
OS Diversity for Intrusion Tolerance: Myth or Reality?

Miguel Garcia (1), Alysson Bessani (1), Illir Gashi (2), Nuno Neves (1) and Rafael Obelheiro (3). (1) University of Lisbon, Faculty of Sciences – Lisbon, Portugal; (2) Center for Software Reliability, City University London – London, UK


Presentation Transcript


  1. OS Diversity for Intrusion Tolerance: Myth or Reality?
     Miguel Garcia (1), Alysson Bessani (1), Illir Gashi (2), Nuno Neves (1) and Rafael Obelheiro (3)
     (1) University of Lisbon, Faculty of Sciences – Lisbon, Portugal
     (2) Center for Software Reliability, City University London – London, UK
     (3) Computer Science Department, State University of Santa Catarina – Joinville, Brazil

  2. Contents
     • Motivation
     • Goals
     • Methodology
     • Results
     • Conclusions & Future work

  3. Fault- and Intrusion-Tolerant Replication
     • Byzantine Fault Tolerance: n = 3f + 1 (n = 4, f = 1)
     • All replicas are equal
     [Figure: replica diagram with "0-Day" labels]

  4. Main limitation of Intrusion Tolerance
     • It is easy to compromise f+1 replicas with the same exploit in a short period of time, because they share the same vulnerabilities.
     • Now all replicas are different
     [Figure: replica diagram with a "0-Day" label]

  5. Easy assumptions
     • Some BFT papers explicitly assume uncorrelated faults:
       • “We assume independent node failures.” Castro and Liskov. Practical Byzantine fault tolerance. OSDI’99
       • “… tolerating one or few uncorrelated failures may be enough” Clement et al. UpRight Cluster Services. SOSP’09
       • “… replicas fail independently” Wood et al. ZZ and the Art of BFT Execution. EuroSys’11
     • But that assumption must be covered when deploying the system.
     • Show how the use of diversity can improve the independence of node failures caused by vulnerabilities

  6. Previous works on diversity
     • N-version programming: high costs, programmers must develop different code with the same semantics [Avizienis and Chen 1977]
     • Off-the-shelf diversity: achieved at application level [Gashi et al. 2007 and Rodrigues et al. 2001]
     • Obfuscation: a non-trivial problem; this technique must guarantee that the service's semantics do not change during the process [Roeder and Schneider 2010]
     BUT almost all these works simply assume that using diverse components is in itself the solution to avoid common vulnerabilities

  7. Goal
     Do off-the-shelf operating systems have common vulnerabilities?
     • We intend to explore diversity
       • … among different OSes
       • … among different releases of the same OS
       to build more resilient intrusion-tolerant systems
     • Why Operating Systems?
       • OSes play a critical role in every system
       • A substantial part of the code of a replica is the OS
       • People will resort to an OS rather than build their own
       • There are plenty of OSes available: many options for diversity

  8. Methodology

  9. Data source – raw data
     • All vulnerabilities from the National Vulnerability Database (NVD) XML feeds
     • Vulnerability reports from 1994 to 2010
     [Figure label: 44000]

  10. Data source – NVD feed entry

     <entry id="CVE-2003-0061">
       ….
       <vuln:published-datetime>2003-01-11-05:00</vuln:published-datetime>
       <vuln:summary>
         Buffer overflow in passwd for HP UX B.10.20 allows local users to execute arbitrary commands with root privileges via a long LANG environment variable.
       </vuln:summary>
       ...
       <cpe-lang:fact-ref name="cpe:/o:sun:solaris:2.5.1" />
       <cpe-lang:fact-ref name="cpe:/o:debian:debian:3.0" />
       ...

     Annotations on the slide:
     • entry id: vulnerability unique ID
     • vuln:published-datetime: date of the report
     • vuln:summary: vulnerability description
     • cpe-lang:fact-ref: affected products

  11. Data source – refining the data
     • We selected the vulnerabilities of some of the most used server OS products* from the XML feeds and stored them in a database
     • Next, we removed 233 vulnerabilities due to their uncertainty, vague info or disputed state
     [Figure labels: 2120 → 1887]
     * OpenBSD, NetBSD, FreeBSD, Solaris, OpenSolaris, Ubuntu, Debian, Redhat, Win2000, Win2003 and Win2008

  12. Results

  13. Vulnerability classification
     • OS is a product/distribution
     • We classified those 1887 vulnerabilities, by hand, into one of four categories, to find out which part of the OS is vulnerable:
       • Driver: for all devices
       • Kernel: libraries, TCP stack, file systems…
       • System Software: login shells, firewall, telnet…
       • Application: web browsers, ftp clients, music/video players…

  14. Vulnerability classification distribution

  15. Temporal distribution of the vulnerabilities for the Linux family
     • There is a pattern in the vulnerability counts
     • In the beginning, Ubuntu was very similar to Debian

  16. Common Vulnerabilities
     [Table columns: Fat Server, Thin Server, Isolated Thin Server]
     • In the Isolated Thin Server scheme, OpenBSD has 60 vulnerabilities and Solaris 103, and they share only 6
     • Most of the shared vulnerabilities are in the Kernel
     • Even in the Fat Server scheme, NetBSD and Ubuntu have 0 common vulnerabilities
     • OpenSolaris has only 6 vulnerabilities, which are shared with Solaris
     • 74% of Win 2003 vulnerabilities are shared with Win 2000
     • Most of the shared vulnerabilities are in Applications

  17. Building a set with four different OSes
     We intend to understand if we can choose OS pairs based on the past shared vulnerabilities
     [Figure labels: History, Observed, Unix TCP stack]

  18. Other good sets
     Top 3:
     • Set1: Windows 2003, Solaris, Debian and OpenBSD
     • Set2: Windows 2003, Solaris, Debian and NetBSD
     • Set3: Windows 2003, Solaris, RedHat and NetBSD
     Easier to manage:
     • Set4: Debian, RedHat, NetBSD and OpenBSD
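
An added illustration (not code from the presentation) of the analysis in slides 10 to 18: parse NVD-style entries, count the CVEs each OS pair shares, and pick the four-OS set with the lowest total. The feed contents, the `vendor:product` key and the sum-of-pairwise-counts score are assumptions made for this example.

```python
import itertools
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed feed in the shape of the NVD entry on slide 10.
# CVE ids and OS assignments are placeholders, not real NVD data.
SAMPLE_FEED = """<nvd xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
<entry id="CVE-0000-0001"><cpe-lang:fact-ref name="cpe:/o:debian:debian:3.0"/><cpe-lang:fact-ref name="cpe:/o:redhat:linux:7.0"/></entry>
<entry id="CVE-0000-0002"><cpe-lang:fact-ref name="cpe:/o:debian:debian:3.1"/><cpe-lang:fact-ref name="cpe:/o:redhat:linux:7.0"/></entry>
<entry id="CVE-0000-0003"><cpe-lang:fact-ref name="cpe:/o:openbsd:openbsd:3.0"/><cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.6"/></entry>
<entry id="CVE-0000-0004"><cpe-lang:fact-ref name="cpe:/o:sun:solaris:2.5.1"/></entry>
<entry id="CVE-0000-0005"><cpe-lang:fact-ref name="cpe:/o:debian:debian:3.0"/><cpe-lang:fact-ref name="cpe:/a:mozilla:firefox:3.0"/></entry>
<entry id="CVE-0000-0006"><cpe-lang:fact-ref name="cpe:/o:redhat:linux:7.0"/><cpe-lang:fact-ref name="cpe:/o:sun:solaris:2.5.1"/></entry>
</nvd>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def os_vulns(feed_xml):
    """Map 'vendor:product' -> set of CVE ids, counting only OS CPEs (cpe:/o:)."""
    vulns = defaultdict(set)
    for entry in ET.fromstring(feed_xml).iter():
        if local(entry.tag) != "entry":
            continue
        for el in entry.iter():
            parts = el.get("name", "").split(":")
            # Releases are merged: the key ignores the CPE version field.
            if local(el.tag) == "fact-ref" and parts[:2] == ["cpe", "/o"] and len(parts) >= 4:
                vulns[f"{parts[2]}:{parts[3]}"].add(entry.get("id"))
    return dict(vulns)

def shared(vulns):
    """Number of CVEs reported for both OSes, for every OS pair."""
    return {frozenset(p): len(vulns[p[0]] & vulns[p[1]])
            for p in itertools.combinations(sorted(vulns), 2)}

def best_set(vulns, n=4):
    """n-OS set with the fewest pairwise-shared CVEs (n = 3f + 1 with f = 1)."""
    pair = shared(vulns)
    score = lambda s: sum(pair[frozenset(p)] for p in itertools.combinations(s, 2))
    best = min(itertools.combinations(sorted(vulns), n), key=score)
    return best, score(best)

if __name__ == "__main__":
    print(best_set(os_vulns(SAMPLE_FEED)))
```

Keying on `(vendor, product, version)` instead of `vendor:product` gives the (OS, release) variant discussed in slide 19.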

  19. Further analysis
     • To tolerate f=4 we need 13 distinct OSes
     • But if we consider (OS, release) pairs instead, we may increase the number of different sets
     • We looked at security advisory websites to find out if they correlate the vulnerabilities patched in each release with the information in NVD.

  20. Exploring diversity across OS releases
     Common vulnerabilities between OS releases from 2000 to 2007

  21. Caveats
     • It is not clear whether NVD, when it receives a vulnerability report, checks for that vulnerability in all OSes or waits for other discoveries of the same vulnerability in other OSes
     • NVD does not provide exploits in data feeds, otherwise we could attempt to exploit the vulnerabilities

  22. Conclusions

  23. Conclusions
     • Myth or reality? Reality! Based on the NVD data there is a strong suggestion that operating systems do not contain a high number of common vulnerabilities
     • A step towards addressing the very important problem of evaluating diversity in replicated systems

  24. Future work
     • Estimate the security gains of using diverse OSes when compared with a single OS on replicated systems
     • Combine all diversity techniques: obfuscation, randomization, and other off-the-shelf diversity (e.g., Databases, JVM)
     • Other approaches like source code comparison can complement our work
     • In the poster session, we explain how this work evolved to an architecture with proactive recovery: Diverse OS Rejuvenation for Intrusion Tolerance, M. Garcia, A. Bessani and N. Neves

  25. Questions?
     mhenriques@lasige.di.fc.ul.pt
     http://homepages.lasige.di.fc.ul.pt/~mhenriques/
