Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections



Transcription of the slides:

Slide 1: Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections
Abhinav Srivastava and Jonathon Giffin, School of Computer Science, Georgia Institute of Technology

Slide 2: Attacks
(Figure: a victim system infected with a bot, a backdoor, spyware and a worm, exhibiting strange processes and strange connections.)

Slide 3: Goals
Detect and block outbound malicious network connections
Detect and prevent remote attackers from connecting to local malware
Remain tamper-resistant against direct attacks on the firewall itself
(Figure: victim system with bot, spyware, backdoor and worm.)

Slide 4: Network Firewall
(Figure: firewall at the network edge between the Internet and the victim system, blocking a connection to the network app.)
Coarse policies
Incomplete view (sees only packets and addresses, not which process on the host owns a connection)
Tamper resistant

Slide 5: Host Firewall
(Figure: firewall running inside the victim system between the network and the network app.)
Fine-grained policies
Complete view (runs on the host, so it can tie each connection to its process)
Not tamper resistant (runs inside the same OS that the malware compromises)

Slide 6: Virtualization-based Firewall
(Figure: Xen on physical hardware hosts a security VM and a victim VM. The victim VM's network app sends traffic through a driver frontend; shared memory connects it to the driver backend in the security VM, where the firewall sits between the backend and the bridge to the physical network driver.)
Fine-grained policies
Complete view
Tamper resistant

Slide 7: Challenges
Correlate an IP address and port with the corresponding process in the guest VM. Solution: virtual machine introspection (VMI)
Extract semantic information from raw guest memory. Solution: use OS knowledge to parse the guest kernel's data structures
Impose low overhead. Solution: selective introspection (introspect only when a verdict is not already known)

Slide 8: Threat Model
Hypervisor and security VM are assumed secure
Both user-level and kernel-level attacks on the victim VM are possible
Kernel data structures are expected to be found at known locations

Slide 9: Prototype System
(Figure: the security VM runs a user component in user space and a kernel component, the firewall, in kernel space, above Xen and the physical hardware.)
Design properties: tamper resistance, independence, lightweight verification

Slides 10-12: Kernel Module Architecture
(Figure, built up over three slides: inside the security VM's kernel space, the kernel component sits on the packet path between the driver backend and the bridge. It holds a rule table and a packet queue (packets P1, P2, ...) for packets awaiting a verdict. Xen and the physical hardware sit below.)
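The packet-handling logic these slides describe (a rule table, a packet queue, and the selective introspection from the Challenges slide), as an added example that is not the authors' code: a user-space C model of the security VM's kernel component. Only the first packet of an unknown connection raises an introspection request to the user agent; later packets of that connection wait in the queue, and once a verdict is installed every further packet is decided from the rule table without introspection. The struct and function names (fw_state, fw_packet, fw_deliver_verdict), the fixed table sizes, and the fail-closed behaviour when the queue is full are assumptions of this example, not details from the slides.

```c
/* Added example (not the authors' code): a model of the security-VM kernel
 * component from the architecture slides. It keeps a rule table keyed by
 * connection 5-tuple and a packet queue for packets whose connection has no
 * verdict yet. Introspection is selective: only the first packet of an unknown
 * connection raises a request to the user agent; later packets either wait in
 * the queue or hit the cached rule. All struct and function names, the table
 * sizes and the fail-closed policy are assumptions made for this example. */
#include <stdint.h>
#include <string.h>

enum verdict { VERDICT_PENDING = 0, VERDICT_ALLOW, VERDICT_BLOCK };

struct conn_key {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
};

#define RULE_MAX  64
#define QUEUE_MAX 16

struct rule { struct conn_key key; enum verdict v; int used; };
struct pkt  { struct conn_key key; int id; };

struct fw_state {
    struct rule table[RULE_MAX];      /* rule table (slide 12) */
    struct pkt  queue[QUEUE_MAX];     /* packet queue P1, P2, ... (slide 12) */
    int         qlen;
    int         introspect_requests;  /* requests sent to the user agent */
};

static int key_eq(const struct conn_key *a, const struct conn_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}

static struct rule *rule_lookup(struct fw_state *s, const struct conn_key *k)
{
    for (int i = 0; i < RULE_MAX; i++)
        if (s->table[i].used && key_eq(&s->table[i].key, k))
            return &s->table[i];
    return NULL;
}

static struct rule *rule_insert(struct fw_state *s, const struct conn_key *k,
                                enum verdict v)
{
    for (int i = 0; i < RULE_MAX; i++) {
        if (!s->table[i].used) {
            s->table[i].used = 1;
            s->table[i].key  = *k;
            s->table[i].v    = v;
            return &s->table[i];
        }
    }
    return NULL;
}

/* Hook point between the driver backend and the bridge: called once per
 * packet. Returns the verdict applied to this packet. PENDING means the packet
 * was parked in the queue until the user agent answers. */
enum verdict fw_packet(struct fw_state *s, const struct pkt *p)
{
    struct rule *r = rule_lookup(s, &p->key);
    if (r == NULL) {
        /* Unknown connection: one introspection request, then queue. */
        if (s->qlen >= QUEUE_MAX || rule_insert(s, &p->key, VERDICT_PENDING) == NULL)
            return VERDICT_BLOCK;            /* no room: fail closed */
        s->introspect_requests++;
        s->queue[s->qlen++] = *p;
        return VERDICT_PENDING;
    }
    if (r->v == VERDICT_PENDING) {
        /* Agent already asked for this connection; just queue the packet. */
        if (s->qlen >= QUEUE_MAX)
            return VERDICT_BLOCK;
        s->queue[s->qlen++] = *p;
        return VERDICT_PENDING;
    }
    return r->v;                             /* fast path: cached rule */
}

/* Called by the user agent with its answer. Installs the rule and drains the
 * queue; returns how many queued packets of that connection were released
 * (ALLOW) or discarded (BLOCK). Packets of other connections stay queued. */
int fw_deliver_verdict(struct fw_state *s, const struct conn_key *k, enum verdict v)
{
    struct rule *r = rule_lookup(s, k);
    if (r == NULL)
        r = rule_insert(s, k, v);
    if (r == NULL)
        return 0;
    r->v = v;

    int handled = 0, w = 0;
    for (int i = 0; i < s->qlen; i++) {
        if (key_eq(&s->queue[i].key, k))
            handled++;                       /* released or dropped per v */
        else
            s->queue[w++] = s->queue[i];     /* keep packets of other flows */
    }
    s->qlen = w;
    return handled;
}
```

The cost model behind the slide's "selective introspection" is visible here: the expensive path (the introspection request and the queueing) is taken once per connection, while the per-packet cost is a rule-table lookup. A rule table this small is also a denial-of-service surface, which is why the example fails closed when it is full; the security-analysis slide lists DoS among the attacks the design has to consider.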

Slides 13-15: User Agent Architecture
(Figure, built up over three slides: the user agent runs in the security VM's user space, above the kernel component with its rule table and packet queue, the driver bridge and the driver backend. Using the victim kernel's System.map and a process whitelist, the agent reads the victim VM's CR3, walks its page directory and page tables, and locates the kernel data structures in the victim's kernel-space memory.)

Slide 16: Kernel Data Structure Traversal
Ports: start at inet_hashinfo; array iteration over its hlist_head buckets, then linked-list iteration over the hlist_node entries in a bucket to reach the sock for the port.
Process: start at the task_struct list; linked-list iteration over the task_struct entries, then for each task follow files_struct to fdtable and iterate its array of file entries until one matches the sock found above.
Return: process information from the matching task_struct.
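The traversal on this slide, as an added example that is not the authors' code: a C model of the port-to-process walk, with the owning process name checked against the whitelist the user-agent slides mention. The structs borrow the Linux names the slide uses (inet_hashinfo, hlist_head, hlist_node, sock, task_struct, files_struct, fdtable, file) but are simplified stand-ins living in the example's own memory; a real agent resolves them in the victim VM's physical memory through CR3 and the page tables, using System.map for symbol addresses. The bucket hash, the direct file-to-sock link, the field names and the whitelist contents are assumptions of this example.

```c
/* Added example (not the authors' code): a user-space model of the kernel
 * data-structure walk on slide 16, mapping a local port to the process that
 * owns the socket. Struct names follow the slide; their layout, the bucket
 * hash and the file -> sock link are simplified assumptions for this example. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct hlist_node { struct hlist_node *next; };
struct hlist_head { struct hlist_node *first; };

struct sock {
    struct hlist_node node;      /* linkage in an inet_hashinfo bucket */
    uint32_t          rcv_saddr; /* bound local address, 0 = any */
    uint16_t          num;       /* local port, host order */
    uint8_t           protocol;  /* 6 = TCP, 17 = UDP */
};

#define INET_BUCKETS 8
struct inet_hashinfo { struct hlist_head bhash[INET_BUCKETS]; };

struct file { struct sock *private_sock; };  /* NULL for non-socket files */
struct fdtable { int max_fds; struct file **fd; };
struct files_struct { struct fdtable *fdt; };

struct task_struct {
    struct task_struct  *next;   /* tasks list, simplified to singly linked */
    int                  pid;
    char                 comm[16];
    struct files_struct *files;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static unsigned port_bucket(uint16_t port) { return port % INET_BUCKETS; }

/* Helper for building the sample guest state: push a sock onto its bucket. */
void inet_hash_add(struct inet_hashinfo *h, struct sock *sk)
{
    struct hlist_head *b = &h->bhash[port_bucket(sk->num)];
    sk->node.next = b->first;
    b->first = &sk->node;
}

/* Step 1 (slide 16, left): pick the hlist_head bucket for the port, then
 * linked-list iteration over its hlist_node entries to find the sock. */
struct sock *find_sock(struct inet_hashinfo *h, uint32_t laddr, uint16_t lport, uint8_t proto)
{
    for (struct hlist_node *n = h->bhash[port_bucket(lport)].first; n; n = n->next) {
        struct sock *sk = container_of(n, struct sock, node);
        if (sk->num == lport && sk->protocol == proto &&
            (sk->rcv_saddr == 0 || sk->rcv_saddr == laddr))
            return sk;
    }
    return NULL;
}

/* Step 2 (slide 16, right): walk every task_struct, follow files_struct to
 * fdtable, iterate the file array and match the file's socket against sk. */
struct task_struct *find_owner(struct task_struct *tasks, const struct sock *sk)
{
    for (struct task_struct *t = tasks; t; t = t->next) {
        if (!t->files || !t->files->fdt)
            continue;
        struct fdtable *fdt = t->files->fdt;
        for (int i = 0; i < fdt->max_fds; i++)
            if (fdt->fd[i] && fdt->fd[i]->private_sock == sk)
                return t;
    }
    return NULL;
}

/* Policy: allow only if the owning process name is on the whitelist. A sock
 * with no reachable owner is blocked, since that is what a kernel data
 * structure modification attack (security-analysis slide) would look like.
 * Matching on comm is also what the slide's process-renaming attack targets;
 * the slide's answer is Tripwire-style checks or disk introspection. */
int connection_allowed(struct inet_hashinfo *h, struct task_struct *tasks,
                       uint32_t laddr, uint16_t lport, uint8_t proto,
                       const char *const *whitelist, size_t nwhite)
{
    struct sock *sk = find_sock(h, laddr, lport, proto);
    if (!sk)
        return 0;                            /* no socket for this endpoint */
    struct task_struct *t = find_owner(tasks, sk);
    if (!t)
        return 0;                            /* socket with no visible owner */
    for (size_t i = 0; i < nwhite; i++)
        if (strncmp(t->comm, whitelist[i], sizeof t->comm) == 0)
            return 1;
    return 0;
}
```

The two traversals have different costs: the port lookup is a hash bucket walk, while the owner lookup is linear in the number of tasks and open descriptors, which is where the introspection times on the performance slides come from and why the kernel component caches the verdict per connection rather than repeating the walk per packet.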

Slide 17: Security Evaluation

Name              Type      Connection Type   Result
Blackhole         Backdoor  Inbound           Blocked
Gummo             Backdoor  Inbound           Blocked
Bdoor             Backdoor  Inbound           Blocked
Ovas0n            Backdoor  Inbound           Blocked
Cheetah           Backdoor  Inbound           Blocked
Apache-ssl        Worm                        Blocked
Apache-linux      Worm                        Blocked
Backdoor-Rev.b    Worm                        Blocked
Q8                Bot                         Blocked
Kaiten            Bot                         Blocked
Coromputer Dunno  Bot                         Blocked

(The slide marks a connection type only for the backdoors.)

Slide 18: Legitimate Connections

Name        Connection Type   Result
rcp                           Allowed
rsh                           Allowed
yum                           Allowed
rlogin                        Allowed
ssh                           Allowed
scp                           Allowed
wget                          Allowed
tcp client                    Allowed
thttpd      Inbound           Allowed
tcp server  Inbound           Allowed
sshd        Inbound           Allowed

Slide 19: Performance Evaluation (introspection time)

Direction                         TCP introspection time (µs)   UDP introspection time (µs)
Inbound connection to Victim VM   251                           438
Connection from Victim VM         1080                          445

Slide 20: Performance Evaluation (file transfer)

Direction                                     Without (s)   With (s)   Overhead
File transfer from Security VM to Victim VM   1.105         1.179      7%
File transfer from Victim VM to Security VM   1.133         1.140      1%

Slide 21: Performance Evaluation (connection setup)

Direction                                  Without (µs)   With (µs)   Overhead (µs)
Connection from Security VM to Victim VM   197            465         268
Connection from Victim VM to Security VM   143            1266        1123

Slide 22: Security Analysis
Kernel data structure modification attacks: semantic kernel integrity checking [Petroni et al., USENIX Security 2006]
Process renaming attacks: Tripwire or disk introspection
Code injection attacks
DoS attacks

Slide 23: Conclusions
Provides a tamper-resistant firewalling framework
Combines both host-level and network-level views
Provides fine-grained application-level filtering
Imposes low overhead

Slide 24: Questions?
Or send us email: Abhinav Srivastava (abhinav@cc.gatech.edu), Jonathon Giffin (giffin@cc.gatech.edu)
Thanks to: Steve Dawson (SRI International), Monirul Sharif (Georgia Tech), Bryan D. Payne (Georgia Tech), Andrea Lanzi (Georgia Tech)

Slide 25: Related Work
Distributed firewalling [Bellovin]: centralized policy design, distributed enforcement of policy
Implementation of distributed firewalling [Ioannidis, CCS 2000]
Flexible OS support infrastructure [Garfinkel, HotOS 2006]: virtual machines for supporting distributed firewalling

Slide 26: Performance Evaluation (backup)

Direction                                   Without (µs)   With (µs)   Overhead (µs)
Inbound initiated                           434            815         381
Initiated (direction missing on the slide)  271            848         577