Page 1: Virtual Directories: Attack Models and Prevention

Virtual Directories: Attack Models and Prevention

June 2nd, 2009

Bill Claycomb, Systems Analyst

Sandia National Laboratories

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

Page 2: Virtual Directories: Attack Models and Prevention

Agenda

• Directory services and virtual directories
• Threats to directory services
• Attack models for directory services
  – Preventing attacks on directory services
• Protecting information in directory services
• Future directions

Page 3: Virtual Directories: Attack Models and Prevention

Directory Services

• Localized data store containing information about objects
  – Users
  – Computers
  – Contacts, etc.

• Provide information to applications
  – Authentication and access control
  – Contact information
  – Group membership

• Use the LDAP communication protocol
  – Lightweight Directory Access Protocol

Page 4: Virtual Directories: Attack Models and Prevention

Directory Services Data

dn: cn=Joe User,dc=somedomain,dc=com
cn: Joe User
givenName: Joe
sn: User
telephoneNumber: 1 505 555 1212
postalAddress: 123 Main St.
mail: [email protected]
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

[Slide callouts: "Object" labels the whole entry above; "Attribute" labels a single name: value line.]

Page 5: Virtual Directories: Attack Models and Prevention

Directory Services

• Popular directory services implementations
  – Windows Server Active Directory
  – IBM Tivoli
  – Apple Open Directory
  – OpenLDAP
  – Fedora Directory Server
  – Sun Java System Directory Server

Page 6: Virtual Directories: Attack Models and Prevention

Virtual Directories

[Diagram: Client → Virtual Directory Server → Directory Servers]

Page 7: Virtual Directories: Attack Models and Prevention

Virtual Directories

[Diagram: Virtual Directory Server in front of Directory Servers and other Data Stores, with Synchronization between the stores]

Page 8: Virtual Directories: Attack Models and Prevention

Threats to Sensitive Directory Information

• "Insider Threat Study: Illicit Cyber Activity in the Government Sector", a study conducted by the U.S. Secret Service and CERT (2008), found:
  – Most of the insiders had authorized access at the time of their malicious activities
  – Access control gaps facilitated most of the insider incidents, including:
    • The ability of an insider to use technical methods to override access controls without detection
    • System vulnerabilities that allowed technical insiders to use their specialized skills to override access controls without detection

Page 9: Virtual Directories: Attack Models and Prevention

Attack Models on Virtual Directories

• Authentication attacks
• Cache attacks
• Data transformation attacks
• Network attacks
• Data source attacks

Page 10: Virtual Directories: Attack Models and Prevention

Authentication Attacks

[Diagram: the client presents its User Credentials to the Virtual Directory Server; the Virtual Directory Server authenticates to each Destination Server with its own Stored Credentials, so the destination servers never see the user's credentials]

Page 11: Virtual Directories: Attack Models and Prevention

Preventing Authentication Attacks

• Require pass-through authentication
  – Use a surrogate pass-through directory if necessary
• Use restricted accounts when stored credentials are required

Page 12: Virtual Directories: Attack Models and Prevention

Cache Attacks

[Diagram: Client → Virtual Directory Server with a High-Speed Cache → Directory Servers]

Page 13: Virtual Directories: Attack Models and Prevention

Preventing Cache Attacks

• Do not use the cache for high-risk information
• Require frequent consistency checks
• Require data store connectivity before returning any data
• Protect the cache on the directory server
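The four rules above, applied in code. This is an added example, not code from the talk: the directory server is a constructed in-memory stand-in (a real VDS would query LDAP), the entry and the attribute name usCitizen are made up, and the rule "protect the cache on the directory server" is the one thing code cannot do for you (that is file-system and process hardening on the VDS host).

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"time"
)

type Entry map[string]string // one directory object: attribute name -> value

var errUnavailable = errors.New("directory server unreachable")

// directoryServer is a constructed in-memory stand-in for the LDAP server behind
// the VDS so the example runs offline; Down simulates a lost connection.
type directoryServer struct {
	data map[string]Entry
	Down bool
}

// Lookup returns a copy of the entry; Get checks connectivity before calling it.
func (d *directoryServer) Lookup(dn string) (Entry, error) {
	return copyEntry(d.data[dn], nil), nil
}

// copyEntry copies e, dropping any attribute listed in skip.
func copyEntry(e Entry, skip map[string]bool) Entry {
	out := Entry{}
	for k, v := range e {
		if !skip[k] {
			out[k] = v
		}
	}
	return out
}

type cached struct {
	entry   Entry // never holds sensitive attributes
	fetched time.Time
}

// CachingVDS fronts the directory server with a high-speed cache under the slide's rules.
type CachingVDS struct {
	backend         *directoryServer
	cache           map[string]cached
	ttl             time.Duration    // serve a cached copy at most this long before re-validating it
	sensitive       map[string]bool  // high-risk attributes: never cached, always fetched live
	now             func() time.Time // injectable clock
	Inconsistencies int              // cached copies found to disagree with the backend
}

func NewCachingVDS(b *directoryServer, ttl time.Duration, sensitive ...string) *CachingVDS {
	s := map[string]bool{}
	for _, a := range sensitive {
		s[a] = true
	}
	return &CachingVDS{backend: b, cache: map[string]cached{}, ttl: ttl, sensitive: s, now: time.Now}
}

// Get returns the requested attributes of dn, or an error if it cannot do so safely.
func (v *CachingVDS) Get(dn string, attrs ...string) (Entry, error) {
	if v.backend.Down { // data-store connectivity is required before returning anything
		return nil, errUnavailable
	}
	live := false
	for _, a := range attrs {
		live = live || v.sensitive[a] // no cache for high-risk information
	}
	c, hit := v.cache[dn]
	src := c.entry
	if live || !hit || v.now().Sub(c.fetched) > v.ttl { // periodic consistency check
		fresh, err := v.backend.Lookup(dn)
		if err != nil {
			return nil, err
		}
		scrubbed := copyEntry(fresh, v.sensitive)
		if hit && !reflect.DeepEqual(c.entry, scrubbed) {
			v.Inconsistencies++ // poisoned or stale cache line; a real VDS would alert here
		}
		v.cache[dn] = cached{entry: scrubbed, fetched: v.now()}
		src = fresh
	}
	out := Entry{}
	for _, a := range attrs {
		if val, ok := src[a]; ok {
			out[a] = val
		}
	}
	return out, nil
}

func main() {
	dn := "cn=Joe User,dc=somedomain,dc=com"
	ds := &directoryServer{data: map[string]Entry{dn: {"telephoneNumber": "1 505 555 1212", "usCitizen": "N"}}}
	vds := NewCachingVDS(ds, time.Minute, "usCitizen")
	fmt.Println(vds.Get(dn, "telephoneNumber", "usCitizen"))
	ds.Down = true
	fmt.Println(vds.Get(dn, "telephoneNumber")) // cached, but refused while the backend is unreachable
}
```

The weak point the slide is warning about is visible in the design: a non-sensitive attribute poisoned in the cache is served until the TTL forces re-validation, which is why sensitive attributes bypass the cache entirely and why the TTL should be short for anything access-control decisions depend on.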

Page 14: Virtual Directories: Attack Models and Prevention

Data Transformation Attacks

[Diagram: Directory Servers → Data Transformation on the Virtual Directory Server → Client. Examples shown: "505-555-1212" becomes "(505) 555-1212"; "US Citizen: N" becomes "US Citizen: Y"]

Page 15: Virtual Directories: Attack Models and Prevention

Preventing Data Transformation Attacks

• Protect transformation scripts on the virtual directory server
• Do not allow transformation of sensitive data
• Double-check sensitive data sent to client machines
• Establish consistency checking on transformation scripts
  – Monitor for changes
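The three checkable rules (no transformation of sensitive attributes, integrity monitoring of the script, and a final comparison of sensitive values before they leave) in one transformation layer. This is an added example, not code from the talk; the rule format (a regexp per attribute), the SHA-256 pinning and the attribute name usCitizen are this example's own assumptions, and the sample entry is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Rule rewrites one attribute on its way to the client: a regexp and its replacement.
type Rule struct {
	Attr, Pattern, Replace string
}

// RuleSet is the transformation script as deployed on the virtual directory server.
type RuleSet struct {
	rules     []Rule
	sensitive map[string]bool // attributes that must reach the client exactly as stored
	pinned    string          // SHA-256 of the rules as approved at deployment time
}

// digest fingerprints a rule list so later edits to the script are detectable.
func digest(rules []Rule) string {
	h := sha256.New()
	for _, r := range rules {
		fmt.Fprintf(h, "%s\x00%s\x00%s\n", r.Attr, r.Pattern, r.Replace)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewRuleSet refuses any rule that touches a sensitive attribute and pins the
// digest of the accepted rules.
func NewRuleSet(rules []Rule, sensitive ...string) (*RuleSet, error) {
	s := map[string]bool{}
	for _, a := range sensitive {
		s[a] = true
	}
	for _, r := range rules {
		if s[r.Attr] {
			return nil, fmt.Errorf("rule on sensitive attribute %q rejected", r.Attr)
		}
		if _, err := regexp.Compile(r.Pattern); err != nil {
			return nil, err
		}
	}
	return &RuleSet{rules: rules, sensitive: s, pinned: digest(rules)}, nil
}

// Apply transforms a stored entry for delivery. It fails closed if the script
// has changed since approval or if a sensitive value would leave altered.
func (rs *RuleSet) Apply(src map[string]string) (map[string]string, error) {
	if d := digest(rs.rules); d != rs.pinned {
		return nil, fmt.Errorf("transformation script modified: %s != %s", d[:8], rs.pinned[:8])
	}
	out := map[string]string{}
	for k, v := range src {
		out[k] = v
	}
	for _, r := range rs.rules {
		if v, ok := out[r.Attr]; ok {
			out[r.Attr] = regexp.MustCompile(r.Pattern).ReplaceAllString(v, r.Replace)
		}
	}
	for a := range rs.sensitive { // double-check sensitive data before it leaves
		if out[a] != src[a] {
			return nil, fmt.Errorf("sensitive attribute %s altered in transit", a)
		}
	}
	return out, nil
}

func main() {
	rs, err := NewRuleSet([]Rule{{"telephoneNumber", `^1 (\d{3}) (\d{3}) (\d{4})$`, `($1) $2-$3`}}, "usCitizen")
	if err != nil {
		panic(err)
	}
	entry := map[string]string{"cn": "Joe User", "telephoneNumber": "1 505 555 1212", "usCitizen": "N"}
	fmt.Println(rs.Apply(entry))
	// An insider appends a rule that flips citizenship; the pinned digest catches it.
	rs.rules = append(rs.rules, Rule{"usCitizen", "N", "Y"})
	fmt.Println(rs.Apply(entry))
}
```

The digest check and the exit check are deliberately independent: an attacker who can edit the script can usually also edit a stored hash, so the comparison of sensitive values against the source copy is the control that survives a re-pinned digest.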

Page 16: Virtual Directories: Attack Models and Prevention

Network Attacks

[Diagram: the Directory Server shows "Change Detected: Disable Account X", while the Virtual Directory Server still lists Accounts: X, Y, Z; the change has not reached the virtual directory server]


Page 18: Virtual Directories: Attack Models and Prevention

Preventing Network Attacks

• Detect inconsistencies in data stores
• Require consistency checking at standard intervals
• Require consistency checking after network disruption
• Require transactions to be atomic and durable

Page 19: Virtual Directories: Attack Models and Prevention

Data Source Attacks

[Diagram: Authoritative Data Store, Virtual Directory Server and Account Store, linked by Synchronization. The account table appears four times, alternating between two versions that differ only in whether account Z is enabled:]

  Accounts  Enabled        Accounts  Enabled
  X         Y              X         Y
  Y         Y              Y         Y
  Z         N              Z         Y

Page 20: Virtual Directories: Attack Models and Prevention

Preventing Data Source Attacks

• Protect authoritative data sources
• Monitor sensitive data modifications
• Protect sensitive data
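One consistency-checking routine serves both the network attack (Page 18: a "disable account" change lost between the directory server and the virtual directory) and the data source attack (Page 20: an enabled flag altered in a non-authoritative account store). This is an added example, not code from the talk: the stores are the constructed Accounts/Enabled tables from the slides, the synchronization channel is modelled as a batch of Change events, and the audit trail is a plain string slice standing in for whatever the real monitoring pipeline is.

```go
package main

import (
	"fmt"
	"sort"
)

// Store maps an account name to its enabled flag, as in the slide's Accounts/Enabled tables.
type Store map[string]bool

// Change is one event the authoritative store publishes to the synchronization channel.
type Change struct {
	Account string
	Enabled bool
}

// Audit collects one line per modification of the sensitive "enabled" attribute.
type Audit []string

// Apply commits a batch of changes to the replica all-or-nothing: the batch is
// validated first so a failure part-way cannot leave the replica half-updated.
func Apply(replica Store, batch []Change, audit *Audit, origin string) error {
	for _, c := range batch {
		if _, ok := replica[c.Account]; !ok {
			return fmt.Errorf("%s: unknown account %q, batch rejected", origin, c.Account)
		}
	}
	for _, c := range batch {
		if replica[c.Account] != c.Enabled {
			*audit = append(*audit, fmt.Sprintf("%s: %s enabled %v -> %v", origin, c.Account, replica[c.Account], c.Enabled))
			replica[c.Account] = c.Enabled
		}
	}
	return nil
}

// Drift lists the accounts on which the replica disagrees with the authoritative store.
func Drift(auth, replica Store) []string {
	var out []string
	for acct, en := range auth {
		if r, ok := replica[acct]; !ok || r != en {
			out = append(out, acct)
		}
	}
	for acct := range replica {
		if _, ok := auth[acct]; !ok {
			out = append(out, acct)
		}
	}
	sort.Strings(out)
	return out
}

// Reconcile repairs the replica from the authoritative store, never the reverse,
// so a tampered replica cannot be synchronized back into the source of truth.
func Reconcile(auth, replica Store, audit *Audit) []string {
	drift := Drift(auth, replica)
	for _, acct := range drift {
		en, ok := auth[acct]
		if !ok {
			*audit = append(*audit, fmt.Sprintf("reconcile: %s not in authoritative store, removed", acct))
			delete(replica, acct)
			continue
		}
		*audit = append(*audit, fmt.Sprintf("reconcile: %s enabled %v -> %v", acct, replica[acct], en))
		replica[acct] = en
	}
	return drift
}

func main() {
	auth := Store{"X": true, "Y": true, "Z": true}
	replica := Store{"X": true, "Y": true, "Z": true} // the VDS-side account store
	var audit Audit

	// A batch containing an account the replica does not know is rejected as a whole.
	fmt.Println(Apply(replica, []Change{{"Z", false}, {"Q", true}}, &audit, "sync"))
	// Meanwhile the authoritative store disabled Z, but that change never arrived.
	auth["Z"] = false
	fmt.Println("drift after disruption:", Drift(auth, replica))
	fmt.Println("repaired:", Reconcile(auth, replica, &audit))
	replica["Z"] = true // an insider re-enables Z directly in the account store
	fmt.Println("drift after tampering:", Reconcile(auth, replica, &audit))
	for _, line := range audit {
		fmt.Println(line)
	}
}
```

Run Drift on a schedule and immediately after any sync-channel outage; the direction of Reconcile is the whole point of "protect authoritative data sources", since a bidirectional sync would carry the insider's change back into the authority.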

Page 21: Virtual Directories: Attack Models and Prevention

Protecting Sensitive Directory Information

Personal Virtual Directory Service

Page 22: Virtual Directories: Attack Models and Prevention

Protecting and Delegating Access

• New approach

• S – symmetric data encryption key
• Krw / K'rw – public/private key pair for signing data
• Kux – public key of data user x
• Ko / K'o – data owner public/private key pair
• IDo – data owner identifier

[The slide's protected-record formula did not survive extraction. What remains shows a concatenation ("||") of terms built from the symbols above: the data encrypted under S, ID_o, and terms under K_o, K'_rw and per-user keys K_u1, K_u2, ...]
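The slide names the keys but its formula is lost in this transcript, so the following is an added example of the protect/delegate/read cycle those keys imply, not the PVDS implementation from the talk. It instantiates the scheme with primitives the slide does not specify (AES-256-GCM under S, RSA-OAEP to wrap S under K_o and each K_u, Ed25519 for K_rw/K'_rw), uses made-up user names and a constructed attribute value, and the record layout (OwnerID, Nonce, Data, Sig, WrappedS) is this example's own. K_rw is passed to the reader out of band rather than stored in the record, so an attacker who can rewrite the record cannot also substitute the verification key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Protected is what the directory stores in place of a sensitive attribute value.
type Protected struct {
	OwnerID  string            // ID_o
	Nonce    []byte            // AES-GCM nonce
	Data     []byte            // {data}_S, with ID_o bound as associated data
	Sig      []byte            // signature over OwnerID||Nonce||Data under K'_rw
	WrappedS map[string][]byte // {S}_{K_u} for each authorised user, keyed by user name
}

func (p *Protected) signedBytes() []byte {
	return append(append([]byte(p.OwnerID), p.Nonce...), p.Data...)
}

func gcmFor(s []byte) cipher.AEAD {
	block, _ := aes.NewCipher(s) // s is always 32 bytes here, so neither call can fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func wrap(pub *rsa.PublicKey, s []byte, ownerID string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s, []byte(ownerID))
}

func unwrap(priv *rsa.PrivateKey, w []byte, ownerID string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(ownerID))
}

// Protect encrypts value under a fresh symmetric key S, signs the result with the
// writer key K'_rw, and wraps S for every public key in users (the owner's K_o included).
func Protect(ownerID string, value []byte, signK ed25519.PrivateKey, users map[string]*rsa.PublicKey) (*Protected, error) {
	buf := make([]byte, 32+12) // S (AES-256 key) followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	s, nonce := buf[:32], buf[32:]
	p := &Protected{OwnerID: ownerID, Nonce: nonce, WrappedS: map[string][]byte{}}
	p.Data = gcmFor(s).Seal(nil, nonce, value, []byte(ownerID))
	p.Sig = ed25519.Sign(signK, p.signedBytes())
	for name, pub := range users {
		w, err := wrap(pub, s, ownerID)
		if err != nil {
			return nil, err
		}
		p.WrappedS[name] = w
	}
	return p, nil
}

// Delegate grants user access by re-wrapping S under their public key; only the holder of K'_o can, and the data is not re-encrypted.
func Delegate(p *Protected, owner string, ownerPriv *rsa.PrivateKey, user string, pub *rsa.PublicKey) error {
	s, err := unwrap(ownerPriv, p.WrappedS[owner], p.OwnerID)
	if err != nil {
		return fmt.Errorf("delegation requires %s's private key", owner)
	}
	w, err := wrap(pub, s, p.OwnerID)
	if err == nil {
		p.WrappedS[user] = w
	}
	return err
}

// Unprotect is the client-side read: verify with K_rw (obtained out of band), unwrap S with the user's K'_u, decrypt.
func Unprotect(p *Protected, verifyK ed25519.PublicKey, user string, priv *rsa.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(verifyK, p.signedBytes(), p.Sig) {
		return nil, fmt.Errorf("signature check failed: record altered or not written with K'_rw")
	}
	w, ok := p.WrappedS[user]
	if !ok {
		return nil, fmt.Errorf("%s's data has not been delegated to %s", p.OwnerID, user)
	}
	s, err := unwrap(priv, w, p.OwnerID)
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap S with this private key", user)
	}
	return gcmFor(s).Open(nil, p.Nonce, p.Data, []byte(p.OwnerID))
}

func main() {
	ownerK, _ := rsa.GenerateKey(rand.Reader, 2048)     // K_o / K'_o
	bobK, _ := rsa.GenerateKey(rand.Reader, 2048)       // K_u1 / K'_u1
	krw, krwPriv, _ := ed25519.GenerateKey(rand.Reader) // K_rw / K'_rw
	p, _ := Protect("joe", []byte("usCitizen: N"), krwPriv, map[string]*rsa.PublicKey{"joe": &ownerK.PublicKey})
	fmt.Println(Unprotect(p, krw, "bob", bobK)) // not yet delegated
	fmt.Println(Delegate(p, "joe", ownerK, "bob", &bobK.PublicKey))
	fmt.Println(Unprotect(p, krw, "bob", bobK)) // readable after delegation
}
```

This is what lets the directory itself stay untrusted for confidentiality: the VDS stores and serves Protected records without ever holding S or any private key, and delegation is a per-user re-wrap of S rather than a re-encryption of the attribute.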

Page 23: Virtual Directories: Attack Models and Prevention

Personal Virtual Directory Service Components

Page 24: Virtual Directories: Attack Models and Prevention

Advantages of PVDS

• Uses existing key management infrastructure
• Little client modification
• No user-based key protection
• Directory independent
  – Can be extended to protect databases as well
• Performance impact largely confined to clients utilizing PVDS capabilities

Page 25: Virtual Directories: Attack Models and Prevention

Future Directions

• Implement attack models to determine feasibility
• Explore attacks on various VDS implementations
• Identify additional attacks on virtual directory servers
• PVDS
  – Reduce the impact of working with encrypted attributes
  – Analyze impact to different types of data sources
  – Consider how security policies may conflict with using a virtual directory to manage security
  – Usability studies

Page 26: Virtual Directories: Attack Models and Prevention

Questions

http://www.sandia.gov

[email protected]