Date: Tue, 20 Dec 94 15:53:55 EST
From: coast-request@cs.purdue.edu (Coast Watch maintainers)
Reply-To: coast-request@cs.purdue.edu
Subject: Coast Watch Digest V1 #1 (part 1 of 2)
To: important-people@cs.purdue.edu (Coast Watch subscribers)
Precedence: bulk

Coast Watch Digest          Tue, 20 Dec 94          Volume 1 : Issue 1

Today's Topics:
    Introduction
    Announcing the COAST Security FTP Archive
    New COAST Sponsors
    Name that System!
    A little about COAST students
    The New COAST Laboratory
    COASTERS hanging in the Multi Media Web
    Tripwire v1.2 Released
    IFIP 11.4
    ISOC '95 Symp. Net. & Distr. Sys. Security
    5th USENIX UNIX Security Symposium
    SANS'95: 4th UNIX System Administration, Networking & Security Conference

The "Coast Watch" newsletter is intended as an irregular electronic digest of information about the COAST Laboratory and Project at Purdue University. It is distributed via e-mail to colleagues, sponsors, and friends of COAST. To subscribe or unsubscribe from the newsletter, send mail to the maintainers at . Past issues of the newsletter, as well as information on COAST, may be obtained via WWW at http://www.cs.purdue.edu/coast

----------------------------------------------------------------------

Date: Tue Dec 20 12:01:03 EST 1994
From: Gene Spafford
Subject: Introduction
To: Coast Watch subscribers

Greetings! This is our first issue of the "Coast Watch" newsletter. We intend for this to be a simple way of letting our friends and colleagues know about what we're up to here in COAST. For the time being, it will be issued on an irregular basis, approximately every other month. It will contain little snippets of news about our projects, personnel, and things happening in the community.
If you are getting this, it is because you:

* asked to be on our mailing list (via e-mail or subscription through our WWW page)
* asked one of us to be kept informed about our research
* put one of us on a related mailing list *you* run
* you are involved with (potential) sponsorship of COAST

It is also possible you got added to this list because someone you know asked to have you added to the list. If you're on the list and don't want to be, send mail to coast-request@cs.purdue.edu and let us know. In a like manner, write if you want to be added to the list.

If you have some items you think would be of interest to the readership, please send those along to us at coast-request@cs.purdue.edu. We'll consider putting them in the list and in our WWW page (http://www.cs.purdue.edu/coast). For instance, we have 3 conference announcements in this issue that might be of interest to some of you, and a small piece on IFIP 11.4. You can also check out our WWW pages for links to our published papers, personnel info, on-going projects, and other information.

In this issue we start with a piece on the establishment of our Internet archive for security information. Then we have a short article about some of our current sponsors and donors. Next, Sandeep Kumar (the senior PhD student in COAST) describes his thesis work and invites all of you to participate in a contest to name his prototype system. We follow that with a description of our current COAST students and their research interests, a note about the new COAST laboratory, a note about our WWW pages, and the release of Tripwire version 1.2. We conclude with the aforementioned short article on IFIP 11.4 and the conference announcements.

We hope you find this useful, and we welcome your comments.

Because some mailers tend to barf when presented with messages above a certain size, this issue of the newsletter has been split into two parts. Part II contains only the conference announcements.
In closing, all of us with COAST wish you a happy holiday season, and a prosperous and joyful new year.

------------------------------

From: spaf (Gene Spafford)
Subject: Announcing the COAST Security FTP Archive!

The COAST group at Purdue is pleased to announce the availability of our security archive. In early 1994, IBM provided a grant to COAST to establish a net-accessible archive of security information. This project was then enhanced with the generous gift by Sun Microsystems of hardware for the archive server. What followed was several months of development work by the group involved: Mark Crosbie, Dave Curry, Ivan Krsul, Sandeep Kumar, Christoph Schuba, Gene Spafford, and Frank Wang.

Several months ago, we went on-line with a comprehensive ftp archive (URL: ftp://coast.cs.purdue.edu/pub). The archive contains nearly 400 MB of tools, papers, technical reports, documentation, announcements, alerts, security patches, and newsletters. We continue to add to this archive on a daily basis.

Before the end of December, the archive should also be available via a gopher server (URL: gopher://coast.cs.purdue.edu), with "jughead" and "Essence" indices. There is currently a link to the archive from the current COAST top-level WWW page (URL http://www.cs.purdue.edu/coast/coast.html).

The archive currently contains software, standards, tools, and other material in at least the following areas:

* access control
* artificial life
* authentication
* criminal investigation
* cryptography
* e-mail privacy enhancement
* firewalls
* formal methods
* general guidelines
* genetic algorithms
* incident response
* institutional policies
* intrusion detection
* law & ethics
* malware (viruses, worms, etc.)
* network security
* password systems
* policies
* privacy
* risk assessment
* security related equipment
* security tools
* social impacts
* software forensics
* software maintenance
* standards
* technical tips
* the computer underground

The collection also contains a large collection of site "mirrors" of interesting collections, many of which are linked by topic to the rest of the archive.

You can connect to the archive using standard ftp to "coast.cs.purdue.edu". Information about the archive structure and contents is present in "/pub/aux"; we encourage users to look there, and to read the README* files located in the various directories.

We would like to invite you to browse the archive. Please feel free to copy whatever looks useful to you. All the material present is available via anonymous ftp and (soon) gopher. You may make copies subject to any copyright restrictions present in the individual files.

If you know of material you think should be added, please send mail to security-archive@cerias.purdue.edu and tell us what you have and where we can get a copy. In order of preference, we would prefer to get:

-- a pointer to the source ftp/gopher/WWW site for a package
-- a pointer to a mirror ftp/gopher/WWW site for the package
-- a uuencoded tar file
-- a shar file
-- a CD-ROM
-- a diskette or QIC tape

If you are providing software, we encourage you to "sign" the software with PGP to produce a standalone signature file. This will help to ensure against trojaned versions of the software finding their way into the archive. We also suggest you think about getting Betsi signatures on your contributions (see /pub/doc/authentication/Betsi.ps.Z) as an additional means of certifying your package.

Any comments or suggestions about the archive should be directed to "security-archive@cerias.purdue.edu" -- please let us know what you think!
------------------------------

Date: Tue Dec 20 16:02:05 EST 1994
From: Gene Spafford
Subject: New COAST Sponsors

We'd like to use a little space to thank some of our sponsors for their past and continuing support of COAST. In no particular order, we'd like to note those sponsors who have supported COAST in a general way (as opposed to sponsoring specific projects):

* Bell Northern Research made a gift to Purdue University in 1992 of seed money to establish the COAST Project. That support has enabled us to obtain some much-needed equipment, software, publications, and other materials for the lab. Although BNR is not currently involved with COAST, we want to express our gratitude for their original generosity.

* The US Air Force and Trident Data Systems have worked together to provide COAST with needed infrastructure support. In particular, they have provided us with almost 1/2 of the equipment in the COAST lab as an extended loan.

* IBM provided a large grant to us through Purdue University as part of a Shared University Research program. This supported our work on a number of projects, but most especially our work on the security archive. IBM is not currently sponsoring any of our work, but their contribution to the establishment of the archive was critical to its success.

* Enigma Logic, InternetOne, and Raxco have all donated demonstration copies of their security products to the COAST lab for our experimentation. This is material we would not otherwise have been able to buy, and we appreciate having them present in the lab.

* Security Dynamics has donated a complete ACE/Server system to the COAST Laboratory for our continuing experimentation and use. This token-based authentication system replaces common passwords and allows us to thwart any attempts to "sniff" passwords when we access COAST systems from remote locations. Security Dynamics has continued to provide us with enhancements and upgrades to the system, too.
Two more recent gifts bear more particular notice:

** Freedman Sharp and Associates, Inc. has donated a 100-machine license for their PowerBroker software package for our use within the laboratory and the department. Dan Freedman has offered to extend this license, currently valued at $21,000, to cover our remaining workstations if we find it helpful to our work. PowerBroker is a distributed software package that enables distributed monitoring and control of Unix computer systems, including delegation of certain supervisory functions to other users.

** Sun Microsystems has become our #1 supporter. In the last eight months, Sun has given COAST support money and equipment valued over $100,000. They have recently promised additional funds for the coming year. Their generous equipment gift of four advanced workstations, coupled with the loans from Trident and the Air Force, means that each COAST student now has a Sun SPARC-based system w/color monitor on his or her desk. It has also allowed us to dedicate a SPARC-based machine as the server for our security archive (described elsewhere in this newsletter). The cash portion of their gift is currently (partially) supporting two PhD students and two MS students. The continuing dialogue with their engineering staff has also helped us in shaping some of our activities.

We'd like to acknowledge the support of all these organizations for our work. Their commitment to security for open systems and to our academic mission is very much appreciated. As time goes on and our research program expands, these contributions will become even more significant. Their advice and interaction with our students and faculty is also much appreciated.

Next newsletter issue, we expect to be able to announce several other exciting contributions, currently in preparation.

------------------------------

Date: Fri, 16 Dec 1994 08:54:09 -0500
From: kumar (Sandeep Kumar)
Subject: Name that System!
Here's your chance to win fame and fortune (well, at least a little fame). First, some background, and then a description of the contest.

Background
----------

I have been working on intrusion detection with Dr. Eugene Spafford in the COAST laboratory for about two years. The focus of my work is investigation of new techniques for intrusion detection. The particular technique that I am investigating is the application of pattern matching to this problem. I expect to defend my thesis some time in 1995.

Current approaches to detecting intrusions can be broadly classified into two categories: Anomaly Detection and Misuse Detection. Anomaly Detection is based on the premise that intrusive activity often manifests itself as an abnormality. The usual approach here is to devise metrics indicative of intrusive activity, and detect statistically large variances on these metrics. Examples might be an unusually high number of network connections within an interval of time, unusually high CPU activity, or use of peripheral devices not normally used. The other technique of detecting intrusions, misuse detection, attempts to encode knowledge about specific attacks and monitors for the occurrence of those attacks.

My Research
-----------

My primary interest is in investigating techniques for misuse detection. The broad goals of my study are:

* To devise an efficient and portable scheme for detecting a large class of intrusions in real time.
* To study existing intrusion scenarios to determine the attack characteristics that need to be modeled and detected.
* To devise efficient algorithms to detect these characteristics.
* To study the representation problem of attack signatures.

I have developed a model that supports these goals by decomposing the problem into a special form of matching problem, and by narrowing the scope of what we are trying to detect. There are several results from this approach.
One important benefit is the clean separation of the various components comprising a generic misuse detector. With my approach, a generic misuse detector can be viewed as three basic abstractions. This enables generic solutions to be substituted for each abstraction without changing the interfaces between the abstractions of the model. These abstractions are:

The Information Layer. This encapsulates the audit trail and provides a low-level data interface to the monitored computer system.

The Signature Layer. This provides for a system-independent internal representation of signatures and a system-independent virtual machine to represent the signature context.

The Matching Engine. This encapsulates the method used to match the patterns; it makes the system independent of any particular choice of matching algorithms. It also allows simple substitution of newer or more powerful mechanisms as they become available.

Furthermore, a standardization of the model of matching signatures permits several external representations of signatures to exist, each facilitating the representation of certain types of signature constructs. Other benefits of the model include its extensibility and portability to different event models, its ability to assign priority to signatures and the ability to dynamically add signatures in the midst of matching.

Status
------

The model of matching on which the intrusion detection system is based was presented at the 17th National Computer Security Conference. [Note: Sandeep won a conference "Outstanding Student Paper" award for that presentation. --spaf]

I am currently implementing a prototype detector structured as an application library so it can be embedded in any application program. The library provides a parser for translating signature descriptions into automaton code that will match the signature. This code is then dynamically linked into the application.
Papers describing this work and other useful information on intrusion detection, including a reasonably complete bibliography in bibtex format, can be obtained on the world wide web through my home page at http://www.cs.purdue.edu/people/kumar

The Contest
-----------

I am currently looking for an acronym for my detector. One suggestion made to Dr. Spafford (in jest, I hope) is IDIOT -- "Intrusion Detection in Our Time." If you have a better name please let us know! Every good project requires a good acronym, and this is no different.

The contributor of the best entry will be awarded an as yet undetermined prize. At the very least, you will achieve minor fame in the footnotes when we continually acknowledge your contribution to our work. :-)

Send your suggestions to kumar@cs.purdue.edu or spaf@cs.purdue.edu; you may enter more than once. The contest will close sometime after February 1, so enter soon!

[Note that Sandeep is currently thinking about employment after he gets his PhD. He is as yet undecided between a future in academia or in commercial research. If you have any suggestions for him, you might contact him directly. --spaf]

------------------------------

Date: Tue Dec 20 16:00:53 EST 1994
From: spaf (Gene Spafford)
Subject: A little about COAST students

People often hear about the backgrounds of the faculty involved in research projects, but they don't often get to hear about the students until about the time they finish. That's unfortunate, because the students are a major part of most university research projects. The same is true with COAST.

Our research students embody a great amount of talent. They also represent some of the best students at Purdue, including two Fulbright Scholars, an NSF graduate fellow and a GM Fellow. Every graduate student in the group holds other honors including memberships in honor societies including Upsilon Pi Epsilon, Phi Beta Kappa, Phi Kappa Phi, Tau Beta Pi, Alpha Lambda Delta, Phi Eta Sigma, and the Gold Key Society.
So, to help introduce our current students (yes, there will be more in January, we're sure), here is a brief introduction to our notable crew. More information can be found through the WWW links in the COAST homepage.

Ivan Krsul hails from La Paz in Bolivia. He obtained his undergraduate degree from The Catholic University of America in Washington D.C. in 1989. Ivan completed his MS thesis on Software Authorship Analysis, part of the Software Forensics work in COAST. He is currently finishing his PhD qualifier studies, and is developing a topic for his PhD research. His work is being funded by Sun Microsystems.

Christoph Schuba is from Heidelberg in southwest Germany. He studied Mathematics and English at Heidelberg University, and Management Information Systems at Mannheim University. After obtaining his German Vordiplom and completing several semesters of graduate level studies, he came to Purdue University on a Fulbright Scholarship. Christoph did his MS thesis on DNS Security Vulnerabilities, and most recently spent the summer in a research position at Xerox PARC. He is now narrowing his search for a PhD topic to the intersection of research in high-speed networks and security. His work will be funded by Xerox and Sprint.

Mark Crosbie, another European, is from Dublin, Ireland. He obtained his undergraduate degree in Computer Science from Trinity College, Dublin. He also came to Purdue on a Fulbright Scholarship. Mark is currently working on an MS thesis on how genetic algorithms can be used in intrusion detection and firewall constructs. His work has been funded by IBM and Sun Microsystems.

Sandeep Kumar is from near New Delhi in India. He received his B.Tech in Electrical Engineering from Indian Institute of Technology, New Delhi. He holds a Master's degree in Computer Science from the University of Tennessee at Knoxville.
Sandeep is currently finishing his PhD in the area of intrusion and anomaly detection methods, and he should defend his thesis sometime in 1995. (See his article elsewhere in this digest.) His work is being funded by the US Department of Defense.

Taimur Aslam is from Karachi in Pakistan. He attended Purdue University for his undergraduate degree, and is now working on his MS degree. Taimur's thesis work is in the area of fault classification and penetration analysis. He most recently spent the summer as an intern at Motorola, working in an area related to his research interests. He has accepted a job at Motorola, to begin when he completes his thesis. His work has been funded by IBM and Sun Microsystems.

Steve Lodin is attending Purdue as a GM Fellow sponsored by Delco Electronics. He hails (most recently) from exotic Kokomo, Indiana. Steve's research plans are not yet fixed, but may include development of a formal methodology of generating and/or testing security tools.

Frank Wang is an undergraduate at Purdue, originally from the People's Republic of China. He is currently working with COAST to help develop tools for the ftp archive, and to help build our gopher and WWW servers.

Bryn Dole is another US native, originally from Knoxville, Tennessee. He completed his undergraduate degree at the University of Illinois, and is about to finish his MS here at Purdue. He will then begin work on a PhD in the area of network security. His research is being funded by Sun Microsystems.

Recently graduated from Purdue and COAST, Jennifer Dick completed her undergraduate degree with an Honors degree in Computer Sciences, and an additional major in Mathematics. Jennifer worked in COAST on some aspects of the OPUS project. She is currently working for Federal Express. However, Jennifer was awarded a prestigious National Science Foundation Graduate Fellowship upon graduation, so we might see her back at Purdue in the next year or two.
Also recently graduated, Gene Kim received his undergraduate degree in Computer Sciences. Gene is now completing his MS degree at the University of Arizona, and trying to decide what to do next. Among other things, Gene is the primary author of the Tripwire package (see the article about Tripwire elsewhere in this newsletter).

------------------------------

Subject: The New COAST Laboratory
From: krsul (Ivan Victor Krsul), spaf (Gene Spafford)
To: COAST Watch

In mid-1994 the COAST lab was officially moved to G-18 in the Computer Science building. The new lab provides a more spacious and quiet working environment for students working on COAST projects. The new room has space for almost all of our equipment and books, plus some room left over for desks and work areas. Coupled with the move, Spaf has moved his office to G-22, right next door to the new lab.

The lab space was made available through the Computer Sciences department. Funds provided by the department, and by the Dean of the School of Science, will help cover some renovation costs, including new wiring, air conditioning, painting, and the removal of the old chalkboards. This is work we hope to accomplish in January. Next up on the agenda is new furniture and installation of some additional wiring to support all the computing equipment.

When completed, we'll have the newest working lab in the building, with room for seven graduate student work areas, a small conference table, and a small reference library. The lab will have two independent networks, including one that can be used for experimentation without interfering with regular department networks.

Additional funding will be required to cover all the remaining renovation costs. We need about $20,000 to complete the work, not counting any donations of equipment or software anyone would like to make. COAST sponsors (or prospective sponsors) interested in helping us to fund the completion of the lab are invited to contact Gene Spafford.
We intend to make some permanent, *prominent* notice of sponsors once the lab construction is completed, so now's the time to get involved!

Once the renovation is finished, we hope to have some form of dedication ceremony to recognize the sponsors and supporters of the lab. We hope to couple this with some other event, perhaps a series of lectures or a workshop. Stay tuned for details!

------------------------------

From: schuba (Christoph Schuba)
Subject: COASTERS hanging in the Multi Media Web

...tune your URL to http://www.cs.purdue.edu/coast/coast.html...

You want to know more about COAST?
You want to obtain recent technical reports and published papers?
You want to know which projects are currently being investigated?
You want to know about who our sponsors are?
You want to see pictures of involved faculty and students without moving from your desk?
Want a link in to the COAST archive (described elsewhere in this digest)?
Want some links to other security resources?

You want it -- you can get it. Just point your favorite hypermedia reader to http://www.cs.purdue.edu/coast/coast.html and explore.

There are sections that describe what COAST is all about, descriptions of current research projects, and pointers to all involved faculty and grad students. You can even find a link to a page that contains this newsletter! Check it out!

------------------------------

Date: Tue Aug 30 20:00:01 EST 1994
From: gkim@cs.arizona.edu (Gene Kim), spaf (Gene Spafford)
Subject: Tripwire v1.2 Released

Announcing the release of version 1.2 of Tripwire! This version supersedes all previous versions of Tripwire. Version 1.2 includes several new features, small performance improvements, and several bug fixes. This version also includes a new signature routine, porting to new machines, support for symbolic links and HP CDF files, and more. (See the list below.)

Version 1.2 of Tripwire is probably the final release of Tripwire for some time to come.
Gene Kim is no longer at Purdue, Spaf is on sabbatical for portions of the 1994/95 academic year, and no COAST sponsor has shown particular interest (yet!) in funding continued development.

Enclosed below is a brief description of what Tripwire is, a description of how to get a copy of the source code, and a list of new features added since the Version 1.1 release.

We greatly appreciate the time and effort expended by all the people who beta-tested various versions of Tripwire over the last few years. Without the contributions and reports of these people, we are certain that the package would not be as complete as it is currently. We have tried to acknowledge all our testers and contributors in the documentation and Changlog file in this distribution; our sincere apologies if we forgot anyone.

Also, our thanks to COAST sponsors and sponsors of COAST research projects who helped fund this project, directly or indirectly. This includes especially Bell Northern Research, Trident Data Systems, Sun Microsystems and the US Air Force.

What is Tripwire?
-----------------

Tripwire is an integrity monitor for Unix systems. It uses several checksum/message-digest/secure-hash/signature routines to detect changes to files, as well as monitoring selected items of system-maintained information. The system also monitors for changes in permissions, links, and sizes of files and directories. It can be made to detect additions or deletions of files from watched directories.

The configuration of Tripwire is such that the system/security administrator can easily specify files and directories to be monitored or to be excluded from monitoring, and to specify files which are allowed limited changes without generating a warning. Tripwire can also be configured with customized signature routines for site-specific checks.
Tripwire, once installed on a clean system, can detect changes from intruder activity, unauthorized modification of files to introduce backdoor or logic-bomb code, and virus activity (if any were to exist) in the Unix environment.

Tripwire is provided as source code with documentation. The system, as delivered, performs no changes to system files and does not require root privilege to run (in the general case). The code has been extensively tested at many sites. Tripwire should work on almost any version of Unix, from Xenix on 80386-based machines to Cray and ETA-10 supercomputers. It now even works properly on DEC Alphas, and on Linux and BSDI systems!

Tripwire may be used without charge, but it may not be sold or modified for sale (see the copyright notice in the distribution for specifics).

Tripwire was written as a project under the auspices of the COAST Project at Purdue University. The primary author was Gene Kim, with the aid and under the direction of Gene Spafford (COAST Director).

Where to Get Tripwire
---------------------

Copies of the Tripwire distribution may be obtained from "ftp://coast.cs.purdue.edu/pub/COAST/Tripwire". The distribution is available as a compressed tar file. When you untar the file, you will find another tar file, a Readme file, and a PGP external signature to give proof against tampering.

Questions, comments, complaints, bugfixes, etc. may be directed to:

    gkim@cs.arizona.edu (Gene Kim)
    spaf@cs.purdue.edu (Gene Spafford)

The address "tripwire@cs.purdue.edu" is aliased to both of us. The mailserver formerly at that address and the "tripwire-request" address have been discontinued.

What's New in Version 1.2
-------------------------

Version 1.2 adds several new features, as well as fixing reported bugs. Among the changes are:

- Signature checking for symbolic link contents has been added.
- Tripwire now correctly runs on Alpha AXPs, and other machines with "long" types that are not 32 bits wide.
- The Haval digital hash routine has been added as the eighth signature routine (faster than MD5, and purportedly more secure).
- The SHA signature routine has been changed to conform to the recent fix introduced in its FIPS definition by NIST/NSA to correct an unspecified weakness.
- The database format changes slightly to correct a boundary condition error. Because database entry numbers change, because the SHA signatures change, and because of Haval, old Tripwire databases must be reinitialized.
- Handling specified configuration and database files (and file descriptors) has been fixed to better accommodate pipes.
- Full support for flex added.
- Signature checking is now considerably faster through the use of the stdio library for file I/O.
- A Perl script has been added to update Tripwire databases where all inode numbers were changed by "fsirand" (NFS sites only); See FAQ.
- Another fix to make database updates more predictable.
- All reported bugs have been fixed in this revision.
- A new README section describes some documented attacks on systems running Tripwire.
- Many small changes have been made to the documentation to correct and update information.

------------------------------

Date: Tue Dec 20 15:14:53 EST 1994
From: Gene Spafford
Subject: IFIP 11.4

The International Federation for Information Processing (IFIP) was established in 1960 under sponsorship of UNESCO. In 1984 the Technical Committee for Security and Protection in Information Processing Systems, Technical Committee 11, came into existence. Its aim is to increase the reliability and general confidence in information processing, as well as to act as a forum for security managers and others professionally active in the field of information processing security. Its scope encompasses the establishment of a frame of reference for security common to organizations, professionals and the public; and the promotion of security and protection as essential parts of information processing systems.
One of the working groups under TC 11 is working group 4, Network Security. WG 4 used to be a group on cryptography, but it fell dormant and was disbanded. In mid-1994, WG 4 was reconstituted as the group on network security, and I was appointed as the chair. The goals of the working group are very much like that of TC 11 as a whole: to promote good practice in security for networked systems, to encourage research into problems in the area, and to enhance communication among practitioners and researchers in the field.

I've been on sabbatical for the past semester, and I have been unable to do much with WG 4 until now. Starting in January, I hope to expand the membership and make some plans for future events, including a workshop to try to define the big issues in network security. We're already acting as cooperative sponsors for the next Usenix Security Symposium (see the conference announcement later in this newsletter).

If you think you'd be interested in working with WG 11.4, send me some e-mail. There is no membership fee or other requirement to join -- just a willingness to actively participate. News about future 11.4 activities will be available through WWW: http://www.cs.purdue.edu/homes/spaf/ifip11.4.html

------------------------------

End of Coast Watch Digest part 1 of 2
------------------------------
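The integrity check that the Tripwire v1.2 announcement above describes (a baseline database of per-file signatures, then a comparison pass that reports changed permissions, sizes and contents, plus files added to or removed from watched directories, with some files allowed limited changes) reduces to a short program. What follows is an added example written for this digest; it is not the Tripwire source and does not reproduce Tripwire's database format, its eight signature routines or its configuration language. It assumes SHA-256 as the single content hash (a modern substitute for the MD5/SHA/Haval routines of 1994), records only mode, size, hash and symlink target (Tripwire also tracks inode numbers and timestamps), and uses a temporary directory with constructed files as the monitored tree.

```python
"""Tripwire-style file integrity check, reduced to its essentials.

Added illustration, not Tripwire code. Snapshot a tree into a baseline
database, then compare the live tree against it and report entries whose
content hash, permission bits or size changed, plus entries added to or
removed from watched directories. Selected attributes can be ignored for a
given path (a log file that is allowed to grow) so that expected churn does
not raise alerts.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entry:
    mode: int      # file type and permission bits from lstat (setuid bits included)
    size: int      # byte size for regular files; 0 otherwise (directory sizes vary by fs)
    sha256: str    # hex digest of file contents; "" for non-regular files
    link: str      # symlink target (the link itself is signed, not what it points to)


def fingerprint(path: str) -> Entry:
    st = os.lstat(path)
    digest, link, size = "", "", 0
    if stat.S_ISLNK(st.st_mode):
        link = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        size = st.st_size
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return Entry(st.st_mode, size, digest, link)


def snapshot(root: str) -> Dict[str, Entry]:
    """Baseline database: relative path -> Entry, for every file and directory under root."""
    db: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            db[os.path.relpath(p, root).replace(os.sep, "/")] = fingerprint(p)
    return db


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry],
            ignore: Optional[Dict[str, Set[str]]] = None) -> dict:
    """Return {'added': [...], 'removed': [...], 'changed': {path: [fields]}}.

    ignore maps a path to the attribute names that may differ without a warning."""
    ignore = ignore or {}
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        before, after = asdict(baseline[path]), asdict(current[path])
        allowed = ignore.get(path, set())
        diff = [f for f in before if before[f] != after[f] and f not in allowed]
        if diff:
            report["changed"][path] = diff
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then trojan a binary, drop a
    new setuid file and let a log grow; the log is configured as allowed to change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        log = os.path.join(root, "messages.log")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/true\n")
        os.chmod(login, 0o755)
        with open(log, "wb") as f:
            f.write(b"boot\n")
        baseline = snapshot(root)

        with open(login, "ab") as f:          # backdoor appended to a system binary
            f.write(b"# backdoor\n")
        sh2 = os.path.join(root, "bin", "sh2")
        with open(sh2, "wb") as f:            # new file appears in a watched directory
            f.write(b"\x7fELF")
        os.chmod(sh2, 0o4755)
        with open(log, "ab") as f:            # expected growth of a log file
            f.write(b"login: root\n")

        return compare(baseline, snapshot(root),
                       ignore={"messages.log": {"size", "sha256"}})


if __name__ == "__main__":
    print(demo())
```

The report from `demo()` names `bin/sh2` as added and `bin/login` as changed in size and hash, while the growing log stays silent because its size and hash were declared permitted to change. As with Tripwire, the baseline is only as trustworthy as the system it was taken on and the medium the database is kept on; the announcement's own README section on attacks against systems running Tripwire covers the cases (a tampered database, a tampered binary) that this sketch does not defend against.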
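The "Name that System!" note above describes a misuse detector as three abstractions (an information layer over the audit trail, a signature layer with a system-independent representation of signatures and their context, and a pluggable matching engine) with priorities on signatures and signatures that can be added while matching is under way. The program below is an added example written for this digest to make that structure concrete; it is not Kumar's prototype, library or signature language. The event names, fields, the two signatures and the audit trail are all invented for the illustration, and the engine is a simple nondeterministic matcher over event sequences with variable binding, not the automaton code his parser generates.

```python
"""Misuse detection as pattern matching over an audit trail, in three layers.

Added illustration, not Kumar's prototype. Information layer: normalized
audit records. Signature layer: a signature is a sequence of steps, each
consuming one event type, binding context variables from event fields and
optionally checking a guard. Matching engine: keeps partial matches alive
across events (NFA style), expires them by time window, accepts signatures
added mid-stream and returns completed matches ordered by priority.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]   # information layer: one audit record with "event" and "time"


@dataclass
class Step:
    event: str                                             # event type this step consumes
    bind: Dict[str, str] = field(default_factory=dict)     # context var -> event field
    guard: Optional[Callable[[Event, Dict[str, object]], bool]] = None


@dataclass
class Signature:
    name: str
    steps: List[Step]
    priority: int = 0
    window: Optional[float] = None   # max seconds between first and last step


@dataclass
class Partial:               # one in-progress match of a signature
    sig: Signature
    next: int                # index of the step still to be matched
    ctx: Dict[str, object]   # variables bound by earlier steps
    started: float


class MatchingEngine:
    def __init__(self) -> None:
        self.sigs: List[Signature] = []
        self.partials: List[Partial] = []

    def add_signature(self, sig: Signature) -> None:
        """May be called between events; matching already in progress is unaffected."""
        self.sigs.append(sig)

    @staticmethod
    def _advance(p: Partial, ev: Event) -> Optional[Partial]:
        step = p.sig.steps[p.next]
        if ev.get("event") != step.event:
            return None
        ctx = dict(p.ctx)
        for var, fld in step.bind.items():
            if var in ctx and ctx[var] != ev.get(fld):
                return None                # variable already bound to a different value
            ctx[var] = ev.get(fld)
        if step.guard is not None and not step.guard(ev, ctx):
            return None
        return Partial(p.sig, p.next + 1, ctx, p.started)

    def feed(self, ev: Event) -> List[Dict[str, object]]:
        """Consume one record; return the alerts it completes, highest priority first."""
        now = float(ev["time"])
        alerts: List[Dict[str, object]] = []
        survivors: List[Partial] = []
        # every known signature may start a fresh match at this event, and every
        # earlier partial match may either advance on it or keep waiting
        for p in self.partials + [Partial(s, 0, {}, now) for s in self.sigs]:
            if p.sig.window is not None and now - p.started > p.sig.window:
                continue                                   # expired partial match
            adv = self._advance(p, ev)
            if adv is None:
                if p.next > 0:
                    survivors.append(p)                    # started earlier: keep waiting
            elif adv.next == len(adv.sig.steps):
                alerts.append({"signature": adv.sig.name, "time": now,
                               "priority": adv.sig.priority, **adv.ctx})
            else:
                survivors.append(adv)
        self.partials = survivors
        alerts.sort(key=lambda a: -int(a["priority"]))
        return alerts


# signature layer instances (invented for the example)
SETUID_COPY = Signature("setuid_copy", priority=10, steps=[
    Step("create", bind={"f": "path", "u": "uid"}),
    Step("chmod", bind={"f": "path", "u": "uid"},        # same file, same user ...
         guard=lambda ev, ctx: bool(int(ev["mode"]) & 0o4000)),  # ... made setuid
])
LOGIN_BRUTE = Signature("login_brute", priority=5, window=60,
                        steps=[Step("login_fail", bind={"h": "host"})] * 3)

# constructed audit trail (not real system data)
TRAIL: List[Event] = [
    {"time": 1, "event": "login_fail", "host": "10.0.0.5"},
    {"time": 2, "event": "create", "path": "/tmp/sh", "uid": 1001},
    {"time": 3, "event": "login_fail", "host": "10.0.0.5"},
    {"time": 4, "event": "chmod", "path": "/tmp/sh", "uid": 1001, "mode": 0o4755},
    {"time": 5, "event": "login_fail", "host": "10.0.0.9"},
    {"time": 6, "event": "login_fail", "host": "10.0.0.5"},
    {"time": 7, "event": "login_fail", "host": "10.0.0.5"},
]


def run_demo() -> List[Dict[str, object]]:
    engine = MatchingEngine()
    engine.add_signature(SETUID_COPY)
    alerts: List[Dict[str, object]] = []
    for ev in TRAIL:
        alerts.extend(engine.feed(ev))
        if ev["time"] == 1:
            engine.add_signature(LOGIN_BRUTE)   # added mid-stream, so t=1 is not counted
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running `run_demo()` yields two alerts: `setuid_copy` at t=4 with the file and uid bound from the create/chmod pair, and `login_brute` at t=7 for host 10.0.0.5, since the brute-force signature was only installed after the first failure and the failure from 10.0.0.9 cannot bind to a partial match already holding a different host. Swapping `MatchingEngine` for a faster matcher, or loading `Signature` objects from an external representation, leaves the other two layers untouched, which is the separation the note argues for.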