Jun Wang
ABSTRACT
Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and summarized by security best practices, yet such solutions require significant manual effort.
We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which is a cross validation), we receive positive feedbacks which show that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plan to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise the awareness of the potential security risks of idling services.
- Bugs: Ubuntu. https://bugs.launchpad.net/ubuntu.Google Scholar
- Common vulnerabilities and exposures. http://cve.mitre.org/cve/.Google Scholar
- Cve vulnerabilities: file with the write mode. http://cve.mitre.org/cgi--bin/cvekey.cgi?keyword=file+write+mode.Google Scholar
- Cve vulnerabilities: remote ports. http://cve.mitre.org/cgi--bin/cvekey.cgi?keyword=remote+port.Google Scholar
- Cve vulnerabilities: unix domain sockets. http://cve.mitre.org/cgi--bin/cvekey.cgi?keyword=unix+domain+socket.Google Scholar
- Guide to network programming. http://beej.us/guide/bgnet/output/html/multipage/advanced.html.Google Scholar
- How to remove geoclue-master? http://ubuntuforums.org/showthread.php?t=1957331.Google Scholar
- The linux audit framework. https://www.suse.com/documentation/sled10/audit_sp1/data/book_sle_audit.html.Google Scholar
- MSDN best practices for security. http://msdn.microsoft.com/en-us/library/ms912889(v=winembedded.5).aspx.Google Scholar
- Securing a linux desktop part 1: removing unwanted services. http://www.ihackforfun.eu/index.php?title=improve-security-by-removing-services&more=1&c=1&tb=1&pb=1.Google Scholar
- Start irqbalance by default? http://ubuntu.5.x6.nabble.com/Start-irqbalance-by-default-td732222.html.Google Scholar
- Survey at penn state university. https://sites.google.com/site/lipzip15/survey.Google Scholar
- System administrator - security best practices. http://www.sans.org/reading-room/whitepapers/bestprac/system-administrator-security-practices-657.Google Scholar
- what is avahi-daemon? http://forums.fedoraforum.org/showthread.php?t=124837.Google Scholar
- What's this at-spi-registryd? https://blogs.oracle.com/jmcp/entry/what_s_this_at_spi.Google Scholar
- D. Chakrabarti, Y. Wang, C. Wang, J. Leskovec, and C. Faloutsos. Epidemic thresholds in real networks. ACM Trans. Inf. Syst. Secur., 2008. Google ScholarDigital Library
- H. Chan, M. Ceyko, and L. Ortiz. Interdependent defense games: Modeling interdependent security under deliberate attacks. In In Proceedings of the Twenty-Eighth Conference on Uncertainty in Artificial Intelligence (UAI), 2012.Google Scholar
- C. Chatfield. The analysis of time series: an introduction. CRC press, 2013.Google Scholar
- A. Frossi, F. Maggi, G. L. Rizzo, and S. Zanero. Selecting and improving system call models for anomaly detection. In DIMVA, 2009. Google ScholarDigital Library
- S. Guha, J. Chandrashekar, N. Taft, and K. Papagiannaki. How healthy are today's enterprise networks? In Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement, IMC '08. Google ScholarDigital Library
- S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. In Journal of Computer Security, 1998. Google ScholarDigital Library
- J. Homer, X. Ou, and D. Schmidt. A sound and practical approach to quantifying security risk in enterprise networks. Technical Report (2009): 1--15, Kansas State University.Google Scholar
- A. P. Kosoresow and S. A. Hofmeyr. Intrusion detection via system call traces. In IEEE Software, '97. Google ScholarDigital Library
- A. Kurmus, R. Tartler, D. Dorneau, B. Heinloth, V. Rothberg, A. Ruprecht, W. Sch Aüder-Preikschat, D. Lohmann, and R. Kapitza. Attack surface metrics and automated compile-time os kernel tailoring. In NDSS 2013.Google Scholar
- K. H. Lee, X. Zhang, and D. Xu. High accuracy attack provenance via binary-based execution partition. In Proceedings of the 2013 Network and Distributed System Security Symposium (NDSS'13).Google Scholar
- F. Maggi, M. Matteucci, and S. Zanero. Detecting intrusions through system call sequence and argument analysis. IEEE Transactions on Dependable and Secure Computing, 2010. Google ScholarDigital Library
- P. K. Manadhata and J. M. Wing. An attack surface metric. In IEEE Transactions on Software Engineering (2011), pages 371--386. Google ScholarDigital Library
- J. Reich, M. Goraczko, A. Kansal, and J. Padhye. Sleepless in seattle no longer. In USENIX Annual Technical Conference (ATC), 2010. Google ScholarDigital Library
- A. Rényi. On measures of entropy and information. In Fourth Berkeley Symposium on Mathematical Statistics and Probability, pages 547--561, 1961.Google Scholar
- R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In IEEE Symposium on Security and Privacy, 2001. Google ScholarDigital Library
- J. Szefer, E. Keller, R. B. Lee, and J. Rexford. Eliminating the hypervisor attack surface for a more secure cloud. CCS, 2011. Google ScholarDigital Library
- H. Vijayakumar, G. Jakka, S. Rueda, J. Schiffman, and T. Jaeger. Integrity walls: Finding attack surfaces from mandatory access control policies. ASIACCS '12. Google ScholarDigital Library
- H. Vijayakumar, J. Schiffman, and T. Jaeger. Sting: Finding name resolution vulnerabilities in programs. In Proceedings of the 21st USENIX Security, 2012. Google ScholarDigital Library
- H. Vijayakumar, J. Schiffman, and T. Jaeger. Process firewalls: Protecting processes during resource access. In Proceedings of the 8th ACM European Conference on Computer Systems (EUROSYS 2013), April 2013. Google ScholarDigital Library
- C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: Alternative data models. In IEEE Symposium on Security and Privacy, 1999.Google ScholarCross Ref
- Q. Zeng, J. Rhee, H. Zhang, N. Arora, G. Jiang, and P. Liu. Deltapath: Precise and scalable calling context encoding. In Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, New York, NY, USA, 2014. Google ScholarDigital Library
Index Terms
- Discover and Tame Long-running Idling Processes in Enterprise Systems
Recommendations
Enterprise Systems: Curriculum design and assessment
We present a curriculum that prepares students for supporting large Enterprise Information Systems (EIS). EIS is best explained through the evolution of Enterprise Resource Planning (ERP). These systems evolved over the last years driven by (1) changing ...
Building an E-Business from Enterprise Systems
Building their companies into successful e-businesses has become an important objective for today’s enterprises. Conceptually, it embodies the enabling of the business with such capabilities as global networking, streamlining business processes, sharing ...
Enterprise Collaborative Business Systems Based on Web Services Technology
ICEE '10: Proceedings of the 2010 International Conference on E-Business and E-GovernmentEnterprise collaborative business systems utilize the technical methods to make the information between heterogeneous systems exchanging the information and sharing the resources. Compared with the traditional integration methods, the use of Web ...
Comments