WireX Immunix Server Software

Autonomix: Component, Network, and System Autonomy

Crispin Cowan, Ph.D., WireX Communications, Inc. (wirex.com)
David Maier & Lois Delcambre, Oregon Graduate Institute of Science & Technology
Component, Network, and System Autonomy

Component Autonomy (WireX)
• Tight loop
• Complete loop: Detection -> Decision -> Response
• Spins off intrusion events

Network and System Autonomy (OGI)
• Network: infrastructure tool
  - IDS event and response protocol translator
• System: Orchestrator
  - Adaptation Space

11.7.00
Component Autonomy: Technical Objectives
• Family of tools to guard components against common software vulnerabilities
  - StackGuard: protection from “stack smashing” buffer overflows
  - SubDomain: lightweight mandatory access controls
  - PointGuard: generalized StackGuard
  - FormatGuard: protection from printf format bugs
  - RaceGuard: protection from temp file races
• Objective: eliminate 90-99% of software vulnerabilities
Existing Practice: How is it done now?
• Patches
  - Urgent patches
  - Lots of them
• Mandatory access control
  - Argus Pitbull, Type Enforcement, DTE, etc.
  - Contains damage when software is cracked
  - Substantial costs in administration and performance
• A few systematic tools:
  - OpenWall, chroot
Technical Approach: Abstract Approach
  - Local intrusion response
  - Catch intrusion in process
  - Halt exploited component

The Canary Technique
• Detect attacks in progress:
  - Place a sacrificial canary where an attack will show tampering
  - Monitor canary
• If canary destroyed, then attack is happening
Buffer Overflows: The Basic Problem
• Weak bounds checking in programs
• Attackers provide more input than program can accommodate
• Take control of program
• Exploit program’s privilege
• This is the leading software security vulnerability
  - Majority of CERT advisories for the last several years
Buffer Overflow Attacks
[Diagram: attacker’s network input fills the server program’s User-ID buffer (“fredjklsjoiw”) and spills into adjacent state; attacker in control]
• Program normally expects a short string
  - E.g. for user-ID “fred”
• Attacker provides a big string
  - Overflows buffer
  - E.g. “fredjklsjoiwi”
• Corrupts adjacent program state
• Attacker takes control
StackGuard Defense
[Diagram: attacker’s network input overflows the User-ID buffer (“fredjklsjoiw”); the canary between the buffer and adjacent state is obliterated; Alert!]
• Protect objects with canary integrity checks
• If canary is obliterated by attacker’s big string ...
• Intruder Alert!
  - Raise alarms
  - Shut down process
  - Do not give control to attacker
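To make the canary check concrete, here is an added C model (not StackGuard’s code, which instruments function prologues and epilogues in the compiler): a struct stands in for the stack frame, with the canary placed between the input buffer and a stand-in for the saved return address. The frame layout, the canary constant and the two inputs are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame layout StackGuard assumes: the canary sits
 * between the local buffer and the state it guards. A struct keeps the
 * overflow inside one object so the demonstration itself is well-defined. */
struct frame {
    char user_id[8];        /* local buffer the program fills from network input */
    uint32_t canary;        /* sacrificial word: any overflow must cross it first */
    void (*ret)(void);      /* stand-in for the saved return address */
};

#define CANARY 0xCAFEF00Du  /* fixed for reproducibility; a real guard uses an unpredictable value */

static int continued = 0;                 /* set when control flows normally */
static void normal_return(void) { continued = 1; }

/* The vulnerable read: weak bounds checking copies whatever the input holds.
 * Capped at the frame size only so the model stays within defined behaviour. */
static void read_user_id(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, input, n);
}

/* Detection -> decision -> response: check the canary before trusting ret.
 * Returns 0 when the canary is intact (normal flow) and 1 when it was
 * destroyed (alarm raised; the real response halts the process instead of
 * returning, and the attacker-controlled ret is never used). */
static int process_user_id(const char *input) {
    struct frame f = { {0}, CANARY, normal_return };
    read_user_id(&f, input);
    if (f.canary != CANARY) {
        fprintf(stderr, "StackGuard: canary tampered by %zu-byte input, aborting\n", strlen(input));
        return 1;
    }
    f.ret();
    return 0;
}

int main(void) {
    process_user_id("fred");            /* short string: canary survives */
    process_user_id("fredjklsjoiwi");   /* big string: canary obliterated */
    return 0;
}
```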
StackGuard Demo
• Many of you have seen this before …
• Fairly current vulnerability: qpopper
  - POP3 mail server
  - Remote buffer overflow vulnerability can get a root shell
• Attack produces:
  - Syslog event
  - qpopper aborts

Demo
Generalized StackGuard: PointGuard

StackGuard: protects the return address in function call activation records
  - Good against majority of buffer overflows
  - Decreasing fraction of attacks

PointGuard: generalizes to protect all pointers in the program
  - Integrity check all pointers before dereferencing
  - Should be good against most forms of buffer overflow
Format Bugs: The Basic Problem
• Discovered suddenly in June 2000
  - Remote root vulnerability in WU-FTPD
  - Followed by dozens of similar vulnerabilities
• Basis: arcane %n printf format string directive
  - Tells printf to treat the corresponding argument as an int * and write back the number of items formatted so far
• Problem: programs that pass un-filtered user input strings directly to printf
Format Bug Attacks
[Diagram: network input “fred %n” reaches the server program’s User-ID; printf interprets %n and writes into the stack (Call 0x1234)]
• Program normally expects a plain text string
  - E.g. for user-ID “fred”
• Attacker provides a format string
  - E.g. “fred %n”
• Program printf’s it
  - Interpreting %n writes to some other part of the program
• Taking control of the program
FormatGuard
• First general solution to format bugs
  - October 2000
• Wraps *printf style functions for safety (including syslog)
  - Count the number of arguments
  - Count the number of % directives
  - If mis-match, then reject the call
• But counting arguments is hard
  - C’s varargs mechanism does not permit counting
FormatGuard: How to Count Arguments
• We use GCC/CPP macros:
  - GCC/CPP lets you condense & expand variable argument lists, Lisp-style
  - Built an argument_count macro
  - Defined printf(args) -> safe_printf(arg_count(args), args)
  - safe_printf counts the number of % directives in the format string
  - Rejects mis-matched calls

11.7.00
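An added C sketch of the wrapper the slide describes (not FormatGuard’s code, which used GCC’s macro machinery of the time; this one uses the C99 `__VA_ARGS__` counting trick): `fg_printf` counts the arguments at the call site, `count_directives` counts what the format string will consume, and a mismatch rejects the call before printf sees it. The macro names and the 8-argument limit are assumptions of this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>

/* Count the arguments after the format string at preprocessing time by
 * shifting a descending sequence; supports up to 8 arguments. Constructed
 * example using the C99 __VA_ARGS__ trick, not FormatGuard's macros. */
#define FG_NARGS(...) FG_NARGS_(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0, end)
#define FG_NARGS_(f, _1, _2, _3, _4, _5, _6, _7, _8, N, ...) N

/* Number of arguments a format string will consume: "%%" takes none, every
 * other directive takes one, and each '*' width or precision takes one more.
 * Returns -1 for a dangling '%'. */
static int count_directives(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                  /* literal percent sign */
        while (*p && !isalpha((unsigned char)*p)) { /* flags, width, precision */
            if (*p == '*') n++;
            p++;
        }
        if (!*p) return -1;
        n++;                                        /* the conversion itself */
    }
    return n;
}

/* The safe_printf of the slide: reject the call when the two counts disagree,
 * otherwise hand the verified call to vprintf. Returns -1 on rejection. */
static int fg_printf_impl(int nargs, const char *fmt, ...) {
    int want = count_directives(fmt);
    if (want != nargs) {
        fprintf(stderr, "FormatGuard: %d args but format needs %d, call rejected\n", nargs, want);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vprintf(fmt, ap);
    va_end(ap);
    return r;
}
/* Call-site wrapper: the slide's printf(args) -> safe_printf(arg_count(args), args). */
#define fg_printf(...) fg_printf_impl(FG_NARGS(__VA_ARGS__), __VA_ARGS__)

int main(void) {
    fg_printf("User-ID: %s\n", "fred");   /* 1 arg, 1 directive: passes */
    fg_printf("fred %n");                  /* user string used as format: rejected */
    return 0;
}
```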
FormatGuard Demo
• RPC.statd: remote format vulnerability
  - Can easily get a root shell
  - Many systems run RPC.statd; part of NFS
  - Exploit part of the new “Ramen” Linux Worm
• Attack a FormatGuard-protected RPC.statd
  - Syslog the event
  - Kill the process
FormatGuard Performance
• Microbenchmark:
  - 37% overhead on calls to printf
• Macrobenchmark:
  - Hard to find a printf-bound program :-)
  - Man2HTML uses a lot of printf’s
  - Batch 79 man pages through
  - 1.3% overhead
• Paper submitted for review
Temporary File Race Conditions
• Scenario: root process wants to create a unique /tmp file
  Step 1: choose a name
  Step 2: check to see if it exists
  Step 3: if not exists, create
• Here’s the Problem:
  - Attacker interrupts between steps 2 and 3
  - Creates a link from the expected /tmp file name to a major file, e.g. /etc/passwd
  - When the root process does the create, it stomps /etc/passwd with
RaceGuard
• Kernel enhancement to detect race attacks mid-way through
  - Cache names presented to stat()
  - If open(O_CREAT) hits an existing file, and the path is in the RaceGuard cache, then a race attack is in progress
• Response choices:
  - Deny the open: return EPERM
  - Kill the process

Demo
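An added user-space model of the RaceGuard rule from the two slides above (constructed example, not the kernel patch): one small array stands in for the filesystem, another for the per-process cache of names presented to stat(), and the root process’s three steps are run once undisturbed and once with the attacker’s link inserted between steps 2 and 3. The function names and array sizes are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXN 8
static const char *fs[MAXN];    static int nfs;     /* toy filesystem: paths that exist */
static const char *cache[MAXN]; static int ncache;  /* RaceGuard: names this process stat()ed */

static int in_set(const char **set, int n, const char *path) {
    for (int i = 0; i < n; i++)
        if (strcmp(set[i], path) == 0) return 1;
    return 0;
}

/* Step 2 as the kernel sees it: answer the stat() and remember the name. */
static int rg_stat(const char *path) {
    if (ncache < MAXN) cache[ncache++] = path;
    return in_set(fs, nfs, path) ? 0 : -ENOENT;
}

/* Step 3: open(O_CREAT). Creating a fresh file is fine, and so is opening an
 * existing one the process never probed; but an existing file whose name is
 * in the cache means something appeared inside the check-then-create window. */
static int rg_open_creat(const char *path) {
    if (in_set(fs, nfs, path)) {
        if (in_set(cache, ncache, path)) {
            fprintf(stderr, "RaceGuard: %s appeared after stat(), open denied\n", path);
            return -EPERM;          /* the slide's first response choice */
        }
        return 0;                   /* plain open of a pre-existing file */
    }
    if (nfs < MAXN) fs[nfs++] = path;
    return 0;                       /* created */
}

/* Attacker's move between steps 2 and 3: make the expected name exist
 * (in the real attack, a link to a major file such as /etc/passwd). */
static void attacker_links(const char *path) { if (nfs < MAXN) fs[nfs++] = path; }

static void reset(void) { nfs = 0; ncache = 0; }

/* The root process's steps 1-3 for a chosen name; `raced` interleaves the attacker. */
static int create_temp(const char *name, int raced) {
    if (rg_stat(name) == 0) return -EEXIST;      /* step 2: taken, caller picks another name */
    if (raced) attacker_links(name);
    return rg_open_creat(name);                  /* step 3 */
}

int main(void) {
    reset(); printf("benign: %d\n", create_temp("/tmp/foo", 0));   /* 0: created */
    reset(); printf("raced:  %d\n", create_temp("/tmp/foo", 1));   /* -EPERM: denied */
    return 0;
}
```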
RaceGuard Performance
• Microbenchmarks:
  - 104% overhead on stat(): 4.3 µs -> 8.8 µs
  - 13% overhead on fork(): 161 µs -> 183 µs
• Macrobenchmark: Khernelstone
  - Build Linux kernel from source
  - Lots of temp files, lots of forks
  - 0.4% overhead
• Paper submitted for review
Major Achievement: Low-Effort Protection
• These tools are highly transparent:
  - Performance overhead: under 2% across the board, usually lower
  - Compatibility issues: minimal
    - Under 5% of all Linux programs need trivial source patches to compile with StackGuard and FormatGuard
    - RaceGuard works on binary code, currently breaks nothing
  - Administrative overhead: nil
Major Achievement: Relative Invulnerability
• Proposed metric:
  - Compare a “base” system against a system protected with Immunix tools
  - Count the number of known vulnerabilities stopped by the technology
  - “Relative Invulnerability”: % of vulnerabilities stopped
Immunix Relative Invulnerability
• Immunix System 7:
  - Based on Red Hat 7.0
  - Compare Immunix vulnerability to Red Hat’s Errata page (plus a few they don’t talk about :-)
• October 1, 2000 - Feb. 7, 2000
  - 44 vulnerabilities total
  - 11 remote, 33 local
  - 40 penetration, 4 DoS
  - 8 remote penetration
Immunix Relative Invulnerability

                                  All            Penetration    Remote Penetration
StackGuard                        3/44 (6.8%)    3/40 (7.5%)    3/8 (37%)
FormatGuard                       5/44 (11%)     5/40 (12%)     2/8 (25%)
RaceGuard                         18/44 (41%)    18/40 (45%)    0/8 (0%)
*Guard Combination                26/44 (59%)    26/40 (65%)    5/8 (62%)
Server Appliance Configuration    22/34 (65%)    22/30 (73%)    3/4 (75%)
Server Appliance + SubDomain      25/34 (73%)    25/30 (83%)    4/4 (100%)

PointGuard will bring these to 6/8 (75%) & 4/4 (100%)
Task schedule
• StackGuard: delivered
• PointGuard: long-term development
• FormatGuard: prototype delivered, final copy soon (weeks)
• Integrated Drop: prototype delivered, final copy soon (weeks)
• RaceGuard: lab prototype works, under development, should be ready for June drop
Transition of Technology
• Open source: StackGuard, FormatGuard, and RaceGuard are all GPL’d
• Commercial: all being incorporated into WireX Server Appliance products
  - Server appliance: a server for dummies
  - Thus the need for dummy-proof security
Jay’s Questions
• What threats/attacks is your project considering?
  - Common software pathologies that create vulnerabilities
• What assumptions does your project make?
  - That most vulnerabilities fit into a few classes
  - That we can get the source for most/all applications on a platform (true for Linux)
• What policies can your project enforce?
  - We provide software integrity, allowing policy enforcement to be meaningful
Network and System Autonomy (OGI)

Network
• Abstract utility for translating data representations
• Application: translate incompatible IDS events and responses

System
• Adaptation Space: formal model for reasoning about alternative implementations
• Candidate Orchestrator
Network Autonomy: Technical Objective
• What we are trying to accomplish:
  - Support a single autonomic response environment that easily accommodates sensors, detectors, and responders that communicate using a variety of languages/protocols.
  - Participate in the SARA experiment under SWWIM
Autonomix Navigator Architecture
[Diagram, reconstructed from its labels with the arrows inferred: StackGuard raises an alert into Syslog; Swatch monitors Syslog and notifies the Event Monitor (via IDMEF XML); the Event Monitor passes conditions to the Navigator, which consults the Adaptation Space (XML) and hands choices to the Scenario Manager; the Scenario Manager reconfigures the Firewall through an SNMP Manager talking to an SNMP Agent whose interface is the IPChain Configurer]
Three out of Four Questions
• What threats/attacks is your project considering?
  - Those that can be detected (relying on someone else’s IDS)
  - Those that have a meaningful response
• What assumptions does your project make?
  - That there is a heterogeneous fabric of intrusion detection and response components
  - That intrusion response can be effective
• What policies can your project enforce?
  - Can map from any combination of intrusion events to any available alternative configuration
Summary
• Component Autonomy:
  - Largely working software
  - Running on this laptop: StackGuard, FormatGuard, and RaceGuard
  - Available piecewise, or integrated into Immunix, at http://immunix.org
• Network & System Autonomy:
  - Largely a work in progress
  - Aimed at SARA
Future Work
• PointGuard: continue development
• FormatGuard: enhance to catch more kinds of attacks
• RaceGuard: finish testing, release by summer
• IPGuard: new tool to defend against network DoS attacks
• Network/System Autonomy: participate in SARA experiments
Plug: NSPW
• New Security Paradigms Workshop
• Actively interested in radical new ideas, e.g. organic assurance
• Papers due March 30, 2001
• Info: http://nspw.org