King, Samuel T. and Chen, Peter M. (2003) Proceedings of the 2003 Symposium on Operating Systems Principles (SOSP). Backtracking Intrusions (1).
Download (7kB) | Preview
Once an intrusion has been detected, simply fixing the problem found will leave the system vulnerable to attack because hackers typically exploit a vulnerability to gain access and then use that access to do their malicious actions. If a graph showing the dependencies of the files or processes is created, it can let administrators backtrack from the process until they find the root of the problem. Backtracker is installed in the kernel and logs events that can cause dependencies. The first type of dependencies is between two processes this happens when one process forks another, they signal each other or they share memory. The second type of dependencies is between files and processes this is caused by reads or writes of files by processes. Sockets are though of as a special type of file. The third type of dependencies is between filenames and processes. This is caused when a process changes the name of a file or creates or deletes it. Low control events are not checked because they would create too much noise and high-control events are needed for the attacker to do arbitrary things. GraphGen is called after a malicious activity is found and creates the dependency graph between the affected object and all of its predecessors. Filtering is done so that inputs to parents after the last communication with the child are ignored. This prevents dependencies that could not cause the malicious activity. Filtering via configuration files is configurable by the user, so GraphGen can be run multiple times until the user has enough data to find the source of the attack, but not so much data that there is information overload. The authors of the paper set up a honey pot machine to see if they could backtrack to the source of any attacks that were mounted against this machine. They had three attacks launched against their machine from outside sources and launched their own attack on the machine. They kept the machine busy by running specs and compiling the kernel. After filtering the 3 outside attacks had their graph reduced to fewer than 30 nodes and 41 edges. Their attack had a graph that was 36 nodes and 49 edges after filtering. Some attacks are resilient to BackTracker. The first attack is to compromise the guest operating system so the functionality is changed and the event logger does not get the correct information. This can happen through loadable kernel modules and access to kernel memory. These were turned options were turned of for their testing. Another attack is breaking the events that Backtracker BackTracker is useful tool for analysis of security breaches. It does nothing to prevent the first attack, but is very useful for subsequent attacks. The one problem is that the call graph made by BackTracker needs to be analyzed by hand to see where the problem occurred.
|Subjects:||Q Science > Q Science (General)|
|Depositing User:||Rayi Tegar Pamungkas|
|Date Deposited:||26 Mar 2012 06:25|
|Last Modified:||26 Mar 2012 06:25|
Actions (login required)