System Health and Intrusion Monitoring Using a Hierarchy of Constraints

Transcription

1 System Health and Intrusion Monitoring Using a Hierarchy of Constraints Calvin Ko NAI Labs, Network Associates, Inc. Jeff Rowe University of California, Davis October 2001

2 Historical Behavior Attacks / Vulnerabilities Intended/Expected Behavior Abstract IDS Model Rules Detect Detect effect/manifestation actions by theof the attacker s attackersactions ID Engine Result Audit Data (e.g., Kernel Audit trails, Network packets, Syslog, ) RAID

3 System Health and Intrusion Monitoring (SHIM) Extend existing specification-based detection work Employ a hierarchy of constraints/specifications describe healthy/correct operation of a system capture static behavior, dynamic behavior, timedependent behavior of different components at different levels of abstraction detect manifestations of attacks or security errors regardless of the cause Utilize data at all levels network, host, OS kernel, application Reason about the specifications RAID

4 Top Level Threats addressed by SHIM Remote-to-Local, Remote-to-Root User-to-Root Insider exceeding his/her privileges misusing his/her privileges Trojan Horses Denial of Services Masqueraders & Probing Privileged processes setuid root programs, servers/daemons, administrator processes RAID

5 System-wide System Services Host Programs and Network Protocols Applications Constraint Model Access Data Integrity Operational Integrity Temporal/Interaction Resource Usage RAID

6 Security Policies, Design Principles Higher Level Constraints Constraint Development Functionality & System Semantics Hierarchical Constraint Model Attack / Vulnerability Models Configuration, historical behavior, & system policy Constraints RAID

7 Technical objective Approach and Rationale Roadmap Useful types of constraints Program constraints Protocol constraints High level constraints Ongoing and Future Work RAID

8 Useful Types of Constraints Policy on Users Files a user can access Resources a user is allowed to possess Protocol Specifications -- operational view Defines allowable transitions Defines allowable time in a given state Protocol Specifications -- message content Mappings delivered by DNS should accurately represent view of authoritative router IP addresses are not spoofed RAID

9 Useful Types of Constraints (cont.) Protocols -- Invariant and assumptions IP Routers approximate Kirchoff s law Packets are not sniffed by third-party Packet source must be a non-congested/non-dosed host Programs -- valid access constraints Programs access only certain objects Programs - Interaction constraints program interaction should not change the semantic Data Integrity e.g., passwords, other authentication information authorization information, process table RAID

10 Access Constraints for Programs Can Detect remote users gain local accesses local users gain additional privileges Trojan Horses Work well for many programs, e.g., passwd, lpr, lprm, lpq, fingerd, at, atq, Some program can potentially access many files, e.g., httpd, ftpd break the execution into pieces (or threadlets). Define the valid access for each threadlets. Threadlet defined by transition operations RAID

11 Component-Specific Constraints Privileged programs e.g., Ftp daemon Read files that are world readable Write files that are owned by the user Execute only /bin/ls, /bin/gzip, /bin/tar, /bin/compress Critical Data E.g., The password file in a Unix system should be in the correct form and each user should have a password. RAID

12 General Constraints A privileged process should discard all its privileges and capabilities before it gives control to a user. The temporary file for a program should be accessible only by the program execution and should be removed when the program exits An application should read only configuration files owned by the user that it is running as RAID

13 Constraints / Specifications Prototype SHIM Host Monitor SHIM Compiler SHIM Analyzer Modules Other sources SHIM Monitor Control SHIM Analyzer Module Linux or Solaris Kernel Agile Kernel Auditor RAID

14 Protocol Constraints Address Resolution Protocol (ARP) For mapping between the Ethernet layer and the IP layer Hosts on the network query all machines for their Ethernet-to- IP assignments before sending to a new IP address. Hosts typically keep a local list of mappings ( the ARP cache ) to avoid repetitive queries ARP Cache Poisoning Unsolicited Response Bogus Request Bogus Response Both a spurious Request and a spurious Response RAID

15 An ARP Specification ARP Request ARP Request ARP Response i reply_wait cached ARP cache timeout RAID

16 Unsolicited ARP Response ARP REPLY to victim blanc.cs.ucdavis.edu IS-AT 08:00:20:23:71:52 ARP reply will be accepted by a victim machine, even though it hasn t sent a request. Sending a arbitrary IP to Ethernet mapping will poison the victim s ARP cache. Sending an unsolicited response to the broadcast Ethernet address poisons the cache of all machines (Solaris, Windows, Linux). RAID

17 Bogus ARP Request ARP REQUEST WHO-HAS olympus.cs.ucdavis.edu TELL blanc.cs.ucdavis.edu at 08:00:20:23:71:52 ARP implementations cache entries based upon broadcast requests. Even if the host isn t involved in any resolution their cache will update with the information contained in third-party requests. Sending out an request with bogus sender information poisons everyone s cache. RAID

18 Unsolicited ARP Response An ARP Specification Malformed Request alarm ARP Request Bogus ARP Response ARP Request ARP Response i reply_wait cached ARP cache timeout RAID

19 ARP Monitor Implementation Built on the snort open-source IDS platform - Uses the snort preprocessor plug-in feature - No measurable difference in baseline IDS performance due to the low volume of ARP traffic. Single ARP correctness specification catches all five ARP vulnerabilities RAID

20 A DHCP Specification Dynamic Host Configuration Protocol (DHCP) provides centralized management of client workstation configuration parameters Distributed servers cooperatively allocate client parameters, even across sub-networks. DHCP typically configures IP address allocation Gateway router address DNS servers RAID

21 DHCP Messages From Server Message Use DHCPOFFER Server to client in response to DHCPDISCOVER with offer of configuration parameters. DHCPACK Server to client with configuration parameters, including committed network address. DHCPNAK Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease as expired From Clients Message Use DHCPDISCOVER Client broadcast to locate available servers. DHCPREQUEST Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address. DHCPDECLINE Client to server indicating network address is already in use. DHCPRELEASE Client to server relinquishing network address and cancelling remaining lease. DHCPINFORM Client to server, asking only for local configuration parameters; client already has externally configured network address. RAID

22 DHCP Protocol Misuse DHCP built upon UDP making IP spoofing trivial. DHCP traffic is passed by routers and can traverse remote networks Denial-of-Service Fake client DHCPRELEASE causes server to assign same IP address to multiple clients. Multiple fake DHCPREQUEST messages consume all available IP addresses. Falsification of network services Fake DHCP server feeds clients false gateway router address for DOS or to intercept traffic. Fake DHCP server feeds clients a false DNS server and supplies it s own malicious mappings. RAID

23 Init-Reboot -/Send DHCPREQUEST Rebooting DHCPACK/Record lease, set T1, T2 DHCPNAK/Restart DHCPNAK/Discard Offer DHCP Protocol DHCPAK(not accepted)/send DHCPDECLINE Select Offer/Send DHCPREQUEST Init -/Send DHCPDISCOVER Selecting DHCPOFFER/Collect Offers DHCPNAK/Lease expired DHCPNAK/Halt Network DHCPOFFER/ Discard Requesting DHCPOFFER, DHCPACK, DHCPNAK /Discard DHCPACK/Record lease, set T1, T2 Bound DHCPACK/Record lease, set T1, T2 T1 Expires/Send DHCPREQUEST DHCPACK/Record lease, set T1, T2 Rebinding T2 Expires/ Broadcast DHCPREQUEST Renewing RAID

24 DHCP Protocol Monitor DHCP protocol monitor is implemented as a Snort IDS plug-in. Based upon the DHCP client state diagram Monitors for DHCPRELEASE messages Monitors for multiple server replies indicating the presence of a rogue DHCP server. RAID

25 High-Level Constraints Concerned with the system or a services May not be directly detectable, need to project down to lower-level constraints e.g., Only valid users can login from valid remote hosts. Combining host-based and protocol constraints RAID

26 rlogind allows only authorized attempt Projections Only authorized remote user can rlogin to a host Rlogin packet came from the true remote host Remote host not compromised DNS name not spoofed IP address not spoofed ARP address not spoofed RAID

27 Ongoing and Future Work Investigate constraints for other components Projections of constraints Verification of constraints Interaction constraints High level constraints RAID