The document discusses various techniques for confining untrusted code, including running it at different levels of isolation such as in a separate hardware system, virtual machine, process, or thread. It describes approaches like system call interposition and software fault isolation that monitor applications and isolate their ability to access resources. The document also covers topics like rootkits, which can provide unauthorized access, and intrusion detection systems, which monitor networks for malicious activity.
2. SYLLABUS
• Confinement Principle
• Detour Unix user IDs.
• Process IDs and privileges
• More on confinement techniques
• System call interposition
• Error 404 digital Hacking in India part 2 chase
• VM based isolation
• Confinement principle
• Software fault isolation
• Rootkits
• Intrusion Detection Systems.
SURBHI SAROHA
3. Confinement Principle
• Running untrusted code
• We often need to run buggy/untrusted code:
• – programs from untrusted Internet sites: desktop and mobile apps, JavaScript, browser extensions
• – exposed applications: browser, PDF viewer, Outlook
• – legacy daemons: sendmail, bind
• – honeypots
• Goal: if application “misbehaves” ⇒ kill it
4. Confinement
• Confinement: ensure misbehaving app cannot harm rest of system
• Can be implemented at many levels:
• – Hardware: run application on isolated hw (air gap)
6. Confinement
• Confinement: ensure misbehaving app cannot harm rest of system
• Can be implemented at many levels:
• – Virtual machines: isolate OS’s on a single machine
8. Confinement
• Confinement: ensure misbehaving app cannot harm rest of system
• Can be implemented at many levels:
• – Process: System Call Interposition. Isolate a process in a single operating system
10. Confinement
• Confinement: ensure misbehaving app cannot harm rest of system
• Can be implemented at many levels:
• – Threads: Software Fault Isolation (SFI): isolating threads sharing same address space
• – Application level confinement: e.g. browser sandbox for JavaScript and WebAssembly
12. Process IDs and privileges
• Process privileges
• In systems where security is important, applications
should run with the fewest privileges possible.
• Doing this helps reduce the impact of possible
compromises and can also help lower the privilege
escalation attack surface of the device.
• The more difficult it is for attackers to elevate an
application's privileges, the better; forcing attackers
to chain multiple attacks against various
applications that each have minimal sets of
permissions is ideal.
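Added example (not from the original slides): one way a Unix daemon can give up root and confirm it cannot get it back, with the steps in the order that matters. The function name drop_privileges and the use of the caller's own ids as the target are assumptions, chosen so the demo runs with or without root.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the process to uid/gid. Returns 0 only if the drop
 * happened and was verified; the caller should exit on any other value. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* 1. Supplementary groups first: only root may clear them, and they
     *    survive setuid() if left alone. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* 2. Group before user: once the uid is gone, setgid() is refused. */
    if (setgid(gid) != 0) return -1;
    /* 3. setuid() from root sets real, effective and saved uid together. */
    if (setuid(uid) != 0) return -1;
    /* 4. Do not rely on return codes alone: read the ids back. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* 5. The drop must be irreversible. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

int main(void) {
    /* Constructed target: the invoking user's own ids. A real daemon would
     * use the ids of its dedicated service account here. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```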
13. Confinement
• 1. Uses encapsulation techniques to structurally guarantee that at most one activity at a time can possibly access a given object.
• 2. Instead of using dynamic locking on an object, encapsulation statically ensures unique access to a given object.
• 3. Define methods and classes that establish leak-proof ownership domains so that only one thread (at a time) can ever access a confined object.
14. Confinement techniques
• 1. Scoping
• 2. Access control
• 3. Data hiding and encapsulation
• 4. Problem is information leaking
15. Kinds of Confinement
• 1. Method confinement – hide access within local scope, including hand-offs
• 2. Thread confinement – confine objects to sequence of operations (session)
• 3. Object confinement – confine accesses internal to object (host-part)
• 4. Group confinement – resource only owned by one object, but can be circulated
16. System call interposition
• System call interposition: a better approach to confinement.
• Observation: to damage host system (i.e. make persistent changes) app must make system calls
• – To delete/overwrite files: unlink, open, write
• – To do network attacks: socket, bind, connect, send
• Monitor app system calls and block unauthorized calls
• Implementation options:
• – Completely kernel space (e.g. GSWTK)
• – Completely user space
18. Cont….
• Systrace only forwards monitored sys-calls to monitor (saves context switches)
• Systrace resolves sym-links and replaces sys-call path arguments by full path to target
• When app calls execve, monitor loads new policy file
• Fast path in kernel for common/easy cases, ask userspace for complicated/rare cases
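Added example (not from the original slides, and not Systrace's code): the decision step of a user-space monitor, showing why the path argument is resolved to its full target before the policy is consulted. The names check_call and make_fixture, the policy itself (files only under one directory, no network calls) and the /tmp fixture are constructed for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum verdict { ALLOW, DENY };

/* Network calls named on the slide: this constructed policy denies them all. */
static int is_network_call(const char *sc) {
    static const char *net[] = { "socket", "bind", "connect", "send" };
    for (size_t i = 0; i < sizeof net / sizeof net[0]; i++)
        if (strcmp(sc, net[i]) == 0) return 1;
    return 0;
}

/* Verdict for one intercepted call. The path is canonicalised first, so ".."
 * and symlinks cannot disguise the target; unresolvable paths are denied. */
enum verdict check_call(const char *allowed_root, const char *sc, const char *path) {
    char real[PATH_MAX], root[PATH_MAX];
    if (is_network_call(sc)) return DENY;
    if (path == NULL) return ALLOW;           /* call carries no path argument */
    if (!realpath(allowed_root, root) || !realpath(path, real)) return DENY;
    size_t n = strlen(root);
    if (strncmp(real, root, n) != 0) return DENY;
    return (real[n] == '/' || real[n] == '\0') ? ALLOW : DENY;  /* whole component */
}

/* Constructed fixture: a sandbox directory with one regular file and one
 * symlink that points outside it. Returns 0 on success. */
int make_fixture(char *dir, size_t len) {
    char file[PATH_MAX + 16], lnk[PATH_MAX + 16];
    snprintf(dir, len, "/tmp/sci-demo-XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/data.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/escape", dir);
    FILE *f = fopen(file, "w");
    if (!f || fclose(f) != 0) return -1;
    return symlink("/etc", lnk);
}

int main(void) {
    char dir[64], p[128];
    if (make_fixture(dir, sizeof dir) != 0) return 1;
    snprintf(p, sizeof p, "%s/escape/passwd", dir);
    printf("open %s -> %s\n", p, check_call(dir, "open", p) == ALLOW ? "allow" : "deny");
    return 0;
}
```

A string-prefix check on the unresolved argument would have allowed the symlink case, since the path as written starts with the sandbox directory.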
19. Error 404 digital Hacking in India part 2 chase
• https://security.cse.iitk.ac.in/node/178
20. VM based isolation
• A VM is an isolated environment with access to
a subset of physical resources of the computer
system.
• Each VM appears to be running on the bare
hardware, giving the appearance of multiple
instances of the same computer, though all are
supported by a single physical system.
21. Cont…
• Temporal isolation or performance isolation among virtual machines (VMs) refers to the capability of isolating the temporal behavior (or limiting the temporal interference) of multiple VMs from each other, despite them running on the same physical host and sharing a set of physical resources such as processors, memory, and disks.
22. Confinement principle
• Confinement is a mechanism for enforcing
the principle of least privilege.
• The problem is that the confined process needs
to transmit data to another process.
• The confinement mechanism must
distinguish between transmission of authorized
data and the transmission of unauthorized data.
23. Software fault isolation
• Software-based Fault Isolation (SFI) is
a software-instrumentation technique at the
machine-code level for establishing logical
protection domains within a process.
• In SFI, protection domains stay within the same
process, incurring low overhead when switching
between domains.
24. Cont….
• One way to get programs to behave in a manner consistent with a given security policy is by "brainwashing."
• That is, modify the programs so that they behave only in safe ways.
• This is embodied by a recent approach to security known
as software-based fault isolation (SFI).
• So far, the environment has been responsible for policy
enforcement, where the environment is either the OS/kernel or the
hardware.
• Hardware methods include addressing mechanisms (e.g. virtual
memory);
• OS methods include having two modes (where the supervisor mode
has access to everything).
• The new approach we discuss today is to construct a piece of
software that transforms a given program p into a program p', where
p' is guaranteed to satisfy a security policy of interest.
26. Cont…
• This SFI SW transformation could be any number of
things.
• It could be a piece of the compiler or of the loader. It
could also involve a separate pass over machine language
code before execution commences.
• The point is that we are modifying the program before it
is executed.
• (One easy realization of SFI SW is to always output a
program that does nothing. However, there are likely to
be properties of the original program that we are
interested in preserving, and these properties might not
be satisfied by a program that does nothing.)
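Added example (not from the original slides): the address-masking form of SFI, which goes beyond the slide text by showing one concrete transformation from p to p'. Two protection domains share one array standing in for the process address space; fill_raw is p, and fill_sfi is p' with every store address forced into the guest segment. All names and sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BITS  12u                 /* each domain owns 4 KiB */
#define SEG_SIZE  (1u << SEG_BITS)
#define OFF_MASK  (SEG_SIZE - 1u)
#define GUEST_SEG 1u                  /* segment 0 is the host's */

uint8_t memory[2 * SEG_SIZE];         /* one address space, two domains */

/* p: the untrusted routine as written. dst and n come from untrusted input
 * and nothing constrains the address (the demo keeps it inside the array). */
void fill_raw(uint32_t dst, uint32_t n, uint8_t v) {
    for (uint32_t i = 0; i < n; i++)
        memory[dst + i] = v;
}

/* Instrumentation inserted before every store in p': keep the offset bits,
 * force the segment bits to the guest's segment. No branch, no check. */
static inline uint32_t sandbox(uint32_t addr) {
    return (addr & OFF_MASK) | (GUEST_SEG << SEG_BITS);
}

/* p': the same routine after rewriting. */
void fill_sfi(uint32_t dst, uint32_t n, uint8_t v) {
    for (uint32_t i = 0; i < n; i++)
        memory[sandbox(dst + i)] = v;
}

/* Constructed scenario: the host keeps a flag at offset 0x10 of its own
 * segment and the guest is driven to write there. Returns the flag after. */
uint8_t run(void (*fill)(uint32_t, uint32_t, uint8_t)) {
    memset(memory, 0, sizeof memory);
    memory[0x10] = 0xAA;              /* host-owned data */
    fill(0x10, 4, 0x41);              /* guest aims at a host address */
    return memory[0x10];
}

int main(void) {
    printf("p : host flag = 0x%02X\n", run(fill_raw));
    printf("p': host flag = 0x%02X\n", run(fill_sfi));
    return 0;
}
```

The masked store does not make the guest correct: its write lands at the same offset inside its own segment. The policy that p' satisfies is only that stores stay within the guest's domain.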
27. Rootkits
• A rootkit is malicious software that allows an unauthorized user to have privileged access to a computer and to restricted areas of its software.
• A rootkit may contain a number of malicious
tools such as keyloggers, banking credential
stealers, password stealers, antivirus disablers,
and bots for Distributed denial of service
(DDoS) attacks.
28. Well-Known Rootkit Examples
• Lane Davis and Steven Dake - wrote the earliest
known rootkit in the early 1990s.
• NTRootkit – one of the first malicious rootkits
targeted at Windows OS.
• HackerDefender – this early Trojan altered/augmented the OS at a very low level of function calls.
• Machiavelli - the first rootkit targeting Mac OS X
appeared in 2009. This rootkit creates hidden
system calls and kernel threads.
• Greek wiretapping – in 2004/05, intruders installed
a rootkit that targeted Ericsson's AXE PBX.
29. Cont…
• Zeus, first identified in July 2007, is a Trojan
horse that steals banking information by man-
in-the-browser keystroke logging and form
grabbing.
• Stuxnet - the first known rootkit for industrial
control systems
• Flame - a computer malware discovered in 2012
that attacks computers running Windows OS. It
can record audio, screenshots, keyboard activity
and network traffic.
30. Intrusion Detection Systems.
• An Intrusion Detection System (IDS) is a system
that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered.
• It is a software application that scans a network or a system for harmful activity or policy violations.
• Any malicious activity or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
• A SIEM system integrates outputs from multiple sources
and uses alarm filtering techniques to differentiate
malicious activity from false alarms.
31. Cont….
• Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms.
• Hence, organizations need to fine-tune their IDS products when they first install them.
• This means properly setting up the intrusion detection systems to recognize what normal traffic on the network looks like as compared to malicious activity.
• Intrusion prevention systems also monitor network packets inbound to the system to check for malicious activity and send warning notifications at once.
32. Classification of Intrusion Detection System
• IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS)
2. Host Intrusion Detection System (HIDS)
3. Protocol-based Intrusion Detection System (PIDS)
4. Application Protocol-based Intrusion Detection System (APIDS)
5. Hybrid Intrusion Detection System