Environment-Sensitive Intrusion Detection

Size: px

Start display at page:

Download "Environment-Sensitive Intrusion Detection"

Augustus Berry
6 years ago
Views:

1 Environment-Sensitive Intrusion Detection Jonathon T. Giffin Somesh Jha Barton P. Miller University of Wisconsin David Dagon Wenke Lee Georgia Institute of Technology RAID 2005

Worldview Process system calls Operating System Trusted computing base Running processes make operating system requests Changes to trusted

2 Worldview Process system calls Operating System Trusted computing base Running processes make operating system requests Changes to trusted computing base done via these requests Attacker subverts process to generate malicious requests 8 September 2005 Environment-Sensitive Intrusion Detection 2

3 Model-Based Anomaly Detection User Process Detect deviations from normal execution behavior Operating System [Ko et al. 1994] [Forrest et al. 1996] [Lee et al. 1997] [Ghosh et al. 1999] [Sekar et al. 2001] [Wagner & Dean 2001] [Kruegel et al. 2003] [Giffin et al. 2004] [Feng et al. 2004] [Lam & Chiueh 2004] [Gao et al. 2004] [Gopalakrishna et al. 2005] [Abadi et al. 2005] 8 September 2005 Environment-Sensitive Intrusion Detection 3

4 Models from Static Binary Analysis Actual Program Execution Allowed Execution Statically-Constructed Model Model overapproximates correct execution Close gap between model & correct execution System call argument recovery Context-sensitive models restrict system call sequences 8 September 2005 Environment-Sensitive Intrusion Detection 4

5 Drive Through the Holes Overwrite program data to alter execution [Chen, Xu, & Sezer 2005] mailx memory contents: Environment Variables Command-Line Arguments 8 September 2005 Environment-Sensitive Intrusion Detection 5

6 Drive Through the Holes Evasion attack Mailx executed in receive mail mode mailx memory contents: Environment Variables Check for Check for new mail new mail 8 September 2005 Environment-Sensitive Intrusion Detection 6

7 Drive Through the Holes Evasion attack Mailx executed in receive mail mode Attacker exploits vulnerability to alter command-line args Reenters execution at argument processing routine mailx memory contents: Environment Variables Send /private/data Check for to new attacker mail Undetected by current models 8 September 2005 Environment-Sensitive Intrusion Detection 7

8 New Contributions Static analysis infrastructure: Model construction for dynamically-linked binaries Model accuracy: Context-sensitive data-flow analysis for system call argument recovery Environment-sensitive program models Model evaluation: Average reachability measure 8 September 2005 Environment-Sensitive Intrusion Detection 8

9 Example void parse_args (int argc, char *argv[]) { char *workfile = tempnam(getenv( TMP ), Mx ); int execmode = 1; char c; unlink( /home/user/tmpfile ); while ((c = getopt(argc, argv, L: ))!= -1) switch (c) { case L : execmode = 0; unlink(workfile); link(optarg, workfile); break; } } if (execmode) exec( /sbin/mail ); 8 September 2005 Environment-Sensitive Intrusion Detection 9

10 Prior Model Construction Unable to construct model for dynamically-linked program 8 September 2005 Environment-Sensitive Intrusion Detection 10

11 Prior Model Construction unlink unlink exec( /sbin/mail ) link Attack: unlink( /home/user/tmpfile ) unlink( /sbin/mail ) link( /bin/sh, /sbin/mail ) exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 11

12 Prior Model Construction unlink unlink exec( /sbin/mail ) link Limited recovered arguments No correlated branching 8 September 2005 Environment-Sensitive Intrusion Detection 12

13 Context-Insensitive Argument Recovery callsite 1 unlink( /home/user/tmpfile ) argument 1 is /home/user/tmpfile callsite 2 unlink(workfile) argument 1 is unknown libc:unlink entry argument 1 is unknown unlink kernel trap 8 September 2005 Environment-Sensitive Intrusion Detection 13

14 Context-Insensitive Argument Recovery /home/user/tmpfile, /tmp/mx { /home/user/tmpfile } { /tmp/mx } Anything = 8 September 2005 Environment-Sensitive Intrusion Detection 14

15 Context-Sensitive Argument Recovery Augment lattice values with calling context maintains context Value X in context 1 in context 2 = Value X in context 1 8 September 2005 Environment-Sensitive Intrusion Detection 15

16 Context-Sensitive Argument Recovery unlink( /home/user/tmpfile ) argument 1 is /home/user/tmpfile via callsite 1 callsite 1 callsite 2 unlink(workfile) argument 1 is unknown via callsite 2 libc:unlink entry unlink kernel trap argument 1 is /home/user/tmpfile via callsite 1 8 September 2005 Environment-Sensitive Intrusion Detection 16

17 Context-Sensitive Argument Recovery unlink( /home/user/tmpfile ) unlink(?) exec( /sbin/mail ) link(?,?) Attack: unlink( /home/user/tmpfile ) unlink( /sbin/mail ) link( /bin/sh, /sbin/mail ) exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 17

18 Environment Sensitivity Three sources of data used in a program Statically encoded in binary Runtime input from user, network, disk, Load-time input from command-line, environment variables, & configuration files Static analyzer constructs model template Execution monitor instantiates model at program load time 8 September 2005 Environment-Sensitive Intrusion Detection 18

19 Model Template Encode environment dependencies into model Data-flow dependencies unlink( [TMP]/Mx.* ) link( [L], [TMP]/Mx.* ) Control-flow dependencies L absent: L present: L L ε ε 8 September 2005 Environment-Sensitive Intrusion Detection 19

20 Model Template unlink( /home/user/tmpfile ) L L unlink( [TMP]/Mx.* ) exec( /sbin/mail ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 20

21 Model Instantiation Environment: unlink( /home/user/tmpfile )./a.out L L unlink( [TMP]/Mx.* ) exec( /sbin/mail ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 21

22 Model Instantiation Environment: unlink( /home/user/tmpfile )./a.out L exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 22

23 Model Instantiation Environment: unlink( /home/user/tmpfile )./a.out ε exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 23

24 Model Instantiation Environment: unlink( /home/user/tmpfile )./a.out ε exec( /sbin/mail ) unlink( /home/user/tmpfile ) unlink( /sbin/mail ) link( /bin/sh, /sbin/mail ) exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 24

25 Model Instantiation Environment: unlink( /home/user/tmpfile )./a.out ε exec( /sbin/mail ) unlink( /home/user/tmpfile ) unlink( /sbin/mail ) link( /bin/sh, /sbin/mail ) exec( /sbin/mail ) 8 September 2005 Environment-Sensitive Intrusion Detection 25

26 Model Template unlink( /home/user/tmpfile ) L L unlink( [TMP]/Mx.* ) exec( /sbin/mail ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 26

27 Model Instantiation unlink( /home/user/tmpfile ) Environment: TMP=/tmp./a.out L /home/user/log L L unlink( [TMP]/Mx.* ) exec( /sbin/mail ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 27

28 Model Instantiation unlink( /home/user/tmpfile ) Environment: TMP=/tmp./a.out L /home/user/log L unlink( [TMP]/Mx.* ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 28

29 Model Instantiation unlink( /home/user/tmpfile ) Environment: TMP=/tmp./a.out L /home/user/log ε unlink( [TMP]/Mx.* ) link( [L], [TMP]/Mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 29

30 Model Instantiation unlink( /home/user/tmpfile ) Environment: TMP=/tmp./a.out L /home/user/log ε unlink( /tmp/mx.* ) link( [L], /tmp/mx.* ) 8 September 2005 Environment-Sensitive Intrusion Detection 30

31 Model Instantiation unlink( /home/user/tmpfile ) Environment: TMP=/tmp./a.out L /home/user/log ε unlink( /tmp/mx.* ) link( /home/user/log, /tmp/mx.* ) Relinking attack again not possible 8 September 2005 Environment-Sensitive Intrusion Detection 31

32 Program models that Result Encode data flows among shared objects Enforce arguments in specific calling contexts Adapt to execution environment 8 September 2005 Environment-Sensitive Intrusion Detection 32

33 Test Programs Program procmail mailx gzip cat Instruction Count 374, , , ,844 Environment Dependencies Program branching System call arguments open Program branching System call arguments open, creat, unlink System call arguments unlink, chown, chmod System call arguments open 8 September 2005 Environment-Sensitive Intrusion Detection 33

34 Average Reachability Measure Average opportunity for attacker to insert malicious system call, with CFL-reachability unlink getpid link Known argument constraints convert malicious calls to safe calls 8 September 2005 Environment-Sensitive Intrusion Detection 34

35 Average Reachability Measure Average opportunity for attacker to insert malicious system call, with CFL-reachability unlink( /home/user/tmpfile ) getpid link Known argument constraints convert malicious calls to safe calls 8 September 2005 Environment-Sensitive Intrusion Detection 35

36 Average Reachability Measure Model Precision Lower bars indicate improved precision Dyck Model Prior Data-Flow Analysis New Data-Flow Analysis Environment-Sensitive 0 procmail mailx (send) mailx (recv) gzip cat 8 September 2005 Environment-Sensitive Intrusion Detection 36

37 Summary Need to close the gap between behavior allowed by models & actual possible execution. Context-sensitive argument recovery improves constraints on attacks via better program analysis. Environment-sensitive program models restrict evasion attacks by customizing model to execution environment. 8 September 2005 Environment-Sensitive Intrusion Detection 37

38 Questions? or send us Jonathon T. Giffin David Dagon Somesh Jha Wenke Lee Barton P. Miller 8 September 2005 Environment-Sensitive Intrusion Detection 38

Detecting Manipulated Remote Call Streams

Detecting Manipulated Remote Call Streams Jonathon Giffin, Somesh Jha, Barton Miller Computer Sciences Department University of Wisconsin giffin@cs.wisc.edu Intrusion Detection and Specification-Based