Date posted: 22-Dec-2015
Contents
● Overview
● Worms: Type, Attackers, Enabling Factors
● Existing Practices and Models
● Cyber CDC
● Vulnerability Prevention Defenses
● Automatic Detection of Malicious Code
● Automated Response to Malicious Code
● Aid to Manual Analysis of Malicious Code
● Aid to Recovery
● Policy Considerations
● Validation and Challenging Problems
● Conclusion
Motivation and Goal
● Networking infrastructure is essential to many activities
  – Address the “worm threat”
● Establish a taxonomy for worms
● Motivate a Cyber “CDC”
● Establish a road map for research efforts
Challenges
● Prevention
  – e.g. non-executable stacks
● Avoidance
  – e.g. filtering ports
● Detection
  – e.g. network telescopes
● Recovery
  – e.g. fixing the vulnerability
Challenges
● Spread speed is faster than human reaction time
● Each new generation of worms adapts to the previous generation's countermeasures
  – Smart people behind the scenes
● Monocultures in today's Internet
● People are not security-conscious
Taxonomy
● Activation techniques
  – Human
  – Scheduled process
  – Self
● Propagation strategies
  – Scanning
  – Pre-generated target lists
  – Externally generated target lists
  – Internal target lists
  – Passive
● Propagation carriers
  – Self-carried
  – Embedded
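The propagation strategies listed above, and the earlier challenge that spread speed outruns human reaction time, are easiest to see with numbers. The following is an added example, not code from the slides or from the underlying paper: a deterministic SI (logistic) model of a random-scanning worm, started either from a single host or from a pre-generated hit list. The address space, vulnerable population and per-host scan rate are assumptions chosen to be Code Red-like, and the 100x scan rate is a Slammer-like assumption; none of these figures appears on the page.

```python
"""Deterministic SI (logistic) model of a random-scanning worm.

Added example; every parameter below is an assumption, not a number from the slides.
Each infected host probes `scan_rate` uniformly random addresses per second. With I
infected hosts and V vulnerable hosts in an address space of size A, the expected
number of new infections during one second is I * scan_rate * (V - I) / A.
"""

ADDRESS_SPACE = 2 ** 32        # IPv4 addresses probed uniformly at random
VULNERABLE = 360_000           # assumed population of vulnerable hosts
SCAN_RATE = 10.0               # assumed probes per second per infected host


def simulate(initial_infected, scan_rate=SCAN_RATE, vulnerable=VULNERABLE,
             address_space=ADDRESS_SPACE, max_seconds=200_000):
    """Return a list of infected-host counts, one entry per simulated second."""
    infected = float(initial_infected)
    history = [infected]
    for _ in range(max_seconds):
        # Probability that one random probe lands on a not-yet-infected vulnerable host.
        hit_prob = (vulnerable - infected) / address_space
        infected = min(vulnerable, infected + infected * scan_rate * hit_prob)
        history.append(infected)
        if infected >= vulnerable - 0.5:
            break
    return history


def seconds_to_fraction(history, fraction, vulnerable=VULNERABLE):
    """First simulated second at which `fraction` of the vulnerable hosts are infected."""
    target = fraction * vulnerable
    for second, count in enumerate(history):
        if count >= target:
            return second
    return None


def compare_strategies():
    """Seconds needed to infect half the vulnerable population, per strategy."""
    scanning = simulate(initial_infected=1)
    hit_list = simulate(initial_infected=10_000)            # pre-generated target list
    fast_scanning = simulate(initial_infected=1, scan_rate=SCAN_RATE * 100)
    return {
        "random scanning from one host": seconds_to_fraction(scanning, 0.5),
        "10,000-host hit list, then scanning": seconds_to_fraction(hit_list, 0.5),
        "random scanning, 100x scan rate": seconds_to_fraction(fast_scanning, 0.5),
    }


if __name__ == "__main__":
    for strategy, seconds in compare_strategies().items():
        print(f"{strategy:40s} 50% infected after {seconds / 60:8.1f} minutes")
```

The single-host scanning run needs roughly four hours to reach half the population, which is the slow "exponential ramp" of a Code Red-style worm; a 10,000-host hit list removes most of that ramp, and a 100x scan rate brings the half-way point down to a few minutes, well inside any human response loop. The model is deterministic and ignores bandwidth saturation and host diversity, so treat the numbers as orders of magnitude.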
Taxonomy
● Motivation and Attackers
  – Pride and Power
  – Commercial Advantage
  – Extortion
  – Random Protest
  – Political Protest
  – Terrorism
  – Cyber Warfare
● Payloads
  – None
  – Opening Backdoors
  – Remote DoS
  – Receiving Updates
  – Espionage
  – Data Harvesting
  – Data Damage
  – Hardware Damage
  – Coercion
Ecology of Worms
● Application Design
● Buffer Overflows
● Privileges
  – Mail worms
● Application Deployment
● Economic Factors
● Monocultures
Cooperative Information Technology Organizations
● CERT/CC
  – Human analysis and aggregation
● IIAP
  – Human-time analysis
● ISAC
  – Practices and background
● FIRST
● Public mailing lists
Commercial Entities
● Anti-virus companies
  – Computer Anti-Virus Researchers Organization (CARO)
● Network-based IDS vendors
● Centralized security monitoring
● Training organizations
● Limited scope of commercial response
  – Worms have yet to cause significant damage
  – No clear way to generate additional revenue
Cyber CDC
● Identifying outbreaks
  – Develop mechanisms for gathering information
  – Sponsor research in automated detection
● Rapidly analyzing pathogens
  – Develop analysis tools
  – Understand the harm and spread of pathogens
● Fighting infections
  – Deploy agents that detect, terminate or isolate worms
Cyber CDC
● Anticipating new vectors
  – Analyze the threat potential of new applications
● Proactively devising detectors for new vectors
  – Develop analysis modules for IDS
● Resisting future threats
  – Foster research into resilient application design paradigms
● How open should it be?
Vulnerability Prevention Defenses
● Grading of potential
  – A: high potential, lower cost
  – B: medium potential or significant cost
  – C: low potential but high risk
Vulnerability Prevention Defenses
● Programming languages and compilers
  – Safe C dialects (C, active area)
    ● Enforce type and memory safety
    ● CCured / Cyclone
    ● [future] extending to C++
  – Software fault isolation (C, active area)
    ● Memory-safe sandboxes
    ● SFI-based systems are not readily available
  – StackGuard (C, active area)
    ● Compiler calling-convention change (stack canaries)
    ● Works well against conventional stack attacks
Vulnerability Prevention Defenses
● Programming languages and compilers (continued)
  – Non-executable stacks and heaps with randomized layouts (B, mostly engineering)
    ● Randomizing the memory layout
    ● Guard pages that raise an exception when accessed
    ● No attempt yet to build a complete system combining these
  – Monitoring for policy and semantics enforcement (B, opportunities for worm-specific monitoring)
    ● System-call patterns (vulnerable to “mimicry” attacks)
    ● Static analysis
    ● [future] increase performance and precision
Vulnerability Prevention Defenses
● Automatic vulnerability analysis (B, highly difficult, active area)
  – Discovering buffer overflows in C
  – Sanitizing integers from untrusted sources
  – Checking user-supplied pointers in the kernel
  – [future] assembly-level analysis
  – [future] specific patterns of system calls
Vulnerability Prevention Defenses
● Privilege issues
  – Fine-grained access control (C, active area)
    ● [future] integration into commodity OSes
  – Code signing (C, active area)
    ● Public-key authentication
  – Privilege isolation (C, some active research, difficult)
    ● Mach kernel
Vulnerability Prevention Defenses
● Protocol design
  – Design principles (A, difficult, low cost, high reward)
    ● Open problem
  – Proving protocol properties (A, difficult, high reward)
    ● Define worm-resistant properties, then verify them
    ● [future] interpreter that detects violations of the protocol
  – Distributed minable topology (A, hard but critical)
    ● Match a subset, not the entire list
  – Network layout (C, costly)
    ● Roles never co-occur (e.g. strictly client / server)
Vulnerability Prevention Defenses
● Network provider practices
  – Machine removal (C, already under development)
    ● No standard protocol
● Implementation diversity
  – Monoculture is a dangerous phenomenon
Vulnerability Prevention Defenses
● Synthetic polycultures
  – Synthetic polycultures (C, difficult, may add unpredictability)
    ● [future] techniques for developing synthetic polycultures
    ● [future] code obfuscation
● Economic and social factors
  – Why is security hard? (B, active area of research)
    ● [future] understanding of why practices remain so poor
Automatic Detection of Malicious Code
● Host-based detectors
  – Host-based worm detection (A, critical)
    ● Contagion worms
    ● IDS
  – Existing anti-virus behavior blocking (A, critical)
    ● Behavior blocking (usability and false positives)
  – Wormholes / honeyfarms (A, low-hanging fruit)
    ● Excellent detector per machine cost
    ● Must target the cultured honeypots...
Automatic Detection of Malicious Code
● Network-level detectors
  – Edge network detection (A, critical, powerful)
    ● Large number of scans
  – Backbone-level detection (B, hard, difficult to deploy)
    ● Routing is highly asymmetric
● Correlation of results
  – Centralized (B, some commercial work)
  – Distributed (A, powerful, flexible)
  – Worm traceback (A, high risk, high payoff)
    ● No attention to date in the research community
    ● [future] network telescopes
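Edge-network detection of a "large number of scans", honeyfarms and network telescopes all rest on one observation: a scanning worm's first contacts with new destinations overwhelmingly fail, while a benign host's mostly succeed. As an added example, not code from the slides, the following implements the Threshold Random Walk sequential hypothesis test of Jung, Paxson, Berger and Balakrishnan (2004) over constructed connection records, and treats any contact with an assumed unused "dark" prefix (what a network telescope or honeyfarm watches) as a definite failure. The log format, the addresses (RFC 5737 documentation ranges) and the parameter values are assumptions.

```python
"""Threshold Random Walk (TRW) scan detection over connection records.

Added example; the log lines are constructed, not real traffic. Each source keeps a
running log-likelihood ratio between "scanner" and "benign"; every first contact with a
new destination adds evidence (success favours benign, failure favours scanner) until
the ratio crosses one of two thresholds, after which the verdict is final.
"""
import ipaddress
import math

# Assumed model parameters (the values used in the TRW paper).
P_SUCCESS_BENIGN = 0.8     # theta_0: P(first contact succeeds | benign host)
P_SUCCESS_SCANNER = 0.2    # theta_1: P(first contact succeeds | scanner)
FALSE_POSITIVE = 0.01      # alpha
DETECTION = 0.99           # beta
UPPER = math.log(DETECTION / FALSE_POSITIVE)              # verdict "scanner" at or above
LOWER = math.log((1 - DETECTION) / (1 - FALSE_POSITIVE))  # verdict "benign" at or below
LOG_SUCCESS = math.log(P_SUCCESS_SCANNER / P_SUCCESS_BENIGN)              # ln 0.25
LOG_FAILURE = math.log((1 - P_SUCCESS_SCANNER) / (1 - P_SUCCESS_BENIGN))  # ln 4

# Assumed unallocated prefix watched by a telescope / honeyfarm: nothing legitimate
# lives there, so any contact with it is by definition a failed first contact.
DARK_SPACE = ipaddress.ip_network("203.0.113.0/24")


class TRWDetector:
    def __init__(self):
        self.log_ratio = {}   # source -> running log-likelihood ratio
        self.seen = set()     # (source, destination) pairs already counted
        self.verdict = {}     # source -> "scanner" | "benign", once decided

    def observe(self, src, dst, success):
        """Feed one connection attempt; return the current verdict for src."""
        if src in self.verdict:
            return self.verdict[src]          # decisions are final
        if (src, dst) in self.seen:
            return "pending"                  # only the first contact per destination counts
        self.seen.add((src, dst))
        if ipaddress.ip_address(dst) in DARK_SPACE:
            success = False                   # telescope hit: no host could have answered
        step = LOG_SUCCESS if success else LOG_FAILURE
        self.log_ratio[src] = self.log_ratio.get(src, 0.0) + step
        if self.log_ratio[src] >= UPPER:
            self.verdict[src] = "scanner"
        elif self.log_ratio[src] <= LOWER:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")


def classify_log(lines):
    """Parse 'timestamp src dst dport outcome' records; return {src: verdict}."""
    det = TRWDetector()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, _dport, outcome = line.split()
        det.observe(src, dst, outcome == "ok")
    return {src: det.verdict.get(src, "pending") for src in det.log_ratio}


# Constructed sample: one infected host sweeping port 1434, one mail server talking
# to its usual peers, and one host whose evidence is still inconclusive.
SAMPLE_LOG = """\
# time                 src          dst            dport outcome
2003-01-25T05:30:01    192.0.2.10   198.51.100.1   1434  fail
2003-01-25T05:30:01    192.0.2.10   198.51.100.2   1434  fail
2003-01-25T05:30:01    192.0.2.10   203.0.113.7    1434  ok
2003-01-25T05:30:02    192.0.2.10   198.51.100.9   1434  fail
2003-01-25T05:30:02    192.0.2.10   198.51.100.9   1434  fail
2003-01-25T05:30:05    192.0.2.25   198.51.100.20  25    ok
2003-01-25T05:30:06    192.0.2.25   198.51.100.21  25    ok
2003-01-25T05:30:07    192.0.2.25   198.51.100.22  25    ok
2003-01-25T05:30:08    192.0.2.25   198.51.100.23  25    ok
2003-01-25T05:30:09    192.0.2.40   198.51.100.30  80    ok
2003-01-25T05:30:09    192.0.2.40   198.51.100.31  80    fail
""".splitlines()

if __name__ == "__main__":
    for src, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{src:12s} {verdict}")
```

With these parameters each failed first contact multiplies the likelihood ratio by 4 and each success by 0.25, so four consecutive failures (here including the dark-space hit, whose logged "ok" is overridden) are enough to flag a scanner, and four successes clear a host; repeated contacts with the same destination are ignored, which is what keeps a busy but benign server from accumulating evidence. At an edge network the same test is run per internal source to catch outbound scanning from infected hosts.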
Automated Response to Malicious Code
● Host-based (B, overlaps with personal firewalls)
  – Open question
● Edge network (A, powerful, flexible)
  – [future] filter traffic (side effects...)
● Backbone / ISP level (B, difficult, deployment issues)
  – [future] limiting outbound scanning
● National boundaries (C, too coarse-grained)
● Graceful degradation and containment (B, mostly engineering)
  – [future] quarantining sections
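Both the host-based response and the "limiting outbound scanning" item above can be realised with one mechanism: rate-limit connections to new destinations rather than blocking anything outright. As an added example, not code from the slides, the following implements Williamson's outbound-connection throttle (the "virus throttle", 2002): a host may contact a small working set of recent destinations at full speed, connections to new destinations are released from a delay queue at a fixed rate, and a queue that keeps growing is itself the scan alarm that triggers quarantine. The traces are constructed and the working-set size, release rate and alarm threshold are assumptions.

```python
"""Outbound-connection throttle as an automated response to a scanning host.

Added example; traces, sizes and rates are assumptions, not figures from the slides.
A benign host re-contacts a handful of destinations and is barely slowed; a scanning
host generates many new destinations per second, its delay queue grows, and it is
quarantined before more than a few probes have left the machine.
"""
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set_size=5, releases_per_second=1, alarm_queue_len=10):
        self.working_set_size = working_set_size
        self.releases_per_second = releases_per_second
        self.alarm_queue_len = alarm_queue_len
        self.working = OrderedDict()   # LRU set of recently contacted destinations
        self.queue = deque()           # new destinations waiting to be released
        self.quarantined_at = None     # second in which the alarm fired, if any
        self.allowed = []              # (second, destination) pairs actually let through

    def _touch(self, dst):
        """Mark dst as most recently used, evicting the oldest entry if the set is full."""
        self.working[dst] = True
        self.working.move_to_end(dst)
        if len(self.working) > self.working_set_size:
            self.working.popitem(last=False)

    def second(self, now, destinations):
        """Process every connection attempt the host made during second `now`."""
        if self.quarantined_at is not None:
            return                               # host is cut off; drop everything
        for dst in destinations:
            if dst in self.working:
                self._touch(dst)
                self.allowed.append((now, dst))  # known destination: full speed
            elif dst not in self.queue:
                self.queue.append(dst)           # new destination: wait in line
        for _ in range(self.releases_per_second):
            if not self.queue:
                break
            dst = self.queue.popleft()           # release a fixed number per second
            self._touch(dst)
            self.allowed.append((now, dst))
        if len(self.queue) > self.alarm_queue_len:
            self.quarantined_at = now            # backlog is the scan signal


def run_trace(trace):
    """trace: one list of destinations per second. Returns (quarantined_at, allowed count)."""
    throttle = VirusThrottle()
    for now, destinations in enumerate(trace):
        throttle.second(now, destinations)
    return throttle.quarantined_at, len(throttle.allowed)


# Constructed traces. Benign: a workstation hammering the same three servers for 10 s.
BENIGN_TRACE = [["198.51.100.1", "198.51.100.2", "198.51.100.3"] * 20 for _ in range(10)]
# Scanning host: 100 previously unseen destinations every second for 10 s.
WORM_TRACE = [[f"10.{s}.0.{i}" for i in range(100)] for s in range(10)]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("worm", WORM_TRACE)):
        quarantined_at, allowed = run_trace(trace)
        print(f"{name:7s} quarantined_at={quarantined_at} allowed={allowed}")
```

The benign workstation is delayed only for its first three distinct destinations and is never quarantined, while the scanning host is cut off within its first second after a single probe has escaped. The same logic placed at an edge router, keyed on internal source address, is the "limitation of outbound scanning" response: it contains an infected site without needing a signature for the worm.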
Aids to Manual Analysis of Malicious Code
● Collaborative code analysis tool (A, scaling is important, some ongoing research)
● Higher-level analysis (B, important, the halting problem imposes limitations)
● Hybrid static-dynamic analysis (A, hard but valuable)
● Visualization (B, mostly educational value)
  – [future] real-time analysis
  – [future] what information might be gathered
Aids to Recovery
● Anti-worms (C, impractical, illegal)
● Patch distribution in a hostile environment (C, already evolving commercially)
● Updating in a hostile environment (C, hard engineering, already evolving)
  – Metamorphic code to insert a small bootstrap program
Policy Considerations
● Privacy and data analysis
● Obscurity
● Internet sanitation
  – Scan limiters
● The “closed” alternative
  – Apply topological restrictions
Challenging Problems
● Common evaluation framework
  – DARPA IDS evaluation
  – Finding the proper level of abstraction for analysis
  – Limiting the resources available to the attacker
● Milestones for detection
  – Sensitivity to presence
  – False positives
  – Distortion resistance
Challenging Problems
● Milestones for analysis
  – Strategizing vs. understanding
  – State of practice: identifying vs. reverse engineering
  – Metrics: accuracy, completeness, speed, usability
  – Milestone: a progressively bigger variety of worms
● Detecting targeted worms
● Tools for validating defenses
  – Worm simulation environment
  – Internet-wide worm testbed (A, essential)
  – Testing in the wild (A, essential)
Conclusions
● Worms are a significant threat
● Limited number of strategies
● Inadequate defensive infrastructure
● Cyber CDC
  – Prevention role
● Huge potential damage
Problems
● Building tomorrow's security systems on today's worm technologies
  – Will always be one step behind
  – Reactive
● Need to address root causes instead of patching things
  – Prevention