System Call API Obfuscation (Extended Abstract).
ABSTRACT: We claim that attacks can evade the comprehension of security tools that rely on knowledge of standard system call interfaces to reason about process execution behavior. Our attack, called Illusion, will invoke privileged operations in a Windows or Linux kernel at the request of user-level processes without requiring those processes to call the actual system calls corresponding to the operations. The Illusion interface will hide system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion will alter neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory.
- Source available from: psu.edu
Conference Proceeding: Information flow control for standard OS abstractions.
ABSTRACT: Decentralized Information Flow Control (DIFC) (24) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations. We present Flume, a new DIFC model and system that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume eases DIFC's use in existing applications and allows safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex Web application (MoinMoin wiki) to Flume, changing only 2% of the original code. The Flume version is roughly 30-40% slower due to overheads in our current implementation but supports additional security policies impossible without DIFC.
Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, October 14-17, 2007; 01/2007
Conference Proceeding: A fast automaton-based method for detecting anomalous program behaviors
ABSTRACT: Anomaly detection on system call sequences has become perhaps the most successful approach for detecting novel intrusions. A natural way for learning sequences is to use a finite-state automaton (FSA). However, previous research indicates that FSA-learning is computationally expensive, that it cannot be completely automated, or that the space usage of the FSA may be excessive. We present a new approach that overcomes these difficulties. Our approach builds a compact FSA in a fully automatic and efficient manner, without requiring access to source code for programs. The space requirements for the FSA are low, of the order of a few kilobytes for typical programs. The FSA uses only a constant time per system call during the learning as well as the detection period. This factor leads to low overheads for intrusion detection. Unlike many of the previous techniques, our FSA-technique can capture both short term and long term temporal relationships among system calls, and thus perform more accurate detection. This enables our approach to generalize and predict future behaviors from past behaviors. As a result, the training periods needed for our FSA based approach are shorter. Moreover, false positives are reduced without increasing the likelihood of missing attacks. This paper describes our FSA based technique and presents a comprehensive experimental evaluation of the technique.
Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P 2001); 02/2001
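The learning and detection loop in the abstract above, as an added illustration written for this page rather than the authors' implementation: each FSA state is the program-counter value from which a system call was issued, each transition is labelled with the system-call name, training replays traces to add transitions, and detection is one dictionary lookup per call. The trace format ("pc:syscall" tokens), the addresses and the traces themselves are constructed for the example and stand in for what a tracer such as strace plus a return-address capture would produce.

```python
"""Constructed example: learn a compact finite-state automaton (FSA) over
system-call traces and flag transitions never seen during training.

State  = program counter (return address) from which the syscall was issued.
Edge   = (previous state, syscall name) -> next state.
Both the trace format and the addresses below are constructed for this page.
"""
from collections import defaultdict

START = "START"

# Constructed training traces: one run of the monitored program per line,
# each token being "pc:syscall" in the order the calls were issued.
TRAINING_TRACES = [
    "0x401000:open 0x401020:read 0x401040:write 0x401060:close 0x401080:exit",
    "0x401000:open 0x401020:read 0x401020:read 0x401040:write 0x401060:close 0x401080:exit",
    "0x401000:open 0x401020:read 0x401040:write 0x401020:read 0x401040:write 0x401060:close 0x401080:exit",
]


def parse_trace(line):
    """Turn 'pc:syscall pc:syscall ...' into a list of (pc, syscall) pairs."""
    events = []
    for token in line.split():
        pc, name = token.rsplit(":", 1)
        events.append((pc, name))
    return events


def learn_fsa(traces):
    """Build the transition relation (state, syscall) -> {next states}.

    Using the pc as the state lets the model distinguish the same syscall
    issued from different program locations; this is what keeps the FSA
    compact while still capturing where in the program a call happens.
    """
    fsa = defaultdict(set)
    for line in traces:
        state = START
        for pc, name in parse_trace(line):
            fsa[(state, name)].add(pc)
            state = pc
    return fsa


def model_size(fsa):
    """Return (number of states, number of transitions) as a size check."""
    states = {START}
    transitions = 0
    for (state, _name), targets in fsa.items():
        states.add(state)
        states.update(targets)
        transitions += len(targets)
    return len(states), transitions


def detect(fsa, trace):
    """Replay a trace; return [(index, state, syscall, pc)] for each anomaly.

    Each event costs a single dictionary lookup, i.e. constant time per
    syscall.  Design choice for this example: after an anomaly the monitor
    resynchronises to the observed pc so that one unexpected call does not
    cascade into reporting every later call as anomalous.
    """
    anomalies = []
    state = START
    for i, (pc, name) in enumerate(parse_trace(trace)):
        if pc not in fsa.get((state, name), ()):
            anomalies.append((i, state, name, pc))
        state = pc
    return anomalies


if __name__ == "__main__":
    model = learn_fsa(TRAINING_TRACES)
    print("states/transitions:", model_size(model))
    # Constructed attack trace: execve issued from a stack address that no
    # training run ever issued a syscall from (injected code), after read.
    print(detect(model, "0x401000:open 0x401020:read 0x7ffd1234:execve"))
```

Two kinds of anomaly show up: a syscall name never seen from the current state (the execve above), and a known syscall issued from an unexpected location (for example, a write at 0x401040 directly after the open, skipping the read). Because states are single program counters, the model is context-insensitive: a call returning to a continuation that belongs to a different caller is still accepted if both transitions exist separately, which is the "impossible path" imprecision that the context-sensitive Dyck model described on this page is designed to remove.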
- ABSTRACT: Model-based intrusion detection compares a process's execution against a program model to detect intrusion attempts. Models constructed from static program analysis have historically traded precision for efficiency. We address this problem with our Dyck model, the first efficient statically-constructed context-sensitive model. This model specifies both the correct sequences of system calls that a program can generate and the stack changes occurring at function call sites. Experiments demonstrate that the Dyck model is an order of magnitude more precise than a context-insensitive finite state machine model. With null call squelching, a dynamic technique to bound cost, the Dyck model operates in time similar to the context-insensitive model.
12/2003