Backtracking Intrusions
Sam King
Peter Chen
CoVirt Project, University of Michigan
Motivation
• Computer break-ins increasing
• Computer forensics is important
– How did they get in?
Current Forensic Methods
• Manual inspection of existing logs
– System, application logs: not enough information
– Network log: may be encrypted
– Disk image: only shows final state
– Machine level logs: no semantic information
• No way to separate out legitimate actions
BackTracker
• Can we help figure out what was exploited?
• Track back to exploited application
• Record causal dependencies between objects
[Figure: example dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
Presentation Outline
• BackTracker design
• Evaluation
• Limitations
• Conclusions
BackTracker
• Online component, log objects and events
• Offline component to generate graphs
[Timeline: intrusion occurs → intrusion detected → BackTracker runs, shows source of intrusion]
BackTracker Objects
• Process
• File
• Filename
Dependency-Forming Events
• Process / Process – fork, clone, vfork
• Process / File – read, write, mmap, exec
• Process / Filename – open, creat, link, unlink, mkdir, rmdir, stat, chmod, …
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Figure: dependency graph before filtering; nodes: /bin/bash, /lib/libc, bash, proc, backdoor]
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Figure: dependency graph after hiding read-only files; nodes: bash, id, pipe, proc, backdoor]
Prioritizing Dependency Graphs
• Hide read-only files
• Eliminate helper processes
• Filter “low-control” events
[Figure: dependency graph after eliminating helper processes; nodes: bash, proc, login_a, utmp, login_b, backdoor]
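Added example (my own code, not from the paper or the CoVirt project): a small Python backtracker over a constructed event log. It applies the three filters from these slides (hide read-only files, eliminate helper processes, filter low-control events) and then walks dependencies backwards from a detection point, respecting event times so that an edge that arrived too late to matter is excluded. Object names, times and the `low` flag are assumptions for illustration.

```python
from collections import namedtuple
# Constructed sample log, not from the paper: event (t, kind, src, dst, low)
# means `src` may have affected `dst` at time t; `low` marks a low-control event.
Ev = namedtuple("Ev", "t kind src dst low")
PROCS = {"sshd", "bash", "id", "login", "backdoor", "other"}
LOG = [
    Ev(1, "fork", "sshd", "bash", False),
    Ev(2, "exec", "/bin/bash", "bash", False),     # read-only file
    Ev(3, "fork", "bash", "id", False),            # helper: `id` piped into bash
    Ev(4, "write", "id", "pipe", False),
    Ev(5, "read", "pipe", "bash", False),
    Ev(6, "write", "login", "utmp", True),         # low-control utmp traffic
    Ev(7, "read", "utmp", "bash", True),
    Ev(8, "write", "bash", "/tmp/bd", False),
    Ev(9, "fork", "bash", "backdoor", False),
    Ev(10, "exec", "/tmp/bd", "backdoor", False),
    Ev(10.5, "write", "other", "/tmp/bd", False),  # later than the exec: irrelevant
]

def backtrack(log, obj, t):
    """Events that could have causally affected object `obj` as of time t."""
    latest, work, kept = {obj: t}, [obj], set()  # latest[o]: cut-off time for o
    while work:
        o = work.pop()
        for ev in log:
            if ev.dst == o and ev.t <= latest[o]:
                kept.add(ev)
                if ev.t > latest.get(ev.src, -1):  # new object or later cut-off
                    latest[ev.src] = ev.t
                    work.append(ev.src)
    return sorted(kept)

def hide_read_only(log):  # drop edges out of files never written during the log
    written = {ev.dst for ev in log if ev.kind == "write"}
    return [ev for ev in log if ev.src in PROCS or ev.src in written]

def drop_helpers(log):  # drop processes whose only effect is reporting to their parent
    parent = {ev.dst: ev.src for ev in log if ev.kind == "fork"}
    gone = set()
    for p, par in parent.items():
        outs = {ev.dst for ev in log if ev.src == p}
        if outs and all({e.dst for e in log if e.src == d} <= {par} and
                        {e.src for e in log if e.dst == d} <= {p} for d in outs):
            gone |= {p} | outs
    return [ev for ev in log if ev.src not in gone and ev.dst not in gone]

def prioritized(log, obj, t):  # the three filters from the slides, then backtrack
    log = [ev for ev in hide_read_only(log) if not ev.low]  # filter low-control events
    return backtrack(drop_helpers(log), obj, t)
```

Backtracking from the `backdoor` process at time 11 over the raw log pulls in nine objects; after the three filters only sshd, bash, /tmp/bd and backdoor remain, mirroring the progression in the slides.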
Filtering “Low-Control” Events
[Figure: dependency graph with nodes bash, proc, login, utmp, backdoor]
Filtering “Low-Control” Events
[Figure: two dependency graphs; one with nodes backdoor, sshd, bash, the other with nodes bash, proc, login, utmp]
[Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
Implementation
• Prototype built on Linux 2.4.18
• Both stand-alone and virtual machine
• Hook system call handler
• Inspect state of OS directly
[Figure: Virtual Machine Implementation – Guest Apps, Guest OS, VMM EventLogger, Host OS. Stand-Alone Implementation – Host Apps, Host OS, EventLogger]
Evaluation
• Determine effectiveness of BackTracker
• Set up Honeypot virtual machine
• Intrusion detection using standard tools
• Attacks evaluated with six default filtering rules
[Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
[Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
BackTracker Limitations
• Layer-below attack
• Use “low control” events or filtered objects to carry out attack
• Hidden channels
• Create large dependency graph
– Perform a large number of steps
– Implicate innocent processes
Future Work
• Department system administrators currently evaluating BackTracker
• Use different methods of dependency tracking
• Forward tracking
Conclusions
• Tracking causality through system calls can backtrack intrusions
• Dependency tracking
– Reduce events and objects by 100x
– Still effective even when same application exploited many times
• Filtering
– Further reduce events and objects