Attack - Informatik 4
Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Chapter 5.2: Intrusion Detection

Outline of the lecture:
Chapter 2: Security Techniques
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks
• Firewalls
• Intrusion Detection
5.2: Intrusion Detection
• Intrusion detection techniques
• Misuse detection
• Anomaly detection
• Specification-based anomaly detection
• Transaction-based anomaly detection

Attacks (Intrusions)

Background: Even if a network is protected by a firewall, attacks can still be launched against it.

An attack, also called an intrusion, is defined as any set of actions that attempts to compromise a resource with respect to
• confidentiality,
• integrity, or
• availability.

Steps of an intrusion attempt:
1. Target selection
2. Information collection
3. Attack
4. System modification
5. Hiding of traces

Step 2: Information Collection

Information retrieved:
• Structure of the network
• Operating systems in use
• Installed software
• Accounts

Sources of information:
• Communication with users (shoulder surfing, socializing, social engineering, etc.)
• Actions on site (dumpster diving, theft, etc.)
• Actions on computers
• Communication with experts
• Communication with other potential attackers

Attacks by protocol / layer:
ICMP:        Ping of Death, Ping Sweep
UDP:         UDP Scan
TCP:         SYN Flood, SYN Scan, FIN Scan, SYN/ACK Scan, SYN/FIN Scan, RST Scan, Xmas Tree Scan
Application: FTP Bounce Attack
Process:     Deadlock, Buffer Overflow, Race Condition
Step 3: Attack – Example: Scanning

Identify the network structure, the available hosts, their operating system and the available services.

FIN Scan: identify open ports by probing every port with a TCP segment that carries only the FIN flag:
• Port closed: Attacker → Server: FIN; Server → Attacker: RST
• Port open: Attacker → Server: FIN; no answer from the server
(Diagram: the absence of an RST tells the attacker that the port is open.)

Step 3: Attack – SYN Flood Attack
• Denial-of-Service (DoS) attack
• Establishment of a certain number of half-open TCP connections in order to prevent the server from accepting any further connections
• The attacker sends many SYN segments to establish connections; the target answers each with the corresponding SYN/ACK
• The attacker never answers the received SYN/ACK segments, i.e. never completes the 3-way handshake of TCP connection establishment
• The server discovers the half-open connections through timeouts, but the attacker sends connection requests at a higher rate than the timeouts release them
• Eventually, all resources of the server are reserved for these half-open connections

(Diagram: Attacker → Server: SYN; Server → Attacker: SYN, ACK; the final ACK is not sent; repeated for every flooding SYN.)
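The resource argument behind the SYN flood can be made concrete with a small simulation. The following block is an added example and is not part of the lecture slides: it models the server's table of half-open connections as a bounded queue whose entries are freed only by timeout, lets an attacker that never completes the handshake compete with legitimate clients, and reports how many legitimate connection attempts are refused. Capacity, timeout and rates are constructed parameters, not measurements of a real TCP stack.

```python
"""SYN-flood backlog simulation: an added example, not part of the lecture slides.

The server's table of half-open connections is modelled as a bounded queue.
An entry stays in the queue until its timeout expires; the attacker never
sends the final ACK, so only the timeout frees the slot. Legitimate clients
are assumed to finish the handshake immediately, so they only need a free
slot at the instant their SYN arrives. Capacity, timeout and rates are
constructed parameters, not measurements of a real stack.
"""
import heapq


class Backlog:
    """Bounded queue of half-open connections, keyed by expiry time (ms)."""

    def __init__(self, capacity, timeout_ms):
        self.capacity = capacity
        self.timeout_ms = timeout_ms
        self.expiries = []            # min-heap of expiry times of half-open entries
        self.legit_accepted = 0
        self.legit_refused = 0

    def _reap(self, now_ms):
        """The server only notices dead half-open entries via their timeout."""
        while self.expiries and self.expiries[0] <= now_ms:
            heapq.heappop(self.expiries)

    def syn(self, now_ms, legitimate):
        """Handle one incoming SYN; return True if the server can serve it."""
        self._reap(now_ms)
        if len(self.expiries) >= self.capacity:
            if legitimate:
                self.legit_refused += 1
            return False
        if legitimate:
            self.legit_accepted += 1   # ACK follows at once, slot is released again
        else:
            heapq.heappush(self.expiries, now_ms + self.timeout_ms)  # stays half-open
        return True


def simulate(capacity, timeout_s, attack_rate, legit_rate, duration_s):
    """Run an attacker (attack_rate SYN/s, never completed) and legitimate
    clients (legit_rate SYN/s) against one backlog. Rates must divide 1000
    so that inter-arrival times are whole milliseconds. Returns counters."""
    backlog = Backlog(capacity, timeout_s * 1000)
    events = []
    if attack_rate:
        events += [(t, False) for t in range(0, duration_s * 1000, 1000 // attack_rate)]
    if legit_rate:
        events += [(t, True) for t in range(0, duration_s * 1000, 1000 // legit_rate)]
    events.sort()   # at equal times the attacker's SYN (False) is handled first
    for t, legitimate in events:
        backlog.syn(t, legitimate)
    return {
        "legit_total": backlog.legit_accepted + backlog.legit_refused,
        "legit_refused": backlog.legit_refused,
        "half_open_at_end": len(backlog.expiries),
        # steady state reached by the attacker alone: rate x timeout, capped at capacity
        "steady_state_half_open": min(capacity, attack_rate * timeout_s),
    }


if __name__ == "__main__":
    # 20 SYN/s against a backlog of 128 with a 10 s timeout saturates it (200 > 128)
    print(simulate(capacity=128, timeout_s=10, attack_rate=20, legit_rate=2, duration_s=60))
    # 10 SYN/s stays below capacity (100 < 128): no legitimate client is refused
    print(simulate(capacity=128, timeout_s=10, attack_rate=10, legit_rate=2, duration_s=60))
```

The two runs in the usage section show the rule of thumb from the slide in numbers: the attacker needs a SYN rate of roughly capacity divided by timeout; above that, every legitimate SYN after the first few seconds finds the backlog full, below it nothing is refused.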
Step 3: Attack – Buffer Overflow

(Diagram: address space of the process from 0x0000 to 0xFFFF, with the heap and the stack; the stack holds the buffer, the local variables and the return address, and the attack code is written over the buffer so that the return address points into it.)

Buffer overflow and overwriting of the return address:
• The stack on a host keeps track of the location of the instruction following a procedure call so that control can be passed back to that instruction
• Corrupting the stack can cause the system to return to a random address
• Attackers use this property to induce a system to execute arbitrary code
• The attacker crafts a character string that overflows the buffer so that the content of the return address field is overwritten with a chosen value
• The altered value causes the system to execute the inserted code
• Particularly interesting in combination with processes running with superuser privileges

Step 3: Attack – Race Condition

System calls of rdistd and of the attacker, in time order:

Step  System calls done by rdistd              System calls done by the attacker
0     execv("/usr/ucb/rdist");
1     fd=creat("/ko/rdista768");
2     write(fd, ...);
3     close (fd);
4                                              rename("/ko/rdista768", "/ko/tmp");
5                                              symlink("/bin/sh","/ko/rdista768");
6     chown("/ko/rdista768", owner);
7     chmod("/ko/rdista768", pmode);
8     rename("/ko/rdista768", "/ko/data");

Steps 4 and 5 fall into the timing window: the attacker uses it to put the file he wants to gain access to in place of the temporary file.

Intrusion Detection

Firewalls…
• do not protect against internal attacks
• do not protect against errors in software
• do not protect against configuration errors
• do not protect against errors of external servers
• do not protect against connection hijacking
• can be eluded
→ Intrusion Detection to deal with these problems

In addition to a firewall,
run an Intrusion Detection System (IDS) in your network to detect attacks.

Needed:
• Monitoring of the network traffic, generating events if something happens (i.e. constantly processing a network audit)
• Processing of events, generating alarms
• Defining actions to be taken in presence of certain alarms

Step 3: Attack – Race Condition (explanation)

A timing window exists between the time an attribute is checked and the time it is actually used, e.g.
• rdist (remote file distribution program)
• rdist and rdistd run with root privileges
• rdistd creates a temporary file (1), writes the new data to the temporary file (2, 3), changes the ownership (6) and the permission mode (7) of the temporary file to correspond to the master, and renames the temporary file (8)
• If the attacker replaces the temporary file by a symbolic link to /bin/sh inside the window (4, 5), chmod changes the permission mode of /bin/sh

Common Intrusion Detection Framework (CIDF)

(Diagram: E-box1 and E-box2 feed events from the network into A-box1, A-box2 and A-box3; events are stored in D-box1; alarms reach R-box1.)

Event boxes (E-boxes)
• Generate audit events that are processed by the IDS
Analysis boxes (A-boxes)
• Process events from the E-boxes to create alarms
Database boxes (D-boxes)
• Store events for later retrieval
Response boxes (R-boxes)
• Apply countermeasures to the system according to the alarms generated

Intrusion Detection Techniques

Misuse Detection:
• Specify abnormal (attack) behavior through attack signatures
• Monitor the network for occurrences of attack signatures

Anomaly Detection:
• Specify normal behavior
• Monitor the network for deviations from the normal behavior

Techniques and example systems (reconstructed from the slide table):

Misuse detection
  Technique                                                System
  Expert systems                                           IDES, NIDES, MIDAS, EMERALD
  Finite state machines (modelling of state transitions)   STAT, USTAT
  Petri nets                                               IDIOT
  Languages                                                RUSSEL

Anomaly detection
  Technique                                                System
  Profile-based: quantitative analysis                     IDES
  Profile-based: mean/standard deviation                   IDES
  Profile-based: multivariate statistics                   IDES
  Profile-based: Markov processes                          IDES
  Profile-based: cluster analysis                          LB
  Rule-based                                               TIM, Wisdom & Sense
  Specification-based                                      C. Ko
  Transaction-based
Misuse Detection – Expert Systems: P-BEST examples

Example of fact matching:
  [+e:event|event_type==login, return_code==BAD_PASSWORD]

Example of rule declaration:
  rule[Bad_Login(#10;*):
    [+e:event| event_type==login, return_code==BAD_PASSWORD]
    ==>[+bad_login| username=e.username, hostname=e.hostname]
       [-|e]
       [!|printf("Bad login for user %s from host %s\n", e.username, e.hostname)]
  ]

Misuse Detection – Petri Nets

IDIOT (Intrusion Detection In Our Times)
• Knowledge-based IDS using Colored Petri Nets
• Example: number of unsuccessful login attempts exceeds four within a minute
(Diagram: places S1 (start), S2, S3, S4 and S5 (final), connected by four "unsuccessful login" transitions; the first fires at t=T1, the last at t=T2; the guard is T2 − T1 ≤ 60 s.)

Misuse Detection – Finite State Machines: USTAT example, mail bug

Step  Command                           Comment
1.    %cp /bin/csh /usr/spool/mail/root   assumes no root mail file
2.    %chmod 4755 /usr/spool/mail/root    make setuid file
3.    %touch x                            create empty file
4.    %mail root < x                      mail root empty file
5.    %/usr/spool/mail/root               execute setuid-to-root shell
6.    root %

State transition diagram of the scenario (object = /usr/spool/mail/root):
  S1 –[attacker creates(object)]→ S2 –[attacker mod_setuid(object)]→ S3 –[attacker mod_ouid(object)]→ S4
  S1: 1. exists(object)=false     2. attacker ≠ root
  S2: 1. owner(object)=attacker   2. setuid(object)=disabled
  S3: 1. owner(object)=attacker   2. setuid(object)=enabled
  S4: 1. owner(object) ≠ attacker 2. setuid(object)=enabled
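Both signature examples above, the P-BEST rule Bad_Login and the IDIOT pattern of four failed logins within a minute, can be expressed as forward-chaining rules over a fact base. The block below is an added example and not code from P-BEST or IDIOT: the first rule turns matching event facts into bad_login facts and retracts the events, the second rule looks for the login burst in the derived facts. The audit records and the numeric codes for the login event type and for BAD_PASSWORD are constructed.

```python
"""Forward-chaining misuse rules over audit events: an added example, not
code from P-BEST or IDIOT. The first rule mirrors the P-BEST rule Bad_Login
shown above (an `event` fact with event_type == login and return_code ==
BAD_PASSWORD yields a `bad_login` fact, the event fact is retracted and a
message is produced). The second rule applies the IDIOT example pattern,
four unsuccessful logins of one user with T2 - T1 <= 60 s, to the derived
facts; threshold and window are parameters. The audit records and the
numeric codes below are constructed.
"""
from collections import defaultdict

LOGIN = 1            # constructed event_type code
BAD_PASSWORD = 2     # constructed return_code; the slide names only the symbol


def rule_bad_login(facts):
    """[+e:event|event_type==login, return_code==BAD_PASSWORD]
       ==> [+bad_login|username=e.username, hostname=e.hostname] [-|e] [!|printf(...)]"""
    messages, kept = [], []
    for e in facts["event"]:
        if e["event_type"] == LOGIN and e["return_code"] == BAD_PASSWORD:
            facts["bad_login"].append(
                {"username": e["username"], "hostname": e["hostname"], "time": e["time"]})
            messages.append(f"Bad login for user {e['username']} from host {e['hostname']}")
        else:
            kept.append(e)               # non-matching facts stay in the fact base
    facts["event"] = kept                # matched events were retracted ([-|e])
    return messages


def rule_login_burst(facts, threshold=4, window_s=60):
    """Fire once per user when `threshold` bad_login facts fall within window_s
    (the Petri net's guard T2 - T1 <= 60 s over four login transitions)."""
    by_user = defaultdict(list)
    for f in facts["bad_login"]:
        by_user[f["username"]].append(f["time"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            t1, t2 = times[i], times[i + threshold - 1]
            if t2 - t1 <= window_s:
                alerts.append((user, t1, t2))
                break
    return alerts


def run(audit_records):
    """Assert the records as facts and apply both rules in order."""
    facts = {"event": list(audit_records), "bad_login": []}
    messages = rule_bad_login(facts)
    alerts = rule_login_burst(facts)
    return {"messages": messages, "alerts": alerts,
            "bad_login_facts": len(facts["bad_login"]),
            "events_left": len(facts["event"])}


def rec(time, username, hostname, event_type=LOGIN, return_code=BAD_PASSWORD):
    """Build one constructed audit record (time in seconds)."""
    return {"time": time, "username": username, "hostname": hostname,
            "event_type": event_type, "return_code": return_code}


# Constructed audit trail: alice fails four times within 50 s, bob four times
# spread over 95 s, carol logs in successfully, dave fails once.
SAMPLE_RECORDS = [
    rec(0, "alice", "h1"), rec(10, "alice", "h1"), rec(20, "alice", "h2"), rec(50, "alice", "h2"),
    rec(5, "bob", "h3"), rec(35, "bob", "h3"), rec(70, "bob", "h3"), rec(100, "bob", "h3"),
    rec(60, "carol", "h4", return_code=0),       # successful login: no bad_login fact
    rec(61, "carol", "h4", event_type=3),        # constructed non-login event type
    rec(80, "dave", "h5"),
]

if __name__ == "__main__":
    result = run(SAMPLE_RECORDS)
    print("\n".join(result["messages"]))
    print(result["alerts"])
```

Only alice triggers the burst rule: bob also fails four times, but his first and fourth attempts are 95 s apart, which is exactly the case the guard T2 − T1 ≤ 60 s is meant to exclude.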
USTAT (Unix State Transition Analysis):
• State transition diagram as a graphical representation of a penetration scenario
• Example: mail bug (commands and state assertions above; the object is /usr/spool/mail/root)

Misuse Detection – Expert Systems

P-BEST:
• Expert systems provide mechanisms for processing facts regarding the state of a given environment and deriving local inferences from these facts
• A fact maps an event that is recorded and evaluated
• The process of fact evaluation is referred to as modus ponens, which states that given (p → q) ∧ p, q is deduced
• Systems iteratively applying modus ponens under a bottom-up reasoning strategy are referred to as forward-chaining systems
• Event records are asserted as facts and evaluated against penetration rule sets

Example of a pattern type declaration:
  ptype[event event_type:int, return_code:int, username:string, hostname:string]

Misuse Detection – Summary

Advantages:
• Small number of false positives
• Small performance overhead
• Clear definition of relevant audit events
Disadvantages:
• Not possible to detect new attacks
• Correctness of the used patterns is difficult to prove
• Scalability and performance depend on the number of patterns that have to be tested
(Diagram: trade-off between false positives and false negatives as the tolerance of the detector is reduced.)

Anomaly Detection – Statistical Measures

The anomaly detector observes the activity of subjects and generates profiles:
• The system periodically generates a value indicative of the abnormality of recent audit records
• The value is computed from measures defined in a profile:
  $a_1 S_1^2 + a_2 S_2^2 + \dots + a_n S_n^2$, with $a_i > 0$
The measures fall into four classes:
1. Activity Intensity Measures: the rate at which an activity is progressing, e.g. the number of audit records processed for a user in an interval t
2. Audit Record Distribution Measures: the distribution of all activity types in recent audit records, e.g. the relative distribution of file accesses, I/O activity, etc. for a particular user
3. Categorical Measures: the distribution of a particular activity over categories, e.g. the relative frequency of logins from each physical location
4. Ordinal Measures: activity whose outcome is a numeric value, e.g. the amount of CPU and I/O used by a particular user

Anomaly Detection – Combining Anomaly Measures
• Let A1, A2, ..., An be n measures used to determine whether an intrusion is occurring (I/O activity, number of page faults, etc.)
• Each measure Ai has two values, 1 implying that the measure is anomalous, 0 otherwise
• Let I be the hypothesis that the system is currently undergoing an intrusive attack
• The reliability and sensitivity of each anomaly measure Ai is determined by the numbers P(Ai = 1 | I) and P(Ai = 1 | ¬I)
• Combined belief in I (Bayes' rule):
  $$P(I \mid A_1, A_2, \dots, A_n) = \frac{P(A_1, A_2, \dots, A_n \mid I)\, P(I)}{P(A_1, A_2, \dots, A_n)}$$
• The combined belief requires the joint probability distribution of the set of measures conditioned on I and on ¬I
• Simplification: assume that each measure Ai depends only on I and is independent of the other measures:
  $$P(A_1, A_2, \dots, A_n \mid I) = \prod_{i=1}^{n} P(A_i \mid I) \quad\text{and}\quad P(A_1, A_2, \dots, A_n \mid \neg I) = \prod_{i=1}^{n} P(A_i \mid \neg I)$$
  which leads to
  $$\frac{P(I \mid A_1, A_2, \dots, A_n)}{P(\neg I \mid A_1, A_2, \dots, A_n)} = \frac{P(I)}{P(\neg I)} \cdot \prod_{i=1}^{n} \frac{P(A_i \mid I)}{P(A_i \mid \neg I)}$$
• The odds of an intrusion can thus be determined, given the values of the various anomaly measures, from the prior odds of the intrusion and the likelihood of each measure being anomalous in the presence of an intrusion
• A more realistic estimate of P(I | A1, A2, ..., An) takes the interdependence of the measures Ai into account, e.g. by use of a covariance matrix: if the measures Ai are represented by the vector A, the compound anomaly measure is determined by
  $$A^{T} C^{-1} A$$
  where C is the covariance matrix representing the dependence between each pair of anomaly measures Ai and Aj
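The odds form above and the covariance-based compound measure can be worked through numerically. The block below is an added example, not code from the lecture or from IDES: it evaluates the posterior odds of I for a vector of binary measures under the independence assumption, and computes A^T C^-1 A for a correlated pair. The sensitivities P(Ai = 1 | I) and P(Ai = 1 | ¬I), the prior P(I), the covariance matrix and the observed vectors are constructed values.

```python
"""Combining anomaly measures: an added worked example, not code from the
lecture or from IDES. It evaluates the odds form derived above for binary
measures A_i under the independence assumption, and the compound measure
A^T C^-1 A for correlated measures. The sensitivities P(A_i=1|I) and
P(A_i=1|not I), the prior P(I), the covariance matrix and the observed
vectors are all constructed values.
"""

# Constructed: name -> (P(A_i = 1 | I), P(A_i = 1 | not I))
MEASURES = {
    "io_activity":  (0.70, 0.10),
    "page_faults":  (0.60, 0.20),
    "cpu_time":     (0.50, 0.30),
    "login_places": (0.80, 0.05),
}
PRIOR_INTRUSION = 0.01      # constructed P(I)


def posterior_odds(observed, measures=MEASURES, prior=PRIOR_INTRUSION):
    """P(I|A)/P(not I|A) = P(I)/P(not I) * prod_i P(A_i|I)/P(A_i|not I).
    `observed` maps measure name -> 0 or 1; for A_i = 0 the likelihood ratio
    is (1 - P(A_i=1|I)) / (1 - P(A_i=1|not I))."""
    odds = prior / (1.0 - prior)
    for name, value in observed.items():
        p_i, q_i = measures[name]
        odds *= (p_i / q_i) if value == 1 else ((1.0 - p_i) / (1.0 - q_i))
    return odds


def posterior_probability(observed, **kwargs):
    """Convert the odds back into P(I | A_1, ..., A_n)."""
    odds = posterior_odds(observed, **kwargs)
    return odds / (1.0 + odds)


def invert(matrix):
    """Gauss-Jordan inverse of a small square matrix given as a list of rows."""
    n = len(matrix)
    aug = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-12:
            raise ValueError("covariance matrix is singular")
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def compound_measure(a_vec, cov):
    """A^T C^-1 A: the compound anomaly measure that accounts for the
    dependence between pairs of measures through the covariance matrix C."""
    inv = invert(cov)
    n = len(a_vec)
    return sum(a_vec[i] * inv[i][j] * a_vec[j] for i in range(n) for j in range(n))


if __name__ == "__main__":
    all_anomalous = {name: 1 for name in MEASURES}
    none_anomalous = {name: 0 for name in MEASURES}
    print("P(I | all anomalous)  =", round(posterior_probability(all_anomalous), 4))
    print("P(I | none anomalous) =", round(posterior_probability(none_anomalous), 6))
    corr = [[1.0, 0.8], [0.8, 1.0]]      # constructed: strongly correlated pair
    print("agreeing pair   :", round(compound_measure([1.0, 1.0], corr), 3))
    print("disagreeing pair:", round(compound_measure([1.0, -1.0], corr), 3))
```

With the constructed numbers, four anomalous measures lift the belief from a prior of 1 % to about 85 %, while four normal measures push it well below the prior. The compound measure shows why the covariance matters: two measures with correlation 0.8 that both deviate by one unit score only 10/9, whereas the same two measures deviating in opposite directions score 10, because disagreement between strongly correlated measures is the unexpected event.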
Bayesian Networks:
• Use of Bayesian or other belief networks to combine anomaly measures
• Bayesian networks allow the representation of causal dependencies between random variables and permit the calculation of the joint probability distribution of the random variables by specifying only a small set of probabilities
• Boxes represent binary random variables whose values represent either the normal or the abnormal condition
• Observe the values of some of the variables and calculate P(Intrusion | Evidence) with the Bayesian network calculus
• It is not trivial to determine the a-priori probability of the root node and the link matrices for each directed arc

(Diagram: example network with the root node Intrusion and the nodes Too Many CPU Intensive Jobs, Too Many Users, Too Many Disk Intensive Jobs, Newly Available Program on the Net, Fragmentation, Thrashing, CPU, DISK I/O and NET I/O.)

Statistical Anomaly Detection

Advantages:
• No knowledge about possible attacks necessary
• Universal validity
• Use of well-known statistical methods

Alternative Approaches

Predictive Pattern Generation:
• Assumption: sequences of events are not random but follow a discernible pattern
• Use of inductive time-based rules that characterize the normal behavior patterns of users
• Looks for patterns in sequences of events by implementing a Markov transition probability model
• Rules are modified dynamically and only rules with low entropy remain in the system
• If a sequence of events matches the head of a rule, the next event is considered anomalous if it is not in the set of predicted events in the body of the rule
• Example (TIM): E1→E2→E3 ⇒ (E4 = 95%, E5 = 5%), i.e. if the pattern of observed events is E1 followed by E2 followed by E3, then the probability of seeing E4 next is 95% and that of E5 is 5%

Statistical Anomaly Detection – Disadvantages:
• High number of false positives
• Difficulty of defining the normal behavior and protecting it from the attacker
• Statistical properties of the relevant parameters are probably difficult to determine (probability distribution, correlation, etc.)
• No consideration of the sequence of events in time

Model-based Intrusion Detection
• Combines models of misuse with evidential reasoning to support conclusions about the occurrence of a misuse
• Database of attack scenarios
• At any given moment the system considers a subset of these attack scenarios as likely ones under which the system might currently be under attack
• The anticipator seeks information in the audit trail to substantiate or refute an attack scenario
• The anticipator generates the next behavior to be verified and passes it to the planner
• The planner determines how the hypothesized behavior will show up in the audit data and translates it into a system-dependent audit trail match
• The mapping from behavior to activity must have a high likelihood of appearing in the behavior, i.e. the following ratio has to be high:
  $$\frac{P(\text{Activity} \mid \text{Behavior})}{P(\text{Activity} \mid \neg\text{Behavior})}$$
• Evidence for some scenarios accumulates and drops for other scenarios
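The predictive pattern generation described under Alternative Approaches above is small enough to implement end to end. The block below is an added example, not TIM's own code: it induces rules of the form E1→E2→E3 ⇒ (E4 = p, E5 = q, ...) from a training sequence by counting successors of each event triple, prunes rules whose prediction entropy exceeds a threshold, and then flags observed events that contradict a surviving rule. The training and observed event sequences and the entropy threshold are constructed.

```python
"""Predictive pattern generation in the style of TIM: an added example, not
TIM's own code. Rules E1 -> E2 -> E3 => (E4 = p, E5 = q, ...) are induced
from a training sequence by counting which event follows each 3-event
prefix (a Markov transition model over event triples). Rules whose
prediction is too uncertain are pruned, mirroring "only rules with low
entropy remain"; monitoring flags an event that follows a known head but is
not among the predicted events. The training and observed sequences and
the entropy threshold are constructed.
"""
from collections import Counter, defaultdict
from math import log2

ORDER = 3     # rule head length: E1 -> E2 -> E3


def induce_rules(sequence, max_entropy_bits=1.0):
    """Return {head: {next_event: probability}} keeping only heads whose
    prediction entropy (in bits) is at most max_entropy_bits."""
    follow = defaultdict(Counter)
    for i in range(len(sequence) - ORDER):
        head = tuple(sequence[i:i + ORDER])
        follow[head][sequence[i + ORDER]] += 1
    rules = {}
    for head, counts in follow.items():
        total = sum(counts.values())
        probs = {event: c / total for event, c in counts.items()}
        entropy = -sum(p * log2(p) for p in probs.values())
        if entropy <= max_entropy_bits:
            rules[head] = probs
    return rules


def format_rule(head, probs):
    """Render a rule the way the slide writes it, e.g. 'cd -> ls -> vi => (make=100%)'."""
    body = ", ".join(f"{e}={p * 100:.0f}%"
                     for e, p in sorted(probs.items(), key=lambda kv: -kv[1]))
    return " -> ".join(head) + " => (" + body + ")"


def monitor(sequence, rules):
    """Return [(index, head, event)] for events contradicting a matching rule.
    Heads without a rule (pruned or never seen) give no verdict."""
    anomalies = []
    for i in range(len(sequence) - ORDER):
        head = tuple(sequence[i:i + ORDER])
        event = sequence[i + ORDER]
        if head in rules and event not in rules[head]:
            anomalies.append((i + ORDER, head, event))
    return anomalies


def build_training():
    """Constructed normal behaviour: 20 sessions of one user. The tool used
    after 'ls' varies (that head becomes unpredictable and is pruned), and
    one session runs 'test' instead of 'ls' after 'make' (an 80/20 rule)."""
    tools = ["vi", "cat", "rm", "cp"]
    training = []
    for k in range(20):
        training += ["login", "cd", "ls", tools[k % 4], "make",
                     "test" if k == 0 else "ls", "logout"]
    return training


TRAINING = build_training()
# Constructed observation: the second session runs 'rm' where 'make' is predicted.
OBSERVED = ["login", "cd", "ls", "vi", "make", "ls", "logout",
            "login", "cd", "ls", "vi", "rm", "ls", "logout"]

if __name__ == "__main__":
    rules = induce_rules(TRAINING)
    for head in [("cd", "ls", "vi"), ("ls", "vi", "make")]:
        print(format_rule(head, rules[head]))
    print(monitor(OBSERVED, rules))
```

The head login → cd → ls is followed by four different tools with equal frequency, so its entropy of 2 bits exceeds the threshold and it yields no rule; an event after it is never judged. The head cd → ls → vi predicts make with certainty, so the rm at position 11 of the observed sequence is reported as anomalous.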
Specification-based Anomaly Detection – C. Ko

Behavior is specified:
• Definition of expected process behavior
• Definition based on parallel environment grammars (PEGs)
• PEGs allow the description of the parallel execution of processes
• Basic elements of a PEG: environment variables, protovariables, terminals, initial environment assignments, hyperrules, parallel start expression

Example grammar:
  /* Environment Variables */
  1. Int E=0;
  /* Start Expression */
  2. <progA> || <progB>
  /* Hyperrules */
  3. <progA> -> <writeA, E>.
  4. <writeA, 0> -> <openA><closeA>{E=E-1;}.
  5. <openA> -> open_A {E=E+1;}.
  6. <closeA> -> close_A.
  7. <progB> -> <writeB, E>.
  8. <writeB, 0> -> <openB><closeB>{E=E-1;}.
  9. <openB> -> open_B {E=E+1;}.
  10. <closeB> -> close_B.

Advantages:
• Formal process description
• Operational security policy
Disadvantages:
• No universal validity, restricted to the OS
• Complicated specification
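What the example grammar actually enforces becomes clear when a trace is checked against it. The block below is an added example and not C. Ko's implementation: since <writeA, E> and <writeB, E> have a hyperrule only for E = 0, a program may derive open_X only while no other program holds the resource, and the checker walks an interleaved trace of terminals with that reading, interpreting the hyperrule parameter as the value of E at the moment open_X is attempted. The program table and the traces are constructed; the table generalizes the slide's two programs to any number of parallel programs.

```python
"""Checking a process trace against the PEG above: an added example, not
C. Ko's implementation. <progA> and <progB> derive in parallel, and
<writeX, E> has a hyperrule only for E = 0, so a program may derive open_X
only while no other program holds the resource (E counts the open files);
close_X brings E back to 0. The checker walks an interleaved trace of
terminals, interprets the hyperrule parameter as the value of E when open_X
is attempted, and reports why a trace is not derivable. The program table
and the traces are constructed; the table generalizes the slide's two
programs to any number.
"""

# Constructed: program name -> (open terminal, close terminal), i.e. the
# terminals produced by <openX> and <closeX>.
PROGRAMS = {"A": ("open_A", "close_A"), "B": ("open_B", "close_B")}


def check_trace(trace, programs=PROGRAMS):
    """Return (derivable, reason) for an interleaved trace of terminals."""
    env_e = 0                                   # Int E=0;
    phase = {p: "start" for p in programs}      # derivation state of each <progX>
    terminal = {}
    for name, (open_t, close_t) in programs.items():
        terminal[open_t] = (name, "open")
        terminal[close_t] = (name, "close")
    for i, term in enumerate(trace):
        if term not in terminal:
            return False, f"{i}: {term} is not a terminal of the grammar"
        name, kind = terminal[term]
        if kind == "open":
            if phase[name] != "start":
                return False, f"{i}: <prog{name}> already derived {term}"
            if env_e != 0:
                return False, f"{i}: no hyperrule <write{name}, {env_e}>"
            env_e += 1                          # open_X {E=E+1;}
            phase[name] = "open"
        else:
            if phase[name] != "open":
                return False, f"{i}: {term} without a preceding open_{name}"
            env_e -= 1                          # <openX><closeX>{E=E-1;}
            phase[name] = "done"
    if any(p != "done" for p in phase.values()):
        return False, "trace ends before every program finished its derivation"
    return True, "trace is derivable from the parallel start expression"


# Constructed traces.
SERIAL_AB = ["open_A", "close_A", "open_B", "close_B"]
SERIAL_BA = ["open_B", "close_B", "open_A", "close_A"]
OVERLAPPING = ["open_A", "open_B", "close_B", "close_A"]
TRUNCATED = ["open_A"]

if __name__ == "__main__":
    for name, trace in [("serial A,B", SERIAL_AB), ("serial B,A", SERIAL_BA),
                        ("overlapping", OVERLAPPING), ("truncated", TRUNCATED)]:
        print(name, check_trace(trace))
```

Either serial order is derivable, which is what the parallel start expression permits; the overlapping trace fails at open_B because E is 1 at that point and no hyperrule <writeB, 1> exists, and a trace that stops after open_A is rejected because <progA> never completes its derivation.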
Transaction-based Anomaly Detection

Network protocols and processes can be specified by finite state machines:

A finite state machine (FSM) A is defined by a quintuple $A = (Q, \Sigma, q_0, \delta, F)$ with
• Q: finite set of states
• Σ: finite input alphabet
• q0 ∈ Q: initial state
• δ: transition function δ: Q × Σ → Q
• F ⊆ Q: set of final states
A finite state machine accepts a language L(A) ⊆ Σ*, defined by
  $$L(A) = \{x \in \Sigma^* \mid \delta^*(q_0, x) \in F\}$$
where δ* is the extension of the transition function from single input symbols to words.

Now: use FSMs to model transactions.

Transactions can be characterized by the ACID properties:
• Atomicity: all operations of a transaction must be completed, i.e. a transaction is treated as a single, indivisible unit
• Consistency: a transaction takes the system from one consistent state to another
• Isolation: each transaction must be performed without interference from other transactions
• Durability: after a transaction has successfully been completed, all its results are saved in permanent storage

Detect attacks by violation of ACID properties (grouped as on the slide):

Violation     Protocol / Layer   Attack
Atomicity     TCP                SYN Flood
              TCP                SYN Scan
              Process            Deadlock
              ICMP               Ping of Death
Consistency   ICMP               Ping of Death
              TCP                FIN Scan
              TCP                SYN/ACK Scan
              TCP                SYN/FIN Scan
              TCP                RST Scan
              TCP                Xmas Tree Scan
              UDP                UDP Scan
              Application        FTP Bounce Attack
              Process            Buffer Overflow
Isolation     Process            Race Condition

Transaction-based anomaly detection:
• Description of positive behavior by definition of admissible transactions through FSMs
• Monitoring of the security domain regarding potential violations of transaction properties (ACID)
• Reporting of detected anomalies for further classification based on simple misuse detection (ECA rules)
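The three bullets above can be carried out literally for TCP: define the admissible transactions as the language of an FSM, run each observed connection through δ*, and map the way it fails to an ACID property. The block below is an added example, not from the lecture: a transaction that ends outside F (a half-open connection left by a SYN flood, or one aborted with RST as in a SYN scan) is reported as an atomicity violation, and a symbol for which δ is undefined (a FIN or SYN/ACK aimed at a port with no connection, as in FIN and SYN/ACK scans) as a consistency violation. The alphabet, the state set and the sample flows are constructed simplifications of TCP.

```python
"""Transaction-based anomaly detection with a finite state machine: an added
example, not from the lecture. One TCP connection is treated as one
transaction and the admissible transactions are the language L(A) of the
FSM A = (Q, Sigma, q0, delta, F) below. A transaction that ends outside F
violates atomicity; an input symbol for which delta is undefined violates
consistency. The alphabet, the state set and the sample flows are
constructed simplifications of TCP.
"""
from collections import Counter, defaultdict

Q = {"CLOSED", "SYN_RCVD", "ESTABLISHED", "FIN_WAIT", "DONE"}
SIGMA = {"SYN", "SYN_ACK", "ACK", "DATA", "FIN", "RST"}
Q0 = "CLOSED"
F = {"DONE"}                     # only a fully closed connection is complete
DELTA = {                        # partial function: missing pairs are inadmissible
    ("CLOSED", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "SYN_ACK"): "SYN_RCVD",
    ("SYN_RCVD", "ACK"): "ESTABLISHED",
    ("SYN_RCVD", "RST"): "CLOSED",
    ("ESTABLISHED", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "FIN_WAIT",
    ("ESTABLISHED", "RST"): "CLOSED",
    ("FIN_WAIT", "FIN"): "FIN_WAIT",
    ("FIN_WAIT", "ACK"): "DONE",
}


def delta_star(word):
    """Extended transition function. Returns (state, None) after reading the
    whole word, or (state, symbol) at the first symbol with no transition."""
    state = Q0
    for symbol in word:
        if symbol not in SIGMA:
            raise ValueError(f"{symbol!r} is not in the alphabet")
        nxt = DELTA.get((state, symbol))
        if nxt is None:
            return state, symbol
        state = nxt
    return state, None


def accepts(word):
    """x is in L(A) iff delta*(q0, x) is defined and lies in F."""
    state, stuck = delta_star(word)
    return stuck is None and state in F


def classify(word):
    """Map a finished (or timed-out) transaction to the violated ACID property."""
    state, stuck = delta_star(word)
    if stuck is not None:
        return "consistency", f"{stuck} is inadmissible in state {state}"
    if state not in F:
        return "atomicity", f"transaction ended in non-final state {state}"
    return "ok", "transaction complete"


def report(flows):
    """flows: {(src, dst_port): [symbols]}. Returns per-flow verdicts and, as
    the simple misuse-detection (ECA) step, per-source counts of violations,
    so that many consistency violations from one source stand out as a scan."""
    verdicts = {key: classify(word) for key, word in flows.items()}
    per_source = defaultdict(Counter)
    for (src, _port), (kind, _why) in verdicts.items():
        if kind != "ok":
            per_source[src][kind] += 1
    return verdicts, {src: dict(c) for src, c in per_source.items()}


# Constructed flows: a normal connection, a SYN-flood victim entry, and one
# source that performs a SYN scan, a FIN scan and a SYN/ACK scan on several ports.
FLOWS = {
    ("10.0.0.5", 80): ["SYN", "SYN_ACK", "ACK", "DATA", "DATA", "FIN", "FIN", "ACK"],
    ("10.0.0.9", 80): ["SYN", "SYN_ACK"],
    ("10.0.0.7", 22): ["SYN", "SYN_ACK", "RST"],
    ("10.0.0.7", 23): ["FIN"],
    ("10.0.0.7", 25): ["FIN"],
    ("10.0.0.7", 110): ["SYN_ACK"],
}

if __name__ == "__main__":
    verdicts, per_source = report(FLOWS)
    for key, verdict in verdicts.items():
        print(key, verdict)
    print(per_source)
```

Note that this monitor classifies a transaction only once it has finished or timed out: a connection that is merely in SYN_RCVD is not yet an anomaly, which is exactly why the timeout value matters for catching a SYN flood.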
Conclusion

For networks, a lot of different security concepts exist:
1. Guarantee confidentiality, authentication, and integrity of data exchanged between communication partners
• On the network layer by IPsec
• On the transport layer by SSL/TLS
• On the application layer by security enhancements tailored to certain applications, e.g. PGP, PEM, S/MIME
• Make life easier by introducing central authentication services, e.g. Kerberos
• To apply these security concepts, trusted third parties are necessary, e.g. KDCs
2. Guarantee the inaccessibility of your Intranet
• Firewalls to control incoming and outgoing traffic, and block unwanted traffic
• Intrusion Detection to detect attacks on your Intranet
3. … and maybe much more not presented in this lecture