Intruders (and How to Keep Them Out)
CMPS 122, UC Santa Cruz

Overview

• More on intrusions
• Detecting intruders
• Dealing with intruders once you’ve found them
• Firewalls
• Computer immunology

Why detect intruders?

• Catch them before they cause damage
  ◆ Plug holes
  ◆ Watch how they do it…
• Identify damage
• Collect evidence for prosecution
• Deterrent

Behavior

(Figure: a spectrum of behavior ranging from “Obviously Normal” to “Obviously Malicious”)

Overlap between users & intruders

(Figure: probability density function over a measurable behavior parameter, showing an authorized user profile and an intruder profile that overlap)

Users & intruders: the truth

(Figure: the same probability density plot of authorized user profile and intruder profile)

There just aren’t that many intruders!

Problems with false positives

• Doctor invents a new, inexpensive test for a deadly disease that is 99% accurate
• Assume 1 in 2000 people have deadly disease (but don’t know it yet)
• Should everyone get the test?
  ◆ 2000 people tested
  ◆ Expect .99 + (1999 * .01) positives
  ◆ 21 people will be told they have disease
• If you test positive, there is about a 5% chance you have disease
  ◆ Higher than 1/2000, but not that high!
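The arithmetic on this slide, carried through as an added example (not from the lecture) and generalized from the medical test to an IDS alert stream; treating “99% accurate” as 99% sensitivity and 99% specificity is an assumption of the example.

```python
# Added example (not from the lecture): the base-rate arithmetic from the
# "Problems with false positives" slide, generalized to IDS alerts.
# Assumption: a "99% accurate" test means 99% sensitivity and 99% specificity.

def expected_positives(population, prevalence, sensitivity, specificity):
    """Return (true_positives, false_positives) expected in a population."""
    sick = population * prevalence
    healthy = population - sick
    return sick * sensitivity, healthy * (1.0 - specificity)

def positive_predictive_value(prevalence, sensitivity, specificity):
    """P(actually positive | test says positive), by Bayes' rule."""
    tp = prevalence * sensitivity
    fp = (1.0 - prevalence) * (1.0 - specificity)
    return tp / (tp + fp)

def required_specificity(prevalence, sensitivity, target_ppv):
    """Specificity needed so that PPV reaches target_ppv at this prevalence.
    Solving tp / (tp + fp) = target for fp gives fp = tp * (1 - target) / target."""
    tp = prevalence * sensitivity
    fp = tp * (1.0 - target_ppv) / target_ppv
    return 1.0 - fp / (1.0 - prevalence)

def ids_alerts_per_day(events_per_day, attack_fraction, sensitivity, specificity):
    """Same arithmetic for an IDS: the population is a day's sessions and
    'sick' means the session is an attack. Returns expected alert counts and PPV."""
    tp, fp = expected_positives(events_per_day, attack_fraction, sensitivity, specificity)
    return {"true_alerts": tp, "false_alerts": fp,
            "ppv": positive_predictive_value(attack_fraction, sensitivity, specificity)}
```

With one attack per 100,000 sessions and a million sessions a day, the same 99%/99% detector raises roughly ten thousand false alerts for about ten real ones, which is the “crying wolf” problem in numbers.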

Intrusion detection approaches

• Statistical anomaly detection
  ◆ Produce a profile of the normal behavior of each user (or independent of user)
  ◆ Notice statistical deviations from that behavior
• Rule-based detection
  ◆ Think really hard and make up rules that describe intruder behavior
  ◆ Hope intruders can’t read and figure out the rules also
  ◆ Lay traps that normal users won’t trigger…

Statistical anomaly detection

• Track events and characteristics of the system
  ◆ Network packets (source, size, number, protocol, port)
  ◆ Program behavior
    – Which programs are run when
    – What arguments are given to program
  ◆ User behavior
    – Login pattern
    – Files accessed
• Look for “unusual” patterns
  ◆ Need a background “level” of normal activity
  ◆ Must account for “normal anomalies”
    – Example: user decides to try a new program
    – Example: user works late to finish a project

Anomaly detection example

(Figure: TCP handshake between Attacker and Victim: SYN, SYN/ACK, ACK)

• Common denial of service (DoS) attack: SYN flood
• Normal TCP: SYN, SYN/ACK, ACK
• DoS: SYN, SYN/ACK, ignored
  ◆ SYN/ACK packets queue up on victim
  ◆ Number of queued SYN/ACK packets is limited!
  ◆ No new connections once limit is exceeded
• Can this be detected?

Detecting SYN floods

• Firewall (or other gateway) notices large number of SYN packets but few ACK packets
  ◆ Firewall isn’t actually queueing anything
  ◆ Firewall simply observes the traffic going by
• Firewall decides that hosts behind it will crash if more SYN packets come in
• Firewall temporarily suspends delivery of SYN packets
• Result: hosts are protected
  ◆ Unfortunately, nobody can connect to those hosts while they’re being protected
  ◆ This is temporary, so situation will recover quickly
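A gateway that only observes the SYN/ACK balance and temporarily holds SYNs, as an added example (not the lecture’s code); the window length, thresholds and the packet representation are assumptions of the example.

```python
# Added example (not from the lecture): a gateway that only observes traffic,
# counts SYNs vs. ACKs over a sliding window, and temporarily stops forwarding
# SYNs when the imbalance looks like a flood. Thresholds, window length and
# the packet format (a set of flag names) are assumptions for this example.
from collections import deque

class SynFloodGuard:
    def __init__(self, window=1.0, min_syns=20, max_ratio=0.5, suspend_for=5.0):
        self.window = window            # seconds of history to keep
        self.min_syns = min_syns        # ignore small samples
        self.max_ratio = max_ratio      # flood if acks/syns falls below this
        self.suspend_for = suspend_for  # how long to hold SYNs, in seconds
        self.history = deque()          # (timestamp, flags) for recent packets
        self.suspended_until = 0.0

    def _prune(self, now):
        """Forget packets older than the observation window."""
        while self.history and now - self.history[0][0] > self.window:
            self.history.popleft()

    def observe(self, now, flags):
        """Return 'forward' or 'drop' for one inbound packet.
        flags is a set such as {'SYN'} or {'ACK'} (constructed format)."""
        self._prune(now)
        self.history.append((now, flags))
        syns = sum(1 for _, f in self.history if 'SYN' in f and 'ACK' not in f)
        acks = sum(1 for _, f in self.history if 'ACK' in f and 'SYN' not in f)
        # Many SYNs with few ACKs following them: start (or extend) the hold.
        if syns >= self.min_syns and acks < self.max_ratio * syns:
            self.suspended_until = now + self.suspend_for
        # Only new connection requests are held; everything else still flows.
        if 'SYN' in flags and 'ACK' not in flags and now < self.suspended_until:
            return 'drop'
        return 'forward'

def run_trace(guard, trace):
    """Apply guard to a list of (time, flags); return the list of decisions."""
    return [guard.observe(t, f) for t, f in trace]

def normal_trace(n, start=0.0):
    """Constructed: the inbound half of n completed handshakes (SYN, then ACK)."""
    out = []
    for i in range(n):
        t = start + i * 0.01
        out.append((t, frozenset({'SYN'})))
        out.append((t + 0.005, frozenset({'ACK'})))
    return out

def flood_trace(n, start=0.0):
    """Constructed: n SYNs with no ACK ever following."""
    return [(start + i * 0.001, frozenset({'SYN'})) for i in range(n)]
```

Once the window slides past the flood the hold expires on its own, which is the “temporary, so situation will recover quickly” behavior of the slide.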

Network intrusion detection

• Monitor activity on many hosts
• Aggregate audit records to detect anomalous behavior
  ◆ Innocuous behavior on several (individual) hosts may signal an intrusion
  ◆ Example: limited (or slow) port scan across many computers in sequence
• Managed Security Monitoring (Counterpane, Inc.)

Network intrusion detection example

• Intruder wants to break into any computer at company X
• Rapid port scan on a single computer is easily detected
  ◆ Computer knows that its ports are being scanned
  ◆ Security system on computer notifies someone
• Solution: scan computers sequentially
  ◆ No individual computer is scanned rapidly
  ◆ Many computers are scanned in a short time
• Protection: firewall that examines all packets
  ◆ Notices sequential port scan because firewall sees all port scan packets destined for any computer
  ◆ Firewall takes action against the intruder

Network intrusion detection example

• User / password guessing attack
• Single computer may impose limits for login
  ◆ At most n outstanding login attempts at any time
  ◆ At least m seconds between login attempts for a given user
• Multiple computers (with the same users / passwords) may not have such limits
  ◆ Try different users on different computers at the same time
  ◆ All you need is one successful user / password pair…

Network intrusion detection solution?

• All of these attacks come from one IP address (or small range)
• Solution (?): check for network-type attacks coming from a small set of IP addresses
  ◆ Protects hosts from attacks originating in a single place
  ◆ Doesn’t stop distributed attacks!
• Intruders often come from many different IP addresses
  ◆ First, hijack many other computers to help
    – Often, computers with little useful stuff, but poorly protected
  ◆ Second, run a distributed attack from these computers
• Much harder to detect and deal with
  ◆ No single set of IP addresses to “blame”
  ◆ Activity often looks like normal (if a bit irregular) operation

Rule-based intrusion detection

• Similar to anomaly-based detection
  ◆ Anomaly-based uses shades of gray
  ◆ Rule-based is usually black and white
    – If this is done, it’s an intrusion
• Most helpful when security system knows more about the system than the intruder
  ◆ Example: set up fake user accounts and passwords
    – Make them more than one character different from “real” usernames
  ◆ If someone attempts to log into a fake account several times, it’s probably an intruder
• This can be detected regardless of how distributed the attack is

Rule-based intrusion detection example

• Simple rule: all data sent to the SMTP (mail) port must be textual, and must have line length < 80
  ◆ Allows most normal email to go through
    – Take care to encode mail with MIME to follow rules
  ◆ Prevents most stack-smashing attacks against sendmail
• This rule can be enforced by the firewall
  ◆ Examines packets as they go by
  ◆ Knows enough about SMTP to reconstruct incoming data
  ◆ Tests for maximum line length (simple test)
  ◆ Doesn’t test for
    – Unknown user
    – Use of your SMTP host for mail forwarding
    – Sending large email messages to clog the mailbox
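The SMTP rule from this slide applied to reassembled message data, as an added example (not the lecture’s code); what counts as “textual” (printable ASCII plus tab, CRLF line endings) and the sample messages are assumptions of the example.

```python
# Added example (not from the lecture): the "SMTP data must be textual with
# line length < 80" rule, applied to data the firewall has reassembled.
# Assumption: "textual" means printable ASCII plus tab, with CRLF line endings.
import base64

MAX_LINE = 80  # rule on the slide: every line must be shorter than this

def check_smtp_data(data: bytes):
    """Return (ok, reason). ok is True only if every line passes the rule."""
    if b"\n" in data.replace(b"\r\n", b""):
        return False, "bare LF line ending"
    for number, line in enumerate(data.split(b"\r\n"), start=1):
        if len(line) >= MAX_LINE:
            return False, f"line {number} has length {len(line)} >= {MAX_LINE}"
        for byte in line:
            if not (byte == 0x09 or 0x20 <= byte <= 0x7E):
                return False, f"line {number} contains non-text byte 0x{byte:02x}"
    return True, "ok"

def mime_encode_lines(payload: bytes) -> bytes:
    """Base64 with 76-character lines and CRLF endings, as MIME requires;
    this is how binary attachments get through the rule."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")

# Constructed sample messages for the checker.
NORMAL_MAIL = (b"From: alice@example.test\r\n"
               b"To: bob@example.test\r\n"
               b"Subject: lunch?\r\n"
               b"\r\n"
               b"Noon at the usual place.\r\n")

# An overlong line of filler: the rule rejects it on length alone, without
# needing to understand what the content is.
LONG_LINE_MAIL = b"From: x@example.test\r\n\r\n" + b"A" * 300 + b"\r\n"

# Raw control bytes in the body: rejected as non-textual.
BINARY_MAIL = b"From: x@example.test\r\n\r\n" + bytes(range(0, 32)) + b"\r\n"
```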

Rule-based intrusion detection example

• Simple rule: incoming HTTP packets may not contain Java applets
  ◆ Prevents malicious Web pages from coming in
  ◆ Can be done without detailed knowledge of Web page structure
    – Simply recognize HTML that encapsulates Java
• Can easily be done by firewall that knows a bit of HTTP
• Problem: can’t tell the difference between “good” and “bad” Java
  ◆ Prevents users from accessing sites with useful Java!
  ◆ May be too restrictive: users will find a way to circumvent
• Instead, try to recognize incoming Java known as malicious
• Perhaps also try to recognize attacks by keeping signatures of Java files that have come in recently
  ◆ Prevent “repeat offenders”…

Firewalls: detecting and stopping intruders

• Intrusion detection & prevention is hard!
  ◆ Difficult to do well
  ◆ Difficult to even detect an intrusion, particularly when it affects multiple computers
• One solution: use a firewall
• Firewall goals
  ◆ All traffic between internal network and external network (Internet) must pass through the firewall
  ◆ Only “authorized” traffic is allowed to pass (more on this in a bit)
  ◆ Firewall itself is immune to penetration
    – This can be easier for a firewall because it doesn’t allow general-purpose logins
    – May not have a full operating system…

Firewall techniques

• Service control
  ◆ Determine which services can be accessed
  ◆ Disallow those that might be risky
• Direction control
  ◆ Control the direction in which certain services are available
  ◆ Network Address Translation may help with this…
• User control
  ◆ Control access to services based on user
  ◆ Requires that users authenticate themselves somehow
• Behavior control
  ◆ Disallow dangerous behaviors
  ◆ Example: filter email for viruses
  ◆ Example: allow only certain types of HTTP requests

Firewall: packet filter

(Figure: Internet, Firewall, and Internal network (the secure area); every packet passes through the firewall)

• Filter each packet as it goes through
• Apply a set of rules
  ◆ Discard or accept packet depending on rule matches
• Rules based on
  ◆ IP addresses
  ◆ Protocol
  ◆ Port number
  ◆ Packet content?
• Must set default policy
  ◆ Accept
  ◆ Discard
• Rules can modify the policy for particular packets

Packet filtering rules: example

Action | Src      | Src port | Dest     | Dest port | Flags | Comment
-------+----------+----------+----------+-----------+-------+------------------------------
Allow  | *        | *        | Mailhost | 25        | *     | Allow inbound email
Allow  | *        | *        | www      | 80        | *     | Allow inbound web
Allow  | Our net  | *        | *        | 80        | *     | Allow outbound web
Deny   | Our net  | *        | *        | 25        | *     | Disallow outgoing email…
Allow  | Mailhost | *        | *        | 25        | *     | Except from our mail server
Deny   | Our net  | *        | *        | *         | *     | Default is to block outgoing
Deny   | *        | *        | Our net  | *         | *     | Default policy is to block
Allow  | Our host | *        | *        | 443       | *     | Allow outbound HTTPS
Allow  | *        | *        | *        | 22        | *     | Allow ssh in both directions
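A first-match packet filter driven by the rule table above, as an added example (not the lecture’s code). The slide does not say in what order its rules are evaluated, so the example places the mail-server exception before the deny it overrides; the addresses, the meaning of “Our net” (a 10.1.0.0/16 prefix) and the named hosts are assumptions of the example.

```python
# Added example (not from the lecture): a first-match packet filter for the
# rule table on the slide. Rule order, the constructed addresses and the
# meaning of "Our net" are assumptions for this example.
import ipaddress

OUR_NET = ipaddress.ip_network("10.1.0.0/16")                                   # constructed
HOSTS = {"Mailhost": "10.1.0.25", "www": "10.1.0.80", "Our host": "10.1.7.7"}  # constructed

# (action, src, src_port, dst, dst_port, flags, comment); first match wins.
RULES = [
    ("Allow", "*",        "*", "Mailhost", 25,  "*", "Allow inbound email"),
    ("Allow", "*",        "*", "www",      80,  "*", "Allow inbound web"),
    ("Allow", "Our net",  "*", "*",        80,  "*", "Allow outbound web"),
    ("Allow", "Mailhost", "*", "*",        25,  "*", "Except from our mail server"),
    ("Deny",  "Our net",  "*", "*",        25,  "*", "Disallow outgoing email"),
    ("Allow", "Our host", "*", "*",        443, "*", "Allow outbound HTTPS"),
    ("Allow", "*",        "*", "*",        22,  "*", "Allow ssh in both directions"),
    ("Deny",  "Our net",  "*", "*",        "*", "*", "Default is to block outgoing"),
    ("Deny",  "*",        "*", "Our net",  "*", "*", "Default policy is to block"),
]
DEFAULT = "Deny"  # the slide's default policy, for packets no rule matches

def addr_matches(pattern, addr):
    """'*' matches anything, 'Our net' matches the internal prefix,
    any other name is a specific host from HOSTS."""
    if pattern == "*":
        return True
    if pattern == "Our net":
        return ipaddress.ip_address(addr) in OUR_NET
    return HOSTS[pattern] == addr

def port_matches(pattern, port):
    return pattern == "*" or pattern == port

def filter_packet(src, sport, dst, dport):
    """Return (action, comment) from the first matching rule, else the default."""
    for action, r_src, r_sport, r_dst, r_dport, _flags, comment in RULES:
        if (addr_matches(r_src, src) and port_matches(r_sport, sport)
                and addr_matches(r_dst, dst) and port_matches(r_dport, dport)):
            return action, comment
    return DEFAULT, "default policy"
```

Note what this table cannot express: the reply packets of an allowed outbound web connection (source port 80 outside, destination a high port inside Our net) hit the default deny, which is exactly the gap stateful inspection closes later in the lecture.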

Limitations to packet filtering

• Packet filtering is nice, but there are limits
• Firewall can only filter on individual packet contents
  ◆ Can’t see the entire session
  ◆ Allows intruder to break up attack to sneak it in
  ◆ Can’t respond to attacks that involve breaking a protocol, such as SYN floods
• May be vulnerable to address spoofing
  ◆ Packet has incorrect return address
• Better solution: allow firewall to filter on entire sessions, not just individual packets

Stateful Packet Inspection (SPI)

• Keep track of history of packets
  ◆ Allow filtering and actions based upon history!
• Example: inbound packets to “user” ports (>1024)
  ◆ Must allow some of them for any protocol to work
  ◆ SPI: only allow them if an outgoing connection on that port was previously requested
    – This is more secure!
• Example: SYN floods
  ◆ TCP connection is set up by three way handshake
  ◆ Attack: do only the first of three, leaving lots of “open” connections
  ◆ Solution: firewall times out unfinished handshakes
• Example: distributed port scan
  ◆ Look for vulnerable network ports
  ◆ Firewall sees lots of activity to similar ports on different machines
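A minimal connection tracker for the first two SPI cases on this slide (replies to user ports only after an outgoing request, and timing out unfinished handshakes), as an added example that is not the lecture’s code; the timeout, the half-open table cap and the packet representation are assumptions of the example.

```python
# Added example (not from the lecture): a stateful inspector that tracks TCP
# handshakes crossing the firewall. Timeout, the cap on half-open entries and
# the packet shape (direction, addresses, ports, set of flag names) are
# assumptions made for this example.

class StatefulInspector:
    """Tracks TCP handshakes seen in both directions."""

    def __init__(self, handshake_timeout=3.0, max_half_open=100):
        self.handshake_timeout = handshake_timeout  # seconds an unfinished handshake may wait
        self.max_half_open = max_half_open          # cap on pending entries (assumption)
        self.pending = {}         # (client, cport, server, sport) -> time the SYN was seen
        self.established = set()  # same keys, once the final ACK has been seen

    def expire(self, now):
        """Time out unfinished handshakes; return how many were dropped."""
        stale = [k for k, t in self.pending.items() if now - t > self.handshake_timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def packet(self, now, direction, src, sport, dst, dport, flags):
        """Decide 'forward' or 'drop'. direction is 'in' (Internet -> our net)
        or 'out' (our net -> Internet)."""
        self.expire(now)
        flags = frozenset(flags)
        as_client = (src, sport, dst, dport)  # key if src opened the connection
        as_server = (dst, dport, src, sport)  # key if dst opened it
        if flags == {"SYN"}:
            if direction == "in" and dport > 1024:
                return "drop"   # inside user port with no prior outgoing request
            if len(self.pending) >= self.max_half_open:
                return "drop"   # half-open table full; entries free up via expire()
            self.pending[as_client] = now
            return "forward"
        if flags == {"SYN", "ACK"}:
            return "forward" if as_server in self.pending else "drop"
        if flags == {"ACK"} and as_client in self.pending:
            del self.pending[as_client]
            self.established.add(as_client)   # third step seen: handshake finished
            return "forward"
        if as_client in self.established or as_server in self.established:
            return "forward"
        if direction == "in" and dport > 1024:
            return "drop"       # reply to a user port that nobody inside requested
        return "forward"

def simulate_half_open_flood(inspector, n, start=0.0):
    """Constructed: n inbound SYNs to the web server that are never completed.
    Returns (forwarded, dropped)."""
    decisions = [inspector.packet(start + i * 0.01, "in", "203.0.113.%d" % (i % 250 + 1),
                                  40000 + i, "10.1.0.80", 80, {"SYN"}) for i in range(n)]
    return decisions.count("forward"), decisions.count("drop")
```

The cap bounds how many half-open entries the firewall itself holds on the server’s behalf, and `expire()` is the “times out unfinished handshakes” step, after which a late SYN/ACK for a forgotten SYN is no longer matched.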

Application-level gateway (proxy server)

• Only proxy server can talk to external network
• Run applications on proxy server that relay information between inside and outside
  ◆ Example: HTTP proxy
  ◆ Example: mail server
• Monitor proxy server for attacks
  ◆ Log all traffic in and out
  ◆ Attacks still possible, but only against a single machine
  ◆ Response: disable the single point of entry
• Makes security easier: single point to secure
• Drawbacks
  ◆ Slower: two back-to-back circuits
  ◆ Need a proxy for every protocol!

Circuit-level gateway (SOCKS)

• Proxy server requires one proxy per application
• Circuit gateway does its work at the TCP level
  ◆ Each outgoing connection is made to the SOCKS server
  ◆ SOCKS server establishes a separate TCP connection to the outside server
• Advantages
  ◆ Simpler than using a separate proxy for each service
  ◆ Other advantages of proxy server (monitoring, etc.)
• Drawbacks
  ◆ May require changes on client side
  ◆ Still somewhat slow: SOCKS server acts as relay

Bastion host

• Where are proxy servers or circuit gateways run?
• Separate servers?
  ◆ Need to secure each server against intrusion
  ◆ Need to monitor all servers…
• Single server?
  ◆ Put all of the outside services in one place
  ◆ Watch that computer very carefully!
• This single server is often called a bastion host
• Bastion host can have simpler, more secure code
  ◆ Proxies are often smaller than full servers
  ◆ Proxies need not perform disk access
  ◆ Proxies don’t permanently store any sensitive data
  ◆ Proxies can run as normal users (not root)

Using firewalls & bastion hosts: guidelines

• Important: a single line of defense is not enough!
  ◆ It’s difficult to get through a firewall, but not impossible
  ◆ Multiple lines of defense can slow down an attacker
    – Allow him to be detected
    – Allow the network to be cut off before there’s further damage
• Configure multiple lines of defense so that they’re more difficult than just one
• Protect more important resources with more defenses
• Use diverse types of firewalls and bastion hosts!
  ◆ Three firewalls of the same model may be no harder to compromise than one firewall
• Disallow logins, particularly from the outside world
  ◆ It’s more difficult to get access to a serial line than to a Web browser interface
  ◆ Single-purpose OS is more difficult to get into

Basic firewall & bastion host configuration

(Figure: Internet connected to a Firewall; behind it, in a single secure area, the Web server, the Bastion host and the Private network)

• Traffic controlled by firewall
• Drawbacks
  ◆ Firewall has to do a lot of work
  ◆ Bastion host can be bypassed
  ◆ Compromises hard to deal with: isolation is difficult

One firewall, two zones

(Figure: Internet connected to a Firewall; the Web server and Bastion host sit in a demilitarized zone, and the Private network sits in the secure area behind the bastion host)

• Traffic still controlled by firewall
• Traffic between private network and outside must go through bastion host
  ◆ Must compromise both firewall and bastion host to intrude
• Bastion host and Web server are in a demilitarized zone
• Critical resources kept in secure area

Two firewalls, three zones

(Figure: Internet, Firewall 1, a demilitarized zone holding the Web server and Bastion host, Firewall 2, and the Private network in the secure area)

• Similar to previous configuration
• Addition: firewall between bastion host and private network
  ◆ Allows for more filtering
  ◆ Must now break into two firewalls as well as bastion host
• Private network doesn’t know about Internet
• Internet doesn’t know about private network

Honeypots

• To keep the system safe, set up resources that an attacker can (relatively easily) get a hold of
• Make sure that these resources can’t lead to further breakins
• Example: fake user & shell
  ◆ Set up fake user names & passwords with rewritten shell
  ◆ Ensure that these user names are easier to break into
    – Simpler passwords
    – Remote shell
  ◆ Make fake data available to shell, perhaps using chroot()
  ◆ Install fake programs such as ls and telnet/ssh to track what the intruder is doing
    – Programs appear to work, but provide false data
• Keep the intruder on the system as long as possible to trace where he’s coming from!

More honeypots

• Rather than simply having fake accounts, have entire fake machines
  ◆ Systems are cheap!
  ◆ Intruders may not know that these systems aren’t useful
  ◆ Install lots of interesting (but fake) data on the computers
• This mechanism can work wonders if the false data is ever leaked…
  ◆ Excellent way to figure out who’s getting the data “stolen” from your computer system
  ◆ Makes intruders happy because they think they’ve won

Jails and sandboxes

• Honeypots are nice, but how can we ensure that no real damage is done?
• Have the OS (or virtual machine) restrict what a user can do
  ◆ Restrict calls that read or write the file system
    – Disable writes, or limit them to a particular area
    – Change the root directory
  ◆ Limit the ability to create new processes or allocate memory
  ◆ Limit the programs that are available
• Have the OS (or virtual machine) do more checks on activity inside the sandbox or jail
  ◆ May slow down users in the jail
  ◆ Not such a big deal because such users are typically outsiders
• Overhead of jails and sandboxes may be worth it for general use, particularly now that CPU time is becoming free

What if an intrusion is detected?

• Do nothing
  ◆ Not a good idea, particularly if data is at risk
• Log intruder’s actions to a “safe” computer
  ◆ Print out messages on the “console”
  ◆ Console is a serial line connected to another computer not attached to any network
    – Standalone computer records serial line inputs for later perusal (virtual printer)
    – May be possible to break in via serial line, but not easy
• Contact system administrator (email and/or page)
  ◆ System administrator can track down the attacker
  ◆ System administrator can monitor what attacker is doing
• Shut down system
  ◆ May shut down intruder’s processes instead, but this may not go far enough
• Do several of the above

Tell someone about the intrusion!

• Contact system administrator (email and/or page)
  ◆ System administrator can track down the attacker
  ◆ System administrator can monitor what attacker is doing
  ◆ System administrator can shut down the system…
• Shut down system
  ◆ May shut down intruder’s processes instead, but this may not go far enough
  ◆ Shut down has two main advantages
    – Intruder can’t do any further damage to this system
    – Intruder can’t use the system as a launching pad for further attacks
  ◆ Shut down disadvantage: your users are inconvenienced
    – May not be necessary for many attacks

Countermeasures

• The intruder’s gotten in; now what?
• Actively “observe” him
  ◆ Lay traps on the fly
  ◆ Correct all (or some) of the changes he makes
  ◆ Ensure that no critical resources are being affected
• Look to see what’s been changed
  ◆ Modification times of files
    – Can easily be spoofed!
    – Not necessarily helpful
  ◆ Secure hash of files
    – Harder to fake these, if the hash program is run from CD
    – “Expected” hash values ought to be on CD too…

Forensic analysis

• After an attack has happened, analyze what went on
  ◆ Figure out what’s been damaged
  ◆ Learn how the attack worked to prevent it (and similar attacks) from happening again
• Tell the world about it!
  ◆ Keeping it secret may save (your) face
  ◆ Keeping it secret will certainly harm others
    – Nobody else knows about how to defend against the intrusion
    – Others may have more information on how the intruder works

Recovering from an attack

• Restore files from a backup
  ◆ You do have a backup, don’t you?
  ◆ Ensure that the backup doesn’t have compromised files…
• Reinstall as much as you can
  ◆ Unlikely that the install CD has compromised files, but…
  ◆ It’s certainly possible—Micro$oft has shipped CDs with viruses on them!
• Use a file system that doesn’t overwrite in place
  ◆ Many file systems support “snapshots”
  ◆ Use the most recent snapshot that wasn’t damaged

Sample attack

• Lots of books discuss hackers and their exploits
  ◆ Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin
  ◆ Practical Unix & Internet Security, Garfinkel, Schwartz, and Spafford
  ◆ The Cuckoo’s Egg, Stoll
• Sample exploit from Repelling the Wily Hacker

An Evening with Berferd

• Excerpted from Repelling the Wily Hacker
• Attack occurred in 1991
• Intruder broke into a little-used system
• Attack didn’t cause much damage because
  ◆ System was largely unused
  ◆ Attack was caught in time
  ◆ Hacker wasn’t all that skilled

First step: get the password file

• Hacker connected to sendmail
  ◆ Asked it to send him the password file
  ◆ File sent to user on another computer he had hacked
    – Covers his tracks somewhat
  ◆ Goal: crack some passwords to log into the system
• Responses
  ◆ Sysadmin decided to send him the real password file
  ◆ Sysadmin logged the attack
• Password file quickly moved to France!
  ◆ Another sysadmin notified the original sysadmin

Second step: try to log in

• Checked to ensure that target user wasn’t logged in
• Attempted to use sendmail to add a new account with no password
  ◆ Sendmail is very insecure (getting better, but still…)
  ◆ Solution: sysadmin made the machine seem slow so he could keep up in real time
  ◆ Login succeeds because it was allowed to do so
• At this point, sysadmin monitoring attack in real time

Third step: do damage

• Get copies of configuration files to see what services are active
• Modify daemons (finger, inetd) to more hacker-friendly versions
• Fortunately, all of this took place in a jail that the sysadmin set up!
  ◆ Easier to clean up
  ◆ Hacker’s activities studied in detail
  ◆ Little damage to the real system, which wasn’t all that important anyway

Fourth step: catch the perpetrator

• This proved to be very difficult
  ◆ Attack could come from anywhere in the world
  ◆ Tracing an attack after the fact can be difficult, if not impossible
  ◆ Some information from timing of the attack
• Fortunately, call tracing went on during the attack
  ◆ Calls traced back to Netherlands eventually
  ◆ Dutch phone company refused to trace—not illegal to hack in the Netherlands!
• Prosecution was even more difficult
  ◆ Hacking not illegal in the Netherlands, so nearly impossible to extradite
  ◆ Article published in the New York Times
  ◆ Hackers exchanged email about the attack (collected by Dutch professor tracking hackers)
  ◆ No legal action ever taken…

Challenges in intrusion detection

• The first thing a smart intruder will do is tamper with the intrusion detection system!
  ◆ Cover his tracks
  ◆ Prevent a warning
• Few activities are either obviously normal or obviously malicious
  ◆ Intruders take steps to avoid being noticed
  ◆ Regular users may do intruder-like things
    – I’ve tried to use sudo on machines where I’m not authorized
• False positives dilemma
  ◆ Crying “wolf” too often makes the system useless

Immunology

• Study of biological viruses
• Applicable to computer science
  ◆ Computer viruses may act like biological ones
  ◆ Lessons from biology may be relevant
• How do biological viruses work?

Biological inspiration

• Biological systems are incredibly resilient
• Most humans survive ~80 years
• Before medical advances, most still would survive ~30 years
• Operate in a hostile, unpredictable environment
• No way to reboot, reinstall operating system, upgrade software, etc.
• Human genome:
  ◆ 3 Billion base pairs = 6 Gb = 750 MB
  ◆ (Human genome project says 3GB ??)

Immune systems

(Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr)

• Lymphocytes recognize pathogens by binding.
  ◆ Proteins have distinctive shapes.
• Binding is approximate
  ◆ Sometimes match wrong things
    – Reject organ transplants
    – Destroy own cells (I’m very familiar with this one)
  ◆ Tradeoff between overactivity and underactivity
    – Overactive: auto-immune disorders
    – Underactive: diseases not detected

Receptor diversity

• Need to recognize all foreign intruders, but DNA can’t know about all possible intruders
• Gene segments are randomly combined to form different receptors
  ◆ About 10^8 – 10^12 different receptors

Affinity maturation

• B-cells in bone marrow – most effective cells reproduce more quickly

(Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr)

Can computers do this?

• Programs identified by sequences of system calls
• Build a database of normal patterns (how?)
• Receptors recognize unusual patterns
• Enough unusual patterns is considered an intrusion
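The four bullets above, carried out as an added example (not the lecture’s code) in the style of the system-call sequence work the slide refers to: the “database of normal patterns” is the set of short call windows seen in known-good runs, and a trace is scored by how many of its windows no stored pattern matches. The traces, window length and threshold are constructed for the example.

```python
# Added example (not from the lecture): anomaly detection over sequences of
# system calls. Normal behavior is a set of length-k windows collected from
# known-good runs; a trace is flagged when enough of its windows are unknown.
# Traces, window length k and the threshold are constructed for this example.

def windows(trace, k):
    """All length-k sliding windows of a call sequence, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_normal_db(normal_traces, k=3):
    """The 'database of normal patterns': every window seen in known-good runs."""
    db = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db

def anomaly_score(db, trace, k=3):
    """Fraction of the trace's windows that no 'receptor' in db matches."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    misses = sum(1 for w in ws if w not in db)
    return misses / len(ws)

def is_intrusion(db, trace, k=3, threshold=0.2):
    """'Enough unusual patterns is considered an intrusion': score above threshold."""
    return anomaly_score(db, trace, k) > threshold

# Constructed traces of a program that opens a file, reads it, and exits.
NORMAL_RUNS = [
    ["open", "read", "read", "close", "exit"],
    ["open", "read", "close", "exit"],
    ["open", "read", "read", "read", "close", "exit"],
]
# A longer run of the same program: every window is already known.
LONGER_NORMAL = ["open", "read", "read", "read", "read", "close", "exit"]
# Constructed trace of the same program being made to start another process:
# none of its windows appear in the database.
SUSPICIOUS_RUN = ["open", "read", "mmap", "fork", "execve", "exit"]
# A benign but previously unseen pattern (a redundant close): this is the
# "normal anomaly" case, and with threshold=0.2 it is a false positive.
NEW_BUT_BENIGN = ["open", "read", "read", "close", "close", "exit"]
```

The `NEW_BUT_BENIGN` trace is the tradeoff from the immune-system slides in miniature: lowering the threshold catches more intrusions and also flags more harmless novelty.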

Fatal flaws?

• Might work okay if no one important is using it
• Will it work if an attacker knows about it and is deliberately constructing an attack to avoid detection?
  ◆ Do biological viruses evolve to mimic host proteins?
• Biological diversity: many organisms, so viruses must specialize
• Computers don’t have such diversity
  ◆ Majority of computers run Windoze
  ◆ Majority of computers have x86 processors
  ◆ Result: viruses specific to x86/Windoze are rampant
  ◆ Viruses specific to MS Office/Outlook also common