1 Information Assurance and Computer Security Shambhu Upadhyaya (CSE) UB Colloquium November 16, 2006


Page 1

Information Assurance and Computer Security

Shambhu Upadhyaya (CSE)

UB Colloquium November 16, 2006

Page 2

Focus of CEISARE

• Funded Research

– Upadhyaya and Rao (over a million dollars)

– Topical: Intrusion detection, alert correlation, insider threat mitigation, trust in MANETs, wireless networks security

– Multidisciplinary: Workforce Development, Multi-incident emergency response systems

• Infrastructure/Capacity building (over $800,000)

– Information security lab (School of Management)

– Wireless security lab (CSE)

– Scholarship grants from DoD

• Education

– Advanced Certificate in IA

• Dissemination

– Workshops (SKM 2004, SKM 2006)

• Center Webpage: http://www.cse.buffalo.edu/caeiae/

Page 3

Graduate Certificate in IA

• Effort started with funds from DoD in fall 2003

– Funding was to create a new integrative course in IA

• Two tracks – technical and managerial

• Requirements

– 6 credits of core courses in the track

– 5-6 credits of elective in the dept.

– 3 credits of required integrative course

• Technical track

– Core – Intro. to Crypto, Computer security, Wireless networks security (choose two courses)

• Managerial track

– Core – Network management, E-Commerce security

• http://www.cse.buffalo.edu/caeiae/advanced_certificate_program.htm

Page 4

Sample IA Research Projects

• Protecting documents from malicious insiders (Upadhyaya)

• Event correlation for cyber attack recognition (Upadhyaya, Llinas and Sudit)

• Insider threat modeling and analysis in a corporate intranet or federal agency (Upadhyaya, Ngo)

• Survivable Wireless LAN architectures (Upadhyaya)

• Runtime safety check in computer programs (Upadhyaya and Jayaraman)

Page 5

Multi-phase Approach for Preventing Document Abuse from Malicious Insiders
Shambhu Upadhyaya, Funded by NSA/ARDA, 2003-05

Goals

• Malicious and masquerading insider threat detection in the Document Control domain

• Identify importance of documents

• Identify user roles in organizations

• Prevent circumvention and perform trace-back

Novel Ideas

• Building user profiles at the application level

• Usage based document classification

• Context & information flow based policy specification for preventing insider abuse

• Automated generation of dynamic policies

Accomplishments/Milestones

• Prototype for Microsoft Word

• Monitor and detect masqueraders based on document usage

• Specify and enforce dynamic policies

• Prototype for dynamic policies generation: http://www.cse.buffalo.edu/DRM

• Papers Published:

– IEEE Information Assurance Workshop, West Point, NY, June 2004

– 20th Annual Computer Security Applications Conference, Tucson, AZ, December 2004

– Int. Conf. on Trust Management, Pisa, Italy, May 2006

– IEEE Int. Conf. on Communications, Istanbul, Turkey, June 2006

Future Plans

• Detecting the convergence of disparate role structures in collaborating organizations

• Preventing circumvention of the tools

[Figure: system diagram with labels Security policy, Profile, doc/session, File Repository, Anomaly Detector (history, learn, search), Alerts?, Document Classifier, Dynamic Policies in effect, Forensics & Tamper-proof, users usr1 to usrn]

Page 6

Insider Threat Modeling and Analysis
Shambhu Upadhyaya and Hung Ngo, Funded by DARPA, 2004-05

Goals

• Develop a threat modeling and assessment methodology

• Pre-Attack Static Analysis and Hardening

• Generation of insider attack scenarios to train detection components

• Study the theoretical issues

• Be able to answer questions like:

– How secure is the current setup?

– What are likely attack strategies?

– Which points are most vulnerable?

– Where must security systems be placed?

Novel Ideas

• Concept of a capability acquisition graph (CAG)

• Analysis of CAG (develop heuristics)

Accomplishments/Milestones

• Prototype built for integration into the larger system of insider threat mitigation (jointly with Telcordia Technologies and Rutgers University)

• Papers Published:

– Chinchani R., A. Iyer, H. Ngo and S. Upadhyaya, “Towards a Theory of Insider Threat Assessment”, IEEE International Conference on Dependable Systems and Networks (DSN 2005), Yokohama, Japan, June 2005.

– Chinchani R., Duc Ha, Anusha Iyer, Hung Q. Ngo, and Shambhu Upadhyaya, “On the Hardness of Approximating the MIN-HACK Problem”, Journal of Combinatorial Optimization, Springer, Vol. 9, No. 3, May 2005.

[Figure: MAPIT Engine block diagram with labels Network entity rules, Cost Rules, Network topology, Vulnerabilities, Authentication mechanism, Social Eng. Awareness, Key challenge graph, Sensitivity analysis, Defense centric analysis]

Page 7

A New Framework for Secure and Trusted Communications in Wireless Data Networks
Shambhu Upadhyaya, Funded by NSF/Cisco, 2004-06

Goals

• Design decision making framework for nodes to establish keys with other unknown nodes

• Use this framework for cluster forming decisions in ad-hoc networks

• Improve on existing key management schemes and design secure data delivery schemes for enhanced reliability in data transfer

• Provide schemes for resiliency against attacks and post-failure recovery

Novel Ideas

• Trust between the nodes used as a metric for decision making

• Differential encryption (header and payload encrypted differently) scheme for ad-hoc networks, and hashing based lightweight techniques for sensor networks

• Evaluating security of paths and nodes based on their relative position in the network

• Building in survivability in the network architecture proactively for surviving potential attacks

• Robustness, Recovery and Survivability Schemes

Accomplishments

• Setting up of the NSF and Cisco sponsored Wireless Security Lab

• Representative Publications:

– IEEE Conference on Local Computer Networks (LCN), Tampa, FL, Nov 2004

– IEEE ACM IWIA, College Park, MD, Mar 2005

– IEEE Conference on Knowledge Intensive Multi-agent Systems (KIMAS), Boston, MA, Apr 2005

– Secure Knowledge Management (SKM2004, SKM 2006)

Future Plans

• Security Schemes for IEEE 802.16 and 802.20 standards

• Performing hands-on experiments at the Wireless Security Lab

[Figure: SWEDEN Framework diagram with labels: Pre-key Establishment Phase; Normal Network Functioning Phase; Trust Framework: Basis for Key Management with Unknown Nodes, Clustering Decisions; Key and Traffic Management Schemes; Key Management and Encryption Schemes; Secure and Reliable Data Delivery; Robustness Schemes; Post-attack Survivability and Recovery Schemes; Ad hoc networks; Ad hoc & sensor; Ad hoc, sensor & WLAN]

Page 8

Runtime Environment Driven Program Safety

Joint work with Prof. B. Jayaraman

Page 9

Language-Based Security

• Static analysis

• Model-checking

• Type-safety

• Runtime checks

• Anomaly detection

[Figure: Source Program → Compiler → Binary Executable]

Page 10

Making the case for runtime checking

• Static analysis is a one-time effort but has poor coverage

• Runtime checks have good coverage, but per-variable checks are inefficient

• Type-based safety is efficient but can be coarse-grained

Page 11

Motivation

Integer Overflow Vulnerability

• A new vulnerability class

• Recently seen in openssh, pine, Sun RPC and several other software packages

• Cause: attacker-controlled integer variable

Page 12

Integer Overflow Attack

    #include <stdlib.h>       /* malloc */
    #include <sys/types.h>    /* u_short */

    void *alloc_mem(u_short size)
    {
        u_short pad_size = 16;
        size = size + pad_size;   /* sum is stored back into a 16-bit u_short */
        return malloc(size);      /* allocates the wrapped, smaller size */
    }

size = 65535

size = 65535 + 16 wraps around to 15 !!

return smaller memory

Page 13

Program Security Is NOT Portable!

[Figure: the same Source or Binary code, judged for Program Security, is Safe on a 32-bit platform but Unsafe on a 16-bit platform]

Page 14

Various Runtime Environments

Page 15

Overall Goal

[Figure: Source or Binary code, judged for Program Security, is Safe under each runtime environment RE 1, RE 2 and RE 3]

Page 16

Basic Methodology

• A Type-Based Safety Approach

– Runtime-dependent interpretation

– Not merely an abstraction, but using actual values

– No new types

– Also, can be efficient

Page 17

Prototype Implementation: ARCHERR

• Implemented as a parser using flex and bison

• Currently works on 32-bit Intel/Linux platform

Page 18

Detecting Integer Overflows

• Machine word size is an important factor

• Main idea: Analyze assignment and arithmetic operations in context of machine word size

[Figure: 16-bit: Intel XScale Processor (now 32-bit version); 32-bit: Intel Pentium Processor]

Page 19

Integers : Classical View

x : int → x ∈ I, where I = (-∞, +∞)

Assignment:

x, y : int

x = y

Arithmetic:

succ(x : int) = (x + 1)

pred(x : int) = (x – 1)

Page 20

Integers: Runtime Dependent View

Page 21

Integer Arithmetic Safety Checks

if x ≥ 0; y ≥ 0, then x + y assert : x ≤ (MAXINT - y)

if x ≥ 0; y < 0, then x - y assert : x ≤ (MAXINT + y)

if x < 0; y ≥ 0, then x - y assert : x ≥ (MININT + y)

if x < 0; y < 0, then x + y assert : x ≥ (MININT - y)

for x, y : int, x * y assert : x ≥ MININT/y ∧ x ≤ MAXINT/y

x / y assert : y ≠ 0

x % y assert : y ≠ 0

Page 22

Other Numerical Types

• short, long, unsigned short/long, etc.

– Similar analysis

• float, double, long double

– Floating points use a standard IEEE format

– Analysis is more complex

– But floating point arithmetic is discouraged for efficiency reasons

Page 23

Other Operators

• Bitwise operators

– << : multiplication by 2

– >> : division by 2 (is safe)

• Logical operators?

– Not exactly arithmetic in nature

Page 24

In A Program?

    int foo(int x, int y)
    {
        VALIDATE_ADD_INT(x, y);   /* annotation inserted at compile time */
        return (x + y);           /* checked at runtime before the add */
    }

[Figure labels: Compile-time Annotations (the VALIDATE_ADD_INT call); Runtime Checking (16-bit check? 32-bit check?)]
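The following is an added example, not code from the slides or from ARCHERR itself: it expands the VALIDATE_ADD_INT annotation of slide 24 into the sign-case rules of slide 21 and applies the same style of check to the unsigned addition in slide 12's alloc_mem(), with the word width passed in as a parameter so the same call can be evaluated for a 16-bit and a 32-bit runtime environment. The names validate_add_int, padded_size and g_sum are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
static int64_t g_sum;   /* result slot for checked_foo(), see below */
/* Bounds of a `bits`-wide integer: the runtime-environment parameter the
   slides say safety depends on (16-bit XScale versus 32-bit Pentium). */
static int64_t  max_int(int bits)  { return ((int64_t)1 << (bits - 1)) - 1; }
static int64_t  min_int(int bits)  { return -((int64_t)1 << (bits - 1)); }
static uint64_t max_uint(int bits) { return ((uint64_t)1 << bits) - 1; }

/* Slide 21's sign-case rules for signed x + y: true when it cannot wrap. */
static bool validate_add_int(int64_t x, int64_t y, int bits)
{
    if (x >= 0 && y >= 0) return x <= max_int(bits) - y;
    if (x <  0 && y <  0) return x >= min_int(bits) - y;
    return true;                /* mixed signs can never leave the range */
}

/* Slide 21's sign-case rules for signed x - y. */
static bool validate_sub_int(int64_t x, int64_t y, int bits)
{
    if (x >= 0 && y <  0) return x <= max_int(bits) + y;
    if (x <  0 && y >= 0) return x >= min_int(bits) + y;
    return true;
}

/* The same rule for the unsigned addition inside slide 12's alloc_mem(). */
static bool validate_add_uint(uint64_t x, uint64_t y, int bits)
{
    return x <= max_uint(bits) - y;
}

/* What the hardware stores: the value truncated to `bits` (modular wrap). */
static uint64_t wrap_uint(uint64_t v, int bits)
{
    return v & max_uint(bits);
}

/* Slide 24's foo() with VALIDATE_ADD_INT expanded for a chosen word size:
   returns 0 and stores the sum in g_sum, or -1 when the check fails. */
static int checked_foo(int64_t x, int64_t y, int bits)
{
    if (!validate_add_int(x, y, bits)) return -1;
    g_sum = x + y;
    return 0;
}

/* alloc_mem()'s padding step: the size malloc() would receive, or 0 when
   the check rejects the addition instead of silently wrapping 65535 to 15. */
static uint64_t padded_size(uint64_t size, int bits)
{
    const uint64_t pad_size = 16;
    if (!validate_add_uint(size, pad_size, bits)) return 0;
    return wrap_uint(size + pad_size, bits);     /* cannot wrap once checked */
}
```

With bits = 16 the padded size for 65535 is rejected, and with bits = 32 it is accepted as 65551, which is the non-portability of slide 13 made concrete.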

Page 25

A High-Level View

• What have we achieved actually?

[Figure: runtime environments RE 1 and RE 2 with labels: A programmer's view (Properties of types in classical sense); An attacker's view; Automatic safety conversion]

Page 26

Extending Idea To Pointers

• Common concept of segments – data, text, stack

• But differences in actual layout

[Figure: Process Address Map for Windows NT and Linux, System space above User space, with marks at 0 GB, 3 GB (0xBFFFFFFF) and 4 GB (0xFFFFFFFF)]

Page 27

Pointers : Runtime Dependent View

• Safe pointer assignment

– A pointer variable p, which points to variables of type be denoted by p:q(

• Safe pointer arithmetic (the following must obey the above rule)

Page 28

Pointer Assignment Scenarios

Page 29

Pointer Check Examples

    VALIDATE_PTR(q);
    p = q;

Checks: q is a valid ptr? [q, sizeof(*q)] is inside same range?

    VALIDATE_PTR(&p[i]);
    p[i] = 2;

Checks: &p[i] is a valid ptr? [&p[i], sizeof (*(&p[i]))] is inside same range?

    VALIDATE_PTR_ADD(p, 1);
    p++;

Checks: p is a valid ptr? [p, sizeof(*p)] is inside same range? p + 1 is a valid ptr and belongs to the same address range?
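An added example, not the ARCHERR implementation: a small table of known address ranges standing in for the per-segment lists of slide 31, with VALIDATE_PTR and VALIDATE_PTR_ADD written as functions that answer the questions listed above for a heap block. The names register_range, find_range and scenario are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Known-valid ranges; the slides keep per-segment lists, one table suffices here. */
typedef struct { uintptr_t base; size_t len; } range_t;
static range_t ranges[16];
static size_t  nranges;

/* Recorded at allocation or declaration time so later checks know bounds. */
static void register_range(const void *base, size_t len)
{
    if (nranges < sizeof ranges / sizeof ranges[0])
        ranges[nranges++] = (range_t){ (uintptr_t)base, len };
}

/* Index of the range holding all of [p, p + len), or -1 ("inside same range?"). */
static int find_range(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nranges; i++) {
        uintptr_t lo = ranges[i].base, hi = lo + ranges[i].len;
        if (a >= lo && a < hi && len <= hi - a) return (int)i;
    }
    return -1;
}

/* VALIDATE_PTR(p): the object p points at lies wholly inside a known range. */
static bool validate_ptr(const void *p, size_t objsize)
{
    return p != NULL && find_range(p, objsize) >= 0;
}

/* VALIDATE_PTR_ADD(p, n): p and the element n steps away share one range. */
static bool validate_ptr_add(const void *p, ptrdiff_t n, size_t objsize)
{
    int r = find_range(p, objsize);
    if (r < 0) return false;
    const char *q = (const char *)p + n * (ptrdiff_t)objsize;
    return find_range(q, objsize) == r;
}

/* Slide 29's checks on a registered 4-int heap block: 1 if all answer as expected. */
static int scenario(void)
{
    int *p = malloc(4 * sizeof *p);
    if (p == NULL) return -1;
    register_range(p, 4 * sizeof *p);
    int ok = validate_ptr(&p[3], sizeof *p)        /* last element: valid  */
          && !validate_ptr(&p[4], sizeof *p)       /* one past the end: no */
          && validate_ptr_add(p, 3, sizeof *p)     /* p += 3 stays inside  */
          && !validate_ptr_add(p, 4, sizeof *p);   /* p += 4 leaves block  */
    free(p);
    nranges = 0;                                   /* forget freed block   */
    return ok ? 1 : 0;
}
```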

Page 30

Additional Pointer Issues

• Function pointers

– If not protected, can lead to arbitrary code execution

– Maintain a separate list of function addresses and check against them

• Typecasting is a feature in C

– Private fields in structures through void *

– Leads to dynamic types

Page 31

Optimizations

• Remove unnecessary checks using static analysis

– Currently, integer arithmetic

• Speed up memory range lookups

– Maintain separate FIFO lists for stack, data and heap

• Pointer assignment is "safe"; dereferencing is not

• Optimize initialization loops

Page 32

Security Testing

• Does this approach actually work?

• Real-world programs

• Vulnerabilities and exploits available at SecurityFocus website

Program               Vulnerability                 Detected?

sendmail (8.11.6)     Stack-based buffer overflow   YES

GNU indent (2.2.9)    Heap-based buffer overflow    YES

man (1.5.1)           Format string                 NO

pine (4.56)           Integer overflow              YES

Page 33

Performance Testing

• Scimark2 benchmark

• 32-bit Intel/Linux 2.6.5

• Compared against CCured and BoundsChecker

Performance Hit (slowdown)

CCured                         1.5 x

BoundsChecker                  35 x

ARCHERR w/o pointer checks     2.3 x

ARCHERR with pointer checks    2.5 x

Page 34

Impact On Code Size

• Source code annotations cause bloat

Source Code Bloat      1.5 – 2.5 x

Runtime Image Bloat    1.2 – 1.4 x

Page 35

Features

• Portable safety is runtime environment dependent

• First work to show a systematic way to detect/prevent integer overflow attacks

– Currently on one architecture

• Extended the idea to detect/prevent memory-based attacks

– Again on one architecture

• Security testing and performance evaluation

Page 36

Static Analysis

Pros

• One-time effort

Cons

• Undecidability of aliasing

• False negatives

Type-Based

Pros

• One-time effort

• Efficient

Cons

• Weak type system

• Arbitrary typecasting

Runtime Checks

Pros

• Coverage

• Few false positives

Cons

• Inefficient

Tools placed on the slide: BOON, Cyclone, CQUAL, BoundsChecker, StackGuard, CCured, ARCHERR

Page 37

Current Status And Future Work

• Code to be released soon

– Currently research grade

• Investigating implementation on other runtime environments

– 32-bit Intel/Windows PE32

– 32-bit Intel/FreeBSD ELF

– 32-bit SPARC/ELF

• Improve efficiency?

– rndARCHERR – randomized runtime checks

– Static analysis driven optimizations

Page 38

Reference

• ARCHERR: Runtime Environment Driven Program Safety

– Ramkumar Chinchani, Anusha Iyer, Bharat Jayaraman, and Shambhu Upadhyaya

– ESORICS 2004

– http://www.cse.buffalo.edu/~rc27/publications/chinchani-ESORICS04-final.pdf

Page 39

Summary

• Multidisciplinary activity in computer security and information assurance

• Wireless Networks (other projects)

– Colluding black hole attacks in MANETs

– Theoretical issues in sensor networks

• Insider Threat in Document Control Systems

– Masquerade detection

– Inferring Source of Information Leakage in Document Management Systems

• Spring Offerings

– CSE 566: Wireless Networks Security

– CSE 452/552: VLSI Testing