USC CSCI 530 - 3.31

This preview shows page 1-2 out of 7 pages.


4/1/11

• Researchers subverted a botnet's command and control infrastructure (proxy bots)
  o Modified its spam messages to point to the Web server under researcher control
    • That server mimicked the original Web page from the spam emails
  o A pharmacy site
  o A greeting card download site

"Spamalytics: An Empirical Analysis of Spam Marketing Conversion", C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage, ACM CCS 2009

• How many spam emails reach recipients: open a few email accounts themselves and append them to email delivery lists in spam messages
• How many emails result in Web page visits
  o Must filter out defense accesses
• How many users actually buy advertised products or download software
  o No "sale" is finalized
• Ethical issues abound

http://www.shadowserver.org
http://www.honeynet.org/papers/bots/
http://www.honeynet.org/papers/ff

• Can't protect applications from within themselves
  o Exploits can turn off defenses
• Can't protect the OS from within itself
  o Exploits can turn off defenses
  o Rootkits can hide any sabotage from users
• May not be able to trust users
  o They may be uninformed
  o They may be malicious – OK for their computer but risk for the others they communicate with
  o Digital rights management issues

• Attestation
  o Means of assuring someone (user, remote computer) of the system's trustworthy status
    • Usually means authentic/approved apps
  o Root of trust needed to store keys
  o Trusted path (allows user to have confidence in the system)
  o Chain of trust (like for certificate authorities)
• Separation
  o Secure storage (data/keys)
  o Protection of processes
• The rest is policy
  o That's the hard and controversial part

• We need a "trusted path"
  o For user to communicate with a domain that is trustworthy.
    • Usually initiated by escape sequence that application cannot intercept: e.g. CTL-ALT-DEL
  o Could be direct interface to trusted device:
    • Display and keypad on smartcard
• We need a "trusted path" across the network.
• Provides authentication of the software components with which one communicates

• Clearer delineation of security domains
  o We can run untrusted programs safely
    • Run in domain with no access to sensitive resources
      • Such as most of your filesystem
    • Requests to resources require mediation by TCB (trusted computing base), with possible queries to the user through trusted path.

• Why are we so vulnerable to malicious code today?
  o Running programs have full access to system files
  o Why? NTFS and XP provide separation
    • But many applications won't install, or even run, unless users have administrator access
  o So we run in "System High"

• Users don't have administrator access even on their own laptops
  o This keeps end users from installing their own software, and keeps IT staff in control
  o IT staff select only software for end users that will run without administrator privileges
  o But systems still vulnerable to exploits in programs that cause access to private data
  o Effects of "Plugins" can persist across sessions

• But, what if programs were accompanied by third party certificates that said what they should be able to access?
  o IT department can issue the certificates for new applications
  o Access beyond what is expected results in system dialogue with user over the trusted path

• Butler Lampson of Microsoft and MIT suggests we need two computers (or two domains within our computers)
  o Red network provides for open interaction with anyone, and low confidence in who we talk with
  o We are prepared to reload from scratch and lose our state in the red system
• The Green system is the one where we store our important information, and from which we communicate to our banks, and perform other sensitive functions
  o The Green network provides high accountability, no anonymity, and we are safe because of the accountability
  o But this green system requires professional administration
  o A breach anywhere destroys the accountability for all

• But what if we could define these systems on an application by application basis
  o There must be a barrier to creating new virtual systems, so that users don't become accustomed to clicking "OK"
  o But once created, the TCB prevents the unauthorized retrieval of information from outside this virtual system, or the import of untrusted code into this system
  o Question is who sets the rules for information flow, and do we allow overrides (to allow the creation of third party applications that do need access to the information so protected)

• I might have my financial virtual system. When asked for financially sensitive data, I hit CTL-ALT-DEL to see which virtual system is asking for the data
• I create a new virtual system from trusted media provided by my bank
• I can add applications, like Quicken, and new participants, like my stock broker, to a virtual system only if they have credentials signed by a trusted third party.

• Some examples:
  o Open, untrusted, wild Internet
  o My financial virtual system
  o My employer's virtual system
  o Virtual systems for collaborations
    • Virtual Organizations
  o Virtual systems that protect others
    • Might run inside VMs that protect me
• Resolve conflicting policies
  o DRM vs. Privacy, etc.
• Trust must be grounded
  o Hardware support
• How do we trust the
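
The slides' idea of third-party certificates that state what a program should be able to access, with anything beyond that escalated to the user over the trusted path, can be sketched as a small mediation check. This is an added example, not code from the lecture. Assumptions: HMAC with an IT-held key stands in for a real certificate signature, and the names `issue_manifest`, `verify_manifest`, `mediate` and all paths are hypothetical.

```python
import hashlib
import hmac
import json
import posixpath

# Assumption: HMAC with an IT-held key stands in for the public-key signature
# a real third-party certificate would carry. The key is constructed.
IT_KEY = b"constructed-demo-key"

def issue_manifest(app, allowed_prefixes, key=IT_KEY):
    """IT department: state what the application should access, then sign it."""
    body = json.dumps({"app": app, "allow": sorted(allowed_prefixes)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_manifest(manifest, key=IT_KEY):
    """TCB: return the signed claims, or None when the signature does not verify."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return None
    return json.loads(manifest["body"])

def mediate(manifest, path, ask_user):
    """TCB decision for one file request from the application.

    ask_user(app, path) models the dialogue over the trusted path; only the
    TCB invokes it, so the application cannot answer on the user's behalf.
    """
    claims = verify_manifest(manifest)
    if claims is None:
        return "deny"  # unsigned or altered certificate: no access at all
    norm = posixpath.normpath(path)  # collapse ".." before comparing prefixes
    for prefix in claims["allow"]:
        base = prefix.rstrip("/")
        if norm == base or norm.startswith(base + "/"):
            return "allow"  # access the certificate says is expected
    # Beyond what is expected: the user decides, over the trusted path.
    return "allow-once" if ask_user(claims["app"], norm) else "deny"

if __name__ == "__main__":
    m = issue_manifest("quicken", ["/home/u/quicken"])  # constructed sample
    refuse = lambda app, path: False
    for p in ["/home/u/quicken/ledger.qdf", "/home/u/quicken/../.ssh/id_rsa"]:
        print(p, "->", mediate(m, p, refuse))
```

Normalizing the path before the prefix comparison matters: without it, a request written with `..` would appear to sit inside the declared directory and never reach the user.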

