Return to book
Review this book
About the author
Introduction
1. Access Control
2. Authentication
3. Biometrics
4. Crypto Engineering
- 4.1. Software Crypto
- 4.2. Hardware Crypto
5. Malware
- 5.1. Virus
- 5.2. Worm
- 5.3. Trojan Horse
- 5.4. Writing Virus
- 5.5. Rootkits
- 5.6. Anti-virus software
- 5.7. Inside popular software
6. Protecting Clients
7. Security and Usability
- 7.1. User Interface (UI)
- 7.2. Passwords
- 7.3. Cognitive Experiment
- 7.4. Insider Attacks
8. Secure Programming
- 8.1. Buffer overflow
  - 8.1.1. Buffer Overflow Protections
  - 8.1.2. Exploit Buffer Overflow
- 8.2. Secure C practice
- 8.3. secure-sensitive program
9. Physical Security
10. (Web Service) Architecture
- 10.1. Contents and Scripts
11. Confinements
- 11.1. chroot
- 11.2. JVM
- 11.3. Network Identity
- 11.4. Virtual Machine
- 11.5. Sandbox
12. Program Structure
- 12.1. Case study: 4.3BSD FTP Daemon
- 12.2. Case study: mailer
- 12.3. Case study: Web Browser
13. Security Analysis
- 13.1. Construction vs. Destruction
- 13.2. Analyze individual programs
- 13.3. Analyze overall system
- 13.4. Software Engineering Code of Ethics
- 13.5. Tools part 1: OS system calls
- 13.6. Tools part 2: fuzzing and more
- 13.7. Reconnaissance
14. The Internet of Things
- 14.1. Embedded Systems (Smart Devices)
- 14.2. Internet of Things Architecture
- 14.3. Case study: Thermostat
15. Logging
- 15.1. Loggin in practice
- 15.2. Log Incidents
- 15.3. Case study: PHP4 web server attack
16. After An Attack
- 16.1. Analyze a hacked system
- 16.2. Deleted Files
- 16.3. Monitor Intrusion
- 16.4. Conclusion
17. System Structure
- 17.1. Case study: build an e-commerce
- 17.2. Network Operation Center
- 17.3. Router Link Weakness
- 17.4. Remote Access
- 17.5. Question: store credit card number in database?
- 17.6. General Principle
18. Exams
- 18.1. Fall 2014 Midterm
- 18.2. Fall 2013 Midterm
- 18.3. Fall 2010 Midterm
- 18.4. Fall 2008 Midterm

Security Architecture and Engineering

Loggin in practice

How to practice logging on systems?

Example: Web logs

Timestamp, with time zone
IP address
Request can lie: sophisticated attacker can fake some information, like what machine this request is sending from?

Log correlation

Across machine of one site
Across sites
Watch out for privacy issue:
- be aware giving up user information!
- What sites users are reaching (HIV, gun purchase)?

Types of logs

Routing processing
Error message
Authentication events
Request / Reponse

Processing logs

Primary rule: retain raw data as long as possible (Do not delete log data!).
Be suspicious: log files often contain enemy-supplied data.
Be especially careful if you use a web browser to look at log file data: it may contain JavaScript-based pop-ups.
Crunch log down to manageable size; pick out interesting items.

Storing logs

Keep logs as flat files (for small sites).
If possible, store log files in database, it provides sophisticated queries (give me log lines from 12pm to 13pm with words 'Authentication failed').
Today hardware is cheap enough for services to store all logs.
Storing logs at local machine is dangerous: if attacker gets into the machine, logs can be wiped out.
Use a log server: machine sends log packets to log server, but do not have permission to go into the log server.

Secure format of logs

Protocol (with crypto) exists for secure logging.
Log files are parts of systems: the file needs to be consistent and easy to collaborate with other parts of the systems.

Log patterns to look for

Bad requests (with authentication failure).
Anything mentioning /etc/, where many sensitive information is stored.
Attempts to execute commands for functions other than emails and netnews.

Limits of full-traffic logs

Capturing every packet is hard.
Solution: set up web proxy (block port 80, 443), store logs in web proxy.

Security of log files

Needs C(confidentiality) I (Integrity) A (Availability).
Logfiles need to watch out for personal privacy (e.g password).
Confidentiality: Logfiles need to be read-protected.
Integrity: make sure enemy can't tamper with your logs; it is a primary target for many hackers!
Availability: one attack is to fill up log area with innocent garbage, when the log file is full, launch the real attack.

Audit logfile

Prevent users from doing bad things.
E.g. original purpose of a cash register: product manager's copy of all receipts, ensuring nothing gets stolen.
Audit logfile statistically: take a random sample of a transaction, follow that transaction into details.

Analysis of example file

sh              -S       root         _____     0.61 sec

Why is the log not so useful? Several assumptions may rise from this line of log.

It shows root ran a shell, which in turn performed some operation that only root can do.
QUESTION: who ran the root? A system admin? Me? An attacker?
The missing "_" is supposed to be pseduo-tty, there are several possibility how it was set this way. Therefore it's not trustworthy.

How do you know when log file is full?

Research? Yet because disk is cheap nowadays, such attack is hard to launch.

What if you can't log everything?

Distribute log file into different servers.. Use log file analyzer to tie things back together (similar to divide up database table into multiple tables.).