model with each received call.
- Key technology: Static analysis of binary code.
Slides 14-16: Execution Monitoring
[Diagram. The Analyzer takes the User Job and produces two things: a Modified User Job and a Checking Shadow. The Modified User Job runs on the Execution Host and sends its system calls to the Checking Shadow on the Submitting Host, which steps the Job Model with each received call: Call 1 and Call 2 are accepted, Call 3 is marked X and rejected.]
Slide 17: Model Construction
[Diagram. The Analyzer derives Control Flow Graphs from the Binary Program, translates them into Local Automata, and combines those into a Global Automaton that is given to the Checking Shadow; the Binary Program is also rewritten into the Modified User Job.]
Slide 18: Control Flow Graph Generation
    function( int a )
        if( a < 0 )
            read( 0, 15 )
            line()
        else
            read( a, 15 )
            close( a )
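The following is an added example, not code from the slides or the authors' tool: it encodes the control flow graph of the function on slide 18 as a model of remote system call sequences and checks incoming calls one at a time, the way the checking shadow does, rejecting any call that matches no possible path. It assumes that line() issues exactly one write() (that is how the later slides expand it).

```python
# Control flow graph of function(int a) from slide 18.  Each node is
# (label, successors): label is the remote system call made at that node,
# or None for nodes that make no monitored call (entry, branch, return),
# which the model crosses without consuming a call.
CFG = {
    "entry":   (None,    ["read_0", "read_a"]),  # if( a < 0 ) ... else ...
    "read_0":  ("read",  ["line"]),              # read( 0, 15 )
    "line":    ("write", ["exit"]),              # line(): assumed one write()
    "read_a":  ("read",  ["close_a"]),           # read( a, 15 )
    "close_a": ("close", ["exit"]),              # close( a )
    "exit":    (None,    []),
}


def closure(nodes):
    # Every node reachable from `nodes` without consuming a system call.
    seen, todo = set(nodes), list(nodes)
    while todo:
        n = todo.pop()
        if CFG[n][0] is None:
            for s in CFG[n][1]:
                if s not in seen:
                    seen.add(s)
                    todo.append(s)
    return seen


class Shadow:
    # Nondeterministic monitor: tracks every node the job could be at.
    def __init__(self):
        self.states = closure({"entry"})

    def step(self, call):
        # Consume one received call; False means no path allows it.
        nxt = set()
        for n in self.states:
            if CFG[n][0] == call:
                nxt.update(CFG[n][1])
        self.states = closure(nxt)
        return bool(self.states)

    def finished(self):
        return "exit" in self.states


def check(calls):
    # True iff the whole sequence is one the model allows, end to end.
    shadow = Shadow()
    return all(shadow.step(c) for c in calls) and shadow.finished()
```

After the first read the shadow cannot tell the two branches apart and keeps both nodes live; that is the nondeterminism the call site renaming slides later remove.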
Slide 19: Control Flow Graph Translation
Slides 20-24: Interprocedural Model Generation
[Diagram, built up over five slides. The local automaton for function A has nodes read, read, line, close. The node for the local function line is replaced by line's own automaton (a write), and A's automaton is then placed into its caller B, which follows the call with its own close, so the global automaton for B spans read, read, line, write, close, close.]
Slides 25-26: Possible Paths
[Diagram: paths through the global automaton for B and A that correspond to real executions of the program.]
Slides 27-28: Impossible Paths
[Diagram: paths through the same automaton that no execution of the program can take but that the context-insensitive automaton still accepts.]
Slide 29: Adding Context Sensitivity
[Diagram: the edges into and out of the inlined A are labelled with the matching symbols Y and X, so that a return from A can only follow the call it belongs to.]
Slide 30: Rewriting User Job
[Diagram: the Analyzer rewrites the Binary Program into a Rewritten Binary, which becomes the Modified User Job, and produces the Checking Shadow.]
Slides 31-32: Null Call Insertion
[Diagram: the global automaton for B and A from before, now with two extra calls, null_1 and null_2, inserted into the rewritten job. They do nothing on the execution host but are reported to the shadow, so it can tell otherwise identical paths apart.]
Slides 33-37: Call Site Renaming
- Give each monitored call site a unique name
- Captures arguments
- Obfuscation
- Limits attack call set
- Reduces nondeterminism
The example function before renaming:
    function( int a )
        if( a < 0 )
            read( 0, 15 )
            line()
        else
            read( a, 15 )
            close( a )
After renaming each monitored call site in turn (read( 0, 15 ) becomes _638, read( a, 15 ) becomes _83, close( a ) becomes _1920):
    function( int a )
        if( a < 0 )
            _638()
            line()
        else
            _83( a )
            _1920( a )
[Diagram: the automaton now has the nodes _638, _83, _1920, and line.]
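An added example, not code from the slides or the authors' tool, showing the checking shadow's side of call site renaming for the function on slides 33-37. The site table is what the analyzer records when it renames a call: the arguments it captured statically are fixed, and None marks an argument still supplied at runtime. Because each site name selects exactly one edge, the model over site names is deterministic, and a call arriving under any name the analyzer never assigned is refused outright.

```python
# Renamed site -> (real system call, captured arguments).  The names
# _638, _83 and _1920 are the ones used on the slides.
SITES = {
    "_638":  ("read",  (0, 15)),      # read( 0, 15 ): both arguments fixed
    "_83":   ("read",  (None, 15)),   # read( a, 15 ): a is a runtime value
    "_1920": ("close", (None,)),      # close( a )
}

# Deterministic model over site names.  After _83 only _1920 may follow;
# _638 is followed by line(), a local function that makes no monitored call.
MODEL = {
    "entry":     {"_638": "after_638", "_83": "after_83"},
    "after_638": {},
    "after_83":  {"_1920": "exit"},
    "exit":      {},
}
ACCEPTING = {"after_638", "exit"}


def resolve(site, args):
    # Map a renamed call back to the real system call, or return None when
    # the site is unknown or a statically captured argument was altered.
    if site not in SITES:            # raw names such as "read", or any call
        return None                  # the analyzer never renamed, are refused
    syscall, captured = SITES[site]
    if len(args) != len(captured):
        return None
    for got, want in zip(args, captured):
        if want is not None and got != want:
            return None
    return syscall, tuple(args)


def check(calls):
    # True iff every (site, args) pair resolves and follows the model.
    state = "entry"
    for site, args in calls:
        if resolve(site, args) is None or site not in MODEL[state]:
            return False
        state = MODEL[state][site]
    return state in ACCEPTING
```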
Slide 38: Prototype Implementation
- Simulates remote execution environment
- Null calls inserted at function entries
- Measure null call overheads
- Measure null call bandwidth use
- Measure model precision
Slide 39: Test Programs
[Table of test programs; no text recovered.]
Slide 40: Precision Metric
[Chart residue: the system calls chown, getpid and open appear as labels.]
Slide 41: (No Transcript)
Slide 42: Null Call Costs: Monitoring Overhead, Bandwidth
[Charts; no text recovered.]
Slide 43: (No Transcript)
Slide 44: Important Ideas
- Running jobs remotely enables malicious attacks against the shadow process.
- Pre-execution static analysis to construct a model of the remote call sequences addresses this threat.
- Improving model precision is a hard problem. Null calls are an effective and reasonable optimization.
Slide 45: Protecting Your Local Host From Remote Security Attacks
- Jonathon Giffin, Somesh Jha, Bart Miller
- University of Wisconsin