Protecting Your Local Host From Remote Security Attacks - PowerPoint PPT Presentation

Authors: Jonathon Giffin, Somesh Jha, Bart Miller (University of Wisconsin). Slide footer: WiSA - Jonathon Giffin, 11/6/09.

Transcript
1
Protecting Your Local Host From Remote Security
Attacks
  • Jonathon Giffin, Somesh Jha, Bart Miller
  • University of Wisconsin

2
Overview
  • How to Easily do Dangerous and Malicious Things
    to a Running Job
  • How to Detect Manipulations of Your Jobs with
    Pre-Execution Static Analysis and Runtime
    Monitoring

3
A New View
  • Running programs are objects to be easily
    manipulated
  • The vehicle: the DynInst API

4
DynInst: Dynamic Instrumentation
  • Machine independent library for instrumentation
    of running processes
  • Modify control flow of the process
  • Load new code into the process
  • Remove, replace, or redirect function calls
  • Asynchronously call any function in the process

5
Condor Attack: Lurking Jobs
[Figure: the Submitting Host runs the Shadow Process (user giffin); the Execution Host runs the Malicious User Job (user nobody), whose system calls are forwarded to the shadow.]
6
Condor Attack: Lurking Jobs
[Figure: as slide 5, with a Lurker Process (user nobody) now present on the Execution Host beside the Malicious User Job.]
7
Condor Attack: Lurking Jobs
[Figure: only the Lurker Process (user nobody) is shown on the Execution Host.]
8
Condor Attack: Lurking Jobs
[Figure: a new Shadow Process (user bart) on the Submitting Host and an Innocent User Job (user nobody) on the Execution Host, its system calls forwarded to the shadow; the Lurker Process (user nobody) is still present.]
9
Condor Attack: Lurking Jobs
[Figure: as slide 8; the Lurker Process attaches to the Innocent User Job.]
10
Condor Attack: Lurking Jobs
[Figure: as slide 9; through the attachment the lurker controls the innocent job's remote system calls.]
11
Condor Attack: Lurking Jobs
[Figure: as slide 10; "rm -rf" appears on both the job side and the Shadow Process (user bart) side, i.e. the lurker's command is carried out through the innocent job's shadow on the Submitting Host.]
Can We Safely Execute Our Jobs Remotely?
  • The threats
    1. Cause the job to make improper remote system calls.
    2. Cause the job to calculate an incorrect answer.
    3. Steal data from the remote job.
  • Threat protection strategies
    • Monitor execution of remote job (threat 1)
    • File or system call sandboxing (1)
    • Obfuscate or encode remote job (1, 3)
    • Replicate remote job (2)

13
Countering Remote Attacks
  • Goal: Even if an intruder can see, examine, and
    fully control the remote job, no harm can come to
    the local machine.
  • Method: Model all possible sequences of remote
    system calls. At runtime, update the model with
    each received call.
  • Key technology: Static analysis of binary code.

14
Execution Monitoring
[Figure: pipeline. The User Job enters the Analyzer, which produces a Modified User Job and a Checking Shadow.]
15
Execution Monitoring
[Figure: the Modified User Job on the Execution Host sends its system calls to the Checking Shadow on the Submitting Host, which validates them against the Job Model.]
16
Execution Monitoring
[Figure: as slide 15; Call 1 and Call 2 are accepted by the Job Model, Call 3 is rejected (marked X).]
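The checking-shadow idea of slides 14 through 16 (keep a model of the job's possible call sequences, update it with each received call, refuse a call the model cannot explain), as an added example that is not code from the slides or from the authors' tool. The model is hand-built for the function on slide 18, with line() attached as its own automaton by epsilon edges; the real system derives the model by static analysis of the binary. All state names and the sample call streams are constructed for this example.

```python
# Added example (not from the slides): a simplified "checking shadow" that
# validates the stream of remote system calls a job sends home against a
# model of the job's possible call sequences. The model below is hand-built
# for the function on slide 18; the real tool derives it by static analysis
# of the binary. State names and call streams are this example's own.
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Nondeterministic finite automaton: state -> [(call name, next state)].
# A call name of None is an epsilon edge: control flow (branches, function
# entry and return) that produces no remote call.
Model = Dict[str, List[Tuple[Optional[str], str]]]

# Global automaton for
#   function(int a) { if (a < 0) { read(0, 15); line(); } else { read(a, 15); } close(a); }
# with line() modelled as its own automaton that makes one write() call,
# connected to the caller by epsilon edges (context-insensitive).
FUNCTION_MODEL: Model = {
    "A_entry":     [(None, "A_then"), (None, "A_else")],
    "A_then":      [("read", "A_then_read")],
    "A_then_read": [(None, "line_entry")],   # call into line()
    "A_then_ret":  [(None, "A_join")],       # return point of line()
    "A_else":      [("read", "A_join")],
    "A_join":      [("close", "A_exit")],
    "A_exit":      [],
    "line_entry":  [("write", "line_exit")],
    "line_exit":   [(None, "A_then_ret")],
}


def epsilon_closure(model: Model, states: Iterable[str]) -> FrozenSet[str]:
    """All states reachable from `states` without consuming a call."""
    seen = set(states)
    stack = list(seen)
    while stack:
        state = stack.pop()
        for call, target in model.get(state, []):
            if call is None and target not in seen:
                seen.add(target)
                stack.append(target)
    return frozenset(seen)


class CheckingShadow:
    """Tracks the set of model states consistent with the calls seen so far."""

    def __init__(self, model: Model, start: str) -> None:
        self.model = model
        self.states = epsilon_closure(model, {start})

    def accepted_next(self) -> FrozenSet[str]:
        """Calls the model permits at this point."""
        return frozenset(call for s in self.states
                         for call, _ in self.model.get(s, []) if call is not None)

    def receive(self, call: str) -> bool:
        """Update the model with a received call. False means the call is
        impossible for this job here and must not be executed locally."""
        targets = {t for s in self.states
                   for c, t in self.model.get(s, []) if c == call}
        if not targets:
            return False
        self.states = epsilon_closure(self.model, targets)
        return True


def first_rejected(model: Model, start: str, calls: List[str]) -> Optional[int]:
    """Index of the first call the shadow refuses, or None if all are accepted."""
    shadow = CheckingShadow(model, start)
    for i, call in enumerate(calls):
        if not shadow.receive(call):
            return i
    return None


if __name__ == "__main__":
    # Constructed call streams: two legitimate runs, then a stream in which a
    # manipulated job tries to slip an unlink() in after its read().
    for stream in (["read", "write", "close"], ["read", "close"], ["read", "unlink"]):
        print(stream, "-> first rejected index:",
              first_rejected(FUNCTION_MODEL, "A_entry", stream))
```

The set-of-states update is what makes the model tolerate the nondeterminism of slide 16's "Call 1, Call 2": after the first read the shadow does not yet know which branch ran, so both write and close remain acceptable, and only a call outside that set (here unlink) is refused.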
17
Model Construction
[Figure: the Analyzer takes the Binary Program of the User Job, builds Control Flow Graphs, converts them to Local Automata, and combines these into a Global Automaton used by the Checking Shadow; the Modified User Job is the analyzer's other output.]
Control Flow Graph Generation
  function( int a )
      if( a < 0 )
          read( 0, 15 )
          line()
      else
          read( a, 15 )
      close( a )

19
Control Flow Graph Translation
20
Interprocedural Model Generation
[Figure: local automaton of function A; transitions labelled read, read, close, line.]
21
Interprocedural Model Generation
[Figure: the automaton of line (one write transition) is attached at A's line call; labels now read, read, line, write, close, line.]
22
Interprocedural Model Generation
[Figure: function B's automaton (line, close, line) is joined to A's; labels: B, A, line, read, read, line, write, close, close, line.]
23
Interprocedural Model Generation
[Figure: as slide 22 with the last line label removed; labels: B, A, line, read, read, line, write, close, close.]
24
Interprocedural Model Generation
[Figure: the global automaton; labels: B, A, read, read, line, write, close, close.]
25
Possible Paths
[Figure: the global automaton of slide 24 with one possible execution path highlighted.]
26
Possible Paths
[Figure: the same automaton with a second possible execution path highlighted.]
27
Impossible Paths
[Figure: the same automaton with a highlighted path that the automaton accepts but that no execution of the program can follow.]
28
Impossible Paths
[Figure: a second such impossible path highlighted.]
29
Adding Context Sensitivity
[Figure: the same automaton with the edges from B into A and from A back to B tagged X and Y, one tag per call site, so that a return is accepted only to the site that made the call.]
30
Rewriting User Job
[Figure: the Analyzer takes the Binary Program of the User Job and emits a Rewritten Binary, the Modified User Job, alongside the Checking Shadow.]
31
Null Call Insertion
[Figure: the global automaton of slide 24; labels B, A, read, read, line, write, close, close.]
32
Null Call Insertion
[Figure: the same automaton with null calls inserted, null_2 beside one close transition and null_1 beside the other.]
33
Call Site Renaming
  • Give each monitored call site a unique name
    • Captures arguments
    • Obfuscation
    • Limits attack call set
    • Reduces nondeterminism

  function( int a )
      if( a < 0 )
          read( 0, 15 )
          line()
      else
          read( a, 15 )
      close( a )
34
Call Site Renaming
  function( int a )
      if( a < 0 )
          _638()
          line()
      else
          read( a, 15 )
      close( a )
35
Call Site Renaming
  function( int a )
      if( a < 0 )
          _638()
          line()
      else
          _83( a )
      close( a )
36
Call Site Renaming
  function( int a )
      if( a < 0 )
          _638()
          line()
      else
          _83( a )
      _1920( a )
37
Call Site Renaming
[Figure: the local automaton of the renamed function; transitions labelled _638, _83, _1920, line.]
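How the shadow side of call site renaming (slides 33 through 37) can work, as an added example that is not code from the slides or from the authors' tool: each renamed site maps to the real system call plus the constant arguments captured at rewrite time, so the job transmits only the arguments that vary, a raw call name is not in the table at all, and the set of system calls reachable through the job is exactly the table's. What _638, _83 and _1920 stand for is read off slides 34 through 36; the table format and the VAR placeholder are this example's assumptions.

```python
# Added example (not from the slides): resolving renamed call sites at the
# checking shadow. The site table is this example's reconstruction of the
# slides' _638 / _83 / _1920; the format and the VAR placeholder are assumed.
from typing import Any, Dict, FrozenSet, Optional, Tuple

VAR = object()  # marks an argument the remote job still supplies at runtime

SiteTable = Dict[str, Tuple[str, Tuple[Any, ...]]]

# Site name -> (system call, argument template with constants captured).
SITE_TABLE: SiteTable = {
    "_638":  ("read",  (0, 15)),     # read(0, 15): both arguments constant
    "_83":   ("read",  (VAR, 15)),   # read(a, 15): first argument varies
    "_1920": ("close", (VAR,)),      # close(a)
}


def resolve(site: str, args: Tuple[Any, ...],
            table: SiteTable = SITE_TABLE) -> Optional[Tuple[str, Tuple[Any, ...]]]:
    """Map a renamed call received from the job to the real system call the
    shadow should issue. None means the request is not one the rewritten job
    can make and must be refused."""
    entry = table.get(site)
    if entry is None:
        return None  # raw names such as "read" are not sites: rejected
    syscall, template = entry
    variable_slots = sum(1 for t in template if t is VAR)
    if len(args) != variable_slots:
        return None  # the job tried to override a captured constant, or dropped an argument
    supplied = iter(args)
    full_args = tuple(next(supplied) if t is VAR else t for t in template)
    return syscall, full_args


def attack_call_set(table: SiteTable = SITE_TABLE) -> FrozenSet[str]:
    """System calls a manipulated job can reach at all through the renamed sites."""
    return frozenset(syscall for syscall, _ in table.values())


if __name__ == "__main__":
    # Constructed requests: legitimate renamed calls, then two that a
    # manipulated job might send (a raw syscall name, and a site with the
    # captured constants overridden).
    for site, args in (("_638", ()), ("_83", (7,)), ("_1920", (7,)),
                       ("read", (0, 4096)), ("_638", (0, 4096))):
        print(site, args, "->", resolve(site, args))
    print("reachable system calls:", sorted(attack_call_set()))
```

Captured constants are what gives the "captures arguments" bullet its teeth: a job rewritten this way cannot turn read(0, 15) into a read of a different size, because the size never crosses the wire.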
38
Prototype Implementation
  • Simulates remote execution environment
  • Null calls inserted at function entries
  • Measure null call overheads
  • Measure null call bandwidth use
  • Measure model precision

39
Test Programs
40
Precision Metric
  • Average branching factor

[Figure: model fragment with transitions chown, getpid, open.]
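The precision metric of slide 40 computed over a model with and without the null calls of slides 31 and 32, as an added example that is not code from the slides or from the authors' tool. The program it models is constructed (a function B that reaches A's read from two branches, one of which writes before closing), the possible paths are given explicitly as an acyclic list, and the metric is defined here as the mean number of distinct calls the monitor would accept at each point where it waits for a call; that definition and the placement of the null calls are this example's assumptions.

```python
# Added example (not from the slides): average branching factor as a model
# precision metric, evaluated on constructed call paths before and after
# null call insertion. The metric definition and the null call placement
# are this example's assumptions.
from fractions import Fraction
from typing import Dict, List, Sequence

# Possible remote call sequences of the program (the "possible paths" view
# of slides 25-26), as an explicit acyclic list. Constructed for this
# example: B takes one of two branches, each calling A, which does a read.
PATHS_PLAIN: List[List[str]] = [
    ["read", "write", "close"],   # B branch 1: A() then write then close
    ["read", "close"],            # B branch 2: A() then close
]

# The same program after the rewriter inserts a distinct null call at the
# start of each branch in B. A null call is a remote call that does nothing
# at the shadow except advance the model.
PATHS_WITH_NULLS: List[List[str]] = [
    ["null_1", "read", "write", "close"],
    ["null_2", "read", "close"],
]


class Node:
    """One point in the prefix tree of possible call sequences."""

    def __init__(self) -> None:
        self.children: Dict[str, "Node"] = {}


def build_prefix_tree(paths: Sequence[Sequence[str]]) -> Node:
    """Merge paths that share a prefix: until they diverge, the monitor
    cannot tell which of them the job is on."""
    root = Node()
    for path in paths:
        node = root
        for call in path:
            node = node.children.setdefault(call, Node())
    return root


def average_branching_factor(paths: Sequence[Sequence[str]]) -> Fraction:
    """Mean number of distinct calls accepted next, over every point at which
    the monitor waits for a call (leaves, where the job has finished, excluded)."""
    counts: List[int] = []
    stack = [build_prefix_tree(paths)]
    while stack:
        node = stack.pop()
        if node.children:
            counts.append(len(node.children))
            stack.extend(node.children.values())
    return Fraction(sum(counts), len(counts))


def null_call_count(paths: Sequence[Sequence[str]]) -> int:
    """Extra remote messages the null calls cost across all paths (slide 38's
    bandwidth measurement, in its simplest form)."""
    return sum(1 for path in paths for call in path if call.startswith("null_"))


if __name__ == "__main__":
    print("plain model:      ", average_branching_factor(PATHS_PLAIN))
    print("with null calls:  ", average_branching_factor(PATHS_WITH_NULLS))
    print("null call messages:", null_call_count(PATHS_WITH_NULLS))
```

Without null calls the monitor, having seen read, must accept either write or close (branching factor 2 at that point); the null call at the top of each branch tells it which branch ran, so every later point accepts exactly one call. The price is the extra message per branch, which is the bandwidth cost slide 38 measures.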
41
(No Transcript)
42
Null Call Costs: Monitoring Overhead and Bandwidth
43
(No Transcript)
44
Important Ideas
  • Running jobs remotely enables malicious attacks
    against the shadow process.
  • Pre-execution static analysis to construct a
    model of the remote call sequences addresses this
    threat.
  • Improving model precision is a hard problem. Null
    calls are an effective and reasonable
    optimization.

45
Protecting Your Local Host From Remote Security
Attacks
  • Jonathon Giffin, Somesh Jha, Bart Miller
  • University of Wisconsin