Backtracking Intrusions, by King & Chen. Presented by: Sebastian Tomaszewski, Mike DeSantis
Backtracker Presentation Agenda
• Introduction
• Research Problem
• Key Ideas / Approaches
• Evaluation
• Conclusion
Backtracker Introduction
• This paper discusses a new software tool to aid system administrators in providing system security.
• Backtracker's goal is to reconstruct a timeline of the events that occur in an attack, and to generate a visual representation of the actions taken by a system intruder. This is an upgrade over previously existing software.
Research Problem
• Identify the source of an intrusion on a computer system
• Analyze the sequence of actions taken by the intruder
• Identify files & processes that have been affected
• Minimize the system overhead needed to achieve this tracking
Research Problem - Importance
Once an attack has occurred:
• Identify the vulnerability the attacker exploited
• Fix the system vulnerability through which the attacker gained access
• Undo the damage that the attacker inflicted
Key Idea – Detection
• Identify a 'detection point' on one or more levels (i.e. a file modification, a firewall alert, a port scan, or a process that is behaving in an unusual or suspicious manner)
• Tools that can provide a detection point: Tripwire, Snort, Coroner's Toolkit (each is endorsed by Backtracker)
Key Idea - Differentiation
• Other software packages exist, but suffer from limitations:
  • Limited data & easily disabled logging
  • Encrypted data used by the attacker
• Backtracker addresses these limitations and provides many tools to analyze an attacker's transactions
Application - Differentiation
• Works by observing OS-level objects (files, filenames, processes), a compromise between the application level and the machine level, tracking each object by process ID and version number
  - Application level: semantically rich, easily disabled by an attacker
  - Machine level: semantically poor, hard to disable by an attacker
Key Idea – Graph generation
• Generate a dependency graph of objects:
  • Log objects and dependency-causing events during runtime.
  • Save enough information to build a graph that depicts the dependency relationships between all objects seen over that execution.
  • Backtracker keeps track of a process from the time it is created by a fork or clone system call to the point where it exits.
• Prioritize all parts of the dependency graph for ease of searching for an attacker's actions
Application – Graph Generation [Object definitions]
• A file object is identified uniquely by a device, inode number and version number (Backtracker treats pipes as normal files)
• A filename object refers to the directory data that maps a name to a file object
• A process is identified uniquely by a process ID and version number
Application – Graph Generation [Dependency-causing events]
• One process directly affects the execution of another process object
• A process affects or is affected by data or attributes associated with a file object
• A process affects or is affected by a filename object
Note: Affecting an object is not the same as controlling an object!
Application – Graph Generation [Prioritizing the dependency graph]
• Dependency graphs for a busy system will be too large to scrutinize every object/event
• Ignore certain objects & events:
  • Ignore all child events from a specific event
  • Ignore files read but not written in the time period
  • Ignore helper processes
• Choose several detection points to scrutinize
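The following is an added example, not code from the King & Chen paper or the BackTracker tool: a small Python model of the backward, time-sensitive search over a dependency graph, with the two prioritization rules above (ignore files that were read but never written, ignore the listed bookkeeping files). The event log is constructed here and mirrors the httpd → bash → wget → /tmp/ /bind chain from the evaluation; the `proc:`/`file:`/`socket:` naming and the tuple layout are assumptions of this example.

```python
from collections import defaultdict

# Constructed event log (not BackTracker's real log format): tuples of
# (time, source_object, sink_object, event). The chain mirrors the paper's
# evaluation: httpd forks bash, bash runs wget, wget writes /tmp/ /bind.
EVENTS = [
    (1, "proc:httpd", "proc:bash", "fork"),
    (2, "proc:bash", "proc:wget", "fork"),
    (3, "socket:remote", "proc:wget", "recv"),
    (3, "file:/etc/hosts", "proc:wget", "read"),      # read, never written
    (4, "proc:wget", "file:/tmp/ /bind", "write"),    # detection point
    (5, "proc:logrotate", "file:/var/log/wtmp", "write"),
    (6, "file:/var/log/wtmp", "proc:bash", "read"),   # after the fork: irrelevant
    (7, "proc:cron", "file:/var/log/cron", "write"),  # unrelated process
]

# Basenames of the bookkeeping files the evaluation ignores when prioritizing.
IGNORED_NAMES = {".bash_history", "lastlog", "utmp", "mtab"}

def build_graph(events):
    """Index events by the object they affect; record which files were written."""
    incoming = defaultdict(list)   # sink -> [(time, source, event)]
    written = set()
    for t, src, dst, ev in events:
        incoming[dst].append((t, src, ev))
        if dst.startswith("file:"):
            written.add(dst)
    return incoming, written

def backtrack(events, detection_obj, detection_time):
    """Objects that could have affected detection_obj at or before detection_time.
    Time-sensitive: an event counts only if it happened no later than the event
    through which the affected object itself reached the detection point."""
    incoming, written = build_graph(events)
    seen = {detection_obj}
    work = [(detection_obj, detection_time)]
    while work:
        obj, limit = work.pop()
        for t, src, ev in incoming[obj]:
            if t > limit or src.rsplit("/", 1)[-1] in IGNORED_NAMES:
                continue
            if src.startswith("file:") and src not in written:
                continue          # prioritization rule: read-but-never-written files
            if src not in seen:
                seen.add(src)
                work.append((src, t))   # earlier state of src is what mattered
    seen.discard(detection_obj)
    return seen

if __name__ == "__main__":
    print(sorted(backtrack(EVENTS, "file:/tmp/ /bind", 4)))
```

Running it from the detection point `file:/tmp/ /bind` at time 4 returns only wget, bash, httpd and the socket; `/etc/hosts` is pruned as read-only and the later `wtmp` read of bash is excluded by the time check.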
Application - Graph Generation ["PTrace Attack" Analysis]
Exploits a race condition in the Linux ptrace code to gain root access:
1) The attacker caused the Apache web server (httpd) to create a command shell (bash)
2) Downloaded and unpacked an executable
3) Ran the executable using a different group identity
Key Idea – Dependency & Event Tracking
• A tracking system must examine higher-level events instead of low-level events to minimize system overhead
• Examples of high-level events:
  • Changing the contents of a file
  • Creating a child process
• Examples of low-level events:
  • Changing a file's access time
  • Creating a filename in a directory
Application – Dependency & Event Tracking
• Backtracker is able to provide useful analysis without tracking low-level events, even if low-level events are used in the attack
• Backtracker logs & analyzes:
  • Process creation through fork or clone
  • Loads and stores to shared memory
  • Reads and writes of files and pipes
  • Receiving data from a socket
  • Performing execve of files
  • Loads and stores to mmap'ed files
  • Opening a file
Note: Backtracker produces a 9% running time overhead and 1.2GB of log data per day for an operating-system-intensive workload
Application – Dependency & Event Tracking [In virtual machine environments]
• The virtual machine monitor prevents intruders in the guest OS from interfering with event tracking
• The virtual machine monitor notifies Backtracker whenever a guest application performs a high-level event
Evaluation - Introduction
• To test Backtracker, a default installation of RedHat 7.0 was set up on a Honeypot machine
  • RedHat: vulnerable to several remote and local attacks
  • Honeypot: vulnerable to at least two attacks (Apache)
• A "Bind" attack was run on this system
• Files read but not written are ignored
• Ignore the files /root/.bash_history, lastlog, utmp, mtab
• Ignore helper processes
Evaluation - Results
1) Gained access through httpd (Apache)
2) Downloaded a rootkit using wget
3) Wrote the rootkit to the file "/tmp/ /bind"
Evaluation - Shortcomings
• Backtracker can be circumvented by:
  • Attacking the layers upon which Backtracker's analysis or logging depend
  • Using a hidden channel to break the chain of events that Backtracker tracks
  • Carrying out the attack's sequence of steps over a long period of time
  • Attacking the virtual machine monitor layer or host OS (much harder than attacking the guest kernel)
Conclusion
• Data integrity and security are vital as computing becomes more widespread. Backtracker allows system administrators to analyze an attack and avoid future vulnerability.
• An everyday application of this technology might be for a banking system administration team to protect their clients' accounts.
• Questions?