10 research outputs found

    A Tamper-Resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors

    Replication and redundancy techniques rely on the assumption that a majority of components are always safe, and voting is used to resolve any ambiguities. This assumption may be unreasonable in the context of attacks and intrusions: an intruder could compromise any number of the available copies of a service, resulting in a false sense of security. Kernel-based approaches have proven to be quite effective, but they cause performance impacts if any code changes are in the critical path. In this paper, we provide an alternate user space mechanism consisting of process monitors by which such user space daemons can be unambiguously monitored without causing serious performance impacts. A framework that claims to provide such a feature must itself be tamper-resistant to attacks. We theoretically analyze and compare some relevant schemes and show their fallibility. We propose our own framework that is based on some simple principles of graph theory and well-founded concepts in topological fault tolerance, and show that it can not only unambiguously detect any such attacks on the services but is also very hard to subvert. We also present some preliminary results as a proof of concept.

    A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

    A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms, which use exploit code to self-propagate and are becoming a commonplace occurrence. Defense mechanisms exist, but the popular ones are signature-based techniques which use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in addition, there is a definite control and data flow. We propose a fast static analysis based approach which is essentially a litmus test and operates by making a distinction between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected at our organizational network. Results show that it is able to detect a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.

    Handling Failures and DOS Attacks Using Network Device Groups

    With the growing popularity of the Internet and the falling prices of network devices, it is not unusual to find multiple network devices in a computer system. Technologies such as Internet connection sharing and NAT are commonly used by end users to make network connectivity more viable. In this paper, we point out that this implicit redundancy can be used to achieve fault tolerance. It is known that network devices can be grouped to achieve failover support. However, the focus has been limited to localized factors and device failures. In the context of the Internet, security against DoS attacks also becomes an important issue. While the use of multiple network devices provides a good solution for device failure, it doesn't guarantee a good defense against DoS attacks. We show that computer systems can become tolerant to DoS attacks if some external factors are also taken into account. The main contribution of this paper is a systematic and comprehensive solution that makes a best effort to provide reliable network connectivity even when network device failures and DoS attacks occur. We have implemented and tested this technique in Linux and report our findings.

    ARCHERR: Runtime environment driven program safety

    Parameters of a program's runtime environment, such as the machine architecture and operating system, largely determine whether a vulnerability can be exploited. For example, the machine word size is an important factor in an integer overflow attack, and likewise the memory layout of a process in a buffer or heap overflow attack. In this paper, we present an analysis of the effects of a runtime environment on a language's data types. Based on this analysis, we have developed Archerr, an automated one-pass source-to-source transformer that derives appropriate architecture-dependent runtime safety error checks and inserts them in C source programs. Our approach achieves comprehensive vulnerability coverage against a wide array of program-level exploits, including integer overflows/underflows. We demonstrate the efficacy of our technique on versions of C programs with known vulnerabilities, such as Sendmail. We have benchmarked our technique and the results show that it is in general less expensive than other well-known runtime techniques, and at the same time requires no extensions to the C programming language. Additional benefits include the ability to gracefully handle arbitrary pointer usage, aliasing, and typecasting.

    A Target-Centric Formal Model For Insider Threat and More

    The diversity of cyber threats has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis: all possible atomic user actions are represented as states, and sequences which lead to the violation of a specified safety property are extracted to indicate possible exploits. While attack graphs are relevant in the context of network-level attacks, they are ill-equipped to address complex threats such as insider attacks. The difficulty mainly lies in the fact that adversaries belonging to this threat class use familiarity with and access to their computational environment to discover new ways of launching stealthy, damaging attacks. In this paper, we propose a new target-centric model to address this class of security problems and explain the modeling methodology with specific examples. Finally, we perform quantified vulnerability analyses and prove worst-case complexity results on our model.