Security Issues in Distributed Heterogeneous Systems

Somesh Jha

Computer Sciences Department

University of Wisconsin

Madison, WI 53706

General Issues

• Vulnerability and information-flow analysis

– detecting malicious code

• safety

– crashes your machine or wipes data

• privacy

– leaks sensitive information

– code executing on malicious host

– distributed vulnerability analysis

• Intrusion Detection

– statistical models of user behavior/network traffic

– using statistical models for anomaly detection

– explaining the anomalies

General Issues (Contd)

• Authentication and Authorization– seamless cross-administrative authentication

• kerberos• passwords• time-varying passwords• smartcards• public keys

– but the real question is authorization• a person can only buy beer from www.booze.com• if he/she is about eighteen years of age

Vulnerability and information-flow analysis

• want to perform these analysis on machine code• suitable for COTS• will require an analysis infrastructure• for machine code• collaborators

– B. Miller– T. Reps

Vulnerability analysis (Safety)

• use static analysis to discover program behavior• that lead to vulnerabilities• examples

– buffer overflows– unutilized pointers

• initial success reported by• Z. Xu, B. Miller, and T. Reps

Information-flow analysis (Privacy)

• initial work provided discretionary access control• we want mandatory access control• consider the following

– x := y

– security-level(y) security-level(x)

• want to perform these forms of analysis on machine code

Benign host and malicious code

• Job foo-bar comes to my host• need to make sure that foo-bar does not• do anything nasty• solution is sandboxing

Malicious host and benign code

• Job foo-bar migrates to host A• A is malicious• hijack foo-bar and instrument the• code to send harmful system calls• note: inverse of the previous problem

Multi-pronged attack

• Build a model of the code– static analysis– dynamic analysis

• replication• obfuscation• collaborators

– Bart Miller– Hong Lin

Sandboxing the home machine

Job A

Malicious HostHome Machine

Model of job A

Building program models

• Deterministic models– use static analysis of the code– derive a finite automata with system– calls as the alphabet set

• statistical models– monitor traffic at the home machines– build a statistical model from the– sequence of system calls

• Hybrid models

Replication

Agreement Protocol

Replica 1

Replica 2

Replica 3

Program obfuscation

• obfuscate the program• so that hard for adversary to reverse engineer• inverse of good software engineering practices• randomize all system call names• randomly permute all the system call parameters• randomly insert “benign” calls

Distributed vulnerability analysis

• Existing techniques good at finding local vulnerabilities– see http://www.iss.net

• we want to find global attacks• from local information provided by• existing tools

Attacking Fidelity

break into the DNS Server

Fidelity

Acquire password

access DNSconfiguration

setup web proxywww.gs.com

exploit poor passwords

access control

ignore errors

Cross-administrative authentication

• Various authentication mechanisms– kerberos– hashed passwords– smartcards– public key infrastructures

• goal: to provide seamless cross-administrative authentication

• collaborator– Hao Wang

Motivating scenario

• Job A is authenticated using Kerberos on host A• Job A runs on host A for a while• migrates to host B, where• smartcard based authentication is required• should job A authenticate again?• Has to reauthenticate every time crosses an

“authentication boundary”

Obvious solution

• translate results of an authentication mechanism to• a common one• convert everything to a X.509 certificate• translate back X.509 certificates as needed

Drawbacks

• different authentication schemes have different trust models– hashed passwords are weaker than time-varying

passwords• many technical problems

– how is credential expiration/revocation handled?– how is delegation handled?

Authorization

• authentication binds a person to a digital entity• such as a credential• the real question is authorization• is a certain person allowed to • perform specific actions on a host

Approaches to Authorization

• examples are– SPKI– Keynote

• express statements of the following form

Miron says (somesh can read files in directory X)• support following features

– compliance checking– delegation– majority decisions

Extensions to authorization infrastructures

• support revocation– can state negative statements

• credential extraction problem– given a request r– a set of statements representing the policy P– what credentials does X need so

– that request r will be authorized

Conclusion

• all the problems mentioned before are crucial• for making security more usable in a• distributed heterogeneous setting• crucial that we work on it