Security Issues in Distributed Heterogeneous Systems

1
Security Issues in Distributed Heterogeneous
Systems

• Somesh Jha
• Computer Sciences Department
• University of Wisconsin
• Madison, WI 53706

2
General Issues

• Vulnerability and information-flow analysis
• detecting malicious code
• safety
• crashes your machine or wipes data
• privacy
• leaks sensitive information
• code executing on malicious host
• distributed vulnerability analysis
• Intrusion Detection
• statistical models of user behavior/network
  traffic
• using statistical models for anomaly detection
• explaining the anomalies

3
General Issues (Contd)

• Authentication and Authorization
• seamless cross-administrative authentication
• kerberos
• passwords
• time-varying passwords
• smartcards
• public keys
• but the real question is authorization
• a person can only buy beer from www.booze.com
• if he/she is about eighteen years of age

4
Vulnerability and information-flow analysis

• want to perform these analysis on machine code
• suitable for COTS
• will require an analysis infrastructure
• for machine code
• collaborators
• B. Miller
• T. Reps

5
Vulnerability analysis (Safety)

• use static analysis to discover program behavior
• that lead to vulnerabilities
• examples
• buffer overflows
• unutilized pointers
• initial success reported by
• Z. Xu, B. Miller, and T. Reps

6
Information-flow analysis (Privacy)

• initial work provided discretionary access
  control
• we want mandatory access control
• consider the following
• x y
• security-level(y) security-level(x)
• want to perform these forms of analysis on
  machine code

7
Benign host and malicious code

• Job foo-bar comes to my host
• need to make sure that foo-bar does not
• do anything nasty
• solution is sandboxing

8
Malicious host and benign code

• Job foo-bar migrates to host A
• A is malicious
• hijack foo-bar and instrument the
• code to send harmful system calls
• note inverse of the previous problem

9
Multi-pronged attack

• Build a model of the code
• static analysis
• dynamic analysis
• replication
• obfuscation
• collaborators
• Bart Miller
• Hong Lin

10
Sandboxing the home machine
Model of job A
Job A
Malicious Host
Home Machine
11
Building program models

• Deterministic models
• use static analysis of the code
• derive a finite automata with system
• calls as the alphabet set
• statistical models
• monitor traffic at the home machines
• build a statistical model from the
• sequence of system calls
• Hybrid models

12
Replication
Replica 1
Replica 2
Agreement Protocol
Replica 3
13
Program obfuscation

• obfuscate the program
• so that hard for adversary to reverse engineer
• inverse of good software engineering practices
• randomize all system call names
• randomly permute all the system call parameters
• randomly insert benign calls

14
Distributed vulnerability analysis

• Existing techniques good at finding local
  vulnerabilities
• see http//www.iss.net
• we want to find global attacks
• from local information provided by
• existing tools

15
Attacking Fidelity
setup web proxy www.gs.com
exploit poor passwords
break into the DNS Server
Fidelity
access control
access DNS configuration
ignore errors
Acquire password
16
Cross-administrative authentication

• Various authentication mechanisms
• kerberos
• hashed passwords
• smartcards
• public key infrastructures
• goal to provide seamless cross-administrative
  authentication
• collaborator
• Hao Wang

17
Motivating scenario

• Job A is authenticated using Kerberos on host A
• Job A runs on host A for a while
• migrates to host B, where
• smartcard based authentication is required
• should job A authenticate again?
• Has to reauthenticate every time crosses an
  authentication boundary

18
Obvious solution

• translate results of an authentication mechanism
  to
• a common one
• convert everything to a X.509 certificate
• translate back X.509 certificates as needed

19
Drawbacks

• different authentication schemes have different
  trust models
• hashed passwords are weaker than time-varying
  passwords
• many technical problems
• how is credential expiration/revocation handled?
• how is delegation handled?

20
Authorization

• authentication binds a person to a digital entity
• such as a credential
• the real question is authorization
• is a certain person allowed to
• perform specific actions on a host

21
Approaches to Authorization

• examples are
• SPKI
• Keynote
• express statements of the following form
• Miron says (somesh can read files in directory X)
• support following features
• compliance checking
• delegation
• majority decisions

22
Extensions to authorization infrastructures

• support revocation
• can state negative statements
• credential extraction problem
• given a request r
• a set of statements representing the policy P
• what credentials does X need so
• that request r will be authorized

23
Conclusion

• all the problems mentioned before are crucial
• for making security more usable in a
• distributed heterogeneous setting
• crucial that we work on it