Audit Counter-measures Outline

Brant Hashii, Chris Wee

  1. Introduction
    1. Intrusion detection relys on audit logs
    2. Can audit logs be trusted?
      1. If super-user is trusted?
      2. If super-user is not trusted?
    3. Goals of subverting audit logs
      1. hide the perpetrator
      2. hide other details of the attack
      3. hide the attack itself
  2. Scenarios
    1. Physically damage or steal machine. The baseball bat approach.
    2. Stick code for misuse in a macro virus. Blame it on the virus. This runs on the assumption that the punishment for being stupid is less than the punishment for being evil. In some environments users are separated from programmers. Macro viruses violates this separation.
    3. Overload the log file by changing the permissions on a file and repeatedly attempting to access it. How it is used is dependent on configuration of audit system.
      1. Could crash system.
      2. Could stop auditing.
      3. Could overwrite old information.
    4. Modifing event mappings. Modify registry entries?
    5. Deleting events out of the audit log while maintaining correct sequence numbers.
    6. NT System-Call hooking can add or change functionality of system calls. Can this be used to intercept audit system calls? Should be easier to do with application level audit calls.
  3. Component Steps
    1. Get superuser access. Not needed if already a super-user.
      1. NTsecurity.com - recover admin password < 30 min.
      2. PWdump recovers MD4 hash. Brute force result.
      3. IE bugs involving challenge/response.
      4. NTAccess - changes Administrator password by using special set of boot disk.
    2. Disable auditing. Either turn it off or intercept audit calls.
    3. Destroy integrity of audit log. Includes the baseball bat approach.
  4. Experiments - Used for determing cost effectiveness and how much effort should be put into securing a resource.
    1. Implement a few of the scenarios
    2. Measurements
      1. Timings? Will they be useful? Is it too dependent on how much other work the machine is doing?
      2. Instruction count - how much work the machine must do.
      3. Effort - how much work the hacker must do.
  5. Counter Counter Measures
    1. Division of responisblities. Don't give the superuse the ability to modify auditing or to run arbitrary applications.
    2. Cryptographic checksums
    3. 3rd party authentication
    4. Will a authentication provide a greater level of security? Will the key be any more secure than the adminstrative password?
    5. Hardware authentication.

Brant Hashii / hashii@cs.ucdavis.edu
last modified: 4/21/97