Center for Information Technology Integration
Cyber Security and Information Infrastructure Protection

Cyber Security and Information Infrastructure Protection

The primary aim of this research is to improve cyber security and to increase information infrastructure protection by making our information infrastructure more resilient against attacks.

We recognize three distinct problem areas: Critical Infrastructure Protection, Intrusion Prevention and Threat Assessment. We provide practical solutions for each problem area that can be deployed on Unix systems. The general mechanisms apply to other operating systems as well.

Critical Infrastructure Protection

The Internet infrastructure relies on primarily on the Border Gateway Protocol (BGP) and the Domain Name System (DNS). The secure remote administration of routers relies mostly on the Secure Shell (SSH) protocol.

Attacks against any of these technologies may impact on the availability of Internet-based services. As we do not know how to guarantee software correctness, it is a reasonable to assume that exploitable programming errors exist in applications.

To reduce the ability of an adversary to cause damage, we need to limit the impact of such programming errors. We offer Privilege Separation as one solution.

Services that authenticate remote users to system resources are difficult to contain via external application confinement mechanisms. Privilege Separation is a protection mechanism at the application level that separates the privileged code path from the unprivileged code path. An adversary interacts with the unprivileged part only; an exploitable programming error in the unprivileged code path does not lead to immediate privilege escalation.


Cyber Security Areas Critical Infrastructure Protection: Internet: BGP, DNS, and SSH. Intrusion Prevention Threat Assessment Solutions Privilege Separation System Call Policy Enforcement Virtual Honeypots

Privilege Separation in OpenSSH - We have implemented privilege separation in OpenSSH and analyzed its security.

Privilege separation may also be employed to increase the resilience of domain name service implementations like bind. Privilege Separation is very portable as most modern Unix operating system provide address space protection between processes and inter-process communication, privilege separation.

Intrusion Prevention

While Privilege Separation increases an application's resilience against programming errors, it does not prevent all possible intrusions. Many system services and applications perform specific tasks. By confining applications to only those operations that required for its correct execution, we prevent adversaries who gain control over these system services from causing damage to the system.

In Unix operating systems, persistent changes are possibly only via System Calls. By carefully monitoring and restricting an application's system calls, we can limit or even prevent an adversary from causing damage.

We offer Systrace as solution. Systrace provides fine-grained application confinement based on configurable security policies. Additionally, it can detect and prevent intrusions. It also records audit trails that can used in forensic analysis.

System Call Policy Enforcement - Systrace enforces system call policies. It supports automatic and interactive policy generation, intrusion detection and prevention, and audit trails for forensic analysis.

One problem of many security solutions is the difficulty to create comprehensive security policies. The Systrace system provides automatic and interactive policy generation to facilitate correct configuration. Systrace can be used to confine all system services including BGP, DNS and SSH.

Threat Assessment

The impact of new security problems can be reduced by early threat detection. Threat detection and assessment allows us to quickly identify so far unknown attacks, prioritize their threat and protect vulnerable systems. Honeypot technology serves this purpose by providing computer systems that we expect to be compromised. The honeypot systems are network sensors that allows us to detect new attacks.

As computer security problems are inherently repeatable, we obtain threat detection by populating our network with honeypots. New attacks can easily be identified by monitoring the state of deployed honeypots including new worms or widespread scans for vulnerabilities.

We offer Honeyd, a virtual honeypot daemon, as solution.

Honeyd - Honeyd creates virtual honeypots for general network monitoring. Monitoring traffic to Honeyd systems allows us to identify new threats and assess their danger to other computer systems.

Additionally, Honeyd deters adversaries by hiding the real computer systems in the middle of virtual systems that have no production value. While directed attacks can not be deterred, many attacks are based on Internet scanning. These scans are unable to differentiate between real and virtual systems.

Additional Resources

Talks

Practical Cyber Security - Presents concepts to improve host security.
Honeyd - A Virtual Honeypot Daemon - Provides an overview of the Honeyd architecture.

For invited talks, contact Niels Provos.

Questions and Comments:

Niels Provos

Last modified: Sat Mar 29 01:35:33 EST 2003

You can keep me happy while hacking by reducing my Wishlists: Books, Music