Approved for Public Release, Distribution Unlimited Detecting & Preventing Misuse of Privilege Bob...
-
Upload
lindsey-mathews -
Category
Documents
-
view
216 -
download
0
Transcript of Approved for Public Release, Distribution Unlimited Detecting & Preventing Misuse of Privilege Bob...
Approved for Public Release, Distribution Unlimited
Detecting & PreventingMisuse of Privilege
Bob Balzer (Teknowledge)
Howie Shrobe (MIT)
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
MITTeknowledge
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
MITTeknowledge
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
What are we trying to do?• Block Harmful Operations
• Differentiate– Operator Error
– Malicious Intent
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
How will you show success?• Block Harmful Operations
• Differentiate– Operator Error
– Malicious Intent
• Red-TeamExperiment
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
What are implicationsof success?
• Systems can be protectedfrom insider attacks
from operator error
from zero-day attacks
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
What is technical approach?• Observe effect of operator
action in system model• Match harmful
actions against– Errorful Operator Plans– Attack Plans
Approved for Public Release, Distribution Unlimited
RealOutput
SimulatedOutput
Real Environment (Implementation)
Simulated Environment (Model)
in
in'
out
out'
List ofConflicts
Translator
in out
SimulatedComponent
RealComponent
Reflection
Differencer
Architectural Differencing
Predicted
Approved for Public Release, Distribution Unlimited
File System
filefile
filefile
filefile
file
Read
RealFiles
file file
filefile
file
filefile
Virtual File System
VirtualFile
VirtualFile
VirtualFile
VirtualFile Virtual
File VirtualFile
VirtualFile
VirtualFile
Registry
Read
RealKeys
key key
keykey
key
keykey
keykey
keykey
key keykey
Virtual RegistryVirtual
KeyVirtual
Key
VirtualKey
VirtualKey Virtual
KeyVirtual
Key
VirtualKey
VirtualKey
COTSApplication
M
M
M M
Wrapper
Contained Execution• Transparent
Redirection
Write Virtual Files
Write Virtual Keys
• Selectively Applied
• Once created virtual resource used instead of real resource
Approved for Public Release, Distribution Unlimited
What’s Different About the Insider?• Doesn’t need to exploit vulnerabilities to
compromise resources• Can directly command the system to do bad
things• Won’t continually make mistakes that adversely
impact enterprise level goals• Can be identified by recognizing action
sequences that undermine enterprise level goals.• Similar to “attack plans”, except the leaf nodes
aren’t exploits, but rather actions allowed to the operator.
Approved for Public Release, Distribution Unlimited
Modeling the Enterprise
• Computational resources– Decomposition, Compromised States
• Topology of computational resources• Application actions
– What it does if resources are nominal– What it does if resources are compromised
• Organizational model– How the organization will behave if the information system
(mis)behaves– E.g. the organization’s tempo of operation is slowed down if
the computational system is slowed down.
Approved for Public Release, Distribution Unlimited
Modeling System Structure
Hardware
Processor
Memory DeviceControllers
Devicescontrols
Part-of
OperatingSystem
LogonController
Scheduler
DeviceDrivers
Part-of
JobAdmitter
Resides-In
controls
UserSet
WorkLoad
FileSystem
AccessController
resources
controls
files
Part-of
Input-to
Input-to
controls
SchedulerPolicy
Approved for Public Release, Distribution Unlimited
Modeling the topologyMachine name: sleepyOS Type: Windows-NTServer Suite: IIS…..User Authentication Pool: Dwarfs…
Router: Enclave restrictions. ….
Topology tells you:who can share (and sniff) which packetswho can affect what types of connections to whom
Switch: subnet restrictions. ….
Switch: subnet restrictions. ….
Approved for Public Release, Distribution Unlimited
Modeling Dependencies• Start with desirable properties of the Enterprise• Analyze how they relate to properties of the
computational system• Consider the desirable properties of systems:
– Reliable performance– Privacy of communications– Integrity and/or privacy of data
• Analyze which system components impact those properties– Performance - scheduler– Privacy - access-controller
• To affect a desirable property control a component that contributes to the delivery of that property
Approved for Public Release, Distribution Unlimited
Controlling components (1)• One way to gain control of a component is to
directly exploit operator privilege– One way to limit availability of a web server is to
reduce it maximum number of server threads
Web Server Process
Operator Action
Takes control of
Approved for Public Release, Distribution Unlimited
Controlling components (2)• Another way to control a component is to find an
input to the component and then find a way to modify the input– Modify the scheduler policy parameters
Scheduler
Scheduler Policy
Parameters
Input to
Scheduler
control by
Modification-action
Scheduler Policy
Parameters
Approved for Public Release, Distribution Unlimited
Controlling components (3)• Another way to control a component is to find one
of its components and then to find a way to gain control of the sub-component
Job-Admitter
User Job Admitter
Component-of
Job-Admitter
control by
Control-action
User JobAdmitter
Approved for Public Release, Distribution Unlimited
Modifying Inputs (1)• One way to modify an input is to find a
component which controls the input and then to find a way to gain control of that component
Scheduler
Workload
Input-of
Scheduler
control by
Job Admitter Workload
Job Admitter
Controls
Controls
Attack.
Controls
Approved for Public Release, Distribution Unlimited
Modifying Inputs (2)• One way to modify an input is to find a
component of the input and then to find a way to modify the component
Scheduler
Workload
Input-of
Scheduler
control by
User Workload
Workload
User Workload
ComponentComponent
Attack.Modify
Approved for Public Release, Distribution Unlimited
Access Rights• Each object specifies a set of capabilities required
for each operation on that object– Capabilities are organized in an DAG
– This generalizes the access mechanisms of all OS’s.
• Each actor (user or process) possesses certain capabilities.
• An actor can perform an action on an object only if it possesses a capability at least as strong as that required for the operation– This is a generalization of the access mechanisms in all
current OS’s.
• An access pool is a set of machines that shares resources, password & access right descriptions
Approved for Public Release, Distribution Unlimited
Netchex
The AI Lab Topology (partial)
Router Netchex Filters out Telnet.
ServerSwitch
8th-Floor-1
8th-Floor-2
7th-Floor-1
RouterAccesspool
Life
Kenmore
Maytag
Server Access Pool
Doc
Dopey
Sleepy
DwarfAccess Pool
Sneezy
Sakharov
Truman
Quincy-Adams
LispAccess Pool
Jefferson
Wilson
CreepyCrawler
GeneralAccess Pool
Approved for Public Release, Distribution Unlimited
Obtaining Access (1)• One way to gain access to an operation on an
object is to find a process with an adequate capability and take control of the process
Typical User File
User Read
Required forRead
Typical User File
To Read
Control-action
Typical UserProcess
Typical User Process
User Read
PossesesCapability
Approved for Public Release, Distribution Unlimited
Obtaining Access (2)• Another way to gain access to an operation on an
object is to find a user with an adequate capability and to invoke operator privilege to log in as that user and launch a process with the user’s capabilities
Typical User File
User Read
Required forRead
Typical User File
To Read
Logon asTypical User
UserProcess
Typical User
User Read
PossesesCapability
Launches
Approved for Public Release, Distribution Unlimited
Logging On
• Logging on requires obtaining knowledge of a password• To gain knowledge of a password
– Guess it, using guessing attacks– Sniff it
• By placing a parasitic virus on the user’s machine• By monitoring network traffic
– Hack the password file
• To remove somebody else’s knowledge of a password– Hack the password file
Approved for Public Release, Distribution Unlimited
Monitoring and Changing Network Traffic• Network is broken down into subnet segments• Segments are connected by Routers
– Routers can monitor traffic on any connected segment• Each segment may be:
– Shared media• Coaxial ethernet• Wireless ethernet• Any connected computer can monitor traffic
– Switched media• 10 (100, 100) base-T• Only the switch (or reflected ports) can monitor Traffic
• Switches and Routers are computers – They can be controlled– But they may be members of special access pools
• To gain knowledge of some information gain the ability to monitor network traffic
Approved for Public Release, Distribution Unlimited
Residences• Components reside in several places
– Main memory– Boot files– Paging Files
• They migrate between residences– Through local peripheral controllers– Through networks
• To modify/observe a component find a residence of the component and modify/observe it in the residence
• To modify/observe a component find a migration path and modify/observe it during the transmission
Approved for Public Release, Distribution Unlimited
Formats and Transformations
• Components live in several different formats– Source code
– Compiled binary code
– Linked executable images
• Processes transform one format into another– Compilation
– Linking
• To modify a component change an upstream format and cause the transformations to happen
• To modify a component gain control of the processes that perform the transformations
Approved for Public Release, Distribution Unlimited
Modification during Transmission
• To control traffic on a network segment launch a “man in the middle attack”– Get control of a machine, redirect traffic to it
• To observe network traffic get control of a switch/router and a user machine and then reflect traffic to the user machine
• To modify network traffic launch an “inserted packet” attack.– Get control of a machine– Send a packet from the controlled machine with the
correct serial number but wrong data before the sender sends the real packet
Approved for Public Release, Distribution Unlimited
An Example• Retard the organization’s response rate to
events during time of crisis• Slow down the Situational Assessment Tool• By affecting reliable performance:
– Control the scheduler - • The scheduler is a component that impacts
performance– By controlling the workload
• An input of the schedule– By admitting an inappropriate resource consuming
task– By using operator privilege to start a full backup
during the crisis
Approved for Public Release, Distribution Unlimited
A Second Example• Remove enterprises advantage of surprise
before engagement• By Exfiltrating critical planning data• By creating a user account with read privilege
and external access• And copying planning data to that account’s
storage• External actor accesses data in that account
Approved for Public Release, Distribution Unlimited
Affecting Performance (1)
Approved for Public Release, Distribution Unlimited
Attack Models and Monitoring• Actions of attack plan are transformed into
nodes of plan recognition engine• Leaf nodes involve insider actions (not
attacks)• Recognition of whole plan indicates
probability of malicious intent• Update the “Trust Model” just as in
AWDRAT, but also include compromise of person
Approved for Public Release, Distribution Unlimited
Insider Outsider Coordination
• Insider acts independently (“going postal”) or by mistake
• Insider aids the outsider to gain privilege or knowledge of system
• Insider exfiltrates information to outsider
• Insider acts in coordination with outsider– Combination of insider and outsider action is
what’s harmful.
Approved for Public Release, Distribution Unlimited
Error or Attack?
• Each complete plan recognition accumulates some probability of malicious activity– Some plans also contribute some credibility to
accident– Build estimates based on number and difficulty of
activities involved
• Coordination with outsider is one discriminator between accidents and attack.
• Some attack plans involve coordinated insider and outsider actions, these lend much more evidence to malicious intent
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
What is new?• Observe effect of operator
action in system model• Match harmful
actions against– Errorful Operator Plans– Attack Plans
Approved for Public Release, Distribution Unlimited
BehaviorAuthorizer
M
M
M
M
Mediation Cocoon
LegacyApp
BehaviorMonitor
OperatorAction
OperationalSystemModel Predicted
State
HarmAssessment
BenignOperatorAction
HarmfulOperatorAction
GUI
IntentAssessment
OperatorError
MaliciousInsider
What is hard?• Modeling System
to predict effect• Modeling Operator
to differentiate– Operator Error– Malicious Intent