Ultimate Security Hardening with Multi-level Application Whitelisting
Ares Cho, Chuan-Yu
Information and Communications Research Laboratory
Industrial Technology Research Institute (ITRI)
Total Staff: 6,146
Ph.D.: 1,418
Master: 3,618
Alumni: 25,006
Total Patents: 27,606
Spin-offs: 273
144 CEOs
Industry Services (2018)
Service Cases: 17,939
Tech Transfer Cases: 614
ITRI International Center
Office of Strategy and R&D Planning
Office of Marketing Communications
ITRI College
Technology Transfer and Law Center
ITRI Central Region Campus
ITRI
Industrial Economics and Knowledge Center
Computational Intelligence Technology Center
Display Technology Center
Service Systems Technology Center
Smart Microsystems Technology Center
Information and Communications Research Laboratories
Electronics and Optoelectronics Research Laboratories
Mechanical and Mechatronics Systems Research
Material and Chemical Research Laboratories
Biomedical Technology and Device Research Laboratories
Green Energy and Environment Research Laboratories
Administrative Service Center
Accounting Resource Center
IT Service and Development Center
Human Resources Office
Commercialization and Industry Service Center
Intelligent Machinery Technology Center
ITRI Southern Region Campus
Laser and Additive Manufacturing Technology Center
Center for Measurement Standards
ITRI Organization
ICL’s Organization Chart
• Overview: 1000+ employees, $115M+ USD in revenue
• Communications
▪ Division for Broadband Networks and System Integration Technology (K): 5G: Ultra Dense Network
▪ Division for Emerging Wireless Applications Technology (M): 5G: mmWave & massive MIMO
▪ Division for Video & Multimedia Communications Technology (V): 5G: D2D and moving network
▪ Division for Telematics & Vehicular Control System (U): DSRC/wave, Sub systems for Autonomous Driving,
• Information
▪ Division for Application-oriented Core Information Technology (E): Drone, Public safety technology
▪ Division for Data Center Systems Software (F): Cyber Security, Edge Computing, ITRI Cloud OS/Openstack
▪ Division for IoT Innovated Technologies and Services (N): Fintech, IoT
▪ Division for Digital Manufacturing (T): Industry 4.0
▪ Division for Data Center System Architecture and Operation (X): AI Appliance, Network function virtualization
• Integrated Circuit
▪ Division for Embedded System and SoC Technology (D): Smartphone OS, ESL
▪ Division for Biomedical and Industrial IC Technology (R): Energy harvesting, ULV
▪ Division for Design Automation Technology (S): Photon-counting Lidar, 3D IC
Cyber Security Research Directions in ITRI/ICL
Smartphone Virtualization
Android Container
Virtual Mobile Infrastructure
Automated Cyber Offense / Defense
Auto Penetration Testing Tools
Software Bug Testing, Exploitation, Fingerprinting and Patching
Security Hardening with Multi-level Application Whitelisting
Windows Application Whitelisting
SELinux / SMAC for Autonomous Driving/IoT/IIoT Security
First Multi-mode Virtualized Smartphone
2016 Virtualized ASUS ZenFone 2 (VM based)
github.com/clondroid
Android Container on Google Pixel
Virtual Mobility Infrastructure
ARM Cluster Server Google Pixel
Automated Cyber Offense / Defense
• Goal: DARPA seeks ways to create automatic mechanisms for analyzing bugs, and for formulating and deploying patches and attacks in real time.
• Result: Seven teams competed in August 2016, and the champion team, ForAllSecure, led by David Brumley from CMU, took home a $2M award.
• Problem: Once a bug is announced,
▪ Bad guys: bug → attack
▪ Good guys: bug → patch → patch application
▪ Bad guys tend to act more quickly than good guys
Auto Penetration Testing Tools
Reconnaissance
1. Fingerprinting (ex. NMAP)
2. Crawling potential testing entry points (ex. CAPTCHA, Login credential, Subdomain, Java script, Flash, …)
▪ Testing entry point crawler: SubQueryDomain, URL crawler, Ajax, Field autofill, Javascript
▪ Fingerprinting: OS ver, Application, API, …
Exploitation
1. Testing inputs (ex. Open source, derived from known CVEs, Fuzzing, Symbolic Execution)
2. Testing Tools (metasploit, SQLMAP, W3AF, Application Specific PT Tools…)
▪ Open Available test cases
▪ Vendor/Domain specific test cases
▪ Open Source Security Tools: NMAP Brute script, HYDRA, AFL, Angr
Report
1. Log trace
2. Evidence Preserving
3. Risk Analysis
▪ Vulnerability information & evidence in text log and/or screenshots
Fuzzing and Symbolic Execution
• Fuzzing
▪ Good at finding solutions for general inputs
▪ Monitors program for crashes
• Symbolic Execution
▪ Good at finding solutions for specific inputs
▪ Checks each state for safety violations: symbolic program counter, writes/reads from symbolic address
Security challenges in the IoT era
• Personal Computer → Networking → Internet → Mobile Network → IoT
Phishing → Target Ransom Self Interspersing → Zombie Attack
Objects: Large scale, Automated Exploit and Defense
People: Target Attack, Social Engineering
Defense without knowledge of hacking/exploitation techniques
To seal all doors and windows with strict “firewall” rules
Restrict Area
To add on internal locks
• Resource Privilege Control
• Continuous Monitoring
• Event Alarms → Security Center
A General Purpose OS (House): Any app (anyone) can live in
How to Exploit a Vulnerability
• Attacker’s objective: get a program into the victim’s computer
• Example: Drive-by download, in which an email contains a link that points to a page whose content exploits a vulnerability of a browser
Network-Facing Application
1. Vulnerability
2. Shell Code
3. Malware
4. Run
5. Cause Damage
How to Stop a Vulnerability-Exploiting Attack
Network-Facing Application
1. Software Has No Vulnerability
2. Shell Code Can’t Run
3. Can’t Download Malware
4. Malware Can’t Run
5. Detect Damage Made
Many AI-based or anomaly detection-based cyber security solutions are here
Security Information and Event Management (SIEM)
How to Stop a Vulnerability-Exploiting Attack
• Blacklist
• Whitelist
How to Stop a Vulnerability-Exploiting Attack
PAID, Control Flow Integrity
Program Semantics-Aware Intrusion Detection
• Objective: A program is only allowed to make system calls at run time in a way specified by its code: which calls, where and in what order
[Figure: PAID architecture. Compile time: Application Source Code, PAID Compiler, Call Site Flow Graph, Application Binary Code. Run time: application in user space, System Call Pattern Checker in the kernel. Example system call sequences: S11, S8, S92, S13, … and S11, S8, S76, S21, …]
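An added example, not code from PAID or from the original slides, of the run-time check described above: each observed system call is validated for where it came from, which call it is, and whether it may follow the previous one. The graph, the x86-64 Linux syscall numbers attached to the slide's S-labels, and the traces are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
enum verdict { PASS, BAD_SITE, BAD_CALL, BAD_ORDER };
struct site  { int id, sysno; };   /* call site and the one syscall it makes */
struct edge  { int from, to; };    /* site `to` may directly follow `from` */
struct event { int site, sysno; }; /* what the kernel-side checker observes */
#define ENTRY 0                    /* pseudo-site: before the first syscall */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
/* Constructed model (assumption): open at S11, read at S8, write at S92,
 * close at S13, looping from S92 back to S8. Numbers are x86-64 Linux. */
static const struct site sites[] = { {11, 2}, {8, 0}, {92, 1}, {13, 3} };
static const struct edge edges[] = { {ENTRY,11}, {11,8}, {8,92}, {92,8}, {92,13} };
/* Checks one event against the model: where, then which call, then order. */
static enum verdict check_event(int state, struct event ev)
{
    const struct site *s = NULL;
    for (size_t i = 0; i < LEN(sites); i++)
        if (sites[i].id == ev.site) s = &sites[i];
    if (!s) return BAD_SITE;
    if (s->sysno != ev.sysno) return BAD_CALL;
    for (size_t i = 0; i < LEN(edges); i++)
        if (edges[i].from == state && edges[i].to == ev.site) return PASS;
    return BAD_ORDER;
}

/* Replays a trace; returns PASS, or the first violation with its index in *at. */
enum verdict check_trace(const struct event *t, size_t n, size_t *at)
{
    int state = ENTRY;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_event(state, t[i]);
        if (v != PASS) { *at = i; return v; }
        state = t[i].site;
    }
    return PASS;
}

/* Constructed traces; the last three each break one property. */
const struct event TRACE_OK[]    = { {11, 2}, {8, 0}, {92, 1}, {13, 3} };
const struct event TRACE_SITE[]  = { {11, 2}, {8, 0}, {76, 1}, {21, 3} };
const struct event TRACE_CALL[]  = { {11, 2}, {8, 59} };  /* 59 = execve */
const struct event TRACE_ORDER[] = { {11, 2}, {92, 1} };  /* skips the read */

int main(void)
{
    size_t at = 0;
    enum verdict v = check_trace(TRACE_SITE, 4, &at);
    return printf("verdict=%d at=%zu\n", v, at) < 0;
}
```

A production checker would also have to model branches inside called functions and authenticate the call site the kernel sees; this sketch covers only the sequence check.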
Control Flow Integrity Assurance
• Objective: A program’s execution follows its control flow graph
• Why?
▪ Code injection attack is getting harder
▪ Code reuse attack is on the rise
  • Return to libc
  • Return-oriented programming (ROP)
• Enforcement of control flow integrity
▪ Compile time: compute the control flow graph and targets of indirect jumps/calls
▪ Run time: check the actual targets of indirect jumps/calls are the same as those computed at compile time
Attack?
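An added example, not from the original slides or any particular CFI implementation, of the compile-time/run-time split above for forward-edge indirect calls: each call site gets its own set of legal targets, and the check runs before control is transferred. The function names, site ids and target sets are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);
enum site { SITE_MATH, SITE_LOG, NSITES };  /* two indirect call sites */
#define MAX_TARGETS 4
#define CFI_VIOLATION (-1)

static int do_double(int x) { return 2 * x; }
static int do_negate(int x) { return -x; }
static int do_log(int x)    { return x; }
/* In the binary, but never a legal target of either call site. */
static int do_admin(int x)  { (void)x; return 9999; }

/* Per-site target sets, as a compile-time pass would emit them from the
 * control flow graph (constructed by hand here). Unused slots stay NULL. */
static const handler_fn targets[NSITES][MAX_TARGETS] = {
    [SITE_MATH] = { do_double, do_negate },
    [SITE_LOG]  = { do_log },
};

static int target_allowed(enum site s, handler_fn fn)
{
    if (fn == NULL || (unsigned)s >= NSITES)
        return 0;                 /* NULL padding must never match */
    for (size_t i = 0; i < MAX_TARGETS && targets[s][i] != NULL; i++)
        if (targets[s][i] == fn)
            return 1;
    return 0;
}

/* Instrumented indirect call: the run-time check precedes the transfer.
 * A real CFI runtime aborts the process; this returns an error instead. */
int checked_call(enum site s, handler_fn fn, int arg, int *out)
{
    if (!target_allowed(s, fn))
        return CFI_VIOLATION;
    *out = fn(arg);
    return 0;
}

int main(void)
{
    int out = 0;
    printf("%d\n", checked_call(SITE_MATH, do_double, 21, &out)); /* allowed */
    printf("%d\n", checked_call(SITE_MATH, do_log, 21, &out));    /* wrong site */
    printf("%d\n", checked_call(SITE_MATH, do_admin, 21, &out));  /* never legal */
    return 0;
}
```

Return addresses (the backward edge used by return-to-libc and ROP) need a separate mechanism such as a shadow stack; this sketch covers only indirect calls.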
Multi-level Application Whitelisting
Restrict Area
Multi-level Application Whitelisting
• Application Executable
• DLL, Static Libraries
• Scripts
• System call trace
• Program integrity
• Network behavior analysis
• Anomaly detection
Cloud
Edge/Gateway
Smart Sensor
Physical Facilities
Internet/Mobile
Local Network
Summary
• Security Hardening can be done without knowledge of hacking/exploiting techniques
• Access Control, Application Whitelisting, Program Integrity and Network Micro-segmentation together form a multi-level defense
• “Prevention is always better than cure”
• Security has to be managed from the beginning
→ Security requirements to product/solution supply chain partners
• Automation is the key to success