Summary on Backtracking Intrusions

BackTracker attempts to address the shortcomings of current tools in detecting a compromise. Working backward from a detection point, it identifies the chain of events that could have led to the modification that was detected. Unlike many other tools that use application-level logs, network-level logs, and low-level logs, BackTracker works by observing OS-level objects and events. OS-level events can be interpreted even if the attacker encrypts or obfuscates his network communication. The design comprises objects, potential dependency-causing events, and dependency graphs.

Objects are of three kinds: processes, files, and filenames. A process is identified by a process ID and a version number. The one process that is not created by a fork or clone system call is called the first process (swapper). BT tracks each process from the time it is created to the point where it exits. A file is uniquely identified by a device, an inode number, and a version number. BT uses the inode number to track a file across rename operations. It also treats pipes and named pipes as normal files. A filename object refers to the directory data that maps a name to a file object.

BT's EventLogger logs dependency-causing events at runtime. A dependency relationship is specified by three parts: a source object, a sink object, and a time interval. Time is measured in terms of an increasing event counter. Based on the source and sink objects, dependency-causing events can be classified into three categories.

A process/process dependency arises when one process affects another through a system call. Apart from the traditional fork system call, Linux supports the clone system call. Process/file dependencies arise whenever a process affects or is affected by data or attributes associated with a file. Depending on the type of system call, the process/file dependency runs either process -> file or file -> process. Besides system calls, file-mapping events also create a bidirectional dependency, since a mapped file can be read and written at the same time (process <-> file). Process/filename dependencies arise when a process affects or is affected by a filename object; as in the previous case, the direction of the dependency depends on the type of system call.

BackTracker saves the information about logged objects and dependency-causing events and presents it as dependency graphs. Once the detection point of a potential compromise is found, GraphGen, the graph-generation utility of BT, works backward from it to draw the dependency graph. Dependency graphs provide the information needed to study and assess the events that led to the detection point.

High-control events are those considered easiest for an attacker to use to accomplish a task. The current prototype tracks both high-control and low-control events; however, BT can provide useful analysis without tracking low-control events, since it is difficult for an intruder to accomplish a task solely through low-control events.

BT's EventLogger can be implemented in many ways. In this prototype, the target operating system and applications run inside a virtual machine (the guest OS), and the virtual-machine monitor calls a kernel procedure at appropriate times; this arrangement leverages ReVirt, which enables the complete execution of the VM to be replayed. By observing the state of the VM through the monitor, EventLogger logs information about events and objects.

In order to scrutinize a compromise, it is important to pay special attention to the events and objects that best describe the intrusion. There are several ways to prioritize the important parts: ignoring certain objects, filtering out certain types of events, hiding files that have been read but not written in the time period being analyzed, filtering out helper processes, and finally choosing several detection points.
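As an added example (not code from the paper or from the BackTracker prototype), the following Python sketch models the objects, the dependency-causing events with their time intervals, and the backward graph generation described above, together with the "hide files that were read but not written" prioritization rule from this paragraph. The object names, the event list and the event-counter values are constructed for illustration; files are named by path rather than by device and inode so the output is readable, and the threshold rule in backtrack() is a simplification of GraphGen rather than its actual logic.

```python
from collections import deque
from dataclasses import dataclass


# An object is named "kind:identifier#version". Files are named by path here
# for readability; the real BT identifies them by device and inode number.
@dataclass(frozen=True)
class Event:
    source: str  # object that affects ...
    sink: str    # ... this object
    start: int   # event counter when the dependency began
    end: int     # event counter when it ended (equal to start for one syscall)


# Constructed sample log (not from the paper): a web server spawns a shell that
# drops a file, which is later executed and overwrites /etc/shadow.
LOG = [
    Event("proc:httpd#1", "proc:sh#1", 10, 10),               # fork: process -> process
    Event("file:/etc/passwd#1", "proc:sh#1", 12, 12),         # read: file -> process
    Event("proc:sh#1", "file:/tmp/payload#1", 15, 15),        # write: process -> file
    Event("file:/tmp/payload#1", "proc:backdoor#1", 20, 20),  # exec: file -> process
    Event("proc:backdoor#1", "file:/etc/shadow#2", 30, 30),   # write: process -> file
    Event("proc:cron#1", "file:/var/log/cron#1", 35, 35),     # unrelated activity
    Event("proc:sshd#1", "file:/etc/shadow#2", 40, 40),       # write after the detection point
]


def backtrack(log, detection_object, detection_time):
    """Build the backward dependency graph from a detection point.

    Each object in the graph carries a time threshold: the latest event-counter
    value at which its state could still have influenced the detection point.
    An event joins the graph when its sink is already in the graph and the
    event started before the sink's threshold; the event's source then joins
    with a threshold no later than the event's end. (Simplified rendering of
    the paper's GraphGen, not its code.) Returns (thresholds, events).
    """
    threshold = {detection_object: detection_time}
    worklist = deque([detection_object])
    edges = set()
    while worklist:
        obj = worklist.popleft()
        limit = threshold[obj]
        for ev in log:
            if ev.sink != obj or ev.start >= limit:
                continue  # wrong sink, or it happened too late to matter
            edges.add(ev)
            src_limit = min(ev.end, limit)
            if src_limit > threshold.get(ev.source, -1):
                threshold[ev.source] = src_limit
                worklist.append(ev.source)  # (re)visit with the raised threshold
    return threshold, edges


def hide_read_only_files(threshold, edges, detection_object):
    """Prioritization rule: hide files that were only read, never written,
    in the analysed period. Such files (here /etc/passwd) appear only as
    event sources, so dropping them removes clutter without breaking the
    chain that leads to the detection point."""
    written = {ev.sink for ev in edges} | {detection_object}
    keep = {o for o in threshold if not o.startswith("file:") or o in written}
    kept_edges = {ev for ev in edges if ev.source in keep and ev.sink in keep}
    return keep, kept_edges


def render(edges):
    """Text rendering of the graph, oldest dependency first."""
    return [f"{ev.start:>3}: {ev.source} -> {ev.sink}"
            for ev in sorted(edges, key=lambda e: e.start)]


if __name__ == "__main__":
    detection = "file:/etc/shadow#2"
    th, ed = backtrack(LOG, detection, detection_time=31)
    print("full backward graph:")
    print("\n".join(render(ed)))
    _, filtered = hide_read_only_files(th, ed, detection)
    print("after hiding read-only files:")
    print("\n".join(render(filtered)))
```

Running the block walks from the write to /etc/shadow back to the httpd fork in five events; the cron activity and the later sshd write never enter the graph because no event connects them to the detection point before its threshold, and the filter then drops the /etc/passwd read.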

BackTracker can be attacked in several ways. First, an intruder can foil BT by attacking the layers upon which its analysis and logging depend. Second, the intruder can attack the VM monitor and the host OS upon which BT itself depends. Third, the intruder can break the chain of events from the detection point to the source of the attack by using low-control events, which are not tracked by BT.

Complementary to BT, the Repairable File Service (RFS) uses forward tracking to identify the files that may have been contaminated. However, BT's functionality differs widely from RFS's, and there are opportunities for an intruder to hide from the forward-tracking phase. The dependency graphs generated by BT help administrators find and focus on a few important objects and events to understand the intrusion. BT uses different types of rules to filter out parts of the dependency graph that are unlikely to be related to the intrusion.

Suggestions:

Since BT uses OS-level objects and events to draw the timeline of a compromise in the system, it is more useful and, to a certain extent, it is a reliable mechanism too. However, BT works on the assumption that gaining kernel-mode control can be considered a more difficult task, but an intelligent hacker may be able to gain that access. Also, the efficiency of BT relies totally on the preciseness of the detection point, as earliest detection will reduce the analysis of the dependency-causing events and thereby reduce the complexities.

Questions:

1. How would BackTracker address the problem in generating the file/processes dependencies if the files have been changed and still hold the validity?

2. What if the detection point is not found right the first time?

3. What if a particular compromise creates several detection points? Which point would yield the correct picture of the attack?

4. How would we implement BT on other systems? Is it specific to the Linux O/S?

5. What is the difference between implementing BT using other systems rather than setting up a VM? Is there any way to do the analysis without GraphGen?