DYMO: Tracking Dynamic Code Identity

Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna
University of California, Santa Barbara
RAID 2011 (September)
Presenter: 張逸文
Outline
• Introduction
• System Overview
• System Implementation
• Applications for DYMO
• Evaluation
• Security Analysis
• Related Work
• Conclusions
Introduction (#1)
• Access control: user-based authorization
• Code identity
  - Measurements of a process
• DYMO, a system that provides a dynamic code identity primitive
  - Identity label
  - Network access
Introduction (#2)
• Track the run-time integrity of a process
• DYMO
• Extending DYMO to label network packets
• Experimental results
System Overview (#1)
• System requirements
  - Precise
  - Secure
  - Efficient
• System Design
  - Computing a cryptographic hash of each code section as the process' identity
  - Precise label computation
System Overview (#2)
• Handling Dynamically Generated Code
  - Don't hash dynamic code regions directly
  - Dynamically generated code is expected only in certain known parts of a process
• Secure Label Computation
  - Runs at a higher privilege: inside a VMM / as part of the OS
• Efficient Label Computation
  - Modify the Windows memory management routines
  - The label is computed incrementally
System Implementation (#1)
• Problems
  - Loading DLLs during run-time
  - Arbitrary memory regions
  - DLL reloading
• System Initialization
  1. Register for kernel-provided callbacks
  2. Hook the NT kernel system services
  3. Hook the page fault handler
  4. Use Data Execution Prevention (DEP)
System Implementation (#2)
• Identity Label Generation
  - Image hash + region hash = identity label
• Image Hashes
  1. Build the process profile
  2. Locate the code segment
  3. Modify the page protection
  4. DEP exception
  5. Page fault handler
System Implementation (#3)
• Region Hashes
  1. Hook NtAllocateVirtualMemory, NtMapViewOfSection, NtProtectVirtualMemory
  2. Check for execute access
  - These executable regions are for dynamic code generation
• Handling Dynamic Code Generation
  - Allocator
  - Writer
  - Caller
  - (diagram: the allocator, writer and caller of a dynamic code region feed its region hash)
System Implementation (#4)
• Handling the PAGE_EXECUTE_READWRITE protection
  - PAGE_EXECUTE_READWRITE => PAGE_READWRITE + PAGE_EXECUTE_READ
• Establishing Identity
  - Strict matching policy
  - Relaxed matching policy
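To make the label-computation steps on the System Overview and System Implementation slides concrete, here is an added Python simulation; it is not code from the DYMO paper or from the presenter. It models the hooked allocation path that downgrades an RWX request to RW, the DEP fault that grants RX only after the region has been hashed, the write fault that invalidates a stale region hash (so the label is updated incrementally), and strict versus relaxed matching against a trained profile. The string protection tags, the module names and code bytes, the rule that a region hash is derived from the identities of its allocator, writer and caller, and the reading of the two matching policies are all assumptions of the example; the real system works on page protections inside the Windows kernel.

```python
import hashlib
from dataclasses import dataclass, field

# Page-protection states named on the slides (constructed string tags, not
# the numeric Windows constants).
PAGE_READWRITE = "RW"
PAGE_EXECUTE_READ = "RX"
PAGE_EXECUTE_READWRITE = "RWX"


def digest(*parts: bytes) -> str:
    """SHA-256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest()


@dataclass
class Region:
    prot: str
    allocator: str          # image hash of the module that allocated the region
    writer: str = ""        # image hash of the module that last wrote into it
    region_hash: str = ""   # computed when the region is first executed


@dataclass
class ProcessIdentity:
    images: dict = field(default_factory=dict)   # module name -> image hash
    regions: dict = field(default_factory=dict)  # region id -> Region
    events: list = field(default_factory=list)   # what the hooks observed

    def load_image(self, name: str, code: bytes) -> str:
        # Image hash: hash of the module's code section (slide: "Image Hashes").
        self.images[name] = digest(code)
        return self.images[name]

    def alloc_region(self, rid: str, requested: str, allocator: str) -> str:
        # Hook on NtAllocateVirtualMemory: an RWX request is downgraded to RW;
        # execute rights are granted only once the page-fault handler has hashed it.
        granted = PAGE_READWRITE if requested == PAGE_EXECUTE_READWRITE else requested
        self.regions[rid] = Region(granted, self.images[allocator])
        return granted

    def write_region(self, rid: str, writer: str) -> None:
        r = self.regions[rid]
        if r.prot == PAGE_EXECUTE_READ:
            # A write to an RX page faults: flip back to RW and drop the stale hash.
            r.prot = PAGE_READWRITE
            r.region_hash = ""
            self.events.append(f"{rid}: RX->RW, region hash invalidated")
        r.writer = self.images[writer]

    def execute_region(self, rid: str, caller: str) -> str:
        r = self.regions[rid]
        if r.prot != PAGE_EXECUTE_READ:
            # DEP fault on first execute: grant RX and add the region hash to the
            # label incrementally. The hash is derived from the identities of
            # allocator, writer and caller, not from the region bytes (assumption
            # based on the allocator/writer/caller diagram on the slide).
            r.prot = PAGE_EXECUTE_READ
            r.region_hash = digest(r.allocator.encode(), r.writer.encode(),
                                   self.images[caller].encode())
            self.events.append(f"{rid}: RW->RX, region hash {r.region_hash[:12]}")
        return r.region_hash

    def label(self) -> frozenset:
        # Identity label = image hashes + region hashes of executable regions.
        parts = set(self.images.values())
        parts |= {r.region_hash for r in self.regions.values() if r.region_hash}
        return frozenset(parts)


def matches(label: frozenset, profile: frozenset, policy: str) -> bool:
    """Strict: the label must equal the trained profile exactly.
    Relaxed: every component must be known; extra known modules are tolerated
    (the example's reading of the two policies named on the slide)."""
    return label == profile if policy == "strict" else label <= profile


def demo() -> dict:
    p = ProcessIdentity()
    p.load_image("app.exe", b"app code section (constructed)")
    p.load_image("kernel32.dll", b"kernel32 code section (constructed)")
    granted = p.alloc_region("jit1", PAGE_EXECUTE_READWRITE, "app.exe")
    p.write_region("jit1", "app.exe")
    first = p.execute_region("jit1", "app.exe")
    profile = p.label()                        # trained, known-good label
    # A trusted module loaded after training: strict rejects, relaxed accepts.
    p.load_image("user32.dll", b"user32 code section (constructed)")
    whitelist = profile | {p.images["user32.dll"]}
    strict_ok = matches(p.label(), profile, "strict")
    relaxed_ok = matches(p.label(), whitelist, "relaxed")
    # Code written into the JIT region by an unknown module: the write fault
    # invalidates the hash, and re-execution yields a different, unknown label.
    p.load_image("injected.dll", b"injected code (constructed)")
    p.write_region("jit1", "injected.dll")
    second = p.execute_region("jit1", "injected.dll")
    return {"granted": granted, "first": first, "second": second,
            "strict_ok": strict_ok, "relaxed_ok": relaxed_ok,
            "tampered_ok": matches(p.label(), whitelist, "relaxed"),
            "events": p.events}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to notice is that the label never needs a full recomputation: a region contributes a hash only while it is executable, so the RW/RX flips driven by the fault handler are exactly the moments at which a component is added to or removed from the label.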
Applications for DYMO (#1)
• Application-Based Access Control
  - Access control based on the identity
  - Global distribution mechanisms
  - Whitelist for all users
• DYMO Network Extension
  - Inject the label into network packets
  - Label Size Optimization
    - Huffman coding
    - Split the label over multiple packets
Applications for DYMO (#2)
• The injector: NDIS Intermediate Filter driver
• The Broker: TDI Filter driver
(Diagram: the broker, a TDI filter, maps a connection ID to the process identity label; the injector, an NDIS intermediate filter sitting between the TCP/IP transport driver and the network adapter, emits the modified packet.)
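An added example, not the paper's or the presenter's code, of the network-extension idea from these two slides: the label is Huffman-coded using component frequencies taken from a training database of profiles, split across several packets of one connection on the injector side, and reassembled and decoded at the receiving policy point. The sentinel for components the codebook has never seen, the 16-bit bit-count prefix, the (connection id, index, total, payload) fragment tuple, the 8-byte fragment size and the constructed training profiles are all assumptions of the example.

```python
import hashlib
import heapq
from collections import Counter

RAW = "__raw__"  # sentinel: component not in the codebook, sent as the full hash


def component(name: str) -> str:
    """Constructed stand-in for an image or region hash (SHA-256 of a name)."""
    return hashlib.sha256(name.encode()).hexdigest()


def build_codes(profiles) -> dict:
    """Huffman codebook over label components, weighted by how often each one
    occurs across the training profiles (the example's reading of 'Huffman')."""
    freq = Counter(h for p in profiles for h in p)
    freq[RAW] = 1
    heap = [(n, k, {h: ""}) for k, (h, n) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    k = len(heap)
    while len(heap) > 1:
        n1, _, c1 = heapq.heappop(heap)
        n2, _, c2 = heapq.heappop(heap)
        merged = {h: "0" + c for h, c in c1.items()}
        merged.update({h: "1" + c for h, c in c2.items()})
        heapq.heappush(heap, (n1 + n2, k, merged))
        k += 1
    return {h: c or "0" for h, c in heap[0][2].items()}  # lone symbol gets "0"


def encode_label(label, codes) -> bytes:
    """Label -> compact bytes: 16-bit bit count, then the Huffman codes."""
    bits = ""
    for h in sorted(label):
        bits += codes[h] if h in codes else codes[RAW] + format(int(h, 16), "0256b")
    bits = format(len(bits), "016b") + bits
    bits += "0" * (-len(bits) % 8)            # pad to a byte boundary
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def decode_label(data: bytes, codes) -> frozenset:
    rev = {c: h for h, c in codes.items()}    # prefix-free, so no ambiguity
    bits = format(int.from_bytes(data, "big"), f"0{len(data) * 8}b")
    n = int(bits[:16], 2)
    body, label, cur, i = bits[16:16 + n], set(), "", 0
    while i < len(body):
        cur, i = cur + body[i], i + 1
        if cur in rev:
            if rev[cur] == RAW:               # escaped full hash follows
                label.add(format(int(body[i:i + 256], 2), "064x"))
                i += 256
            else:
                label.add(rev[cur])
            cur = ""
    return frozenset(label)


def split_label(conn_id: int, data: bytes, mtu: int = 8) -> list:
    """Injector side: spread the encoded label over several packets of one
    connection as (conn_id, index, total, payload) tuples."""
    chunks = [data[i:i + mtu] for i in range(0, len(data), mtu)]
    return [(conn_id, i, len(chunks), c) for i, c in enumerate(chunks)]


class LabelReassembler:
    """Receiver side: collects fragments per connection and returns the encoded
    label once every fragment has arrived, in any order."""
    def __init__(self):
        self.pending = {}

    def receive(self, frag):
        conn_id, idx, total, payload = frag
        parts = self.pending.setdefault(conn_id, {})
        parts[idx] = payload
        if len(parts) < total:
            return None
        del self.pending[conn_id]
        return b"".join(parts[i] for i in range(total))


# Constructed training database: common DLLs appear in every profile, so they
# get the shortest codes; each application image appears once.
TRAINING_PROFILES = [
    {component("kernel32.dll"), component("ntdll.dll"), component(f"app{i}.exe")}
    for i in range(4)
]
CODES = build_codes(TRAINING_PROFILES)


def roundtrip(label, conn_id: int = 7, mtu: int = 8, order=None):
    """Encode, fragment, deliver (optionally reordered), reassemble, decode.
    Returns (decoded label, number of fragments)."""
    frags = split_label(conn_id, encode_label(label, CODES), mtu)
    if order:
        frags = [frags[i] for i in order]
    ra, out = LabelReassembler(), None
    for f in frags:
        out = ra.receive(f) or out
    return decode_label(out, CODES), len(frags)


if __name__ == "__main__":
    lab = {component("kernel32.dll"), component("ntdll.dll"), component("app1.exe")}
    print(roundtrip(lab))
    print(roundtrip(lab | {component("unseen.dll")}))
```

A label made only of components seen in training fits in a few bytes and a single fragment; a component the codebook has never seen costs a full 256-bit escape, which is also a useful signal in itself, since an unknown component is exactly what a whitelist-based policy would refuse.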
Evaluation (#1)
• Label Precision
  - Three experimental environments
  - Training database
  - 93% of the applications' labels are precise
• Effect of Process Tampering
  - Tampering by malware
  - Tampering by exploits
• Performance Impact
Evaluation (#2)
Evaluation (#3)
• PassMark AppTimer tool: < 1 sec.
Security Analysis
• Create executable memory regions
• Add code to a trusted program
• Tamper with the data of a process
  - Non-control-data attack
Related Work
• Local Identification
  - Patagonix: a hypervisor-based system
  - Tripwire: static code identity
• Remote Identification
  - Sailer et al.: Trusted Platform Module, identifying applications for remote attestation
Conclusion
• DYMO, a dynamic code identity primitive
• Extends DYMO to network packets
• An acceptable performance overhead
• Future work
  - Extending DYMO to other platforms
  - Sophisticated network-level policy enforcement mechanism