The DNS system is organized in a structure.

Size: px

Start display at page:

Download "The DNS system is organized in a structure."

Jasper Randall
5 years ago
Views:

1 Agenda DNS security review Virtualization fundamentals What defenders can do with virtualization (Livewire) What attackers can do with virtualization (Subvirt) Summary 1/37

2 The DNS system is organized in a structure. A. bitmap B. tree C. matrix D. array E. doubly linked list F. queue 2/37

3 The FactCheck.org and FactCheck.com Story In the 2004 presidential debate between John Edward and the vice president Dick Cheney, Cheney said the following: Well, the reason they keep mentioning Halliburton is because they re trying to throw up a smokescreen. They know the charges are false. They know that if you go, for example, to FactCheck.com, an independent Web site sponsored by the University of Pennsylvania, you can get the specific details with respect to Halliburton. ( in the 41st min.) Unfortunately, Cheney got the FactCheck.org domain name wrong-calling it "FactCheck.com". The debate was broadcasted live on TV. Within a few minutes, a lot of people attemped to access FactCheck.com, however, what they saw was a website owned by George Soros, where the top item was an article by Soros entitled "Why We Must Not Re-Elect President Bush". 3/37

4 In this story, which of the following statements is true? A. The mapping between FactCheck.com and its IP address was stored in those DNS root servers. B. The mapping between FactCheck.com and its IP address was stored in every user s computer. C. In the DNS system, FactCheck.com and FactCheck.org were mapped to the same IP address. D. In the above incident, the traffic to FactCheck.org was redirected to a website owned by Soros. E. In the above incident, the traffic to FactCheck.com was redirected to a website owned by Soros. 4/37

5 The attack of making a DNS server cache false information is called? A. DNS spoofing B. DNS cache poisoning C. DNS ID hacking D. DNS pharming E. DNS amplification 5/37

6 Which of the following is NOT a key factor that makes DNS amplification attack possible? A. Forgeability of source addresses of DNS messages. B. Availability of open DNS resolvers. C. Various DNS software do not conform to the DNS protocol. D. Asymmetry of DNS requests and responses. 6/37

7 Basic Terminology - Virtualization image source: unknown 7/37

8 Why do we need virtualization? 8/37

9 Why do we need virtualization? Reduced capital and operating cost Minimized downtime Better disater recovery No vendor lock-in Better testing Easy backup 8/37

10 Basic Terminology - Virtual Machine Monitor a.k.a. Hypervisor OS running inside the virtual machine is now called Guest OS Properties: Isolation Inspection Interposition 9/37

11 Basic Terminology Host OS: The original OS installed on a computer. Guest OS: The opearting system that you install and run in a virtual machine. 10/37

12 Intrusion Detection System (IDS) Goal: Detect/report whether a host has been compromised. Approach: monitoring the host s observable properties, e.g., internal state, events, and I/O activities. 11/37

13 Existing Intrusion Detection Systems Host-based intrusion detection system (HIDS) Network-based intrusion detection system (NIDS) 12/37

14 Pros/Cons in existing IDS HIDS: High visibility, low attack resistance NIDS: Poor visibility, high attack resistance What if we want achieve both? - high visibility and high attack resistance 13/37

15 Virtual Machine Introspection Definition: inspecting a virtual machine from the outside for the purpose of analyzing the software running inside it. 14/37

16 Threat Model Guest OS may be compromised. Code running inside Guest OS may be totally malicious. Inferring Guest OS state based on a priori knowledge of its data structures. 15/37

17 VMI IDS Architecture (Livewire) Proposed, VMI designed, IDS implemented Architecture by researchers(livewire) from Stanford University. 16/37

18 VMI IDS Architecture (Livewire) OS interface library: Interpret hardware state into OS-level events. Policy Engine: Policy framework: define security policies. Policy modules: implement security policies. Commands: Inspection: examine VM state. Monitor: request notification when certain events occur. Administrative: control VM execution. 17/37

19 Livewire Implementation OS interface library: crash dump tool. Policy Engine: Python. VMM: VMware Workstation for Linux. Hooks are added to VMware to allow inspection of memory, registers, and device state. They also added hooks to allow interposition on certain events, such as interrupts and updates to device and memory state. 18/37

20 Policy Modules - Polling User program integrity detector - Periodically hashes unchanging sections of running programs, compares to those of known good originals. Signature detector - Periodically scans guest memory for substrings belonging to known malware. Finds malware in unexpected places, like filesystem cache. Lie detector - Detects inconsistencies between hardware state and what is reported by user-level programs (ls, netstat,... ). Raw socket detector. 19/37

21 Policy Modules - Event Driven Run in response to a change in hardware state. Memory access enforcer - Prevents sensitive portions of the kernel from being modified. NIC access enforcer - Prevents the guest s network interface card (NIC) from entering promiscuous mode or having a non-authorized MAC address. 20/37

22 Evaluation Effectiveness Name Description nic raw sig int lie mem cdoor Stealth user level remote backdoor D t0rn Precompiled user level rootkit D D Ramen Linux Worm D lrk5 Source based user level rootkit P D D D knark-0.59 LKM based kernel backdoor/rootkit D D P adore-0.42 LKM based kernel backdoor/rootkit D D P dsniff 2.4 All-purpose packet sniffer for switched networks P SUCKIT /dev/kmem patching based kernel backdoor D D P Table 1. Results of Livewire policy modules against common attacks. Within the grid, P designates a prevented attack and D a detected attack /37

23 adore-0.42 dsniff 2.4 Evaluation Performance SUCKIT Overhead LKM based kernel backdoor/roo All-purpose packet sniffer for switched /dev/kmem patching based kernel ba Table 1. Results of Livewire policy modules against com attack and D a detected attack Time (seconds) 18 raw int lie sig baseline Polling Interval (seconds) Figure 2. Performance of Polling Policy Modules prevent the packet sniffers in our test attack suite from operating, based on their reliance on running the NIC in promiscuous mode. 22/37

24 Why can VMI achieve its goal? Because of these Hypervisor properties: Isolation: High Attack Resistance. Inspection: High Visibility. Interposition: IDS can be notified when certain events occur. 23/37

25 Weakness Detect VMM. Attack VMM: a VMM is a simple-enough mechanism that we can reasonably hope to implement it correctly. Fool the IDS. Compromise the OS Library/Policy Engine. 24/37

26 Attacker s Goals Compromise a computer system Remain invisible to defenders 25/37

27 A New Solution for Attackers Virtual Machine Based Rootkit (VMBR), proposed, designed, implemented by researchers from University of Michigan and Microsoft Research. Install a virtual-machine monitor (VMM) underneath an existing operating system and use that VMM to host arbitrary malicious software. 26/37

28 VMM installed below the OS layer Virtual Machine Based Rootkit Malicious OS installed on top of the VMM VMM installed below the OS layer. Malicious OS installed on top of the VMM. 27/37

29 Advantages of VMBR Stealthy malicious states/events invisible to the target OS. More Control. 28/37

30 Installing VMBR Gain root privilege. Load the VMBR on disk. Modify boot sequence - Ensure VMBR loads before the target OS. 29/37

31 Malicious Services Three categories: Need not interact with the target system at all. Observe information about the target system. Intentionally perturb the execution of the target system. 30/37

32 Need not interact with the target system at all Spam relays. Distributed denial-of-service zombies. Phishing web servers. 31/37

33 Observe information about the target system Network packets recorder. Keyloggers: attackers use keystroke loggers to obtain sensitive information, like passwords. 32/37

34 Intentionally perturb the execution of the target system Prevent detection: Redpill: detects the presence of a VMM by using the sidt instruction. Countermeasure to redpill: emulate the sidt instructions when redpill is loaded. 33/37

35 Disadvantage More difficult to install than traditional malware Requires a reboot Impacts performance 34/37

36 Defending against VMBR Software below VMBR Boot from a secure medium: CD-ROM, USB Drive Run a secure VMM Software above VMBR CPU overhead Memory overhead Imperfect virtualization - e.g., sidt instruction. 35/37

37 Summary VMI VMI based IDS: high visibility and high attack resistance. Able to detect real attacks with acceptable performance overhead. VMBR has more control than current malware. Three categories of malicious services can be implemented. 36/37

38 References A large portion of the material is adapted from: A Virtual Machine Introspection Based Architecture for Intrusion Detection - Tal Garfinkel, Mendel Rosenblum. SubVirt: Implementing malware with virtual machines - Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch. 37/37

Agenda. Review: DNS Security Intrusion Detection and Prevention Systems 1/21

Agenda. Review: DNS Security Intrusion Detection and Prevention Systems 1/21 Agenda Review: DNS Security Intrusion Detection and Prevention Systems 1/21 The DNS system is organized in a structure. A. bitmap B. tree C. matrix D. array E. doubly linked list F. queue 2/21 The FactCheck.org