DYMO: Tracking Dynamic Code Identity

Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna

University of California, Santa Barbara

RAID 2011, September

Presenter: 張逸文

Outline
  • Introduction
  • System Overview
  • System Implementation
  • Applications for DYMO
  • Evaluation
  • Security Analysis
  • Related Work
  • Conclusions
Introduction (#1)
  • Access control: user-based authorization
  • Code identity
  • Measurements of a process
  • DYMO, a system that provides a dynamic code identity primitive
    • Identity label
    • Network access
Introduction (#2)
  • Track the run-time integrity of a process
  • DYMO
  • Extending DYMO to label network packets
  • Experimental results
System Overview (#1)
  • System requirements
    • Precise
    • Secure
    • Efficient
  • System Design
    • Computing a cryptographic hash of each code section as the process's identity
    • Precise label computation
System Overview (#2)
  • Handling dynamically generated code
    • Don't hash dynamic code regions directly
    • Dynamically generated code appears only in certain known parts
  • Secure label computation
    • Runs at a higher privilege
    • Inside a VMM or as part of the OS
  • Efficient label computation
    • Modify Windows memory management routines
    • The label is computed incrementally
System Implementation (#1)
  • Problems
    • Load DLLs during run-time
    • Arbitrary memory regions
    • DLL reloading
  • System Initialization
    • Register for kernel-provided callbacks
    • Hook the NT kernel system services
    • Hook the page fault handler
    • Use Data Execution Prevention (DEP)
System Implementation (#2)
  • Identity label generation
    • Image hash + region hash = identity label
    • Image hashes
    • Build process profile
    • Locate the code segment
    • Modify page protection
    • DEP exception
    • Page fault handler
System Implementation (#3)
  • Region hashes
    • Hook NtAllocateVirtualMemory, NtMapViewOfSection, NtProtectVirtualMemory
    • Check execute access
    • These executable regions are for dynamic code generation
  • Handling dynamic code generation
    • Allocator
    • Writer
    • Caller

[Figure: region hash]
System Implementation (#4)
  • Handling the PAGE_EXECUTE_READWRITE protection
    • PAGE_EXECUTE_READWRITE => PAGE_READWRITE + PAGE_EXECUTE_READ

  • Establishing Identity
    • Strict matching policy
    • Relaxed matching policy
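The label bookkeeping described on the implementation slides, modelled in Python as an added example (not the paper's or the talk's code): a PAGE_EXECUTE_READWRITE request is downgraded to PAGE_READWRITE, the first execute attempt hashes the region and grants PAGE_EXECUTE_READ, a later write drops only that region's hash, and the label is image hashes plus region hashes. SHA-256 as the hash, the toy `Process` model, and the reading of the relaxed policy as "all image hashes known, dynamic regions ignored" are assumptions, not the paper's definitions.

```python
import hashlib
# Windows page-protection constants referenced on the slides.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

class Process:
    def __init__(self):
        self.regions = {}        # base -> {"protect": int, "data": bytes}
        self.image_hashes = {}   # image name -> hash of its code section
        self.region_hashes = {}  # region base -> hash of its executable content

    def load_image(self, name, code):
        # Image hash: the code section of a mapped executable or DLL.
        self.image_hashes[name] = hashlib.sha256(code).hexdigest()

    def allocate(self, base, protect, data=b""):
        # NtAllocateVirtualMemory hook: RWX requests become RW until the region is hashed.
        if protect == PAGE_EXECUTE_READWRITE:
            protect = PAGE_READWRITE
        self.regions[base] = {"protect": protect, "data": data}

    def write(self, base, data):
        # A write to a hashed RX region invalidates its hash: make it RW again, drop that hash.
        r = self.regions[base]
        if r["protect"] == PAGE_EXECUTE_READ:
            r["protect"] = PAGE_READWRITE
            self.region_hashes.pop(base, None)
        r["data"] = data

    def execute(self, base):
        # DEP exception on a PAGE_READWRITE region: hash it, then grant PAGE_EXECUTE_READ.
        r = self.regions[base]
        if r["protect"] == PAGE_READWRITE:
            self.region_hashes[base] = hashlib.sha256(r["data"]).hexdigest()
            r["protect"] = PAGE_EXECUTE_READ
        return r["protect"] == PAGE_EXECUTE_READ

    def label(self):
        # Identity label = image hashes + region hashes, order-independent, so only
        # the changed region is ever rehashed (incremental computation).
        parts = sorted(self.image_hashes.values()) + sorted(self.region_hashes.values())
        return hashlib.sha256("|".join(parts).encode()).hexdigest()

def matches(proc, known_labels, known_images, strict=True):
    # Strict: the whole label must be whitelisted. Relaxed (our reading, not the
    # paper's exact rule): every image hash must be known; dynamic regions are ignored.
    if strict:
        return proc.label() in known_labels
    return set(proc.image_hashes.values()) <= known_images
```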
Application for DYMO (#1)
  • Application-based access control
    • Access control based on the identity
    • Global distribution mechanisms
    • Whitelist for all users
  • DYMO Network Extension
    • Inject network packet
    • Label Size Optimization
      • Huffman
      • Split label over multiple packets
Application for DYMO (#2)
  • The injector: NDIS Intermediate Filter driver
  • The broker: TDI Filter driver

[Figure: DYMO network extension; components: TCP/IP transport driver, broker, injector, network adapter; labels: process identity label, connection ID, modified packet]

Evaluation (#1)
  • Label precision
    • Three experimental environments
    • Training database
    • 93% of applications' labels are precise
  • Effect of Process Tampering
    • Tampering by Malware
    • Tampering by Exploits
  • Performance Impact
Evaluation (#3)
  • PassMark AppTimer tool

[Figure: AppTimer results; < 1 sec.]

Security Analysis
  • Create executable memory regions
  • Add code to a trusted program
  • Tamper with the data of a process
  • Non-control-data attack
Related Work
  • Local Identification
    • Patagonix – a hypervisor-based system
    • Tripwire – static code identity
  • Remote Identification
    • Sailer et al. Trusted Platform Module – identify applications for remote attestation
Conclusion
  • DYMO, a dynamic code identity primitive
  • Extends DYMO to network packets
  • An acceptable performance overhead
  • Future work
    • Extending DYMO to other platforms
    • Sophisticated network-level policy enforcement mechanism