A Security Attack and Defense in the Grid Environment

Abstract

Programs in execution have long been considered to be immutable objects. Object code and libraries are emitted by the compiler, linked and then executed; any changes to the program require revisiting the compile or link steps. In contrast, we consider a running program to be an object that can be examined, instrumented, and re-arranged on the fly. The DynInst API provides a portable library for tool builders to construct tools that operate on a running program. Where previous tools might have required a special compiler, linker, or run-time library, tools based on DynInst can operate directly on unmodified binary programs during execution. I will discuss how this technology can be used to subvert system security and present an interesting scenario for security vulnerability in Grid computing. The example comes from an attack that we made on the Condor distributed scheduling system.

For this attack, we created ”lurker” processes that can be left latent on a host in the Condor pool. These lurker processes lie in wait for subsequent Condor jobs to arrive on the infected host. The lurker then uses Dyninst to attach to the newly-arrived victim job and take control. Once in control, the lurker can cause the victim job to make requests back to its home host, causing it execute almost any system call it would like.

Using techniques similar to those in intrusion detection, I show how to automatically construct a nondeterministic finite automata from the binary code of the Condor job, and use this NFA while the job is executing to check that it is not acting out of character.