UNIVERSITY OF CALIFORNIA, SAN DIEGO A Model of Forensic Analysis Using Goal-Oriented Logging A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Computer Science by Sean Philip Peisert Committee in charge: Professor Sidney Karin, Chair Professor Matthew A. Bishop Professor Roger E. Bohn Professor Larry Carter Professor Keith Marzullo Professor Stefan Savage 2007 UMI Number: 3246091 Copyright 2007 by Peisert, Sean Philip All rights reserved. UMI Microform 3246091 Copyright 2007 by ProQuest Information and Learning Company.
All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code. ProQuest Information and Learning Company 300 North Zeeb Road P. Box 1346 Ann Arbor, MI 48106-1346 Copyright Sean Philip Peisert, 2007 All rights reserved.
The dissertation of Sean Philip Peisert is approved, and it is acceptable in quality and form for publication on microfilm: Chair University of California, San Diego 2007 iii For Kathryn — my wife, my inspiration, my everything. And for my parents, who gave me what I needed to get here. iv Sherlock Holmes: “It is an old maxim of mine which states that once you have eliminated the impossible, whatever remains, however improbable, must be the truth.” —Sir Arthur Conan Doyle, “The Sign of the Four,” Lippincott’s Monthly Magazine (1890) deduce (verb): draw as a logical conclusion New Oxford American Dictionary, Second Edition (2005) logic (noun): The art of thinking and reasoning in strict accordance with the limitations and incapacities of human misunderstanding. —Ambrose Bierce, The Devil’s Dictionary (1911) v TABLE OF CONTENTS Signature Page.
v Table of Contents. vi List of Tables. ix List of Figures. xiii Vita, Publications, and Fields of Study.
Organization of the Dissertation. 8 3 A Method of Forensic Analysis Using Sequences of Function Calls. Experiments and Results. Conclusions on Forensics Using Sequences of Function Calls.
30 4 Toward Forensic Models. Principles of Forensic Analysis. Current Problems with Forensics. Principle 1: Consider the Entire System.
Principle 2: Log Information without Regard to Assumptions. Principle 3: Consider the Effects, Not Just the Actions. Principle 4: Consider Context to Assist in Understanding. Principle 5: Present and Process Actions and Results in an Understandable Way 41 6.
Summary of Current Problems with Forensics. Principles-Driven Solutions. Principles-Driven Logging. Principles-Driven Auditing.
Summary of Principles-Driven Solutions. From Principles to Models. Qualities for a Forensic Model. 50 vi 5 Laocoön: The Forensic Model.
Introduction to Our Approach. Choosing Intruder Goals to Model. Modeling Intruder Goals. Extracting and Interpreting Logged Data.
Unique Path Identifier. Proving the Model. 71 6 Examples of Using Laocoön. Obtaining a Root Shell.
Modify /etc/passwd (e. via lpr bug). via search path modification). Bypassing Standard Interfaces (e.
via utmp bug). Inconsistent Parameter Validation (e. with chsh or chfn). Shared Memory Code Injection.
The 1988 Internet Worm. Christma Exec Worm. Summary of Examples. 114 7 Implementation, Experiments, and Results.
Obtaining a Local Root Shell. Spyware via a Trojaned sshd. Modify /etc/passwd via lpr bug. Avoid Authentication in su.
Trojan Horse to gain root. Bypassing Standard Interfaces. Summary of Experiments. 124 8 Taking Laocoön from a Model to a System.
Our Model in Practice. Issues with Instrumentation. Issues with Logging. Issues with Forensic Analysis.
Issues with Construction. Policy Discovery and Compilation. Overview of the Approach. Applying Policies to Systems and Sites.
Reverse-Engineering Policies. Software/Hardware Issues. Sufficiency and Necessity in the Forensic Model. Applying Forensic Techniques to Intrusion Detection.
156 viii LIST OF TABLES Table 5.3 Service Property Types. 59 ix LIST OF FIGURES Figure 1.1 Diagram of possible measures of utility based on different data collected. (c) represents our goal, by using a model of forensics, in this dissertation.2 Diagram of a generic attack where circles represent actions. An attack model almost always consists of at least the endpoint (d), but may also include the beginnings (a) and possibly other states near the end (c).1 Unique and different numbers of function call sequences in the original version of su, and the version with pam authenticate removed.2 Number of function call sequences appearing only in the original version of su, and the version modified to ignore the results of pam authenticate.3 Number of function call sequences appearing only in the original version of ssh, and the version modified to echo the password back.4 Difference in number of function call sequences in original version of ssh, and the version modified to send the captured password over a network socket.1 Diagram of a generic attack where circles represent actions.
An attack model almost always consists of at least the endpoint (d), but may also include the beginnings (a) and possibly other states near the end (c).2 A coordinated, multi-stage attack. (a) represents a dual-pronged, co- ordinated beginning of the attack, (b) represents the beginnings of two individual components of the attacks, (c) represents the “ultimate goals” of each individual attack, and (d) represents the ultimate goal of the entire attack.3 Algorithm for placing bounds on the unknown goals in an attack graph.4 Algorithm for extracting the information necessary to log from an entire attack graph.5 An attack graph where circles represent known goals that can be described in advance and squares represent unknown exploits, which cannot.6 Algorithm for applying the λ function on a specific sub-goal.1 Diagram of a remote attack, exploiting a network program to obtain a root shell. (a) represents the remote connection. (b) represents the exploit that occurs to obtain the shell.
In an experiment that we show later, this is a buffer overflow, but it could be many different things. Hence, we do not model this directly. (c) represents executing the root shell.2 Diagram of spyware capturing a password and sending it over a network. (a) represents the capturing of the password.
(b) represents sending the password around the machine to another program. We do not know the mechanism used to do this, hence, we do not model this directly. (c) represents sending the password over the network.3 Diagram of re-writing a privileged file by exploiting multiple bugs in the UNIX program lpr.4 The attack graph used by the Internet Worm .5 The attack graph used by the Christma Exec Worm .6 Attack graphs for two possible classes of NFS exploits.1 Diagrams of two attack graphs, before and after path elimination has been applied. 130 xi PREFACE While Sherlock Holmes was not a doctor, Conan Doyle had based Holmes’s method as a detective upon one of his former professors of medicine at Edinburgh University, Dr.
Joseph Bell, whose powers of observation and deduction had made him a wizard at diagnosis. With the exception of Edgar Allan Poe’s pioneering stories about Auguste Dupin of Paris, Dr. Conan Doyle recalled many years later, most contemporary fictional detectives produced their results by chance or luck. Dissatisfied with that, he had decided, he said, to create a detective who would treat crime as Dr.
Bell had treated disease. This meant, in short, the application of scientific method to crime detection. That was a novel concept in 1887, to be sure, but it worked, first in fiction and then in practice, with life imitating art as it so often does when the art in question is a work of genius. As a detective in a scientific sense, Holmes always wants to know and looks for the physical evidence; he made himself a master at observing and analyzing physical evidence that the police and other detectives overlook or fail to recognize at all.
By his innate but also rigorously trained powers of deduction, he is able to reason backwards from this evidence to reconstruct the crime and delineate the physical attributes of the perpetrator. Holmes pays little attention to the psychology of crime. 1 This passage describes a 120-year-old methodology for analyzing crime successfully, that started as fiction and became reality. Amazingly, these words still apply today to computer forensic analysis.
However, until now, computer forensic analysis has largely been performed in the same way that Holmes’s fictional predecessors, and Scotland Yard’s real predecessors, performed forensic analysis: by chance or luck. Sometimes, chance and luck are enough. However, it is no coincidence that the most famous pieces of computer detective work have been performed by unusually brilliant computer analysts, such as Bill Cheswick [Che92], Cliff Stoll [Sto88, Sto89], and Tsutomu Shimomura [Shi95, SM96, Shi97]. But there are more attacks and attackers in the world than genius cyberdetectives available to analyze those attacks.
It will always help to be a a genius cyberdetective to analyze computer crime, and even for them, luck will never hurt. However, our goal is to change the level to which one must rely on these things by using a rigorous method of analyzing facts rather than relying on luck, chance, or what we think we might know about an intruder’s abilities, psychology, or motives. In this way, even the non-genius cyberdetective has a little more of a chance of getting things right. In this dissertation, we describe the year 2007 application of these year 1887 ideas.
1 See the afterword (“Dr. ”) by Jon Lellenberg, in [Car05]. xii ACKNOWLEDGEMENTS Many people have given me generous support and encouragement during my life, my time as a Ph. student, and during the process of writing this dissertation.
I would like to thank my advisors, teachers, mentors, and coaches — Sid Karin, Matt Bishop, Larry Carter, and Keith Marzullo. They have guided me through a series of steps in my life and my work that I could not have made it through without them — and have become friends in the process. In the best way that I can, I hope to live up to the gifts that they have given me. The advice from my entire dissertation committee has been interesting and valuable.
I appreciate their interest, support, and guidance, and I hope to have the opportunity to continue to interact with all of them in the future. Special thanks to Becky Bace, Martha Dennis, Drew Gross, Tsutomu Shimomura, Abe Singer, and Kevin Walsh, who all gave me support at important times and in important ways, and who also taught me new ways to think about academia, careers, and computer security. I wish to thank Robert S. Cohn and Steven Wallace at Intel for their enhancements to the FreeBSD version of the dynamic, binary instrumentation tool, Pin, which greatly helped my research on forensic analysis using sequences of function calls.
Finally, I would like to thank my patient and wonderful wife, Kathryn (who also copy- edited this entire dissertation); my closest friends, Aaron, Greg, Kent, Laura, Noah, PJ, and Stephen; and all of my family, who have all given me support throughout my life, have helped to make this possible, and have ultimately made the end result mean much more than just obtaining a degree. This material is based on work sponsored in part by: the Air Force Research Laboratory under Contract F30602-03-C-0075, a Lockheed-Martin Information Assurance Technology Focus Group 2005 University Grant, and award ANI-0330634, “Integrative Testing of Grid Software and Grid Environments,” from the National Science Foundation. The following papers, which have been previously published or are currently in submis- sion, are reprinted in this dissertation with the full permission of all co-authors of the papers: • In Chapter 3: “Analysis of Computer Intrusions Using Sequences of Function Calls,” Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, conditionally accepted with minor revisions by IEEE Transactions on Dependable and Secure Computing (TDSC), January 2007. • In Chapter 4: “Principles-Driven Forensic Analysis,” Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, in Proceedings of the 2005 New Security Paradigms Workshop (NSPW), pp.
85–93, Lake Arrowhead, CA, October 2005.