Computer Security CSE 543
This 0 page Class Notes was uploaded by Libby Kuhlman on Sunday November 1, 2015. The Class Notes belongs to CSE 543 at Pennsylvania State University taught by Staff in Fall. Since its upload, it has received 12 views. For similar materials see /class/233115/cse-543-pennsylvania-state-university in Computer Science and Engineering at Pennsylvania State University.
Date Created: 11/01/15
CSE 543 Computer Security, Fall 2007
Lecture 24: Intrusion Detection (November 29, 2007)
Professor Jaeger, Pennsylvania State University
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07

Background and Experiment
- Background
  - Outline the problem
  - May use an example scenario
  - Material related to the solution
  - Why hasn't it been solved?
- Experiment
  - Big insight / hypothesis / claim
  - Show why it would be interesting to test
  - Experimental approach
  - Expected results
  - Informal proof that the claim may be true

Intrusion
- An authorized action
- That can lead
- To a compromise
- And an attack
- Authentication and access control are no help

Types of Intrusions
- Network
  - Malformed and unauthenticated packet
  - Let through the firewall
  - Reaches the network-facing daemon
  - Can we detect intrusions from packet contents?
- Host
  - Input to daemon
  - Triggers a vulnerability (buffer overflow)
  - Injects attacker code
  - Performs malicious action
  - Can we detect intrusions from process behavior?

Intrusion Detection (def. by Forrest)
- An IDS system finds anomalies
  - "The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior." [Forrest 98]
- However you do it, it requires:
  - Training the IDS (training)
  - Looking for anomalies (detection)
- This is an explosive area in computer security that has led to lots of new tools, applications, and industry

Intrusion Detection Systems
- IDS systems claim to detect the adversary while in the act of attack
  - Monitor operation
  - Trigger mitigation technique on detection
  - Monitor network, host, or application events
- A tool that discovers intrusions after the fact is called a forensic analysis tool
  - E.g., from system logfiles
- IDS systems really refer to two kinds of detection technologies
  - Anomaly detection
  - Misuse detection

Anomaly Detection
- Compares a profile of normal system operation to the monitored state
- Hypothesis: any attack causes enough deviation from the profile (generally true?)
- Q: How do you derive normal operation?
  - AI: learn operational behavior from training data
  - Expert: construct profile from domain knowledge
  - Black-box analysis vs. ...
- Q: Will a profile from one environment be good for others?
- Pitfall: false learning

Misuse Detection
- Profile signatures of known attacks
- Monitor operational state for signature
- Hypothesis: attacks of the same kind have enough similarity to distinguish them from normal behavior
- Q: Where do these signatures come from?
  - Record: recorded progression of known attacks
  - Expert: domain knowledge
  - AI: learn by negative and positive feedback

Analyzing IDS Effectiveness
- What constitutes an intrusion/anomaly is really just a matter of definition
  - A system can exhibit all sorts of behavior
- Quality is determined by consistency with a given definition (context sensitive)
- Detection result (T/F) against actual behavior:

                      Detection: T      Detection: F
  True (intrusion)    True Positive     False Negative
  Legal               False Positive    True Negative

Sequences of System Calls
- Forrest et al., in the early/mid 90s: understand the characteristics of an intrusion
- [Figure: attack profile of a system-call trace]
- Idea: match sequences of system calls with profiles (n-grams of system-call sequences, learned)
  - Match sliding windows of sequences
  - If not found, then trigger an anomaly
  - Use n-grams of length 5, 6, 11
  - If found, then it is normal w.r.t. the learned sequences

Evaluating Forrest et al.
- The qualitative measure of detection is the departure of the trace from the database of n-grams
- Further, they measure how far a particular n-gram i departs by computing the minimum Hamming distance of the sample from the database:
  d_min = min { d_ij : for all normal j in the n-gram database }
  This is called the anomaly signal
- Results on lpr, sendmail, etc.
  - About 0.5-0.7% false positive rates
  - And SA = maximum d_min
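The training/detection loop from the Forrest et al. slides above, carried through on a small trace, as an added example that is not code from the lecture. It builds the n-gram database from normal traces, computes d_min per window and SA = max d_min for a monitored trace, and then applies the base-rate calculation that the Bayes slides below work through (Pr(T|F) from Pr(T), Pr(F|T) and Pr(F|not T)). All traces and system-call names are constructed sample data; the window length is 3 rather than the 5, 6 or 11 on the slides so the distances can be checked by hand.

```python
"""n-gram anomaly detection over system-call traces, in the style of
Forrest et al., plus the base-rate calculation from the Bayes slides.

Added example; not code from the lecture. All traces below are
constructed sample data and the system-call names are illustrative.
"""


def ngrams(trace, n):
    """Every length-n sliding window of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(normal_traces, n):
    """Training phase: the set of all n-grams seen in normal runs."""
    db = set()
    for trace in normal_traces:
        db.update(ngrams(trace, n))
    return db


def hamming(a, b):
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def anomaly_signal(trace, db, n):
    """Detection phase.

    For each window i of the monitored trace, d_min(i) is the minimum
    Hamming distance to any window j in the database (0 if the window
    itself is in the database). SA, the anomaly signal of Forrest et al.,
    is the maximum d_min over the trace. Returns (list of d_min, SA).
    """
    dmins = []
    for window in ngrams(trace, n):
        if window in db:
            dmins.append(0)
        else:
            dmins.append(min(hamming(window, known) for known in db))
    return dmins, (max(dmins) if dmins else 0)


def mismatch_rate(trace, db, n):
    """Fraction of windows absent from the database: the trace's
    'departure' from the learned profile."""
    windows = ngrams(trace, n)
    return sum(w not in db for w in windows) / len(windows)


def attack_given_alarm(p_attack, p_alarm_given_attack, p_alarm_given_normal):
    """Base-rate calculation from the slides, via Bayes' Rule.

    Pr(F)   = Pr(F|T) Pr(T) + Pr(F|not T) Pr(not T)
    Pr(T|F) = Pr(F|T) Pr(T) / Pr(F)
    Returns (Pr(F), Pr(T|F)).
    """
    p_alarm = (p_alarm_given_attack * p_attack
               + p_alarm_given_normal * (1 - p_attack))
    return p_alarm, p_alarm_given_attack * p_attack / p_alarm


# Constructed sample traces (not real sendmail/lpr data).
N = 3  # short windows so the arithmetic can be followed by hand
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"],
    ["open", "read", "mmap", "close", "open", "read", "mmap", "close"],
]
HELD_OUT_NORMAL = ["open", "read", "mmap", "close"]
# A constructed trace that departs from the profile after its third call.
DEVIANT_TRACE = ["open", "read", "mmap", "mmap", "execve", "setuid", "write"]

DB = train(NORMAL_TRACES, N)

if __name__ == "__main__":
    for name, trace in [("held-out normal", HELD_OUT_NORMAL),
                        ("deviant", DEVIANT_TRACE)]:
        dmins, sa = anomaly_signal(trace, DB, N)
        print(f"{name}: d_min per window={dmins} SA={sa} "
              f"mismatch rate={mismatch_rate(trace, DB, N):.2f}")
    # The gedanken experiment: 99% detector, 1% false alarms, 1-in-10,000 attacks.
    p_f, p_t_given_f = attack_given_alarm(0.0001, 0.99, 0.01)
    print(f"Pr(F)={p_f:.6f}  Pr(T|F)={p_t_given_f:.4f}")
```

The held-out normal trace scores SA = 0 because every window is in the database; the deviant trace scores SA = 3 with d_min rising window by window as the trace leaves the learned behaviour, which is what the anomaly signal is meant to expose. The last call reproduces the slides' numbers: Pr(F) = .010098 and Pr(T|F) is about .0098, i.e. roughly 101 alarms for each true intrusion at that base rate.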
"Gedanken" Experiment
- Assume a very good anomaly detector (99%)
- And a pretty constant attack rate, where you can observe that 1 out of 10,000 events is malicious
- Are you going to detect the adversary well?

Bayes' Rule
- Pr(x): probability of event x
  - Pr(sunny) = .8 (80% chance of a sunny day)
- Pr(x|y): probability of x given y
  - Conditional probability
  - Pr(cavity|toothache) = .6 (60% chance of a cavity given you have a toothache)
- Bayes' Rule of conditional probability:
  Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)
- Now: Pr(cavity) = .5, Pr(toothache) = .1

The Base-Rate Bayesian Fallacy
- Setup
  - Pr(T) is the attack probability, 1/10000
    - Pr(T) = .0001
  - Pr(F) is the probability of an event flagging (unknown)
  - Pr(F|T) is 99% accurate (much higher than most known techniques)
    - Pr(F|T) = .99
- Deriving Pr(F):
  Pr(F) = Pr(F|T) Pr(T) + Pr(F|not T) Pr(not T)
  Pr(F) = .99 x .0001 + .01 x .9999 = .010098
- Now, what's Pr(T|F)?

The Bayesian Fallacy (cont.)
- Now plug it in to Bayes' Rule:
  Pr(T|F) = Pr(F|T) Pr(T) / Pr(F) = .99 x .0001 / .010098 = .0098
- So a 99% accurate detector leads to
  - .01 (1%) accurate detection
  - With 99 false positives per true positive
- This is a central problem with ID
  - Suppression of false positives is the real issue
  - Open question: makes some systems unusable

Where is Anomaly Detection Useful?
  Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)

  Case    Pr(B)      Pr(A)      Pr(A|B)    Pr(B|A)
  A       .1         .038       .65        .7
  B       .001       .01098     .99        .090164
  C       .01        .0108      .99        .91667
  D       .00001     .00002     .99999     .5

  (The Pr(A) entry for case A is garbled in the source; the value extracted, .038, does not satisfy Bayes' Rule with the other three entries, which require Pr(A) of about .093. Rows B, C and D check out as written.)

The ROC Curve
- Receiver operating characteristic
- Curve that shows the detection / false positive ratio
- [Figure: ROC curve, with the ideal detector marked]
- Axelsson talks about the real problem with some authority and shows how this is not unique to CS
  - Medical, criminology (think Super Bowl), financial

The Reality
- Intrusion detection systems are good at catching demonstrably bad behavior (and some subtle)
- Alarms are the problem
  - How do you suppress them?
  - ... and not suppress the true positives?
  - This is a limitation of probabilistic pattern matching and has nothing to do with bad science
- Beware: the fact that an IDS system is not alarming does not mean the network is safe
  - All too often used as a tool to demonstrate "all safe", but it is not really appropriate for that

CSE 543 Computer Security, Fall 2006
Lecture 24: Virtual Machine Security (November 28, 2006)
Professor Jaeger, Pennsylvania State University
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06

Operating System Quandary
- Recall Saltzer-Schroeder
- Q: What is the primary goal of system security?
- OS enables multiple users/programs to share resources on a physical device
  - Access control policies of the OS become complex
  - We'll see via SELinux
- What are we to do?

Virtual Machines
- Instead of using system software to enable sharing, use system software to enable isolation
- Virtualization
  - "a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, and end users interact with those resources"
- Virtual machines
  - A single physical resource can appear as multiple logical resources

Virtual Machine Architectures
- Full system simulation
  - CPU can be simulated
- Paravirtualization (Xen)
  - VM has a special API
  - Requires OS changes
- Native virtualization (VMware)
  - Simulate enough HW to run the OS
  - OS is for the same CPU
- Application virtualization (JVM)
  - Application API

Virtual Machine Types
- Type I
  - Lowest layer of software is the VMM
  - E.g., Xen, VAX VMM, etc.
- Type II
  - Runs on a host operating system
  - E.g., VMware, JVM, etc.
- Q: What are the trust model issues with Type II compared to Type I?

VM Security
- Isolation of VM computing
  - Like a separate machine
- [Figure: VMs above a Virtual Machine Monitor; the VMM partitions resources, handles device requests, and controls the physical device]

VAX VMM Security Kernel
- A1 assured virtual machine system
- Virtualization
  - Protect sensitive state
  - Sensitive instructions must be virtualized (i.e., require privilege)
  - Access to sensitive data must be virtualized (ditto)
- Need to hide virtualization
  - Systems cannot see that they are being virtualized
- I/O processing
  - Need to share access to devices correctly
  - Special driver interface, all in the VMM security kernel
- Self-virtualization: run the VMM as a VM

VM Security
- Do VMs need to communicate or share resources?
- How do they do it?

VAX VMM Access Control
- Subjects and objects
  - Coarse-grained access control possible
  - VMs are subjects
  - Disk partitions are objects
- Lattice policies for secrecy and integrity
  - Bell-LaPadula for secrecy
  - Biba for integrity
- Privileges for special operations
  - E.g., administrative operations
- Discretionary access controls

Aside: Bell-LaPadula
- Simple security property
  - Read-down only
  - S can read O if and only if S's access class dominates O's
- *-security property
  - Write-up only
  - S can write to O if and only if O's access class dominates S's
- Basic Security Theorem: every protection state satisfies the simple and *-security properties
  - Bell-LaPadula meets this trivially
  - Q: Why is this?

VAX VMM Challenges
- Q: Why was the project cancelled?
  - Drivers in VMM (new model)
  - Development languages/performance (Pascal)
  - Usability (Where's X?)
  - Lack of customers
  - Hardware changes
  - Covert channel defenses (fuzzy time)
  - Insanity

NetTop
- Isolated networks of VMs
  - Alternative to air gap security
- [Figure: two hosts, each running a "VM Secret" and a "VM Public" on VMware over an MLS SELinux host OS]

Xen
- Paravirtualized hypervisor
- Privileged VM (Dom0)
- [Figure: DomU VMs and the Dom0 device domain above the Xen hypervisor; partitioned services, device requests, resources]

Xen sHype
- Controlled information flows among VMs
- [Figure: the Xen diagram above, with a reference monitor in the hypervisor controlling flows between domains]

Xen sHype Policies
- Type Enforcement
  - Mandatory access matrix policy associating subject labels with object labels and operations
  - A VM with subject label L can perform an operation op on an object (e.g., VM, memory, file system) with object label M if the TE policy access matrix includes an entry for this
- Chinese Wall
  - Conflict of interest restrictions
  - A subject can access an object labeled L in conflict group C
    - if the subject has previously accessed an object labeled L, or
    - if the subject has not previously accessed an object of any label in conflict group C
- Q: Where are Type Enforcement and Chinese Wall used?

Java Virtual Machine
- Interpret Java bytecodes
  - Machine specification defined by bytecode
  - On all architectures, run the same bytecodes
  - "Write once, run anywhere"
- Can run multiple programs within a JVM simultaneously
  - Different classloaders can result in different protection domains
- How do we enforce access control?

Java Security Architecture
- Java 1.0: Applets and Applications
  - Local code has full access to resources; remote code is confined to the sandbox
  - Both run in the JVM; the Security Manager mediates access to system resources (files, network connections, etc.)
- Java 1.1: Signed code
  - Trusted remote (think Authenticode)
- Java 1.2: Flexible access control (included in Java 2)
  - Local or remote code is mapped by the security policy to protection domains in the JVM
  - The Security Manager mediates access to system resources (files, network connections, etc.)

Stack Inspection
- Authorize based on the protection domains on the stack
  - Union of all sources
  - All must have permission
- [Figure: a call stack listing, per frame, the protection domain, class and method, e.g., frames for java.io.FileInputStream and java.lang.SecurityManager]
- doPrivileged
  - doPrivileged terminates the backtrace
  - Like setuid, with similar risks

Virtual Machine Threats
- How does the insertion of a virtual machine layer change the threats against the system?
- Virtual machine rootkit

Rootkit
- Malicious software installed by an attacker on a system
  - Enable it to run on each boot
- OS rootkits
  - Kernel module, signal handler
  - When the kernel is booted, the module is installed and intercepts user process requests, interrupts, etc.
  - E.g., keylogger
- VM rootkit
  - Research project from Michigan and Microsoft
  - If the security service runs in a VM, then a rootkit in the VMM can evade security
  - E.g., can continue to run even if the system appears to be off

Take Away
- VM systems focus on isolation
- Enable reuse, but limited by security requirements
- Enable limited communication
- The policies are not trivial
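The two sHype policy types from the "Xen sHype Policies" slide, modelled in Python as an added example (this is not sHype's own code or policy format). The Type Enforcement check is a lookup in the (subject label, object label) access matrix; the Chinese Wall check keeps a per-subject access history and applies the two-part rule from the slide. The labels, conflict groups and matrix entries are constructed for illustration.

```python
"""Model of the sHype policy types on the slides: a Type Enforcement access
matrix and a Chinese Wall conflict-of-interest check.

Added example; not sHype's own code. Labels, conflict groups and the access
matrix below are constructed for illustration.
"""


class TypeEnforcement:
    """Mandatory access matrix: (subject label, object label) -> operations."""

    def __init__(self, matrix):
        self.matrix = {k: frozenset(v) for k, v in matrix.items()}

    def allowed(self, subject_label, object_label, op):
        # A VM labelled L may perform op on an object labelled M only if the
        # matrix has an entry (L, M) that lists op; everything else is denied.
        return op in self.matrix.get((subject_label, object_label), frozenset())


class ChineseWall:
    """Conflict-of-interest policy over object labels grouped into conflict
    groups; decisions depend on each subject's own access history."""

    def __init__(self, conflict_groups):
        self.groups = {name: frozenset(labels)
                       for name, labels in conflict_groups.items()}
        self.group_of = {label: name
                         for name, labels in self.groups.items()
                         for label in labels}
        self.history = {}   # subject -> set of object labels already accessed

    def allowed(self, subject, object_label):
        seen = self.history.get(subject, set())
        group = self.group_of.get(object_label)
        if group is None:
            return True       # label in no conflict group: unrestricted
        # Permitted if the subject already accessed this label, or has never
        # touched any label in the same conflict group.
        return object_label in seen or not (seen & self.groups[group])

    def access(self, subject, object_label):
        """Check and, if allowed, record the access so later decisions see it."""
        if not self.allowed(subject, object_label):
            return False
        self.history.setdefault(subject, set()).add(object_label)
        return True


# Constructed TE policy: VM labels, object labels and permitted operations.
TE = TypeEnforcement({
    ("vm_green", "disk_green"): {"read", "write"},
    ("vm_green", "net_shared"): {"read"},
    ("vm_red", "disk_red"): {"read", "write"},
})

# Constructed conflict groups for the Chinese Wall policy.
CONFLICT_GROUPS = {
    "banks": {"bank_a", "bank_b"},
    "oil": {"oil_x", "oil_y"},
}


def run_scenario():
    """One VM's sequence of accesses under a fresh Chinese Wall policy;
    returns the list of decisions in order."""
    cw = ChineseWall(CONFLICT_GROUPS)
    return [
        cw.access("vm_green", "bank_a"),   # first bank: allowed
        cw.access("vm_green", "bank_b"),   # competitor in same group: denied
        cw.access("vm_green", "bank_a"),   # same bank again: allowed
        cw.access("vm_green", "oil_x"),    # different conflict group: allowed
    ]


if __name__ == "__main__":
    print("TE:", TE.allowed("vm_green", "disk_green", "write"),
          TE.allowed("vm_green", "net_shared", "write"),
          TE.allowed("vm_red", "disk_green", "read"))
    print("Chinese Wall:", run_scenario())
```

The TE matrix is a pure function of labels, so its decisions never change; the Chinese Wall decision for the same (subject, label) pair can flip from allowed to denied depending on what the subject touched earlier, which is why the monitor has to record successful accesses and not only check them.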
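The stack inspection rule from the Java slides above (every protection domain on the stack must hold the permission; doPrivileged terminates the backtrace), as an added Python model rather than the JVM's own AccessController. The domains, permission names and the classes other than java.io.FileInputStream and java.net.Socket (lib.FontLoader, applet.Main, vendor.Client) are constructed for illustration.

```python
"""Model of Java 2 stack inspection: every frame on the call stack must
belong to a protection domain that holds the requested permission, and a
doPrivileged frame ends the walk.

Added example; a Python model, not the JVM's AccessController. Domains,
permission names and most class names are constructed for illustration.
"""
from collections import namedtuple

# One activation record: the class that is executing, the protection domain
# its classloader assigned it, and whether it entered via doPrivileged.
Frame = namedtuple("Frame", ["cls", "domain", "privileged"])

# Constructed policy: permissions granted per protection domain.
DOMAINS = {
    "system": {"FILE_READ", "FILE_WRITE", "SOCKET_CONNECT"},
    "applet": set(),                  # untrusted remote code: the sandbox
    "signed": {"SOCKET_CONNECT"},     # signed remote code, partially trusted
}


def check_permission(stack, permission, domains=DOMAINS):
    """Walk the stack from the most recent frame down (stack[0] is the top).

    Denied as soon as any frame's domain lacks the permission, so the
    effective rights are the intersection of all callers' rights. A frame
    that entered via doPrivileged terminates the backtrace: callers below
    it are not consulted, and the request is granted if that frame's own
    domain holds the permission.
    """
    for frame in stack:
        if permission not in domains.get(frame.domain, set()):
            return False
        if frame.privileged:
            return True
    return True


# Scenario 1: applet code calls into java.io.FileInputStream. The applet's
# frame is on the stack, so FILE_READ is denied even though system code
# performs the actual read.
APPLET_READS_FILE = [
    Frame("java.io.FileInputStream", "system", False),
    Frame("applet.Main", "applet", False),
]

# Scenario 2: system code (a hypothetical font loader) calls doPrivileged
# before opening a file on the applet's behalf; the walk stops there.
PRIVILEGED_SYSTEM_CODE = [
    Frame("java.io.FileInputStream", "system", False),
    Frame("lib.FontLoader", "system", True),
    Frame("applet.Main", "applet", False),
]

# Scenario 3: the applet calls doPrivileged itself. Its own domain has no
# FILE_READ, so the privileged block does not raise its rights.
APPLET_DOPRIVILEGED = [
    Frame("java.io.FileInputStream", "system", False),
    Frame("applet.Main", "applet", True),
]

# Scenario 4: signed code opening a socket; both domains hold the permission.
SIGNED_CONNECTS = [
    Frame("java.net.Socket", "system", False),
    Frame("vendor.Client", "signed", False),
]


def decisions():
    """Run the four scenarios; returns a name -> granted? mapping."""
    return {
        "applet reads file": check_permission(APPLET_READS_FILE, "FILE_READ"),
        "privileged system code": check_permission(PRIVILEGED_SYSTEM_CODE, "FILE_READ"),
        "applet doPrivileged": check_permission(APPLET_DOPRIVILEGED, "FILE_READ"),
        "signed code connects": check_permission(SIGNED_CONNECTS, "SOCKET_CONNECT"),
    }


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

Scenario 2 is the setuid-like case the slide warns about: once a system-domain frame calls doPrivileged, whoever is below it on the stack gets the operation done on their behalf, so the privileged region has to be kept as small as the task allows. Scenario 3 shows the other half of the rule: doPrivileged only stops the walk, it never adds rights a domain does not have.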