LibSec: A Security Library for Network Applications - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
LibSec: A Security Library for Network Applications
  • Jayanthkumar Kannan, Ion Stoica, Scott Shenker,
    Vern Paxson

2
Motivation
  • Network apps will need to be protected from
    exploits
  • Some programs are too large for humans or program
    verification techniques to prevent bugs
  • Some bugs may allow a remote attacker to
    accomplish her intent
  • State of the art in defense
  • Unknown attacks: no foolproof way is known that
    works for all bugs (with significant advances
    against memory-safety exploits)
  • Known exploits: intrusion prevention, e.g. network
    intrusion detection (Bro) and host intrusion
    prevention (Janus, Shield)

3
All IPS systems aim to ...
  • Prevent the application from entering some bad
    state, or impose a certain policy
  • Input filtering: sanitizing the application's input
  • NIDS: Bro (network-packet level) uses ACLs and DPI
  • HIDS: Janus (sys-call level) monitors syscalls
  • HNIDS: Shield (network-packet level, at the host)
    uses ACLs and DPI

4
Fidelity problem
  • Policies on input are typically expressed in
    terms of application semantics
  • Such policies are not directly expressible today
  • NIDS/HNIDS use ACLs and DPI and express policies
    in terms of packet fields
  • HIDS use sys-call sequences
  • This policy gap leads to
  • Certain policies that cannot even be expressed
  • A sandbox being overly restrictive or permissive
  • Essentially, all approaches impose policies on
    whatever is observable

5
Clean-slate firewall
  • How would a clean-slate firewall look?
  • Applications rewritten
  • To expose their internal state, to help solve the
    fidelity problem
  • Rewritten using LibSec
  • A state-aware version of LibAsync
  • LibSec is used to impose policies and check
    invariants

6
  • Motivation
  • High-Level Approach
  • Related Work
  • Conclusions

7
Diagram (labels only): Application, Firewall, LibSec,
Network
8
Mechanistic assumptions
  • Application not compromised yet
  • So the application can be trusted (barring bugs
    in libGestalt itself)
  • Trust the internal app, not the external app
  • LibSec trusted

9
Gestalt API
  • Addressing
  • Sessions
  • State

10
Addresses: Principles
  • Today: IP addresses, port numbers
  • Problems
  • IP addresses are spoofable (so ACL rules are
    subvertable)
  • Solution: introduce self-certifying identifiers at
    the app layer, independent of the IP address:
    Application Instance Identifiers (AID)
  • Problems
  • Port numbers are used to identify the application
  • Solution: replace them by an Application Version
    Identifier (AVD), which includes a hash of the
    binary

11
Addresses: Details
  • Server: listening port number replaced by
  • Application Identifier (AID) = (app_id, inst_id)
  • app_id = hash, inst_id = public key
  • Client: ephemeral port number replaced by
  • (session_id, sub_session_id)
  • session_id demultiplexes between multiple clients
    talking to the server
  • sub_session_id demultiplexes multiple connections
    within one session
  • Replacement for the TCP 4-tuple
  • (client-flow-id, server-flow-id)
  • client-flow-id = (app_id, inst_id, session_id,
    sub_session_id)
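The two addressing slides say what an AID is but not why it is "self-certifying". The following is an added example (not LibSec/Gestalt code) that makes the point concrete: an AID = (app_id, inst_id) with app_id = hash of the binary and inst_id = a public key can be verified by the peer from the identifier alone, so a forged source IP buys the attacker nothing. The flow-id layout, the use of SHA-256 and Ed25519, the challenge/nonce exchange and every type and function name here are assumptions; the slides only define the tuple.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AID is an Application Instance Identifier as on the slides: app_id is the
// hash of the application binary, inst_id is the instance's public key.
type AID struct {
	AppID  [32]byte          // assumed: SHA-256 of the binary image
	InstID ed25519.PublicKey // assumed: Ed25519 public key
}

// FlowID is one half of the replacement for the TCP 4-tuple:
// (app_id, inst_id, session_id, sub_session_id).
type FlowID struct {
	AID          AID
	SessionID    uint32
	SubSessionID uint32
}

// Instance holds the private key that goes with an AID's inst_id.
type Instance struct {
	ID   AID
	priv ed25519.PrivateKey
}

// AppIDOf derives app_id from the binary image.
func AppIDOf(binary []byte) [32]byte { return sha256.Sum256(binary) }

// NewInstance builds an AID for a binary plus a freshly generated instance key.
func NewInstance(binary []byte) (*Instance, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Instance{ID: AID{AppID: AppIDOf(binary), InstID: pub}, priv: priv}, nil
}

// proofMessage binds the proof to the whole flow-id and the verifier's nonce,
// so a signature captured on one session cannot be replayed on another.
func proofMessage(flow FlowID, nonce []byte) []byte {
	m := append([]byte{}, flow.AID.AppID[:]...)
	m = append(m, flow.AID.InstID...)
	var ids [8]byte
	binary.BigEndian.PutUint32(ids[:4], flow.SessionID)
	binary.BigEndian.PutUint32(ids[4:], flow.SubSessionID)
	m = append(m, ids[:]...)
	return append(m, nonce...)
}

// Prove is run by the instance that claims the flow-id.
func (in *Instance) Prove(flow FlowID, nonce []byte) []byte {
	return ed25519.Sign(in.priv, proofMessage(flow, nonce))
}

// Verify is run by the peer (or a LibSec-style firewall holding an ACL entry
// for the expected AID): the key carried in inst_id checks the proof, and
// app_id pins the application version. No IP address is consulted.
func Verify(flow FlowID, nonce, sig []byte, expected AID) error {
	if flow.AID.AppID != expected.AppID {
		return errors.New("app_id mismatch: not the expected application version")
	}
	if len(flow.AID.InstID) != ed25519.PublicKeySize {
		return errors.New("malformed inst_id")
	}
	if !bytes.Equal(flow.AID.InstID, expected.InstID) {
		return errors.New("inst_id mismatch: not the expected instance")
	}
	if !ed25519.Verify(flow.AID.InstID, proofMessage(flow, nonce), sig) {
		return errors.New("inst_id ownership proof failed")
	}
	return nil
}

func main() {
	// Constructed inputs: a stand-in for the server binary and a client nonce.
	bin := []byte("ftpd-2.0 image")
	server, err := NewInstance(bin)
	if err != nil {
		panic(err)
	}
	flow := FlowID{AID: server.ID, SessionID: 42, SubSessionID: 1}
	nonce := []byte("client-nonce-0001")
	fmt.Println("genuine instance:", Verify(flow, nonce, server.Prove(flow, nonce), server.ID))
	// An attacker spoofing the server's IP still cannot sign with the server's inst_id.
	attacker, _ := NewInstance(bin)
	fmt.Println("forged proof:", Verify(flow, nonce, attacker.Prove(flow, nonce), server.ID))
}
```

Two properties fall out of this construction: an attacker who presents its own key changes the AID (so an ACL keyed on the server's AID no longer matches), and an attacker who copies the server's AID cannot produce the ownership proof. Binding the signature to the full flow-id and a fresh nonce also stops replay of a captured proof on another session.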

12
Gestalt API
  • Addressing
  • Sessions
  • State

13
Sessions: Definition
  • Session
  • Unit of application interaction
  • E.g. HTTP: multiple TCP connections between a
    client and a server to fetch a complete web page
  • E.g. BitTorrent: a client would establish multiple
    TCP connections to the tracker and other clients
  • Currently, IPS systems try to guess which
    connections belong to the same session
  • E.g. client says "allow BitTorrent"
  • Leads to difficulty in accounting for traffic,
    and makes configuration to allow certain
    applications difficult

14
Sessions: API
  • Session setup
  • AppInstance ServerInstanceListen(AppVersionID,
    AppInstanceId, SessionCallback, SecPolicy)
  • AppInstance ClientInstance(AppVersionID,
    AppInstanceId, SessionCallback, SecPolicy)
  • Sub-sessions
  • SubSessionId GrantSubsession(AppInstance,
    Session, SecPolicy, SubSessionCallback)
  • Sub-session identifiers are negotiated in-line:
    the application requests LibSec to open up the
    port appropriately

15
Gestalt API
  • Addressing
  • Sessions
  • State

16
State
  • State of the application is decoupled into state
    per ongoing session
  • Per-session state is exposed by the event-based
    model in LibSec
  • Meaning the application can notify the library
    transparently before changing state
  • E.g. FTP states: received username, received
    password, waiting for command
  • State transition diagram is specified via a
    configuration file
  • Maps each old_state to the list of all possible
    new_states it can transition to

17
State
  • Security policy of the form:
  • If the app is in state S, a packet of type T is bad
  • Protocol state machine
  • Represents the state of the application w.r.t. the
    client connected on that session
  • Nodes correspond to states, edges correspond to
    events
  • Three types of events
  • App events: timers, callbacks, etc.
  • OS events: read/write file, signals, etc.
  • Network events: packets
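The two "State" slides describe the mechanism in words: a per-session state machine whose transition diagram comes from a configuration file mapping each old_state to its allowed new_states, and policies of the form "in state S, a packet of type T is bad", checked on every event before the application changes state. The following added example (not LibSec's code) implements exactly that check over constructed FTP traffic using the states named on the slides. The configuration-file syntax, the event and policy types, and the sample events are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

type State string

type EventKind int

const (
	AppEvent EventKind = iota // timers, callbacks
	OSEvent                   // file read/write, signals
	NetEvent                  // packets
)

// Event is delivered to the checker before the application changes state, so
// the checker can veto both the packet and the intended transition.
type Event struct {
	SessionID uint32
	Kind      EventKind
	Type      string // packet type, callback/timer name, or syscall
	Next      State  // state the app intends to enter; "" means no change
}

type Policy struct {
	Transitions map[State][]State  // old_state -> allowed new_states (config file)
	BadPackets  map[State][]string // state S -> packet types T that are bad in S
}

type Session struct {
	ID    uint32
	State State
}

// ParseTransitions reads lines of the assumed form "old_state: new_state, new_state".
func ParseTransitions(cfg string) (map[State][]State, error) {
	out := map[State][]State{}
	for n, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("line %d: expected \"old_state: new_state, ...\"", n+1)
		}
		old := State(strings.TrimSpace(parts[0]))
		for _, s := range strings.Split(parts[1], ",") {
			if s = strings.TrimSpace(s); s != "" {
				out[old] = append(out[old], State(s))
			}
		}
	}
	return out, nil
}

// Check enforces the policy for one event and applies the transition if it passes.
// Events of one session must reach Check serially; the slides obtain that by delaying events.
func (p *Policy) Check(s *Session, ev Event) error {
	if ev.Kind == NetEvent {
		for _, bad := range p.BadPackets[s.State] {
			if bad == ev.Type {
				return fmt.Errorf("session %d: packet %s is bad in state %s", s.ID, ev.Type, s.State)
			}
		}
	}
	if ev.Next != "" {
		allowed := false
		for _, n := range p.Transitions[s.State] {
			if n == ev.Next {
				allowed = true
			}
		}
		if !allowed {
			return fmt.Errorf("session %d: transition %s -> %s not in state diagram", s.ID, s.State, ev.Next)
		}
		s.State = ev.Next
	}
	return nil
}

// Run feeds an event stream through per-session state machines and collects rejections.
func Run(p *Policy, initial State, events []Event) (map[uint32]*Session, []string) {
	sessions := map[uint32]*Session{}
	var rejected []string
	for _, ev := range events {
		s, ok := sessions[ev.SessionID]
		if !ok {
			s = &Session{ID: ev.SessionID, State: initial}
			sessions[ev.SessionID] = s
		}
		if err := p.Check(s, ev); err != nil {
			rejected = append(rejected, err.Error())
		}
	}
	return sessions, rejected
}

// Constructed configuration file following the FTP states on the slides.
const ftpDiagram = `
# old_state: new_states the application may enter next
init: received_username
received_username: received_password, init
received_password: waiting_for_command, init
waiting_for_command: waiting_for_command, init
`

func ftpPolicy() (*Policy, error) {
	tr, err := ParseTransitions(ftpDiagram)
	if err != nil {
		return nil, err
	}
	return &Policy{Transitions: tr, BadPackets: map[State][]string{
		"init":              {"PASS", "RETR", "STOR"},
		"received_username": {"RETR", "STOR"},
		"received_password": {"USER", "RETR", "STOR"},
	}}, nil
}

// Constructed traffic: session 7 logs in properly, session 8 sends RETR before
// authenticating, session 9's application tries to skip the password state.
func sampleEvents() []Event {
	return []Event{
		{7, NetEvent, "USER", "received_username"},
		{7, NetEvent, "PASS", "received_password"},
		{7, AppEvent, "auth_callback", "waiting_for_command"},
		{7, NetEvent, "RETR", "waiting_for_command"},
		{8, NetEvent, "RETR", ""},
		{9, NetEvent, "USER", "received_username"},
		{9, AppEvent, "auth_callback", "waiting_for_command"},
	}
}

func main() {
	p, err := ftpPolicy()
	if err != nil {
		panic(err)
	}
	sessions, rejected := Run(p, "init", sampleEvents())
	for _, s := range sessions {
		fmt.Printf("session %d ends in state %s\n", s.ID, s.State)
	}
	for _, r := range rejected {
		fmt.Println("rejected:", r)
	}
}
```

Session 8 is stopped by the packet policy (RETR is bad in state init) and session 9 by the state-diagram invariant (received_username cannot go straight to waiting_for_command), which is the difference between the two kinds of rule on the slides. Session 7 ends in waiting_for_command with nothing rejected.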

18
Security analysis
  • Assuming the state diagram is correct, fidelity
    is guaranteed since all events are intercepted
  • Race-condition attacks can be prevented by
    suitably delaying events
  • Side-channel attacks may still be possible
  • If the state diagram is incorrect or incomplete,
    the firewall administrator can patch the
    binary/configuration file to fix it

19
Implementation
  • Applications are re-written using the Gestalt
    library
  • Most applications written using lib-async would
    be supported
  • Stub client and server application
  • Currently re-writing an overlay proxy (OCALA) and
    an HTTP server/proxy
  • Overhead
  • Minimal, if the policy is pushed to the
    observation point

20
Conclusion
  • Offers guarantees that cannot be achieved without
    rewriting the application
  • Security is limited by the correctness and the
    level of detail of the state diagram
  • Trade-off factor
  • Need to evaluate the overhead of specifying the
    state transition diagram