DYMO: Tracking Dynamic Code Identity. Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna, University of California, Santa Barbara. RAID 2011, 9. Presenter: 張逸文. Outline: Introduction, System Overview, System Implementation, Applications for DYMO, Evaluation, Security Analysis.

DYMO: Tracking Dynamic Code Identity

Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna

University of California, Santa Barbara

RAID 2011, 9

Presenter: 張逸文



Outline

  • Introduction

  • System Overview

  • System Implementation

  • Applications for DYMO

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusions



Introduction(#1)

  • Access control: user-based authorization

  • Code identity

  • Measurements of a process

  • DYMO, a system that provides a dynamic code identity primitive

    • Identity label

    • Network access



Introduction(#2)

  • Track the run-time integrity of a process

  • DYMO

  • Extending DYMO to label network packets

  • Experimental results



System Overview(#1)

  • System requirements

    • Precise

    • Secure

    • Efficient

  • System Design

    • Computing cryptographic hash of each code section as the process’ identity

    • Precise Label computation



System Overview(#2)

  • Handling Dynamically Generated Code

    • Don’t hash dynamic code regions directly

    • Dynamically generated code appears only in certain known parts of a process

  • Secure Label Computation

    • Runs at a higher privilege

    • Inside a VMM / as part of the OS

  • Efficient Label Computation

    • Modify Windows memory management routines

    • The label is computed incrementally



System Implementation(#1)

  • Problems

    • Load DLLs during run-time

    • Arbitrary memory regions

    • DLL reloading

  • System Initialization

    • Register for kernel-provided callbacks

    • Hook the NT kernel system services

    • Hook the page fault handler

    • Use Data Execution Prevention (DEP)



System Implementation(#2)

  • Identity Label Generation

    • Image hash + region hash = identity label

    • Image Hashes

    • Build process profile

    • Locate the code segment

    • Modify page protection

    • DEP exception

    • Page fault handler



System Implementation(#3)

  • Region Hashes

    • Hook NtAllocateVirtualMemory, NtMapViewOfSection, NtProtectVirtualMemory

    • Check execute access

    • These executable regions are for dynamic code generation

  • Handling Dynamic Code Generation

    • Allocator

    • Writer

    • Caller

  [Figure: allocator, writer and caller roles for a dynamic code region and its region hash]



System Implementation(#4)

  • Handling the PAGE_EXECUTE_READWRITE protection

    • PAGE_EXECUTE_READWRITE => PAGE_READWRITE + PAGE_EXECUTE_READ

  • Establishing Identity

    • Strict matching policy

    • Relaxed matching policy
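The label mechanics from System Implementation #2 to #4, as an added Python model that is not DYMO's own code: image hashes for loaded code sections, a region that starts as PAGE_READWRITE, is hashed once when a DEP fault flips it to PAGE_EXECUTE_READ, and loses its cached hash again when it is written, plus strict and relaxed matching of the resulting component set. The hash function (SHA-256), the label being a hash over the sorted component hashes, and the relaxed policy meaning "every known component present, extra components tolerated" are assumptions, not statements from the slides.

```python
import hashlib

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # hash algorithm is an assumption

class DymoProcess:
    """Image hashes (PE code sections) + region hashes (generated code) = label."""
    def __init__(self):
        self.images = {}   # image name -> code-section hash
        self.regions = {}  # base -> {"mem": bytearray, "hash": str | None}
    def load_image(self, name, code_section: bytes):
        self.images[name] = h(code_section)        # hooked image load
    def alloc_rwx(self, base, size):
        # PAGE_EXECUTE_READWRITE is granted as PAGE_READWRITE: not hashed yet
        self.regions[base] = {"mem": bytearray(size), "hash": None}
    def write(self, base, offset, data: bytes):
        # a write to the region drops it back to PAGE_READWRITE, so the cached
        # hash is invalidated and the label stops vouching for stale code
        r = self.regions[base]
        r["mem"][offset:offset + len(data)] = data
        r["hash"] = None
    def execute(self, base):
        # DEP fault -> PAGE_EXECUTE_READ; hashed once, so updates are incremental
        r = self.regions[base]
        r["hash"] = h(bytes(r["mem"]))
    def components(self) -> frozenset:
        live = {r["hash"] for r in self.regions.values() if r["hash"]}
        return frozenset(self.images.values()) | live
    def label(self) -> str:
        return h("|".join(sorted(self.components())).encode())

def matches(proc, known: frozenset, policy="strict") -> bool:
    # strict: exact set. relaxed (assumed meaning): known set present, extras OK
    have = proc.components()
    return have == known if policy == "strict" else known <= have

def demo():
    """Constructed scenario: an app with one DLL JITs code, runs it, rewrites it."""
    p = DymoProcess()
    p.load_image("app.exe", b"app code section (constructed)")
    p.load_image("helper.dll", b"dll code section (constructed)")
    baseline = p.label()
    p.alloc_rwx(0x10000, 16)
    p.write(0x10000, 0, b"jit code v1")      # JIT emits code, not executed yet
    before_exec = p.label()                  # still equal to baseline
    p.execute(0x10000)
    with_jit = p.label()                     # region hash now part of the label
    p.write(0x10000, 0, b"jit code v2")      # rewrite: region hash dropped
    return baseline, before_exec, with_jit, p.label()
```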


Application for DYMO(#1)

  • Application-Based Access Control

    • Access control based on the identity

    • Global distribution mechanisms

    • Whitelist for all users

  • DYMO Network Extension

    • Inject network packet

    • Label Size Optimization

      • Huffman

      • Split label over multiple packets


Application for DYMO(#2)

  • The injector: NDIS Intermediate Filter driver

  • The Broker: TDI Filter driver

  [Figure: DYMO network extension. Components shown: TCP/IP transport driver, network adapter, injector, broker; labels: process identity label, connection ID, modified packet.]


Evaluation(#1)

  • Label Precision

    • Three experimental environments

    • Training database

    • 93% of applications’ labels are precise

  • Effect of Process Tampering

    • Tampering by Malware

    • Tampering by Exploits

  • Performance Impact


Evaluation(#2)


Evaluation(#3)

  • PassMark AppTimer tool

  • < 1 sec.


Security Analysis

  • Create executable memory regions

  • Add code to a trusted program

  • Tamper with the data of a process

  • Non-control-data attack


Related Work

  • Local Identification

    • Patagonix – a hypervisor-based system

    • Tripwire – static code identity

  • Remote Identification

    • Sailer et al.: Trusted Platform Module – identify applications for remote attestation


Conclusion

  • DYMO, a dynamic code identity primitive

  • Extends DYMO to network packets

  • An acceptable performance overhead

  • Future work

    • Extending DYMO to other platforms

    • Sophisticated network-level policy enforcement mechanism

