CSCE 815 Network Security, Lecture 20: Intruders / Intrusion Detection (April 3, 2003)


Page 1: CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003


Page 2

The Stages of a Network Intrusion

1. Scan the network to find out:
   • which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are "open" (being listened to by servers).

2. Run "exploit" scripts against open ports.

3. Get access to a shell program which is "suid" (has "root" privileges).

4. Download from a hacker Web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.

5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Page 3

Intrusion Detection

The intruder can be identified and ejected from the system.

An effective intrusion detection system acts as a deterrent and so helps to prevent intrusions.

Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Page 4

Profiles of Behavior of Intruders and Authorized Users (the original slide is a figure only)

Page 5

Intrusion Detection

Statistical anomaly detection:
• Threshold detection
• Profile based

Rule-based detection:
• Anomaly detection
• Penetration identification

Page 6

Measures used for Intrusion Detection

• Login frequency by day and time.
• Frequency of login at different locations.
• Time since last login.
• Password failures at login.
• Execution frequency.
• Execution denials.
• Read, write, create, delete frequency.
• Failure count for read, write, create and delete.

Page 7

Audit Records

An audit record is a fundamental tool for intrusion detection.

Some record of the ongoing activity of users must be maintained as input to an IDS.

Two methods are used in producing information on users:

1. Native audit records: operating systems provide logging of user activity, e.g. the Unix utmp and wtmp logs.

2. Detection-specific audit records: a tailor-made collection facility that collects the specific information needed by the intrusion detection system.

Page 8

Audit Records Example [Denning 87]

Subject: initiator of the action
Action: read, write, execute, login, logout, cd
Object: file, program, message, ...
Exception-Condition: errors noted
Resource-Usage: CPU time
Time-Stamp: time/date

These can then be put in a database that is used to model normal and perhaps "abnormal" behavior.

Page 9

Denning's Audit Records Usage

Statistical models applied to the audit data:

Mean and standard deviation: a measure is compared against the mean and standard deviation of its own past values.
Multivariate: correlations between two or more measures.
Markov process: transition probabilities between states (e.g. from one command to the next).
Time series: the order and inter-arrival time of events, not just their count.
Operational: a fixed limit set by judgment rather than by statistics (threshold detection).
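The measures on Page 6, the audit record fields on Page 8 and the first and last of Denning's models above fit together in a few lines of C. The following is an added example, not from the lecture or from Denning's paper: the record layout follows the slide, the login attempts in SAMPLE are constructed, the subject name, terminal names and the "badpw" exception string are made up, and the profile rule compares the squared deviation against k² times the variance so that no math library call is needed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Denning-style audit record; the field names follow the slide. */
typedef struct {
    const char *subject;    /* initiator of the action */
    const char *action;     /* login, read, write, execute, ... */
    const char *object;     /* terminal, file, program, ... */
    const char *exception;  /* "" if none, otherwise the error noted */
    double cpu_seconds;     /* resource usage */
    long timestamp;         /* seconds since an arbitrary epoch */
} AuditRecord;

#define DAY 86400L
/* One login attempt by "alice" on the given day from terminal obj (constructed). */
#define LOGIN(day, obj, exc) { "alice", "login", obj, exc, 0.0, (day) * DAY + 100 }

/* Constructed sample: a week of normal activity, then a burst on day 7. */
static const AuditRecord SAMPLE[] = {
    LOGIN(0, "tty1", "badpw"), LOGIN(0, "tty1", ""),
    LOGIN(1, "tty1", ""),
    LOGIN(2, "tty1", "badpw"), LOGIN(2, "tty1", "badpw"), LOGIN(2, "tty1", ""),
    LOGIN(3, "tty1", "badpw"), LOGIN(3, "tty1", ""),
    LOGIN(4, "tty1", ""),
    LOGIN(5, "tty1", "badpw"), LOGIN(5, "tty1", ""),
    LOGIN(6, "tty1", "badpw"), LOGIN(6, "tty1", ""),
    /* day 7: eight wrong passwords from a dial-up line, then a success */
    LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", "badpw"),
    LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", "badpw"),
    LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", "badpw"), LOGIN(7, "ppp9", ""),
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Measure from the slide: password failures at login, per subject per day. */
int login_failures(const char *subject, long day)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++) {
        const AuditRecord *r = &SAMPLE[i];
        if (strcmp(r->subject, subject) == 0 && strcmp(r->action, "login") == 0
            && strcmp(r->exception, "badpw") == 0 && r->timestamp / DAY == day)
            n++;
    }
    return n;
}

/* Threshold (operational) detection: one fixed limit for every user. */
int threshold_alert(int count, int limit)
{
    return count > limit;
}

/* Profile detection: alert when the observation lies more than k standard
 * deviations from the mean of the subject's own history. */
int profile_alert(const double *history, size_t n, double observed, double k)
{
    if (n == 0) return 0;                 /* no profile yet: nothing to compare */
    double mean = 0.0, var = 0.0;
    for (size_t i = 0; i < n; i++) mean += history[i];
    mean /= (double)n;
    for (size_t i = 0; i < n; i++) var += (history[i] - mean) * (history[i] - mean);
    var /= (double)n;
    double dev = observed - mean;
    /* A perfectly flat history has zero variance; any change is then an outlier. */
    if (var < 1e-12) return dev * dev > 1e-12;
    return dev * dev > k * k * var;       /* same test as |dev| > k * sd */
}

enum { MAX_HISTORY = 64 };

/* Profile the subject over days 0..day-1 and test the given day. */
int history_alert(const char *subject, long day, double k)
{
    double history[MAX_HISTORY];
    if (day < 0 || day > MAX_HISTORY) return 0;
    for (long d = 0; d < day; d++) history[d] = login_failures(subject, d);
    return profile_alert(history, (size_t)day, login_failures(subject, day), k);
}

int main(void)
{
    for (long d = 1; d <= 7; d++) {
        int f = login_failures("alice", d);
        printf("day %ld: %d failures, threshold(5)=%d, profile(3 sd)=%d\n",
               d, f, threshold_alert(f, 5), history_alert("alice", d, 3.0));
    }
    return 0;
}
```

Day 7 trips both rules (eight failures against a mean below one). Day 1 shows the weakness of a short profile: the only history is a single day with one failure, the variance is zero, and a day with no failures is reported as an anomaly. A real profile needs enough history before its alerts mean anything, which is why the threshold rule is usually kept alongside it.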

Page 10

Distributed Intrusion Detection

Developed at the University of California at Davis.

Page 11

Distributed Intrusion Detection (the original slide is a figure only)

Page 12

Viruses and "Malicious Programs"

Computer "viruses" and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "worm").

Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Page 13

Taxonomy of Malicious Programs

Malicious Programs
  Need a host program: Trapdoors, Logic bombs, Trojan horses, Viruses
  Independent: Bacteria, Worms

Page 14

Definitions

Virus - code that copies itself into other programs.

Bacteria - a program that replicates until it fills all disk space, or all CPU cycles.

Payload - harmful things the malicious program does, after it has had time to spread.

Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).

Page 15

Definitions

Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).

Logic Bomb - malicious code that activates on an event (e.g., a date).

Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users in.

Easter Egg - extraneous code that does something "cool." A way for programmers to show that they control the product.

Page 16

Virus Phases

Dormant phase - the virus is idle.

Propagation phase - the virus places an identical copy of itself into other programs.

Triggering phase - the virus is activated to perform the function for which it was intended.

Execution phase - the function is performed.

Page 17

Virus Protection

• Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.

• Do not execute programs (or "macros") from unknown sources (e.g., PS files, Hypercard files, MS Office documents).

• Avoid the most common operating systems and email programs, if possible.

Page 18

Virus Structure (the original slide is a figure only)

Page 19

A Compression Virus (the original slide is a figure only)

Page 20

Types of Viruses

Parasitic virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

Memory-resident virus - lodges in main memory as part of the resident operating system.

Boot sector virus - infects the boot sector of a disk, and spreads when the operating system boots up (the original DOS viruses).

Stealth virus - explicitly designed to hide from virus scanning programs.

Polymorphic virus - mutates with every new host to prevent signature detection.

Page 21

Macro Viruses

Microsoft Office applications allow "macros" to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).

Platform independent.

Infect documents, delete files, generate email and edit letters.

Page 22

Antivirus Approaches

1st generation, scanners: searched files for any of a library of known virus "signatures." Checked executable files for length changes.

2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.

3rd generation, activity traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).

4th generation, full featured: combine the best of the techniques above.
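The first two generations can be put side by side, together with the polymorphic case from Page 20 that defeats the first but not the second. This is an added example, not from the lecture or from any product: the host image, the 8-byte "signature" and the XOR-encoded copy of the virus body (standing in for a polymorphic variant whose decryptor stub is left out) are all constructed, and FNV-1a is used only to keep the hash short.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Made-up 8-byte signature standing in for a fragment of a known virus. */
static const unsigned char SIG[] = { 0xEB, 0x1E, 0x5E, 0x8B, 0xFE, 0xB9, 0x10, 0x00 };

/* First generation: exact byte-pattern search. Returns the offset of the
 * first match, or -1 if the signature does not occur. */
long find_signature(const unsigned char *image, size_t n,
                    const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || n < siglen) return -1;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(image + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* Second generation: record a length and hash for each executable and
 * compare on the next scan. FNV-1a is used for brevity only; a real
 * product would use a cryptographic hash kept where the virus cannot
 * rewrite it. */
uint32_t fnv1a32(const unsigned char *data, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

typedef struct { size_t length; uint32_t hash; } Baseline;

Baseline baseline_of(const unsigned char *image, size_t n)
{
    Baseline b = { n, fnv1a32(image, n) };
    return b;
}

int integrity_changed(Baseline b, const unsigned char *image, size_t n)
{
    return b.length != n || b.hash != fnv1a32(image, n);
}

/* Constructed 14-byte "host program". If infected, the virus body (the
 * signature bytes) is appended as a parasitic virus would; a non-zero key
 * XOR-encodes that body the way a polymorphic virus changes its appearance.
 * Returns the image length, or 0 if cap is too small. */
size_t build_image(unsigned char *out, size_t cap, int infected, unsigned char key)
{
    static const unsigned char host[] = "HOSTPROGRAM\x90\x90\xC3";
    size_t n = sizeof host - 1;
    if (cap < n + sizeof SIG) return 0;
    memcpy(out, host, n);
    if (!infected) return n;
    for (size_t i = 0; i < sizeof SIG; i++) out[n + i] = SIG[i] ^ key;
    return n + sizeof SIG;
}

int main(void)
{
    unsigned char clean[32], infected[32], poly[32];
    size_t nc = build_image(clean, sizeof clean, 0, 0);
    size_t ni = build_image(infected, sizeof infected, 1, 0);
    size_t np = build_image(poly, sizeof poly, 1, 0x5A);
    Baseline base = baseline_of(clean, nc);

    printf("plain infection:  signature at %ld, integrity changed=%d\n",
           find_signature(infected, ni, SIG, sizeof SIG),
           integrity_changed(base, infected, ni));
    printf("XOR-encoded body: signature at %ld, integrity changed=%d\n",
           find_signature(poly, np, SIG, sizeof SIG),
           integrity_changed(base, poly, np));
    return 0;
}
```

The plain infection is caught by both checks; the XOR-encoded body escapes the signature scan and is caught only by the length and hash comparison. That gap is what the generic decryption technique on Page 23 closes: the emulator runs the decryptor stub until the body is back in its plain form, and only then is the signature scanner applied.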

Page 23

Advanced Antivirus Techniques

Generic Decryption (GD) combines:
• a CPU emulator
• a virus signature scanner
• an emulation control module

For how long should a GD scanner run each interpretation?

Page 24

Advanced Antivirus Techniques (the original slide is a figure only)

Page 25

On Trusting Trust

Ken Thompson

http://www.acm.org/classics/sep95/

Page 26

Buffer Overflow Stack Example

Before the call to gets:

    unix> gdb bufdemo
    (gdb) break echo
    Breakpoint 1 at 0x8048583
    (gdb) run
    Breakpoint 1, 0x8048583 in echo ()
    (gdb) print /x *(unsigned *)$ebp
    $1 = 0xbffff8f8
    (gdb) print /x *((unsigned *)$ebp + 1)
    $3 = 0x804864d

    8048648: call 804857c <echo>
    804864d: mov 0xffffffe8(%ebp),%ebx    # Return Point

Stack layout at the breakpoint (%ebp = 0xbffff8d8; higher addresses at the top):

    Stack frame for main
    -----------------------------------------------------------
    Return Address      08 04 86 4d   (at %ebp + 4: the instruction after the call)
    Saved %ebp          bf ff f8 f8   (at %ebp)
    buf [3][2][1][0]    xx xx xx xx   (not yet written)
    -----------------------------------------------------------
    Stack frame for echo

Page 27

Malicious Use of Buffer Overflow

• The input string contains the byte representation of executable code.
• It overwrites the return address with the address of the buffer.
• When bar() executes ret, control jumps to the exploit code.

    void bar() {
        char buf[64];
        gets(buf);      /* unbounded read: the overflow happens here */
        ...
    }

    void foo() {
        bar();
        ...
    }

Stack after the call to gets():

    foo stack frame
    -----------------------------------------------------------
    return address      B    (was A; now the address of buf)
    -----------------------------------------------------------
    bar stack frame
      pad
      exploit code
    B -> buf

The data written by gets() runs from B upward through buf, the pad, and over the return address.

Page 28

Avoiding Overflow Vulnerability

Use library routines that limit string lengths:
• fgets instead of gets
• strncpy instead of strcpy
• Don't use scanf with the %s conversion specification

Use fgets to read the string:

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        fgets(buf, 4, stdin);
        puts(buf);
    }
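The fgets(buf, 4, stdin) above stops the overflow but not the whole problem: the unread tail of a long line stays in stdin and is handed to the next read as if it were fresh input, and strncpy, the other routine on the list, does not NUL-terminate when the source fills the destination. The following added example (not from the lecture; the function names, the LINE_* codes and the in-memory test input are assumptions) puts the unbounded strcpy form beside a bounded line reader that strips the newline, drains the rest of an over-long line and reports the truncation, and beside a strncpy replacement that always terminates the string and lets the caller detect the cut.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen, used only by the demo helper */
#include <stdio.h>
#include <string.h>

enum { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* What the slide warns against: strcpy copies until the source's NUL, so a
 * 4-byte destination and a longer source overwrite whatever follows buf on
 * the stack (saved %ebp, then the return address). Shown only; never called. */
void copy_unsafe(const char *src)
{
    char buf[4];
    strcpy(buf, src);     /* no bound: overflow for strlen(src) > 3 */
    puts(buf);
}

/* strncpy replacement: always NUL-terminates and returns strlen(src), so the
 * caller can tell that the copy was cut (the strlcpy convention). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0) return len;
    size_t take = len < dstsize - 1 ? len : dstsize - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return len;
}

/* Line reader built on fgets. Reads at most bufsize-1 bytes, strips the
 * newline, discards the remainder of an over-long line so it cannot be
 * replayed as the next input, and reports that it did so. buf is always
 * NUL-terminated when bufsize > 0. */
int read_line(FILE *in, char *buf, size_t bufsize)
{
    if (bufsize < 2 || fgets(buf, (int)bufsize, in) == NULL) {
        if (bufsize > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline seen: the buffer filled up (or EOF ended the line).
     * Drain to end of line and note whether any data was actually lost. */
    int c, dropped = 0;
    while ((c = getc(in)) != EOF && c != '\n') dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Demo helper: run read_line over a constructed in-memory input. */
int read_line_from(const char *input, char *buf, size_t bufsize)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) {          /* some libcs reject a zero-length buffer */
        if (bufsize > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    int rc = read_line(f, buf, bufsize);
    fclose(f);
    return rc;
}

/* Echo loop with the slide's 4-byte buffer, now safe against long lines. */
int main(void)
{
    char buf[4];
    int rc;
    while ((rc = read_line(stdin, buf, sizeof buf)) != LINE_EOF)
        printf("%s%s\n", buf, rc == LINE_TRUNCATED ? " [truncated]" : "");
    return 0;
}
```

With a 4-byte buffer the line "hello" comes back as "hel" marked truncated, "hel" itself fits exactly and is not marked, and the leftover "lo" never reappears as a second line. The point of returning the full source length from bounded_copy is the same: silent truncation is a bug of its own (a path or username cut short can name the wrong object), so the caller should be able to see that it happened.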

Page 29

Recommended Reading and Web Sites

Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990.

CERT Coordination Center (Web site)

AntiVirus Online (IBM's site)