WUJ
Vol. 11 No. 6 2006 1819-1822
Wuhan University Journal of Natural Sciences
Article ID. 1007-1202(2006)06-1819-04
...
8 downloads
480 Views
362KB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
WUJ
Vol. 11 No. 6 2006 1819-1822
Wuhan University Journal of Natural Sciences
Article ID. 1007-1202(2006)06-1819-04
A Behavior.Based Remote Trust Attestation Model
0
Introduction
[ ] ZHANG Huanguo, WANG Fan School of Computer, 430072, Hubei, China
Wuhan
University,
Wuhan
Abstract: While remote trust attestation is a useful con cept to detect unauthorized changes to software, the current mechanism only ensures authenticity at the start of the operating system and cannot ensure the action of running software. Our approach is to use a behavio~based monitoring agent to make remote attestation more flexible, dynamic, and trustworthy. This approach was mostly made possible by extensive use of process information which is readily available in Unix. We also made use of a behavior tree to effectively record predictable behaviors of each process. In this paper, we primarily focus on building a prototype implementation of such framework, presenting one example built on it, success fully find potential security risks in the run time of a ftp program and then evaluate the performance of this model. K e y w o r d s ; remote attestatiom trusted computing; trusted platform; behavior monitoring agent; behavior tree
CLC number: TP 309
Received date= 2006 05 20 Foundation item= Supported by the National Natural Science Foun dation of China (90104005, 60373087, 60473023) Biography= ZHANG Huanguo (1945-), male, Professor, research direction=information security. E-mail: liss@whu, edu. cn
~
~iver~iy J~rnalo~Natura~
Vol;
No.6 20O6
ue to the fast development of communication technologies, the lowered cost of hardware, there is an increasing reliance on computer networks. However, along with the tremendous convenience provided, there is increasing number of network based attacks. ()ne particular kind of attacks exploits software vulnerabilities, h is lunched by a virus or worm. Some examples include earlier worms such as Code Red, Nimda as well as recently high speed worms, such as Slammer, Witty and Flash worm described in Ref. [1]. Michael Vatis's report E21 shows worm activity has increased exponentially in the past decade. Instead of constantly exposing systems to unknown vulnerabilities, some detecting methods have been proposed, like monitoring processes in Ref. I-3], anomalous detection in Ref. [41. Trusted Computing Group takes a revolutionary step to offer a trusted computing platform. Its important role in computer security has been analyzed in Ref. ~5,6]. The platform is centered on a dedicated piece of hardware, described in Ref. 1-7~, trusted computing module (TPM) and its ability to perform remote attestation which has been depicted in Refs. [8,91. Nevertheless, the current remote attestation approach cannot reach its full potential against attacks. First of all, the hash value cannot define whether a program running on a machine is malicious or compromised. It actually does nothing but proving to remote party that this machine is using expec ted and unaltered software. Secondly, the traditional approach of remote attestation only verify the integrity of static linked parts of codes, rather than that of both static and dynamic linked parts. Thirdly, the existing remote attestation tech-
D
1 8 19
nique only attests specified programs without considering the whole running environment. In reality, attestation to correct integrity values of new software programs become very difficult or almost impossible to the remote party. This paper proposes a new remote attestation model that uses both integrity and program behavior to detect untrustworthiness. Unlike the approach in Ref. El02, this model not only monitors one specific program, but also all other programs currently running on the machine. In addition, remote attestation happens all the way during the communication, rather than only at the beginning of the remote access.
1
A Behavior-Based Model
1.1
Overview of the Framework In this new model, two types of hosts have been defined-clients which send certificates to the remote party and servers which attest the trustworthiness of the remote clients. We assume all clients ~ machines have TPM modules, and they will not suffer physical attacks. We also assume that the channel for delivering messages is already secured by one of the existing techniques for the channel's security such as SSL or VPN. The client machine comprises of TPM modules, conventional computer hardware, system kernel, behavior-monitoring agent (BMA) modules, and applications environments. On the other hand, the server contains a trusted attestation module and trusted knowledge data base. When the client wants to make a connection to the remote server, it first has to authenticate itself. To initiate a session, the client's TPM sends its bottom platform's integrity values to the server to let the remote server decide whether this client's platform is trustworthy. This attestation also contains client BMA module's integrity value. After these values are passed, the server asks for the client's current programs behavior tree, and verify the tree during their connection time by matching with contents of its own knowledge database. The structure is shown in Fig. 1. 1.2 BMA Module Naturally, the BMA Module is located in the kernel. When the user starts an application program, the BMA will be invoked to monitor this program's behavior by intercepting and capturing its sequences of system calls. It then records a program behavior tree. BMA will 1820
l
application t application 2
Trust knowledge database
F
BMA module
Trust attestation
1
module
Secure kernel Other Trust TPM hardware hardware
Fig. 1
Network service
Framework of the model
then send the up-to date records to the server and answer the server's attestation requests. We develop this module by programming the hook functions of Linux Security Module, and extend its function to monitor the client system's running programs. Also in order to allow BMA module to monitor other program's behavior, it cannot be tampered by others. Since this module is in the kernel, the client's platform boot attestation can verify that the BMA is trustworthy. 1.3 Platform Trust Attestation The platform trust attestation is very similar to the standard TCG remote attestation E4J. When the client host is starting the machine, hash values of BIOS, boot loader, and kernel are computed and cryptographically stored in PCR within the TPM module which is a sealed storage. At the server, there is a database that stores all the possible correct integrity values of different kinds and versions of systems and hardware. 1.4 Application Trust Attestation Unlike the relatively static platform trust information, the application environment is much more subtle. To attest the client's application environment's trust, the server must understand the relationship of all the processes running on the client. This is done through BMA by constructing a process tree. In this process tree, each node represents a process, and the first sub-process will likely be the first left leaf. Similarly, a process' brothers will be located from left to right leaves according to their starting time. The most significant advantage of this process tree is that it can perfectly reflect the rela tionship between processes. For example, in a Redhat AS 4.0 system, it first runs init process, then other usual programs. An example of process tree is shown as the following Fig. 2. Process tree has another important merit, it is mutable to record the tifecycle of one process as it changes
Fig. 2
Redhat AS process tree
along with processes running on a system. When process 5 is finished and quit from the system, it will be cut out of the process tree. All sub-nodes 6 and 7 will be re-arranged to hang under the father node of the deleted node, like the Fig. 3 and Fig. 4 below:
gram's name in one of behavior tree nodes, it extracts this sub-tree and then compares its content with its database to tell whether there is any abnormal behavior. ()n the other side, all the unknown nodes' lists will be matched using the unknown process rule database to see if there is a suspect process running on the client host. The server's trust attestation module also can control the running processes on the client machine. If there is a suspect detected by the remote server, the trust attestation module can make different decisions based on the level of seriousness. On the lightest condition, it can ask the client's BMA to send the suspect nodes list more frequently, including system calls' inputs of this node. Or, the server's trust attestation module may refuse to supply services to this client or ask the client to close the suspect application first.
2 2.1 Fig. 3
Fig. 4
Before prot~,s 5 is deleted
After process 5 (Ps) is deleted
BMA also analyzes all processes' actions, recording their system call functions in a list for each node. Therefore a behavior tree is internally represented as a list of subject, object and actions. The process monitored by BMA is called the subject. The system calls made by subject are the actions and the target of this call is the object. We defined several different kinds of objects, For instance: file, socket, dir and shm. The action does not have to be a single call, a common sequence of system calls can be combined as a single action. Additionally, one subject can have several objects. An example se quence of a process's behavior could look like this: -q--~O:name{ actionl, actionz, action3 , ' " }. When the server receives a behavior tree from client' s BMA module, it first traverses the behavior tree. Once the server's trust attestation module finds a known proWJhalUniversityJourna/of Natural Sciences
Vo1.11 No.6 ~
Experiments and Results Simulation
In the Fig. 5 simulation, we firstly assume the client machine's hardware platform, system booting processes and BMA module's integrity values have already been attested using traditional attestation process. The client's machine then starts up its FTP client processes named vsftpd. During the time which the client is connected to the server, a pingback program is started up on the client machine. This pingback process will stay in the system indefinitely listening on one port. As soon as one outside host send a ping packet with specified length to this client host on the pingback port, the pingback on the client side will open up a super user shell immediately, therefore exposing the client host to unlawful operation and, putting the client machine in danger.
2.2
Behavior Monitoring
In the Fig. 5 simulation environment, two processes traced-vsftpd and pingback. Figure 5 shows vsftpd's behavior sub-tree.
~
PlD:3435(bll,b12,,)..,bl,
6(b21,b22,'",b2n) /~"@p|D:~,~12D:.i~itl (b41,b42,''b4n)
~
Fig. 5
Vsftpd program behavior sub-tree
1821
In the Fig. 5 above, the B~, B2 ,'" ,B, distinguishes different processes, and bl~ ,'", b~, represents different behaviors within one process. For example, P: (vsftpd) may be recorded like following: bn : S1 --"O1. / etc/ld, so. cache { open, fastat, mmap, close} b12: & -+ 02 :/lib/libssl. so. { open, read, fstat, mmap,close} Some of the known service program behavior recorded on the server, P2 is the sub process of the P1, and N/A means Pa has no sub process in the Table 1. Table 1
To reduce memory usage, each action is encoded by 1 byte binary code which can sufficiently represent the 200+ L[nux system calIs. An additional byte can be used for the sequence number of each action, another 20 bytes for the name. The gross memory cost of one integral behavior tree is 58k bytes. However, during client and server's communication, it is only necessary to send the changed part of the tree, one or two node's contents would be sufficient. Since the nodes are deleted as the process terminates. The space requirement on the client machine is kept at a tiny fraction of the space needed to run the same processes.
Known program attestation list
Process
Sub-process
Behavior list
P1
P~
bn b12. "'" bl,,
P2
Pa
b21b22b2a"'"b2,,,
Pa
N/A
bal &2""&p
Before receiving a ping packet, the client machine is considered to be trustworthy to the server. As soon as the client receives a ping packet, it opens a shell tor another host. When the server traverses the changes sent by client, it finds the following malicious sequences of behaviors in the pingback~s node: be~: S~ ~O~: SOCK_STREAM{ socket, bind, listen} bee: Se-+Oe:/bin/bash{ execv} Server promptly takes actions to make sure this client is still trustworthy. In this example it stops its connection with this client immediately. 2.3 Performance In this model, there are two main resources which could affect the client's system performance: one is the memory cost for recording processes ~ behavior tree, the other one is the network throughput. The memory cost of the behavior tree is determined by three factors: @ the average number of processes running in the kernel; @ the average number of object within each process; @ the average number of actions of each object. We analyzed our simulation under a typicat usage scenario, and collected the data below in the Table 2. Table 2
References Ell
E2]
~3]
~4]
[5]
~6]
[-7]
[8]
Eg]
Averagenumber of behaviors
[10] Class
Numbers
Average number of processes
65
Average number of objects in a process
25
Average number of actions in each object
8
1822
Staniford S, Moore D, Paxson V, etal. The Top Speed of Flash Worms~C]// Proc 2004 ACM Workshop on Rapid Malcode. Washington D C, USA.. ACM Press, 2004:33 42. Vatis M. Combating Cyber Attacks: The Role of the Research Community [EB/()L]. [2002-03]. http://wv.nv. h pce-usa, org/ pics/ O2-pres /vatis. p pt. Sekar R , Bowen T, Sega M 1. On Preventing Intrusions by Process Behavior Monitorin[C]//Proc o f tile USENIX Intrusion Petection Workshop. Santaclara,USA; The USENIX Association, 1999 : 29-40. Sekar R, Bendre M, Dburjati D, etal. A Fast AutomatonBased for Detecting Anomalous Program Behavior [ C ] / / IEEE Symposium on Security and Privacy. California, USA, May 14-16, 2001. Sailer R, Doom I. V, Ward J P. The Role of TPM in Enterprise Security[J]. Datenschutz and IDatensicherheit , 2004, 28(9) : 539 547. Oltsik J. Enterprise Strategy Group. Trusted Enterprise Security- How the Trusted Computing Group Will Advance Enterprise Security[EB/()L]. ~2006 01-21 ]. https=//ze, ww. trustedcomputinggroup, org/news/ Industry _ Data/ESG _ Whzte_Paper. pd f. Sailer R, Zhang Xiaolan, Jaeger T, etal. Design and Implementation of a TCCrbased Integrity Measurement Architecture [-C]//13th Useni3" Security Symposium. San Diego, California, USA, Aug 9-13, 2004. Barrett M F. Towards an Open Trusted Computing Framework~EB/O].]. [2005 02]. http://~-atn2z cs. auckland, ac. nz/ research/theses/ 2OO5/ zrd)arrettThesis. pd f . Sailer R, Jaeger T, Zhang Xiaolan, et al. AttestationBased Policy Enforcement for Remote Access [C]//Proc 1l th ACM CCS. Washington D C: ACM Press, 2004: 308-317. Haldar V, Chandra D, Franz M. Semantic Remote Attesta lion: A Virtual Machine Directed Approach to Trusted Computing[C]// Proceedings o f the 3rd USENIX VM Research & Technology Symposium. San Jose, May 6-7,2004.
[]