Tracing the root of "rootable" processes

In most existing systems, the authorization check for access to a system resource is based on the user ID of the requesting process. Such systems are vulnerable to password stealing and password cracking: whoever obtains the root password obtains root privilege, from anywhere on the network. Considering that remote attackers usually do not have physical access to local machines, we propose a security architecture called NPTrace (network-wide process tracing), which requires a user both to know the root password and to prove physical proximity in order to exercise root privilege. More specifically, NPTrace attaches a privilege-level attribute to every process and propagates this attribute across machines on demand. The privilege-level attribute of a process is set to rootable if the system can trace the process's origin, through its local ancestors and across the network login sessions that created them, back to a process started by a user who physically logged on at one of a designated set of hosts on the network. Only a root process whose privilege-level attribute is rootable is allowed to perform privileged operations; a root process whose origin traces back to anywhere else is denied even though it runs as root. NPTrace thus exploits physical security to strengthen password-based security. This paper describes the design and implementation of the NPTrace prototype, which features a distributed mechanism for identifying the entry point of a user into a network. The prototype is implemented under Linux and has been tested under many attack scenarios; the system showed correct behavior in these tests with negligible performance overhead.
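The following is an added, illustrative model of the rootable check described in the abstract; it is not code from the NPTrace prototype, and the host names, PIDs, client address and the designated host set are constructed for the example. A dictionary keyed by (hostname, pid) stands in for the prototype's distributed lookup: a process either has a local parent or, if it is a login session leader, an origin that is a process on another participating host (traceable) or a plain string naming a physical console or an untraceable network client. The trace walks parents and crosses hosts until it reaches a physical entry point, so a stepping-stone login that merely passes through a designated host is still denied, which a check of the immediate peer host alone would miss.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

Key = Tuple[str, int]  # (hostname, pid) identifies a process network-wide


@dataclass
class Proc:
    host: str
    pid: int
    uid: int
    parent: Optional[Key] = None           # local parent, None for session leaders
    # Session leaders only: a Key means a network login from another NPTrace
    # host (we can keep tracing there); a str names the physical console the
    # user sat at, or an untraceable client address (outside NPTrace).
    origin: Union[Key, str, None] = None


# Assumed designated set of hosts whose consoles count as physical presence.
PHYSICAL_HOSTS = {"console-a", "console-b"}


def trace_entry(reg: Dict[Key, Proc], key: Key) -> Optional[str]:
    """Follow parents and cross-host login origins to the user's entry point."""
    seen = set()
    while key not in seen:
        seen.add(key)
        p = reg[key]
        if p.parent is not None:
            key = p.parent                  # walk up the local process tree
        elif isinstance(p.origin, tuple):
            key = p.origin                  # jump to the originating host's process
        else:
            return p.origin                 # console name, client address, or None
    raise ValueError("cycle in process ancestry")


def immediate_login_host(reg: Dict[Key, Proc], key: Key) -> Optional[str]:
    """Naive alternative: only look at where this host's session came from."""
    p = reg[key]
    while p.parent is not None:
        p = reg[p.parent]
    return p.origin[0] if isinstance(p.origin, tuple) else p.origin


def is_rootable(reg: Dict[Key, Proc], key: Key) -> bool:
    """Privileged operations are allowed only for uid 0 AND a physical entry."""
    return reg[key].uid == 0 and trace_entry(reg, key) in PHYSICAL_HOSTS


def build_scenario() -> Dict[Key, Proc]:
    """Constructed process registry covering three login chains."""
    reg: Dict[Key, Proc] = {}

    def add(host, pid, uid, parent=None, origin=None):
        reg[(host, pid)] = Proc(host, pid, uid, parent, origin)

    # 1. Admin at the console of console-a, ssh to server, su to root.
    add("console-a", 100, 1000, origin="console-a")
    add("console-a", 101, 1000, parent=("console-a", 100))      # ssh client
    add("server", 200, 1000, origin=("console-a", 101))          # sshd session
    add("server", 201, 0, parent=("server", 200))                # su shell
    # 2. Attacker with the stolen root password logs in from the Internet.
    add("server", 300, 1000, origin="203.0.113.7")
    add("server", 301, 0, parent=("server", 300))
    # 3. Stepping stone: same attacker enters via console-b, then hops to server.
    add("console-b", 400, 1000, origin="203.0.113.7")
    add("console-b", 401, 1000, parent=("console-b", 400))      # ssh client
    add("server", 500, 1000, origin=("console-b", 401))
    add("server", 501, 0, parent=("server", 500))
    return reg


if __name__ == "__main__":
    reg = build_scenario()
    for key in [("server", 201), ("server", 301), ("server", 501)]:
        print(key, "entry:", trace_entry(reg, key),
              "peer:", immediate_login_host(reg, key),
              "rootable:", is_rootable(reg, key))
```

In scenario 3 the immediate peer of the root shell on `server` is `console-b`, which is in the designated set, yet the full trace ends at the external address, so the root shell is not rootable. The check is also deliberately conjunctive: a non-root process that did enter from a console gains nothing from the attribute.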
