Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Confidentiality policies UNIT 2 (CSS)

Download as PPTX, PDF

The document discusses various techniques for confining untrusted code, including running it at different levels of isolation such as in a separate hardware system, virtual machine, process, or thread. It describes approaches like system call interposition and software fault isolation that monitor applications and isolate their ability to access resources. The document also covers topics like rootkits, which can provide unauthorized access, and intrusion detection systems, which monitor networks for malicious activity.

1 of 33

1

Confidentiality Policies UNIT 2 BY:SURBHI SAROHA 1 SURBHI SAROHA

2

SYLLABUS • Confinement Principle • Detour Unix user IDs. • Process IDs and privileges • More on confinement techniques • System call interposition • Error 404 digital Hacking in India part 2 chase • VM based isolation • Confinement principle • Software fault isolation • Rootkits • Intrusion Detection Systems. 2 SURBHI SAROHA

3

Confinement Principle • Running untrusted code • We often need to run buggy/unstrusted code: • – programs from untrusted Internet sites:desktop and mobile apps, Javascript, browser extensions • – exposed applications: browser, pdf viewer, outlook • – legacy daemons: sendmail, bind • – honeypots • Goal: if application “misbehaves” ⇒ kill it 3 SURBHI SAROHA

4

Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Hardware: run application on isolated hw (air gap) 4 SURBHI SAROHA

5

5 SURBHI SAROHA

6

Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Virtual machines: isolate OS’s on a single machine 6 SURBHI SAROHA

7

7 SURBHI SAROHA

8

Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Process: System Call Interposition Isolate a process in a single operating system 8 SURBHI SAROHA

9

9 SURBHI SAROHA

10

Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Threads: Software Fault Isolation (SFI) • Isolating threads sharing same address space – • Application level confinement: • e.g. browser sandbox for Javascript and WebAssembly 10 SURBHI SAROHA

11

Detour Unix user IDs. • https://www.youtube.com/watch?v=yGXTHnV3 124&feature=youtu.be&fbclid=IwAR0DKuRI6e6 GryNnnzrfao7_N2heLTbr2- XILeYNec2ossn3NML7X0OA6ys 11 SURBHI SAROHA

12

Process IDs and privileges • Process privileges • In systems where security is important, applications should run with the fewest privileges possible. • Doing this helps reduce the impact of possible compromises and can also help lower the privilege escalation attack surface of the device. • The more difficult it is for attackers to elevate an application's privileges, the better; forcing attackers to chain multiple attacks against various applications that each have minimal sets of permissions is ideal. 12 SURBHI SAROHA

13

Confinement • 1. Uses encapsulation techniques to structurally guarantee that at most one activity at a time can possibly access a given object. • 2. Instead of using dynamic locking on object, encapsulation statically ensures the unique access to a given object • 3. Define methods and classes that establish leak-proof ownership domains so that one thread (at a time) can ever access a confined object. 13 SURBHI SAROHA

14

Confinement techniques • 1. Scoping • 2. Access control • 3. Data hiding and encapsulation • 4. Problem is information leaking 14 SURBHI SAROHA

15

Kinds of Confinement • Method confinement – hide access within local scope, including hand-offs • 2. Thread confinement – confine objects to sequence of operations (session) • 3. Object confinement – confine accesses internal to object (host-part) • 4. Group confinement – resource only owned by one object, but can be circulated 15 SURBHI SAROHA

16

System call interposition • System call interposition: a better approach to confinement. • Observation: to damage host system (i.e. make persistent changes) app must make system calls • To delete/overwrite files: unlink, open, write • • To do network attacks: socket, bind, connect, send. • Monitor app system calls and block unauthorized calls • • Implementation options: • • Completely kernel space (e.g. GSWTK) • • Completely user space 16 SURBHI SAROHA

17

17 SURBHI SAROHA

18

Cont…. • Systrace only forwards monitored sys-calls to monitor (saves context switches) • • Systrace resolves sym-links and replaces sys- call path arguments by full path to target • • When app calls execve, monitor loads new policy file • • Fast path in kernel for common/easy cases, ask userspace for complicated/rare cases 18 SURBHI SAROHA

19

Error 404 digital Hacking in India part 2 chase • https://security.cse.iitk.ac.in/node/178 19 SURBHI SAROHA

20

VM based isolation • A VM is an isolated environment with access to a subset of physical resources of the computer system. • Each VM appears to be running on the bare hardware, giving the appearance of multiple instances of the same computer, though all are supported by a single physical system. 20 SURBHI SAROHA

21

Cont… • Temporal isolation or performance isolation among virtual machine (VMs) refers to the capability of isolating the temporal behavior (or limiting the temporal interferences) of multiple VMs among each other, despite them running on the same physical host and sharing a set of physical resources such as processors, memory, and disks. 21 SURBHI SAROHA

22

Confinement principle • Confinement is a mechanism for enforcing the principle of least privilege. • The problem is that the confined process needs to transmit data to another process. • The confinement mechanism must distinguish between transmission of authorized data and the transmission of unauthorized data. 22 SURBHI SAROHA

23

Software fault isolation • Software-based Fault Isolation (SFI) is a software-instrumentation technique at the machine-code level for establishing logical protection domains within a process. • In SFI, protection domains stay within the same process, incurring low overhead when switching between domains. 23 SURBHI SAROHA

24

Cont…. • Way to get programs to behave in a manner consistent with a given security policy is by "brainwashing." • That is, modify the programs so that they behave only in safe ways. • This is embodied by a recent approach to security known as software-based fault isolation (SFI). • So far, the environment has been responsible for policy enforcement, where the environment is either the OS/kernel or the hardware. • Hardware methods include addressing mechanisms (e.g. virtual memory); • OS methods include having two modes (where the supervisor mode has access to everything). • The new approach we discuss today is to construct a piece of software that transforms a given program p into a program p', where p' is guaranteed to satisfy a security policy of interest. 24 SURBHI SAROHA

25

25 SURBHI SAROHA

26

Cont… • This SFI SW transformation could be any number of things. • It could be a piece of the compiler or of the loader. It could also involve a separate pass over machine language code before execution commences. • The point is that we are modifying the program before it is executed. • (One easy realization of SFI SW is to always output a program that does nothing. However, there are likely to be properties of the original program that we are interested in preserving, and these properties might not be satisfied by a program that does nothing.) 26 SURBHI SAROHA

27

Rootkits • A rootkit is a malicious software that allows an unauthorized user to have privileged access to a computer and to restricted areas of its software. • A rootkit may contain a number of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for Distributed denial of service (DDoS) attacks. • 27 SURBHI SAROHA

28

Well-Known Rootkit Examples • Lane Davis and Steven Dake - wrote the earliest known rootkit in the early 1990s. • NTRootkit – one of the first malicious rootkits targeted at Windows OS. • HackerDefender – this early Trojan altered/augmented the OS at a very low level of functions calls. • Machiavelli - the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads. • Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE PBX. 28 SURBHI SAROHA

29

Cont… • Zeus, first identified in July 2007, is a Trojan horse that steals banking information by man- in-the-browser keystroke logging and form grabbing. • Stuxnet - the first known rootkit for industrial control systems • Flame - a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic. 29 SURBHI SAROHA

30

Intrusion Detection Systems. • An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. • It is a software application that scans a network or a system for harmful activity or policy breaching. • Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. • A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms. 30 SURBHI SAROHA

31

Cont…. • Although intrusion detection systems monitor networks for potentially malicious activity, they are also disposed to false alarms. • Hence, organizations need to fine-tune their IDS products when they first install them. • It means properly setting up the intrusion detection systems to recognize what normal traffic on the network looks like as compared to malicious activity. • Intrusion prevention systems also monitor network packets inbound the system to check the malicious activities involved in it and at once sends the warning notifications. 31 SURBHI SAROHA

32

Classification of Intrusion Detection System • IDS are classified into 5 types: 1. Network Intrusion Detection System (NIDS) 2. Host Intrusion Detection System (HIDS) 3. Protocol-based Intrusion Detection System (PIDS) 4. Application Protocol-based Intrusion Detection System (APIDS) 5. Hybrid Intrusion Detection System 32 SURBHI SAROHA

33

THANK YOU  33 SURBHI SAROHA

More Related Content

Confidentiality policies UNIT 2 (CSS)

  • 2. SYLLABUS • Confinement Principle • Detour Unix user IDs. • Process IDs and privileges • More on confinement techniques • System call interposition • Error 404 digital Hacking in India part 2 chase • VM based isolation • Confinement principle • Software fault isolation • Rootkits • Intrusion Detection Systems. 2 SURBHI SAROHA
  • 3. Confinement Principle • Running untrusted code • We often need to run buggy/unstrusted code: • – programs from untrusted Internet sites:desktop and mobile apps, Javascript, browser extensions • – exposed applications: browser, pdf viewer, outlook • – legacy daemons: sendmail, bind • – honeypots • Goal: if application “misbehaves” ⇒ kill it 3 SURBHI SAROHA
  • 4. Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Hardware: run application on isolated hw (air gap) 4 SURBHI SAROHA
  • 6. Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Virtual machines: isolate OS’s on a single machine 6 SURBHI SAROHA
  • 8. Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Process: System Call Interposition Isolate a process in a single operating system 8 SURBHI SAROHA
  • 10. Confinement • Confinement: ensure misbehaving app cannot harm rest of system Can be implemented at many levels: • – Threads: Software Fault Isolation (SFI) • Isolating threads sharing same address space – • Application level confinement: • e.g. browser sandbox for Javascript and WebAssembly 10 SURBHI SAROHA
  • 11. Detour Unix user IDs. • https://www.youtube.com/watch?v=yGXTHnV3 124&feature=youtu.be&fbclid=IwAR0DKuRI6e6 GryNnnzrfao7_N2heLTbr2- XILeYNec2ossn3NML7X0OA6ys 11 SURBHI SAROHA
  • 12. Process IDs and privileges • Process privileges • In systems where security is important, applications should run with the fewest privileges possible. • Doing this helps reduce the impact of possible compromises and can also help lower the privilege escalation attack surface of the device. • The more difficult it is for attackers to elevate an application's privileges, the better; forcing attackers to chain multiple attacks against various applications that each have minimal sets of permissions is ideal. 12 SURBHI SAROHA
  • 13. Confinement • 1. Uses encapsulation techniques to structurally guarantee that at most one activity at a time can possibly access a given object. • 2. Instead of using dynamic locking on object, encapsulation statically ensures the unique access to a given object • 3. Define methods and classes that establish leak-proof ownership domains so that one thread (at a time) can ever access a confined object. 13 SURBHI SAROHA
  • 14. Confinement techniques • 1. Scoping • 2. Access control • 3. Data hiding and encapsulation • 4. Problem is information leaking 14 SURBHI SAROHA
  • 15. Kinds of Confinement • Method confinement – hide access within local scope, including hand-offs • 2. Thread confinement – confine objects to sequence of operations (session) • 3. Object confinement – confine accesses internal to object (host-part) • 4. Group confinement – resource only owned by one object, but can be circulated 15 SURBHI SAROHA
  • 16. System call interposition • System call interposition: a better approach to confinement. • Observation: to damage host system (i.e. make persistent changes) app must make system calls • To delete/overwrite files: unlink, open, write • • To do network attacks: socket, bind, connect, send. • Monitor app system calls and block unauthorized calls • • Implementation options: • • Completely kernel space (e.g. GSWTK) • • Completely user space 16 SURBHI SAROHA
  • 18. Cont…. • Systrace only forwards monitored sys-calls to monitor (saves context switches) • • Systrace resolves sym-links and replaces sys- call path arguments by full path to target • • When app calls execve, monitor loads new policy file • • Fast path in kernel for common/easy cases, ask userspace for complicated/rare cases 18 SURBHI SAROHA
  • 19. Error 404 digital Hacking in India part 2 chase • https://security.cse.iitk.ac.in/node/178 19 SURBHI SAROHA
  • 20. VM based isolation • A VM is an isolated environment with access to a subset of physical resources of the computer system. • Each VM appears to be running on the bare hardware, giving the appearance of multiple instances of the same computer, though all are supported by a single physical system. 20 SURBHI SAROHA
  • 21. Cont… • Temporal isolation or performance isolation among virtual machine (VMs) refers to the capability of isolating the temporal behavior (or limiting the temporal interferences) of multiple VMs among each other, despite them running on the same physical host and sharing a set of physical resources such as processors, memory, and disks. 21 SURBHI SAROHA
  • 22. Confinement principle • Confinement is a mechanism for enforcing the principle of least privilege. • The problem is that the confined process needs to transmit data to another process. • The confinement mechanism must distinguish between transmission of authorized data and the transmission of unauthorized data. 22 SURBHI SAROHA
  • 23. Software fault isolation • Software-based Fault Isolation (SFI) is a software-instrumentation technique at the machine-code level for establishing logical protection domains within a process. • In SFI, protection domains stay within the same process, incurring low overhead when switching between domains. 23 SURBHI SAROHA
  • 24. Cont…. • Way to get programs to behave in a manner consistent with a given security policy is by "brainwashing." • That is, modify the programs so that they behave only in safe ways. • This is embodied by a recent approach to security known as software-based fault isolation (SFI). • So far, the environment has been responsible for policy enforcement, where the environment is either the OS/kernel or the hardware. • Hardware methods include addressing mechanisms (e.g. virtual memory); • OS methods include having two modes (where the supervisor mode has access to everything). • The new approach we discuss today is to construct a piece of software that transforms a given program p into a program p', where p' is guaranteed to satisfy a security policy of interest. 24 SURBHI SAROHA
  • 26. Cont… • This SFI SW transformation could be any number of things. • It could be a piece of the compiler or of the loader. It could also involve a separate pass over machine language code before execution commences. • The point is that we are modifying the program before it is executed. • (One easy realization of SFI SW is to always output a program that does nothing. However, there are likely to be properties of the original program that we are interested in preserving, and these properties might not be satisfied by a program that does nothing.) 26 SURBHI SAROHA
  • 27. Rootkits • A rootkit is a malicious software that allows an unauthorized user to have privileged access to a computer and to restricted areas of its software. • A rootkit may contain a number of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for Distributed denial of service (DDoS) attacks. • 27 SURBHI SAROHA
  • 28. Well-Known Rootkit Examples • Lane Davis and Steven Dake - wrote the earliest known rootkit in the early 1990s. • NTRootkit – one of the first malicious rootkits targeted at Windows OS. • HackerDefender – this early Trojan altered/augmented the OS at a very low level of functions calls. • Machiavelli - the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads. • Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE PBX. 28 SURBHI SAROHA
  • 29. Cont… • Zeus, first identified in July 2007, is a Trojan horse that steals banking information by man- in-the-browser keystroke logging and form grabbing. • Stuxnet - the first known rootkit for industrial control systems • Flame - a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic. 29 SURBHI SAROHA
  • 30. Intrusion Detection Systems. • An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. • It is a software application that scans a network or a system for harmful activity or policy breaching. • Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. • A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms. 30 SURBHI SAROHA
  • 31. Cont…. • Although intrusion detection systems monitor networks for potentially malicious activity, they are also disposed to false alarms. • Hence, organizations need to fine-tune their IDS products when they first install them. • It means properly setting up the intrusion detection systems to recognize what normal traffic on the network looks like as compared to malicious activity. • Intrusion prevention systems also monitor network packets inbound the system to check the malicious activities involved in it and at once sends the warning notifications. 31 SURBHI SAROHA
  • 32. Classification of Intrusion Detection System • IDS are classified into 5 types: 1. Network Intrusion Detection System (NIDS) 2. Host Intrusion Detection System (HIDS) 3. Protocol-based Intrusion Detection System (PIDS) 4. Application Protocol-based Intrusion Detection System (APIDS) 5. Hybrid Intrusion Detection System 32 SURBHI SAROHA