LibSec: A Security Library for Network Applications

1
LibSec A Security Library for Network
Applications

• Jayanthkumar Kannan, Ion Stoica, Scott Shenker,
  Vern Paxson

2
Motivation

• Network apps will need to be protected from
  exploits
• Some programs too large for humans or program
  verification techniques to prevent bugs
• Some bugs may allow a remote attacker to
  accomplish her intent
• State-of-the-art in defense
• Unknown attacks No fool-proof way known that
  works for all bugs (significant advances in
  memory safety exploits)
• Known exploits Intrusion Prevention Network
  Intrusion Detection (eg Bro), Host Intrusion
  Prevention (eg Janus, Shield)

3
All IPS systems aim to ..

• Prevent the application from entering some bad
  state (or) impose a certain policy
• Input Filtering Sanitizing its input
• NIDS Bro (network-packet level) uses ACL and DPI
• HIDS Janus (sys-call level) monitors syscalls
• HNIDS Shield (network-packet at host) uses ACL
  and DPI

4
Fidelity problem

• Policies on input are typically expressed in
  terms application semantics
• Such policies not directly expresseable today
• NIDS/HNIDS use ACL and DPI and express in terms
  of fields
• HIDS use sys-call seqns
• This policy gap leads to
• Certain policies that cannot even be expressed
• A sandbox being overly restrictive/permissive
• Essentially, all approaches impose policies on
  whatever is observable

5
Clean-Slate firewall

• How would a clean-slate firewall look?
• Applications rewritten
• To expose their internal state to help solve the
  fidelity problem
• Rewritten using LibSec
• State-aware version of LibASync
• LibSec used to impose policies and check
  invariants

6

• Motivation
• High-Level Approach
• Related Work
• Conclusions

7
Diagram
Application
Firewall
LibSec
Network
8
Mechanistic Assumptions

• Application not compromised yet
• So, application can be trusted (barring bugs in
  libGestalt itself)
• Trust internal app, not external app
• LibSec trusted

9
Gestalt API

• Addressing
• Sessions
• State

10
Addresses Principles

• Today IP addresses , Port Numbers
• Problems
• IP addresses are spoofeable (gt ACL rules are
  subvertable)
• Soln Introduce self-certifying identifiers at
  the app-layer independent of the IP address
  Application Instance Identifiers (AID)
• Problems
• Port numbers used to identify application
• Soln Replace by Application Version Identifier
  (AVD) which includes hash of binary

11
Addresses Details

• Server Listening Port Number replaced by
• Application Identifier (AID) app_id, inst_id
• app_id hash, inst_id public key
• Client Ephemeral Port Number replaced by
• session_id, sub_session_id
• session_id demultiplexes between multiple clients
  talking to server
• sub_session_id demultiplexes multiple connections
  within one session
• Replacement for TCP 4-tuple
• client-flow-id, server-flow-id
• client-flow-id app_id , inst_id , session_id ,
  sub_session_id

12
Gestalt API

• Addressing
• Sessions
• State

13
Sessions Definition

• Session
• Unit of application interaction
• Eg HTTP Multiple TCP connections between a
  client and a server to fetch a complete web page
• Eg BitTorrent A client would establish multiple
  TCP connections to the tracker and other clients
• Currently, IPS systems try to guess what
  connections belong to the same session
• Eg Client says allow BitTorrent
• Leads to difficulty in accounting for traffic,
  and makes configuration to allow certain
  applications difficult

14
Sessions API

• Session Setup
• AppInstance ServerInstanceListen(AppVersionID,
  AppInstanceId, SessionCallback, SecPolicy)
• AppInstance ClientInstance(AppVersionID,
  AppInstanceId, SessionCallback, SecPolicy)
• SubSessions
• SubSessionId GrantSubsession(AppInstance,
  Session, SecPolicy, SubSessionCallback)
• SubSessions Identifiers negotiated in-line
  application requests libSec to open up the port
  appropriately

15
Gestalt API

• Addressing
• Sessions
• State

16
State

• State of application decoupled into state per
  ongoing session
• Per-session state exposed by the event-based
  model in LibSec
• Meaning application can notify the library
  transparently before changing state
• Eg FTP States Received username, Received
  password, Waiting for command
• State transition diagram specified via
  configuration file
• maps old_state to list of all possible
  new_states it can transition to

17
State

• Security Policy of the form
• If app is in state S, packet of type T is bad
• Protocol state machine
• Represents state of the application wrt the
  client connected on that session
• Nodes correspond to states, edges correspond to
  events
• Three types of events
• App events timers, callbacks etc
• OS events read/write file, signals etc
• Network events packets

18
Security Analysis

• Assuming state diagram is correct, then fidelity
  is guaranteed since all events are intercepted
• Race condition attacks can be prevented by
  suitably delaying events
• Side-channel attacks may still be possible
• If state diagram is incorrect/incomplete, then
  the firewall administrator can patch the
  binary/configuration file to fix it

19
Implementation

• Applications re-written using Gestalt library
• Most applications written using lib-async would
  be supported
• Stub client, server application
• Currently Re-writing overlay proxy (OCALA), HTTP
  server/proxy
• Overhead
• Minimal, if policy is pushed to the observation
  point

20
Conclusion

• Offers guarantees that cannot be achieved without
  rewriting application
• Security is limited by the correctness and the
  level of detail in state diagram
• Trade-off factor
• Need to evaluate the overhead of specifying state
  transition diagram