(Mis)Use Cases for the Grid
Dane Skow, Fermilab, September 29, 2004
Who is the audience for this talk?
Software and service developers: appropriate controls and recovery mechanisms need to be designed in.
System and service administrators: timescales are much reduced and demands are greater.
Managers: the Grid brings new threats and costs.
Who will misuse the Grid?
Criminals looking to exploit resources and/or hide their tracks.
Curious people experimenting.
Authorized users trying to “game” the system to their advantage.
Authorized users making mistakes.
How will they do it?
Probably the same patterns as general Internet attacks.
The Grid is under attack today.
The first likely grid-specific channel is credential hijack.
Next are probably grid versions of current attack methods (code vulnerability exploits, code injection, …).
They may also utilize grid management/forensics tools directly and/or develop their own tools.
Consider a Grid Worm
A worm is a piece of software which is aware of its environment and tries to automatically exploit available resources.
Sounds like an opportunistic Grid job…
Users are expected to have automated agents acting on their behalf to manage long/complex jobs.
Agents and/or job elements are expected to be able to discover resources available to perform jobs.
Lifecycle of a Worm
Birth (Executable Insertion)
Growth (Privilege Acquisition)
Reproduction (Propagation)
Executable Insertion
The executable is somehow inserted into a grid job submission.
Today this most likely exploits a common application (e.g. OS or browser) vulnerability.
Increasing use of trojan weblinks.
We do see cases of worms including password sniffers and automatically following users.
Spread of these so far has been limited:
One user uses relatively few machines.
User communities don’t frequently share resources.
The grid will reduce both of those limitations.
Detection and Defense
Network Security: IDS can help spot attacks (beware false positives).
Developers:
All applications which accept input need to validity-check the input and protect against input replacement.
Working files need to be protected against change.
Applications which accept executable input should allow for a trusted scanning service.
Have some method of input flood control.
Sysadmins:
Don’t run unnecessary services.
Minimize trust in services so that a compromise of one cannot be used to jump to others.
Lifecycle of a Worm
Birth (Executable Insertion)
Growth (Privilege Acquisition)
Reproduction (Propagation)
Privilege Acquisition
The initial toehold is usually not enough.
May need to gain access to a local privileged account (e.g. “get root”).
May need to create a new execution environment (e.g. fork a shell).
May need to collect some data (credentials, targets, etc.).
The worm may use local exploits to do this. This phase may be long-running and independent of the propagation phase.
Detection and Defense
Developers:
Check all inputs and error returns!
Assume an uncertain environment. Contain threats.
Separate functions (particularly privileged ones).
Protect your working data.
Remove data no longer needed.
Create and protect logs.
Allow for throttles and/or alarms on “overuse”.
System Administrators:
All attempts to use privileged accounts should be logged.
Don’t neglect patches for local exploits.
Be alert for unusual (patterns of) network connections.
Be alert for unusually long-running processes.
Protect your logs from unauthorized reading or tampering.
Lifecycle of a Worm
Birth (Executable Insertion)
Growth (Privilege Acquisition)
Reproduction (Propagation)
Propagation
To spread, worms must propagate to new hosts.
The propagation method may differ from the insertion method.
Often includes multiple attack methods.
May be driven by data collected in the Privilege Acquisition phase.
Overly aggressive propagation destroys the host environment.
The electronic parasites are learning this too.
This may or may not be their goal.
Detection and Defense
Network Security:
Consider active network defenses (in- and outbound).
Consider authorized network channel provisioning.
Developers:
Build in throttle control points and/or alarms on “overuse”.
Avoid the temptation to multiplex on a few “clear channels”.
System Administrators:
Be alert for unusual network connection frequency.
Be alert for unusually long-running processes.
Consider IPsec where possible.
Protect your logs from unauthorized reading and tampering.
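The two sysadmin checks that recur on these slides (unusually long-running processes and unusual connection frequency) can be automated against ordinary host data. The following is an added example, not part of the original talk or any Fermilab tooling: it parses constructed `ps -eo user,pid,etimes,comm` output and a constructed outbound-connection log (the log format, the pool accounts cms001..cms003 and the host names are assumptions) and flags the patterns described above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ps -eo user,pid,etimes,comm`
# (etimes = elapsed seconds). The cms00x pool accounts are hypothetical.
PS_SAMPLE = """\
USER       PID ETIMES COMM
cms001    4123   1800 cmsRun
cms002    4310 604800 sh
cms003    4415    120 python
root       812 864000 sshd
"""

# Constructed outbound-connection log; the line format is an assumption.
# wn017 fans out to many peers within one minute, wn021 talks to one server.
CONN_SAMPLE = """\
2004-09-29T10:00:01 src=wn017 dst=wn003:22
2004-09-29T10:00:02 src=wn017 dst=wn004:22
2004-09-29T10:00:03 src=wn017 dst=wn005:22
2004-09-29T10:00:04 src=wn017 dst=wn006:22
2004-09-29T10:00:05 src=wn017 dst=wn007:22
2004-09-29T10:00:06 src=wn017 dst=wn008:22
2004-09-29T10:00:10 src=wn021 dst=se01:2811
2004-09-29T10:00:40 src=wn021 dst=se01:2811
2004-09-29T10:01:02 src=wn017 dst=wn009:22
"""

def long_running_jobs(ps_text, job_accounts, max_seconds):
    """Return (user, pid, comm) for grid job-account processes whose
    elapsed time exceeds max_seconds. System daemons (root) are ignored."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        user, pid, etimes, comm = line.split(None, 3)
        if user in job_accounts and int(etimes) > max_seconds:
            hits.append((user, int(pid), comm))
    return hits

CONN_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+):(\d+)$")

def connection_bursts(log_text, per_minute_limit):
    """Count distinct destination hosts per source host per minute and
    return the sources that exceed per_minute_limit (a fan-out pattern)."""
    per_minute = defaultdict(set)                  # (src, minute) -> {dst}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:                                      # ignore malformed lines
            ts, src, dst, _port = m.groups()
            per_minute[(src, ts[:16])].add(dst)    # ts[:16] = minute bucket
    return sorted({src for (src, _), dsts in per_minute.items()
                   if len(dsts) > per_minute_limit})
```

Thresholds (a day of elapsed time, four distinct peers per minute) are illustrative and should be tuned to the site's job mix.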
Lifecycle of a Worm
Birth (Executable Insertion)
Growth (Privilege Acquisition)
Reproduction (Propagation)
Death? (Eradication)
Eradication
Currently not possible.
The Internet carries a load of parasites.
Old worms are just overshadowed by the next release.
Attacks always get better.
Rapid (re)infections will kill the weak.
Must break the propagation cycle.
Developments in rapid quarantine are perhaps not enough.
Grid Implications?
Most destructive worms are greedy.
Need to harden the discovery service against flooding DoS.
Brokering services should include some sort of flooding feedback.
Credentials may be automatically collected.
Need a method of dealing with large-scale compromises quickly enough.
Proxy exploitation may be rapid enough to be self-sustaining.
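The developer advice earlier in the talk (input flood control, throttle control points and alarms on “overuse”) and the discovery-service hardening above point at the same control. The following is an added example, not code from the talk or from any grid middleware: a sliding-window throttle keyed by the requesting identity, which refuses excess requests with a back-off hint (the broker's “flooding feedback”) and raises a single alarm when one identity crosses an overuse threshold. The DNs, limits and traffic are constructed.

```python
from collections import defaultdict, deque

class FloodThrottle:
    """Hypothetical sliding-window throttle for a discovery/broker service.
    Each identity (e.g. a certificate DN) gets at most `limit` requests per
    `window` seconds; excess requests are refused with a retry hint, and one
    alarm fires when an identity first reaches alarm_factor * limit requests
    inside a window, so a flood produces one alert rather than hundreds."""

    def __init__(self, limit=5, window=10.0, alarm_factor=3):
        self.limit, self.window, self.alarm_factor = limit, window, alarm_factor
        self.history = defaultdict(deque)   # identity -> request times in window
        self.alarms = []                    # (time, identity, count in window)

    def request(self, now, identity):
        q = self.history[identity]
        while q and now - q[0] >= self.window:   # expire requests outside window
            q.popleft()
        q.append(now)                            # refused requests still count
        count = len(q)
        if count == self.alarm_factor * self.limit:
            self.alarms.append((now, identity, count))
        if count > self.limit:
            retry_after = self.window - (now - q[0])   # when the oldest slot frees
            return {"allowed": False, "retry_after": retry_after}
        return {"allowed": True, "retry_after": 0.0}

def run_sample():
    """Constructed traffic: a well-behaved user polling every 3 s and a greedy
    agent firing 20 queries in 10 s. Returns per-identity tallies and alarms."""
    throttle = FloodThrottle()
    alice = "/DC=example/CN=alice"             # hypothetical DNs
    greedy = "/DC=example/CN=greedy-agent"
    traffic = [(3.0 * i, alice) for i in range(7)]
    traffic += [(20.0 + 0.5 * i, greedy) for i in range(20)]
    tally = defaultdict(lambda: {"allowed": 0, "denied": 0})
    first_hint = None                          # back-off hint of the first refusal
    for now, who in sorted(traffic):
        verdict = throttle.request(now, who)
        tally[who]["allowed" if verdict["allowed"] else "denied"] += 1
        if not verdict["allowed"] and first_hint is None:
            first_hint = verdict["retry_after"]
    return {"tally": dict(tally), "alarms": throttle.alarms, "first_hint": first_hint}
```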
More Grid Implications
Determining the source may be difficult.
Currently this involves examination of the compromised machine, system logs and local network logs.
Up- and downstream links may be obscured by resource brokers, etc.
Determining attack effects may be difficult.
The actions of the executable have to be researched.
The next step in the action may not be the next direct target.
More Misuse Cases
The Grid Filez server
Bad guys scour the net looking for resources available to host their software (including the Filez service itself).
Capacious disk and network connections are valued and preferentially used.
The Grid Doorknob rattler
Bad guys probe the grid, cataloging Grid services and vulnerabilities.
Conclusions
Incident response will be required.
Controls must be put in place to contain spread.
Prepare for the likely cases.
Every incident can’t be a full-scale alert.
We can predict early types of abuses.
We need instrumentation to look for them.
We need controls to contain them.
Avoid the “tragedy of the commons”.
This requires the ability to effectively assert authorization controls.
Backup Slides
What is misuse?
Trivial definitions are not useful.
“Unauthorized” merely pushes the problem down a level.
“Unintended use” hampers exploration and serendipity.
I’m going to focus on use which causes harm to either the resource owners or the general public
Why study misuse?
Rigorous security is usually expensive and usually inconvenient.
Need to understand likely misuse in order to prioritize investments.
Controls need to be designed in beforehand to respond quickly to changes in attacks.
We have a responsibility to do a “professional job” with the public’s trust.