Security Issues in Distributed Heterogeneous Systems
Somesh Jha
Computer Sciences Department
University of Wisconsin
Madison, WI 53706
General Issues
• Vulnerability and information-flow analysis
– detecting malicious code
• safety
– crashes your machine or wipes data
• privacy
– leaks sensitive information
– code executing on malicious host
– distributed vulnerability analysis
• Intrusion Detection
– statistical models of user behavior/network traffic
– using statistical models for anomaly detection
– explaining the anomalies
General Issues (Contd)
• Authentication and Authorization
– seamless cross-administrative authentication
• kerberos
• passwords
• time-varying passwords
• smartcards
• public keys
– but the real question is authorization
• a person can only buy beer from www.booze.com
• if he/she is about eighteen years of age
Vulnerability and information-flow analysis
• want to perform these analyses on machine code
• suitable for COTS
• will require an analysis infrastructure for machine code
• collaborators
– B. Miller
– T. Reps
Vulnerability analysis (Safety)
• use static analysis to discover program behaviors that lead to vulnerabilities
• examples
– buffer overflows
– uninitialized pointers
• initial success reported by Z. Xu, B. Miller, and T. Reps
Information-flow analysis (Privacy)
• initial work provided discretionary access control
• we want mandatory access control
• consider the following
– x := y
– security-level(y) ≤ security-level(x)
• want to perform these forms of analysis on machine code
Benign host and malicious code
• Job foo-bar comes to my host
• need to make sure that foo-bar does not do anything nasty
• solution is sandboxing
Malicious host and benign code
• Job foo-bar migrates to host A
• A is malicious
• A can hijack foo-bar and instrument the code to send harmful system calls
• note: inverse of the previous problem
Multi-pronged attack
• Build a model of the code
– static analysis
– dynamic analysis
• replication
• obfuscation
• collaborators
– Bart Miller
– Hong Lin
Sandboxing the home machine
(figure: Job A runs on the Malicious Host; the Home Machine holds a Model of job A)
Building program models
• Deterministic models
– use static analysis of the code
– derive a finite automaton with system calls as the alphabet
• statistical models
– monitor traffic at the home machines
– build a statistical model from the sequence of system calls
• Hybrid models
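A home-machine monitor for the job-model idea above, as an added example that is not from the talk or its authors: a constructed finite automaton with system calls as its alphabet stands in for the deterministic model, bigrams learned from constructed home-machine traces stand in for the statistical model, and the hybrid check accepts a call sequence reported back from the remote host only when both models accept it.

```python
from collections import Counter

# Deterministic model (the "static analysis" model): a finite automaton whose
# alphabet is the set of system calls. Constructed for a job that opens a file,
# reads it some number of times, closes it and exits; no other call is allowed.
START, ACCEPT = 0, 3
TRANSITIONS = {
    (0, "open"): 1,
    (1, "read"): 1,
    (1, "close"): 2,
    (2, "exit"): 3,
}

def automaton_accepts(calls):
    """Run the call sequence through the automaton; reject on any undefined move."""
    state = START
    for call in calls:
        state = TRANSITIONS.get((state, call))
        if state is None:
            return False
    return state == ACCEPT

# Statistical model: n-grams of system calls seen while the job ran at home.
def train_ngrams(traces, n=2):
    model = Counter()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            model[tuple(trace[i:i + n])] += 1
    return model

def ngram_anomalies(calls, model, n=2):
    """n-grams of `calls` never seen in training; these explain an anomaly."""
    grams = [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]
    return [g for g in grams if g not in model]

def hybrid_check(calls, model, n=2):
    """Hybrid model: accept only if the automaton accepts and no n-gram is unseen."""
    return automaton_accepts(calls) and not ngram_anomalies(calls, model, n)

# Constructed traces observed at the home machine before the job migrated.
TRAINING = [
    ["open", "read", "read", "close", "exit"],
    ["open", "read", "close", "exit"],
]
MODEL = train_ngrams(TRAINING)

if __name__ == "__main__":
    # A call stream reported back from the remote host (constructed).
    reported = ["open", "close", "exit"]
    print(hybrid_check(reported, MODEL), ngram_anomalies(reported, MODEL))
```

Each model catches something the other misses: the automaton rejects a stream that starts with `read`, which the bigram model finds unremarkable, while the bigram model flags `open` followed directly by `close`, which the automaton accepts.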
Replication
(figure: Replica 1, Replica 2 and Replica 3 coordinated by an Agreement Protocol)
Program obfuscation
• obfuscate the program so that it is hard for the adversary to reverse engineer
• inverse of good software engineering practices
• randomize all system call names
• randomly permute all the system call parameters
• randomly insert “benign” calls
Distributed vulnerability analysis
• Existing techniques good at finding local vulnerabilities
– see http://www.iss.net
• we want to find global attacks from local information provided by existing tools
Attacking Fidelity
(attack-graph figure; node labels: break into the DNS Server, Fidelity, Acquire password, access DNS configuration, setup web proxy www.gs.com, exploit poor passwords, access control, ignore errors)
Cross-administrative authentication
• Various authentication mechanisms
– kerberos
– hashed passwords
– smartcards
– public key infrastructures
• goal: to provide seamless cross-administrative authentication
• collaborator
– Hao Wang
Motivating scenario
• Job A is authenticated using Kerberos on host A
• Job A runs on host A for a while
• migrates to host B, where smartcard based authentication is required
• should job A authenticate again?
• has to reauthenticate every time it crosses an “authentication boundary”
Obvious solution
• translate results of an authentication mechanism to a common one
• convert everything to an X.509 certificate
• translate back X.509 certificates as needed
Drawbacks
• different authentication schemes have different trust models
– hashed passwords are weaker than time-varying passwords
• many technical problems
– how is credential expiration/revocation handled?
– how is delegation handled?
Authorization
• authentication binds a person to a digital entity such as a credential
• the real question is authorization
• is a certain person allowed to perform specific actions on a host
Approaches to Authorization
• examples are
– SPKI
– KeyNote
• express statements of the following form
– Miron says (somesh can read files in directory X)
• support the following features
– compliance checking
– delegation
– majority decisions
Extensions to authorization infrastructures
• support revocation
– can state negative statements
• credential extraction problem
– given a request r
– a set of statements representing the policy P
– what credentials does X need so that request r will be authorized
Conclusion
• all the problems mentioned before are crucial for making security more usable in a distributed heterogeneous setting
• crucial that we work on it