A Linux Kernel Auditing Tool for Host-Based Intrusion Detection



Similar documents
IDEA: A New Intrusion Detection Data Source

Performance Isolation of a Misbehaving Virtual Machine with Xen, VMware and Solaris Containers

Securely Isolating Malicious OS Kernel Modules Using Hardware Virtualization Support

Is Virtualization Killing SSI Research?

LSM-based Secure System Monitoring Using Kernel Protection Schemes

Intrusion Detection in Virtual Machine Environments

Detecting Computer Worms in the Cloud

Safety measures in Linux

Full and Para Virtualization

Xen Live Migration. Networks and Distributed Systems Seminar, 24 April Matúš Harvan Xen Live Migration 1

Migration of Virtual Machines for Better Performance in Cloud Computing Environment

Models For Modeling and Measuring the Performance of a Xen Virtual Server

Resource Scalability for Efficient Parallel Processing in Cloud

System Security Fundamentals

Performance Profiling in a Virtualized Environment

Linux OS-Level Security Nikitas Angelinas MSST 2015

Dynamic resource management for energy saving in the cloud computing environment

benchmarking Amazon EC2 for high-performance scientific computing

Performance Comparison of VMware and Xen Hypervisor on Guest OS

Eloquence Training What s new in Eloquence B.08.00

Chapter 3 Operating-System Structures

4-2 A Load Balancing System for Mitigating DDoS Attacks Using Live Migration of Virtual Machines

supported Application QoS in Shared Resource Pools

A Dynamic Resource Management with Energy Saving Mechanism for Supporting Cloud Computing

Plan 9 Authentication in Linux

EC2 Performance Analysis for Resource Provisioning of Service-Oriented Applications

A Simple Implementation and Performance Evaluation Extended-Role Based Access Control

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Database high availability

issh v. Auditd: Intrusion Detection in High Performance Computing

Chapter 2 Addendum (More on Virtualization)

Performance Tools for Parallel Java Environments

Attack graph analysis using parallel algorithm

System Behavior Analysis by Machine Learning

Example of Standard API

Replication on Virtual Machines

kvm: the Linux Virtual Machine Monitor

Towards Lightweight Logging and Replay of Embedded, Distributed Systems

HPC performance applications on Virtual Clusters

How To Prevent Network Attacks

Confining the Apache Web Server with Security-Enhanced Linux

Optional custom API wrapper. C/C++ program. M program

A loadable task execution recorder for Linux

Chapter 2 System Structures

Transparent Optimization of Grid Server Selection with Real-Time Passive Network Measurements. Marcia Zangrilli and Bruce Lowekamp

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

COS 318: Operating Systems. Virtual Machine Monitors

Virtualization Technologies (ENCS 691K Chapter 3)

Protection of Components based on a Smart Card Enhanced Security Module

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Introduction of Virtualization Technology to Multi-Process Model Checking

Double guard: Detecting Interruptions in N- Tier Web Applications

KVM Security Comparison

A Lightweight Dynamic Performance Monitoring Framework for Embedded Systems

On A Network Forensics Model For Information Security

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

Transparent Monitoring of a Process Self in a Virtual Environment

A FRAMEWORK FOR MANAGING RUNTIME ENVIRONMENT OF JAVA APPLICATIONS

Simplifying Lustre Operations with Chukwa and Hadoop

Client/Server Computing Distributed Processing, Client/Server, and Clusters

Online Transaction Processing in SQL Server 2008

Application of Data Mining Techniques in Intrusion Detection

Open Source High Availability Writing Resource Agents for your own services. Lars Marowsky-Brée Team Lead SUSE Labs

Virtual Hosting & Virtual Machines

Oracle Audit Vault Oracle FLEXCUBE Universal Banking Release [April] [2014]

Cloud Computing through Virtualization and HPC technologies

A Comparative Study of Open Source Softwares for Virtualization with Streaming Server Applications

Advanced Honeypot Architecture for Network Threats Quantification

nanohub.org An Overview of Virtualization Techniques

Migrating IIS 6.0 Web Application to New Version Guidance

HONE: Correlating Host activities to Network communications to produce insight

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Proteus, a hybrid Virtualization Platform for Embedded Systems

Transcription:

A Linux Kernel Auditing Tool for Host-Based Intrusion Detection William A. Maniatty, Adnan Baykal, Vikas Aggarwal, Joshua Brooks, Aleksandr Krymer and Samuel Maura baykal@cs.albany.edu CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 1

Security management approaches Prevention - slows down attackers Overview Detection - alert administrators when attacks occur Containment - limit damage of a successful attack Recovery - repair (if feasible) the damage Where to apply these approaches Host based Network based Our focus on host-based intrusion detection. We needed to generate larger amounts of high quality audit data This is a lot like debugging, so extend a debugging tool We chose Yaghmour and Deganais' Linx Trace Toolkit (LTT) [7]) Need to observe all system calls Need to monitor all security credentials of processes CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 2

Instrumentation Design Choices We instrumented each system call. We did NOT use wrapper functions for systems calls Many tools do this (easy to code, e.g. systrace [4]). But tends to cause conicts when using more than one of these tools. Used conditional compilation and inlining to minimize overhead Has Useful Related Projects/Features RelayFS [6] (we use this) Flight Recorder DProbes [3] Kernel Hooks [2] Allows for native mode tracing Allows for tracing on SMP systems (unlike ReVirt [5]) Eventually, we want optional support for virtualization and replay. Thus, we are considering Xen [1]. CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 3

Architecture Used Kernel Trace Daemon Streaming Data Analyzer Trace Buffers (PE 0) User Buffers (CPU 0)...... Log File CPU 0 Off Line Post Processing Trace Visualizer System Calls Trace Buffers (PE N 1) User Buffers (CPU N 1) Log File...... CPU N 1 Trace Logic Log Analyzer Configuration and Buffer Control Proc Log /proc file system Process Tree Capture Rules Database CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 4

Data Management issues We get a lot of data Tracing all system calls on a lightly loaded system gives about 40 GB/24 hours. We use inline compression (zlib), and get around 95 % size reduction Observed run-time slowdown of only 3-5% on I/O intensive tasks. Support misuse detection (e.g. privilege escalation) We are looking into mining techniques for our data Time series based (currently we are trying wavelet based approaches). Sequence based. Clustering and classication (principle component analysis). Challenges of mining The data is highly dimensional and categorical This makes clustering hard. Use relational DB (PosgreSQL) to manage a condensed data representation Need streaming approaches (rst get good accuracy, then stream). CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 5

Instrumentation details A good audit can log all inputs and results of system calls. Including Security credentials uid_t uid, euid, suid, f s u i d ; gid_t gid, egid, sgid, f s g i d ; i n t ngroups ; gid_t groups [NGROUPS] ; kernel_cap_t cap_effective, cap_inheritable, cap_permitted ; i n t k e e p _ c a p a b i l i t i e s : 1 ; s t r u c t user_struct user ; / Other u s e f u l s e c u r i t y r e l a t e d f i e l d s / i n t did_exec : 1 ; void s e c u r i t y ; CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 6

Concluding Remarks Policy instrumentation needs dierent from auditing E.g. Linux Security Modules has user exit style programming and lkms. Hooks placed before major changes to kernel state (does not record results). Sometimes not invoked (i.e. if parameters fail sanity checks). Only security related calls have instrumentation so exploitable calls (e.g. mmap) may lack hooks We are investigating combining LSM (policy) and LTT (audit) Virtual Machines provide containment and tamper resistance But many users run native mode, and need logging Ideally a useful tool should work in BOTH virtual and native mode Oers strong misuse detection and response Highly detailed ight recorder dumps Close coupling of mining and acquisition looks promising Begin with traditional clustering, time series and sequence mining Then pick streaming approaches for improved accuracy Responses and policy integration a work in progress CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 7

Bibliography References [1] B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Wareld, P. Barham, and R. Neugebauer. Xen and the art of virtualization. In Proceedings of the ACM Symposium on Operating Systems Principles, October 2003. [2] R. J. Moore. Generalised kernel hooks interface - a high speed call-back mechanism for the linux kernel. In Proceedings of the UKUUG Linux 2001 Linux Developers' Conference, Manchester, England, July 2001. On line at http://www-124.ibm.com/linux/projects/kernelhooks/. [3] R. J. Moore. A universal dynamic trace for linux and other operating systems. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, Boston, Massachusetts, USA, June 2001. [4] Niels Provos. Improving host security with system call policies. In Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 2003. CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 8

[5] Peter M. Chen Samuel T. King. Backtracking intrusions. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), pages 223236, Bolton Landing, NY USA, October 2003. [6] K. Yaghmour. RelayFS: An ecient unied approach for trasmitting data from kernel to user space. In Proceedings of the Ottawa Linux Symposium 2003, Ottawa, Ontario, Canada, July 2003. The Linux Symposium's 2003 web page is at http://www.linuxsymposium.org/2003/. [7] K. Yaghmour and M. R. Dagenais. Measuring and characterizing system behavior using kernel-level event logging. In Proc. of the USENIX Annual 2000 Technical Conference, pages 1326. USENIX, June 2000. CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information