APOD Network Mechanisms and the APOD Red-team Experiments (Christopher Jones, NCA 2003; uploaded 10/5/2015)
1 APOD 04/19/23 NCA 2003 Christopher Jones
APOD Network Mechanisms and the APOD Red-team Experiments
Chris Jones, Michael Atighetchi, Partha Pal, Franklin Webber
BBN Technologies
QuO & APOD
Slide 2: Outline
• Motivating Scenario and APOD Overview
• QuO Overview
• APOD Description
– Example APOD Strategies
– Example APOD Tactics
– Example APOD Mechanisms
• Red-team Experiments
• Concluding Remarks
Slide 3: Motivating Scenario and APOD Description
• Applications that Participate in their Own Defense (APOD)
– Demonstrates that dynamic defense and adaptive responses increase an application’s resiliency to certain kinds of attacks.
– A toolkit of mechanism wrappers and adaptation strategies that allows an application to defend itself by dynamically adapting to a hostile environment.
– Uses QuO, which provides middleware support for mechanism integration and adaptation.
[Figure: three application hosts and an attacker’s host sharing the network]
Slide 5: Quality Objects (QuO) Architecture
[Figure: QuO architecture. A plain CORBA call (client, IDL stubs, ORB/IIOP, network, object adapter, IDL skeleton, object/servant; operation() with in args, out args and return value) is shown beside the QuO version, where the client’s object reference goes through a Delegate governed by a Contract that reads SysCond (system condition) objects tied to a Mechanism/Property Manager. Roles: application developer, QoS developer, mechanism developer. The delegate, contract and SysConds together form a Qosket.]
Slide 6: QuO Overview
• QuO is a middleware framework that supports developing adaptive behavior, adding it to an application, and executing it.
• Adaptation can be driven by changes in an application’s operating environment.
– Host resources (CPU and memory) usage.
– Network resource availability.
– Host and Network Intrusion status.
• The adaptive code is encapsulated in a middleware component called “qosket”.
– A qosket is a set of specifications and implementations that defines a reusable module of specific adaptive behavior.
• It can be added into a distributed object application with minimum impact on the application.
Slide 7: QuO Overview (cont.)
• Quality Description Languages (QDL)
– Contract description language, adaptive behavior description language.
– Code generators that generate Java and C++ code for contracts, delegates, creation, and initialization.
• System Condition Objects
– Provide interfaces to resources, managers, and mechanisms.
• QuO Runtime Kernel
– Contract evaluator.
– Factory object which instantiates contract and system condition objects.
Slide 9: APOD Description
• Key Idea: by adapting to and trying to control its environment, an application can increase its chances of survival under attack.
– Use QuO to integrate multiple security mechanisms into a coherent strategy for adaptive defense.
– This is complementary to the usual hardening or protection of applications, resources, or services where available and practical.
• Ties security information to the adaptation of an application through the QuO system condition objects.
• APOD has sensor mechanisms that feed defense tactics and strategies.
– Actuator mechanisms implement tactic and strategy reactions.
• APOD tactics integrate sensors and actuator mechanisms to mount a local defensive response.
• Combining individual mechanisms and tactics into higher-level defense strategies helps applications meet survivability requirements.
• The following slides are examples, not an exhaustive list of the possibilities or the mechanisms, tactics, and strategies that we are using.
Slide 10: APOD Strategies
• Use QuO middleware to coordinate all available defense mechanisms in a coherent strategy.
• Examples of APOD strategies have been created:
– “outrun”: move application components off corrupted hosts and on to good ones at a rate faster than the hosts go bad.
» Slow down the attacker’s ability to corrupt hosts by quarantine.
– “contain”: quarantine bad hosts and bad LANs by limiting or blocking network traffic from them and, within limits, shutting them down.
» Respond quickly with locally gathered information.
» Can only quarantine so many hosts or LANs before application performance becomes affected.
» In follow-on projects we are looking at having backup hosts to replenish application capabilities depleted by quarantining bad application hosts.
Slide 11: APOD Tactics
• Examples of APOD tactics that are implemented and used in strategies:
• Block Suspicious Traffic
– Combines network intrusion detection system and firewall mechanisms to catch attacker reconnaissance traffic and block further malicious traffic from the attacker host.
• Choking TCP Connection Floods
– Joins TCP connection counting with a firewall to block hosts that request large numbers of connections to a single port.
• Containing ARP Cache Poisoning
– Incorporates an ARP cache poisoning sensor and firewall to monitor the mapping of MAC to IP addresses, reset any mapping that changes, and block traffic from the offending MAC address.
• Squelching Insider Flooding
– Uses network traffic accounting to keep track of packets/second and bits/second, comparing the observed and expected means to detect a spike in outgoing traffic.
– If a spike occurs, rate limiting is applied to the outgoing traffic of a LAN.
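The “Choking TCP Connection Floods” tactic above, as an added Python example that is not code from the APOD toolkit: the sensor step counts live connections per remote host on the application port from a netstat listing, and the tactic step reports hosts over the threshold together with the blocking rule the firewall actuator would install. The netstat sample, addresses, port and threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed `netstat -an` sample (not captured from the APOD testbed): remote
# host 10.0.3.77 holds four live connections to the application port 8080.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.1.10:8080          10.0.1.20:40001         ESTABLISHED
tcp        0      0 10.0.1.10:8080          10.0.3.77:51001         SYN_RECV
tcp        0      0 10.0.1.10:8080          10.0.3.77:51002         SYN_RECV
tcp        0      0 10.0.1.10:8080          10.0.3.77:51003         SYN_RECV
tcp        0      0 10.0.1.10:8080          10.0.3.77:51004         ESTABLISHED
tcp        0      0 10.0.1.10:22            10.0.3.77:51005         ESTABLISHED
tcp        0      0 10.0.1.10:8080          10.0.1.21:40002         TIME_WAIT
"""

# proto  recv-q  send-q  local:port  foreign:port  state
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def connections_per_host(netstat_output, port):
    """Sensor step: count live connections to the local `port`, keyed by remote
    host. TIME_WAIT sockets are already closed and do not count against a host."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _local, local_port, remote_host, _remote_port, state = m.groups()
        if int(local_port) == port and state != "TIME_WAIT":
            counts[remote_host] += 1
    return dict(counts)


def flood_tactic(netstat_output, port, threshold):
    """Tactic step: hosts with more than `threshold` connections are reported to
    the strategy, together with the iptables rule the firewall actuator would
    install to block further connections from each of them to that port."""
    offenders = sorted(host for host, n in connections_per_host(netstat_output, port).items()
                       if n > threshold)
    rules = [f"iptables -I INPUT -s {host} -p tcp --dport {port} -j DROP"
             for host in offenders]
    return offenders, rules
```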
Slide 12: APOD Network Sensor Mechanisms
• Network Intrusion Detection
– Attacker can run live attacks and known scripted network attacks on hosts.
– Use Snort, a lightweight network intrusion detection system.
– Extract the offending host addresses to pass to an APOD strategy.
• TCP Connection Flood sensor
– Attacker can flood a port with many connections, making it very difficult or impossible for legitimate clients to connect.
– Have a mechanism using netstat to determine the number of connections to a given port.
– Mechanism monitors application ports for “too many” connections and will warn an APOD strategy of any host that has gone over the connection threshold.
• ARP cache poisoning detection
– Attacker with access to a subnet can use ARP cache poisoning to disrupt or intercept network traffic.
– Tool to detect changes in MAC/IP pairings and notify an APOD tactic or strategy of changes.
– Uses ping and arp commands to get pairings and compares them with previously collected pairings for changes.
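The ARP cache poisoning sensor above, as an added Python example that is not part of the APOD toolkit: two snapshots of arp -an output are parsed into IP-to-MAC pairings and compared, and a re-mapped IP yields the MAC now claiming it (for the firewall tactic to block) and the static-entry command that resets the mapping to the previously known one. The snapshots and addresses are constructed assumptions.

```python
import re

# Constructed `arp -an` snapshots (not captured from the APOD testbed). In the
# second snapshot the gateway 10.0.1.1 answers from a different MAC address.
ARP_BEFORE = """\
? (10.0.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (10.0.1.21) at 00:11:22:33:44:21 [ether] on eth0
"""
ARP_AFTER = """\
? (10.0.1.1) at 00:11:22:33:44:99 [ether] on eth0
? (10.0.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (10.0.1.22) at 00:11:22:33:44:22 [ether] on eth0
? (10.0.1.23) at <incomplete> on eth0
"""

ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")


def parse_arp(output):
    """Map IP -> MAC from `arp -an` output; <incomplete> entries carry no MAC."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(output)}


def changed_pairings(previous, current):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}.
    New or vanished hosts are not changes; only a re-mapped IP is suspicious."""
    return {ip: (previous[ip], current[ip])
            for ip in previous if ip in current and previous[ip] != current[ip]}


def poisoning_report(previous_output, current_output):
    """Sensor step: compare stored pairings with a fresh snapshot. Returns the
    MACs now claiming an IP they did not own (for the firewall to block) and the
    static-entry commands that restore the previously known mapping."""
    changes = changed_pairings(parse_arp(previous_output), parse_arp(current_output))
    offending_macs = sorted({new for _old, new in changes.values()})
    reset_cmds = [f"arp -s {ip} {old}" for ip, (old, _new) in sorted(changes.items())]
    return offending_macs, reset_cmds
```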
Slide 13: APOD Network Actuator Mechanisms
• Network traffic filters
– Uses iptables for blocking and rate-limiting traffic from hosts believed to be malicious.
• Bandwidth Management
– Intserv (RSVP, SecureRSVP)
» Uses an enhanced RSVP version of Darmstadt’s RSVP implementation.
» Enhanced version done at North Carolina State University.
– Bandwidth Broker
» Tool using the tc command to make changes in queuing policies of routers.
• Secure network traffic
– Uses FreeS/WAN IPSec for protecting network traffic.
– Dynamically bring up IPSec between two hosts.
• Dynamic endpoint mechanism
– Uses a NAT gateway to hide the real endpoints (address and port) of the application.
– The “fake” endpoints are chosen randomly and changed periodically.
Slide 15: APOD Red-teaming Experimentation
• Reasons for experiments.
– Validate the APOD idea that dynamic adaptation defenses can prolong an application’s usefulness in a hostile environment.
– Also, analyzing the overhead of APOD.
• Sandia Labs red-team tasked with validating APOD.
– Outside, independent team.
– Given full knowledge of the application, the APOD defenses added, and the test network.
• Red-teaming happened in two distinct experiments.
– Each experiment consisted of multiple runs of the defended application.
– During each run, the red-team would try different attacks.
» Started with single attacks per run and progressed to multiple attacks per run.
Slide 16: Application Used in APOD Experiments
[Figure: the experiment application. ImageDisplay clients send queries to a replicated Broker group; ImageServers register with the brokers and serve images to the displays. APOD Defenses are attached to every ImageDisplay, Broker and ImageServer component.]
Slide 17: Experimentation Configuration
[Figure: APOD experiment network. Four subnets, IPNET1 to IPNET4, each with two brokers (brokerN_1, brokerN_2), a boundary controller (bc_ipnet_N) and a router (router_N); servers server1, server3 and server4; clients client2 and client3; attacker hosts attack1 and attack2; and an Experiment Control Host.]
Slide 18: APOD Experiment Strategies
• A third strategy was added, Flood Prevention and Traceback.
– Make static SE-RSVP reservations up-front to protect network paths from being flooded.
– Quarantine hosts by blocking traffic from/to them closer to their source (added to the contain strategy on boundary controllers).
[Figure: IPNET3 in detail. broker3_1, broker3_2, server3 and client3 sit behind boundary controller bc_ipnet_3; the application hosts run the Outrun & Contain strategies and the application contain strategy, while the boundary controller runs the BC contain strategy.]
Slide 19: Red-teaming Attacks and Results
• APOD defenses blocked or impeded the red-team’s progress.
– The APOD defenses overcame or blocked many of the single-attack runs.
– The red-team was forced to combine different attacks to cause a denial of service of the broker on the defense-enabled application.
– Of the attack runs that ended with the application in a denial of service, the average time-to-denial was approximately 45 minutes from the start of attacks, with a minimum of roughly 10 minutes. Without APOD defenses, service was denied immediately.
[Chart: Time to Denial by Live Attack. Y-axis: time (minutes), 0 to 100; x-axis: runs, plotted for client 2 and client 3.]
Slide 20: Results
• The cost of adding the APOD defenses to image latency was approximately 5% to 20%, depending on which tactics and strategies were in place.
– We concluded that most of the latency increase was caused by the containment strategy and accompanying mechanisms that ran on the boundary control routers.
Slide 21: Concluding Remarks
• Conclusion.
– Dynamic adaptation has added value for an application by giving it the ability to prolong its usefulness in the presence of attacks.
– This prolonged usefulness has a reasonable cost.
– Red-team experiments are beneficial for validating and “stress testing” our defenses.
• APOD is being used in other survivability projects.
– Using and expanding APOD mechanisms, tactics, and strategies.
– Other projects include ITUA, DPASA, and Dynamic Quarantine.
• Websites:
– QuO: quo.bbn.com
– APOD: apod.bbn.com
– ITUA: itua.bbn.com