AWERProcedia Information Technology & Computer Science Vol 03 (2013) 167-172
3rd World Conference on Information Technology (WCIT-2012)
Architectural Design and Realization for Management of end Point DLP

Murat Topaloglu *, Kesan Yusuf Çapraz School of Applied Sciences, Trakya University, Kesan, 22880, Turkey.
Erdem Ucar, Faculty of Engineering and Architecture, Trakya University, Edirne, 22030, Turkey.
Ilhan Umut, Faculty of Engineering and Architecture, Trakya University, Edirne, 22030, Turkey.

Suggested Citation: Topaloglu, M., Ucar, E. & Umut, I. Architectural Design and Realization for Management of end Point DLP, AWERProcedia Information Technology & Computer Science. [Online]. 2013, 3, pp 167-172. Available from: http://www.world-education-center.org/index.php/P-ITCS. Proceedings of 3rd World Conference on Information Technology (WCIT-2012), 14-16 November 2012, University of Barcelona, Barcelona, Spain.

Received 29 March, 2013; revised 2 July, 2013; accepted 9 September, 2013. Selection and peer review under responsibility of Prof. Dr. Hafize Keser. ©2013 Academic World Education & Research Center. All rights reserved.

Abstract

The continuity of an institution's data structure can be ensured by protecting the data. Providing data protection with strict rules, however, hinders the efficient functioning of the system, and restricting users with strict rules does not produce a solution. The most promising solution that can help to reduce these risks is called data leak prevention (DLP). A data leak prevention system aims to protect the integrity of corporate data against leakage. In this study, we produced a solution in which the flow of potentially sensitive data is controlled without restricting the client, users who could leak data are prevented from doing so, and unintentional errors are minimized. Protection of institutional data must be mobile, adaptable, and require the least possible intervention. This study presents the software solution realized with the aim of DLP end point protection. The solution describes an architecture designed with a kernel hook in the Windows operating system and coded in the C language. The developed DLP architecture is designed to work even without network connectivity; protection is provided by using the SSDT in end point management. The DLP client architecture provides control of the data to be transferred to external media according to their types, across multiple files.

Keywords: Data leak prevention, end point, security, SSDT, Kernel Hook;
* ADDRESS FOR CORRESPONDENCE: Murat Topaloglu, Kesan Yusuf Çapraz School of Applied Sciences, Trakya University, Kesan, 22880, Turkey, E-mail address: [email protected] / Tel: +905425144796
Topaloglu, M., Ucar, E. & Umut, I. Architectural Design and Realization for Management of end Point DLP, AWERProcedia Information Technology & Computer Science. [Online]. 2013, 3, pp 167-172. Available from: http://www.world-education-center.org/index.php/P-ITCS
1. Introduction

Institutional safety requirements have become a need at an increasing rate with each passing day, and new strategies have been developed against newly arising problems. Together with the great speed of development in information technologies, persons and institutions confront various threats such as fraud through the use of computers and software, information theft, information leakage, computer pirates, electronic attacks, and potential internal attacks committed by the personnel of the institutions themselves. When competitive economies and technologies are taken into consideration, institutions with the ability to convert data into information and to act on the information acquired can make much more successful, faster and more effective decisions [9]. DLP (Data Leak Prevention) is a multi-step safety solution aiming to prevent the leakage of information held by institutions to outside sources for reasons internal to the institution. It also helps prevent the loss of sensitive information [1]. Furthermore, DLP is a popular system which provides sophisticated reporting, content analysis, filtering, and protection of sensitive data [7]. It also provides a protection method covering creation, distribution, and storage within the information life cycle [8]. Since an institution wants to control its sensitive data, it should carry out content scanning regularly [4].

2. Body

Users who enable data to move within the institution should also give primary importance to institutional secrecy [3]. Being an agent-based data leakage prevention solution, DLP is a client-based data component. The DLP administration server distributes the rules to the clients, and each client is loaded with a DLP agent. The client should be monitored and controlled as required. When the DLP agent does not exist, data leakage may occur. The DLP agent component is implemented as a kernel driver, and thus it becomes possible to monitor the operating system.
The client's tasks in the DLP architecture application developed in this study are as follows:
- Getting the rules from the administration server
- Enforcing the rules received
- Classifying the data
- Monitoring / Logging
DLP should first receive the correct definitions in order to protect our data. We need a control agent to monitor the actions of the users [5]. VSE systems scan thousands of data items on stable media, follow network traffic in real time, and monitor user actions on devices placed at the end points [2]. In the architecture developed, the DLP agent gathers the rules and protects them against unauthorized changes. In the case of receiving definition files, or of a disconnection between the server and the data transfer, the definition files must be kept at the client. The structure of the DLP client architecture developed is shown in Figure 1.
Figure 1. The structure of DLP client architecture.
In parallel with this, DLP agent violations are kept in the log and the messages related to them are sent to the DLP administration server. If the DLP administration server is out of reach, the definitions are taken into a memory cache, and when the server is reachable again the data are sent. To enforce the rules, classification of the files by the DLP agent is required in addition to the rules themselves being obeyed. As performed on the administration server (ICAP SERVER), fingerprinting and statistical content analysis of documents can also be applied to end point administration. This requires that the statistical definition files be sent to the client by the server and that the rules be obeyed. When a client without network communication is considered, since changing statistical content-analysis data may lead to misclassification, this system is not included in the client. The DLP agent can be implemented as a kernel module, since this provides data monitoring for the user, including functions like copying and transferring. Figure 2 shows the client-based kernel structure of the DLP driver in the architecture developed by us.
Figure 2. Kernel schematic of DLP driver.
3. Materials and Methods

3.1. Kernel driver application

The kernel driver developed in this study is composed of two parts: one is user land and the other is the kernel. The kernel part provides the connection to all related units of the operating system. A loadable kernel module can be integrated into the operating system at run time. The module is loaded only once, and the system call table is used for the kernel data structures of the DLP agent.

3.2. The manipulation of the System-Call-Table (SSDT Hooking)

The System Service Descriptor Table is a critical system table which is prepared during start-up of the operating system and then used by the services and the other kernel components. By modifying this table, our driver first causes a set of system functions to reach its own code locations and then allows the system to continue with its task. Our purpose in using this technique is to determine whether the request of a process operating on a document which includes sensitive data comes from the user or not, and if the document includes sensitive data, to stop the user's request before it is carried out. In recent operating systems, there are two modes in which this function can be fulfilled: user mode and kernel mode. The Intel architecture offers operating system writers four different privilege levels (ring 0-3). Of these, only two are used by the operating system (ring 0 and ring 3). Code running in user mode cannot execute certain privileged instructions, cannot read or write protected memory regions, and cannot reach the hardware directly. On the other hand, programs running in kernel mode work with full authority without being obstructed by any safety check.

3.3. Implementation

Tracing the path of the WinNT32 APIs in a program written in the C language: when a function like fprintf is called, the fprintf function in the C runtime library (msvcrt.dll) runs first.
This function calls the WriteFile API (kernel32.dll) after the necessary parameter checks and adjustments. WriteFile in turn calls the NtWriteFile function (ntdll.dll) after the required parameter adjustments. At this level, a stub in ntdll.dll makes the necessary adjustments, places the index number of the related system call in the eax register, and then executes the sysenter / syscall instruction. The role of this instruction is to switch the processor from user mode into kernel mode in a safe way. It was stated that programs running in user mode cannot reach the hardware directly; yet almost all the programs used by users run in user mode. In this case, it is the sysenter instruction which enables the user to write data to a disk or a device. When the user wants to perform a write, ntdll.dll is the last stop in user mode. At this point, it is the operating system's task to switch the processor into kernel mode, and to switch it back into user mode when the requested system call is complete. The user returns to the ntdll.dll instruction when the requested system call is finished. The value in the eax register is used as an index to find the matching address in the SSDT. The function at this address is the system call being requested. What outcomes will the manipulation of the SSDT bring? The only way to change the SSDT is to write a program which works in kernel mode. If any entry is changed and the address of our function is written in its place, all user-mode callers would execute the program we wrote. By analyzing this program's parameters, the call of the function can be controlled. If the old function from the SSDT is called from within our own function, the user will not notice anything. If the call is not allowed, our function simply returns and the user-mode program's request will not be carried out.
On the SSDT side of the client-based architecture solution implemented by us, the NtWriteFile system call is hooked. This call is a function which allows writing data to devices like a pipe or a disk file. One parameter of the call is the buffer and another is the size of the buffer. By checking the buffer, the write operation can be approved or rejected. In the VSE client-based solution, the buffer is transferred to the user-mode program, and sensitive-data-searching methods are applied over the buffer in user mode. After these techniques are applied and the decision is made, the kernel-mode driver communicates again with the user-mode component, the decision is reported, and this decision determines the outcome of the pending write operation. In the architecture developed in the study, the steps of the SSDT hook application are as below:
- Deactivating write protection
- Locating the necessary structures
- Patching the table
- Reactivating write protection
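As an added example that is not the paper's own code, the following shows the user-mode decision step of section 3.3 together with the keyword and regular-expression search described in section 5: the write buffer and its length, as handed over from the hooked NtWriteFile, are checked against definition-file entries, and the result is the approve/reject verdict reported back to the driver. The rule names, patterns and buffers are constructed sample values, and POSIX regex.h stands in for whatever matcher the authors used.

```c
/* Added example (not the paper's code): user-mode buffer check for the DLP agent.
 * A write buffer of explicit length is scanned against keyword and regular-expression
 * definitions; a match rejects the write and names the rule for the violation log.
 * All definitions and buffers are constructed sample values. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8

/* One definition-file entry: a name used in the violation log and a POSIX ERE. */
typedef struct {
    const char *name;
    const char *pattern;
    regex_t compiled;
} dlp_rule;

/* Constructed definition file: a keyword rule and a regular-expression rule. */
static dlp_rule rules[MAX_RULES] = {
    { "keyword:confidential", "[Cc]onfidential" },
    { "regex:eleven-digit-id", "[0-9]{11}" },
};
static int rule_count = 2;

/* Compile every definition once, at agent start-up. Returns 0 on success. */
int dlp_compile_rules(void) {
    for (int i = 0; i < rule_count; i++)
        if (regcomp(&rules[i].compiled, rules[i].pattern, REG_EXTENDED | REG_NOSUB))
            return -1;
    return 0;
}

/* Scan a write buffer of the given length. Returns the index of the first matching
 * rule (write rejected; the rule name is copied to `matched` for the log) or -1 when
 * nothing matches (write approved). A NUL-terminated copy is made because regexec
 * expects a C string; a real agent must scan buffers larger than the scratch area in
 * pieces rather than truncating, otherwise data past the clamp would go unchecked. */
int dlp_check_buffer(const char *buf, size_t len, char *matched, size_t matched_sz) {
    char scratch[4096];
    matched[0] = '\0';
    if (len >= sizeof scratch) len = sizeof scratch - 1;  /* clamp for this example */
    memcpy(scratch, buf, len);
    scratch[len] = '\0';
    for (int i = 0; i < rule_count; i++)
        if (regexec(&rules[i].compiled, scratch, 0, NULL, 0) == 0) {
            snprintf(matched, matched_sz, "%s", rules[i].name);
            return i;
        }
    return -1;
}
```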
4. Discussion

The DLP end point architecture controls users' data transfers and new file creation. When this control mechanism is in operation, data protection is ensured with the definition file, containing regular expressions, which is taken from the DLP server. End point protection which is not complex and does not require machine-learning techniques gives highly successful results. The statistical content-analysis method used in the DLP administration server (M-ICAP), which forms the other leg of the architecture developed, could be included in the end point protection. However, taking into consideration the problem that would arise from reaching the files in order to change them, a different protocol will be used in the transfer of the definition packages. Because the DLP structure is made up of many layers, it offers highly successful data protection. This subject, which develops continuously in the field of data protection, is open to many new approaches.

5. Conclusion

In the DLP architecture developed, the definition file is loaded by the administration server on the client side, and the DLP agent working on the client side takes the definitions. During transfer and file creation, sensitive data are searched for, according to the definitions taken, on local disks and external media. In the searching activities, the results are determined according to the words and the regular expressions available in the definition files. Regular expressions are a technique used for finding expressions with a complex, freely specifiable word order within the data. This technique also helps us find one string within another string, or change the string if we wish. Copying or transferring data for which a match is found is not allowed.

References

[1] Abbadi, I., & Alawneh, M. (2008). Preventing insider information leakage for enterprises. SECURWARE'08 (pp. 99–106).
[2] Hart, M., Manadhata, P. K., & Johnson, R. (2011). Text classification for data loss prevention. Proceedings of the 11th International Conference on Privacy Enhancing Technologies.
[3] Kurta, M. (2010). On the road towards cloud computing services. Master's Thesis. Erasmus University, Rotterdam.
[4] Mundada, Y., Ramachandran, A., Bin Tariq, M., & Feamster, N. (2011). Practical data leak prevention for legacy applications in enterprise networks. Georgia Institute of Technology College of Computing.
[5] Redwood, O. W. (2011). Apecs: A dynamic framework for preventing and mitigating theft, loss, and leakage of mission critical information in trust management networks. Master's Thesis. Florida State University College of Arts and Sciences.
[6] Rost, J., & Glass, R. L. (2011). The dark side of software engineering: Evil on computing projects. IEEE Computer Society. New Jersey, USA: John Wiley & Sons, Inc.
[7] Topaloğlu, M. (2012). Design and implementation of an architecture for data leak prevention in data containing specific meaning. Doctoral Thesis, Edirne, Türkiye.
[8] Ubois, J. (2007). Reinventing data loss prevention. The Security Report.
[9] Vercellis, C. (2009). Business intelligence: Data mining and optimization for decision making. London, UK: John Wiley & Sons, Ltd.