Approved for Public Release, Distribution Unlimited Detecting & Preventing Misuse of Privilege Bob...

Approved for Public Release, Distribution Unlimited

Detecting & PreventingMisuse of Privilege

Bob Balzer (Teknowledge)

Howie Shrobe (MIT)


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction

OperationalSystemModel Predicted

State

HarmAssessment

BenignOperatorAction

HarmfulOperatorAction

GUI

IntentAssessment

OperatorError

MaliciousInsider


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

MITTeknowledge


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

What are we trying to do?• Block Harmful Operations

• Differentiate– Operator Error

– Malicious Intent


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

How will you show success?• Block Harmful Operations

• Differentiate– Operator Error

– Malicious Intent

• Red-TeamExperiment


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

What are implicationsof success?

• Systems can be protectedfrom insider attacks

from operator error

from zero-day attacks


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

What is technical approach?• Observe effect of operator

action in system model• Match harmful

actions against– Errorful Operator Plans– Attack Plans


RealOutput

SimulatedOutput

Real Environment (Implementation)

Simulated Environment (Model)

in

in'

out

out'

List ofConflicts

Translator

in out

SimulatedComponent

RealComponent

Reflection

Differencer

Architectural Differencing

Predicted


File System

filefile

filefile

filefile

file

Read

RealFiles

file file

filefile

file

filefile

Virtual File System

VirtualFile

VirtualFile

VirtualFile

VirtualFile Virtual

File VirtualFile

VirtualFile

VirtualFile

Registry

Read

RealKeys

key key

keykey

key

keykey

keykey

keykey

key keykey

Virtual RegistryVirtual

KeyVirtual

Key

VirtualKey

VirtualKey Virtual

KeyVirtual

Key

VirtualKey

VirtualKey

COTSApplication

M

M

M M

Wrapper

Contained Execution• Transparent

Redirection

Write Virtual Files

Write Virtual Keys

• Selectively Applied

• Once created virtual resource used instead of real resource


What’s Different About the Insider?• Doesn’t need to exploit vulnerabilities to

compromise resources• Can directly command the system to do bad

things• Won’t continually make mistakes that adversely

impact enterprise level goals• Can be identified by recognizing action

sequences that undermine enterprise level goals.• Similar to “attack plans”, except the leaf nodes

aren’t exploits, but rather actions allowed to the operator.


Modeling the Enterprise

• Computational resources– Decomposition, Compromised States

• Topology of computational resources• Application actions

– What it does if resources are nominal– What it does if resources are compromised

• Organizational model– How the organization will behave if the information system

(mis)behaves– E.g. the organization’s tempo of operation is slowed down if

the computational system is slowed down.


Modeling System Structure

Hardware

Processor

Memory DeviceControllers

Devicescontrols

Part-of

OperatingSystem

LogonController

Scheduler

DeviceDrivers

Part-of

JobAdmitter

Resides-In

controls

UserSet

WorkLoad

FileSystem

AccessController

resources

controls

files

Part-of

Input-to

Input-to

controls

SchedulerPolicy


Modeling the topologyMachine name: sleepyOS Type: Windows-NTServer Suite: IIS…..User Authentication Pool: Dwarfs…

Router: Enclave restrictions. ….

Topology tells you:who can share (and sniff) which packetswho can affect what types of connections to whom

Switch: subnet restrictions. ….

Switch: subnet restrictions. ….


Modeling Dependencies• Start with desirable properties of the Enterprise• Analyze how they relate to properties of the

computational system• Consider the desirable properties of systems:

– Reliable performance– Privacy of communications– Integrity and/or privacy of data

• Analyze which system components impact those properties– Performance - scheduler– Privacy - access-controller

• To affect a desirable property control a component that contributes to the delivery of that property


Controlling components (1)• One way to gain control of a component is to

directly exploit operator privilege– One way to limit availability of a web server is to

reduce it maximum number of server threads

Web Server Process

Operator Action

Takes control of


Controlling components (2)• Another way to control a component is to find an

input to the component and then find a way to modify the input– Modify the scheduler policy parameters

Scheduler

Scheduler Policy

Parameters

Input to

Scheduler

control by

Modification-action

Scheduler Policy

Parameters


Controlling components (3)• Another way to control a component is to find one

of its components and then to find a way to gain control of the sub-component

Job-Admitter

User Job Admitter

Component-of

Job-Admitter

control by

Control-action

User JobAdmitter


Modifying Inputs (1)• One way to modify an input is to find a

component which controls the input and then to find a way to gain control of that component

Scheduler

Workload

Input-of

Scheduler

control by

Job Admitter Workload

Job Admitter

Controls

Controls

Attack.

Controls


Modifying Inputs (2)• One way to modify an input is to find a

component of the input and then to find a way to modify the component

Scheduler

Workload

Input-of

Scheduler

control by

User Workload

Workload

User Workload

ComponentComponent

Attack.Modify


Access Rights• Each object specifies a set of capabilities required

for each operation on that object– Capabilities are organized in an DAG

– This generalizes the access mechanisms of all OS’s.

• Each actor (user or process) possesses certain capabilities.

• An actor can perform an action on an object only if it possesses a capability at least as strong as that required for the operation– This is a generalization of the access mechanisms in all

current OS’s.

• An access pool is a set of machines that shares resources, password & access right descriptions


Netchex

The AI Lab Topology (partial)

Router Netchex Filters out Telnet.

ServerSwitch

8th-Floor-1

8th-Floor-2

7th-Floor-1

RouterAccesspool

Life

Kenmore

Maytag

Server Access Pool

Doc

Dopey

Sleepy

DwarfAccess Pool

Sneezy

Sakharov

Truman

Quincy-Adams

LispAccess Pool

Jefferson

Wilson

CreepyCrawler

GeneralAccess Pool


Obtaining Access (1)• One way to gain access to an operation on an

object is to find a process with an adequate capability and take control of the process

Typical User File

User Read

Required forRead

Typical User File

To Read

Control-action

Typical UserProcess

Typical User Process

User Read

PossesesCapability


Obtaining Access (2)• Another way to gain access to an operation on an

object is to find a user with an adequate capability and to invoke operator privilege to log in as that user and launch a process with the user’s capabilities

Typical User File

User Read

Required forRead

Typical User File

To Read

Logon asTypical User

UserProcess

Typical User

User Read

PossesesCapability

Launches


Logging On

• Logging on requires obtaining knowledge of a password• To gain knowledge of a password

– Guess it, using guessing attacks– Sniff it

• By placing a parasitic virus on the user’s machine• By monitoring network traffic

– Hack the password file

• To remove somebody else’s knowledge of a password– Hack the password file


Monitoring and Changing Network Traffic• Network is broken down into subnet segments• Segments are connected by Routers

– Routers can monitor traffic on any connected segment• Each segment may be:

– Shared media• Coaxial ethernet• Wireless ethernet• Any connected computer can monitor traffic

– Switched media• 10 (100, 100) base-T• Only the switch (or reflected ports) can monitor Traffic

• Switches and Routers are computers – They can be controlled– But they may be members of special access pools

• To gain knowledge of some information gain the ability to monitor network traffic


Residences• Components reside in several places

– Main memory– Boot files– Paging Files

• They migrate between residences– Through local peripheral controllers– Through networks

• To modify/observe a component find a residence of the component and modify/observe it in the residence

• To modify/observe a component find a migration path and modify/observe it during the transmission


Formats and Transformations

• Components live in several different formats– Source code

– Compiled binary code

– Linked executable images

• Processes transform one format into another– Compilation

– Linking

• To modify a component change an upstream format and cause the transformations to happen

• To modify a component gain control of the processes that perform the transformations


Modification during Transmission

• To control traffic on a network segment launch a “man in the middle attack”– Get control of a machine, redirect traffic to it

• To observe network traffic get control of a switch/router and a user machine and then reflect traffic to the user machine

• To modify network traffic launch an “inserted packet” attack.– Get control of a machine– Send a packet from the controlled machine with the

correct serial number but wrong data before the sender sends the real packet


An Example• Retard the organization’s response rate to

events during time of crisis• Slow down the Situational Assessment Tool• By affecting reliable performance:

– Control the scheduler - • The scheduler is a component that impacts

performance– By controlling the workload

• An input of the schedule– By admitting an inappropriate resource consuming

task– By using operator privilege to start a full backup

during the crisis


A Second Example• Remove enterprises advantage of surprise

before engagement• By Exfiltrating critical planning data• By creating a user account with read privilege

and external access• And copying planning data to that account’s

storage• External actor accesses data in that account


Affecting Performance (1)


Attack Models and Monitoring• Actions of attack plan are transformed into

nodes of plan recognition engine• Leaf nodes involve insider actions (not

attacks)• Recognition of whole plan indicates

probability of malicious intent• Update the “Trust Model” just as in

AWDRAT, but also include compromise of person


Insider Outsider Coordination

• Insider acts independently (“going postal”) or by mistake

• Insider aids the outsider to gain privilege or knowledge of system

• Insider exfiltrates information to outsider

• Insider acts in coordination with outsider– Combination of insider and outsider action is

what’s harmful.


Error or Attack?

• Each complete plan recognition accumulates some probability of malicious activity– Some plans also contribute some credibility to

accident– Build estimates based on number and difficulty of

activities involved

• Coordination with outsider is one discriminator between accidents and attack.

• Some attack plans involve coordinated insider and outsider actions, these lend much more evidence to malicious intent


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

What is new?• Observe effect of operator

action in system model• Match harmful

actions against– Errorful Operator Plans– Attack Plans


BehaviorAuthorizer

M

M

M

M

Mediation Cocoon

LegacyApp

BehaviorMonitor

OperatorAction


State

HarmAssessment



GUI

IntentAssessment

OperatorError

MaliciousInsider

What is hard?• Modeling System

to predict effect• Modeling Operator

to differentiate– Operator Error– Malicious Intent

Approved for Public Release, Distribution Unlimited Detecting & Preventing Misuse of Privilege Bob...

Documents

Transcript of Approved for Public Release, Distribution Unlimited Detecting & Preventing Misuse of Privilege Bob...