DOI: 10.1145/3132747.3132752
Research article, SOSP Conference Proceedings

WatchIT: Who Watches Your IT Guy?

Published: 14 October 2017

Abstract

System administrators have unlimited access to system resources. As the Snowden case highlighted, these permissions can be exploited to steal valuable personal, classified, or commercial data. This problem is exacerbated when a third party administers the system. For example, a bank outsourcing its IT would not want to allow administrators access to the actual data. We propose WatchIT: a strategy that constrains IT personnel's view of the system and monitors their actions. To this end, we introduce the abstraction of perforated containers -- while regular Linux containers are too restrictive to be used by system administrators, by "punching holes" in them, we strike a balance between information security and required administrative needs. Following the principle of least privilege, our system predicts which system resources should be accessible for handling each IT issue, creates a perforated container with the corresponding isolation, and deploys it as needed for fixing the problem.
Under this approach, the system administrator retains superuser privileges, but only within the limits of the perforated container. We further provide means for the administrator to bypass the isolation, but such operations are monitored and logged for later analysis and anomaly detection.
We provide a proof-of-concept implementation of our strategy, which includes software for deploying perforated containers, monitoring mechanisms, and changes to the Linux kernel. Finally, we present a case study conducted on the IT database of IBM Research in Israel, showing that our approach is feasible.

Supplementary Material

MP4 File (watchit.mp4)



Published In

SOSP '17: Proceedings of the 26th Symposium on Operating Systems Principles
October 2017, 677 pages
ISBN: 9781450350853
DOI: 10.1145/3132747
Publisher: Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. Perforated Container
      2. Privileged Insider Threat

      Acceptance Rates

      Overall Acceptance Rate 131 of 716 submissions, 18%