Conference Paper

Fork Bomb Attack Mitigation by Process Resource Quarantine


Abstract

A fork bomb attack is a denial of service attack: an attacker generates many processes rapidly, exhausting the resources of the target computer system. Several previous works detect and remove the processes that cause fork bomb attacks. However, an operating system using these methods risks terminating processes that are not fork bomb processes. In this paper, we propose a new method named process resource quarantine. With the proposed method, the operating system does not terminate the detected fork bomb processes. Instead of terminating them, the operating system places resource limitations on the detected processes and inspects them periodically. We implemented the proposed method in the Linux kernel and ran several evaluation experiments. The results show that the proposed method is effective for mitigating fork bomb attacks.


... Depleting all available CPU and memory resources leads the FSW to hang or crash, forcing the satellite into a predefined recovery process. The malicious script in this scenario contains the infamous fork bomb, more formally known as the "rabbit virus" [22]. The fork bomb uses the fork system call, commonly found within a Unix-based or Linux OS. ...
Article
Full-text available
View Video Presentation: https://doi.org/10.2514/6.2022-4219.vid Satellites are essential to critical and commercial infrastructure used by governments, militaries, and industries worldwide. Satellites are prime targets for malicious cyber actors thanks to their relatively minimal defenses, the significance of their compromise, and their low barrier to entry. Due to technical limitations, satellite operators are hindered in their ability to quickly detect and respond to the presence of a cyber threat. Intrusion detection systems have demonstrated value in critical infrastructure, allowing operators to detect and prevent cyberattacks on their systems. The lack of cybersecurity resources that provide insight into adversarial attack patterns challenges the development of an intrusion detection system onboard a satellite. To overcome the lack of cybersecurity resources, we approach intrusion detection systems for satellites through the lens of penetration testing. This work begins by following the penetration testing process on a notional cube satellite to generate attack scenarios that can disrupt the satellite’s operations. We then compare the satellite attack scenarios with similar terrestrial-based attack patterns found in the MITRE ATT&CK framework and the common attack pattern enumeration and classification catalog. Through this comparison, satellite components that require malicious activity monitoring are identified and used as a medium for discussing a host-based and network-based intrusion detection system onboard a satellite. This paper concludes with the limitations of intrusion detection systems in a space-based environment.
... The second example (listing 2) shows a denial of service attack called a fork bomb, which generates many processes rapidly, thus exhausting the resources of the computer it is running on. As a result, no legitimate process can start its tasks because the malicious processes are exhausting system resources [27]. By using isolate as its sandbox environment, Judge0 can safely compile and execute arbitrary source code and even binaries that have come from an unknown source. ...
Conference Paper
Full-text available
In this paper, we present a novel, robust, scalable, and open-source online code execution system called Judge0. It features a modern modular architecture that can be deployed over an arbitrary number of computers and operating systems. We study its design, comment on the various challenges that arise in building such systems, compare it with other available online code execution systems and online judge systems, and finally comment on several scenarios how it can be used to build a wide range of applications varying from competitive programming platforms, educational and recruitment platforms, to online code editors. Though first presented now, Judge0 is in active use since October 2017 and has become a crucial part of several production systems.
... Livelocking can be avoided by a system-specified limit on the use of CSA policy for a given timeframe. Such methodology has been used effectively against other types of scheduler livelocks [NO16]. ...
Thesis
Parallel applications are essential for efficiently using the computational power of a MultiProcessor System-on-Chip (MPSoC). Unfortunately, these applications do not scale effortlessly with the number of cores because of synchronization operations that take away valuable computational time and restrict the parallelization gains. The existing solutions either restrict the application to a subset of synchronization primitives, require refactoring its source code, or both. We introduce Subutai, a hardware/software architecture designed to distribute the synchronization mechanisms over the Network-on-Chip. Subutai is comprised of novel hardware specialized in accelerating synchronization operations, a small private memory for recording events, an operating system driver, and a user space custom library that supports legacy and novel parallel applications. We target the POSIX Threads (PThreads) library as it is widely used as a synchronization library, and internally by other libraries such as OpenMP and Threading Building Blocks. We also provide extensions to Subutai intended to further accelerate parallel applications in two scenarios: (i) multiple applications running in a highly-contended scheduling scenario; (ii) removing the access serialization to condition variables in PThreads. Experimental results with four applications from the PARSEC benchmark running on a 64-core MPSoC show an average application speedup of 1.57× compared with the legacy software solutions. The same applications are further sped up by up to 5% using our proposed Critical Section-aware scheduling policy compared to a baseline Round-Robin scheduler, without any changes in the application source code.
... As suggested in [2], accurate detection is made. Once done, we took it as a base and applied the solution presented in [1]. The reason behind doing this is that, once the process name is added to the detection list, it stays there forever. ...
Article
Linux is one of the most popular and widely used operating systems in devices ranging from servers to tiny embedded gadgets. Although Linux has greatly enhanced its security in many ways, it still suffers from many attacks. A major process security issue called Fork Bomb is one of them; it is a denial of service attack in which a process continually creates copies of itself to bring the system down or crash it through resource starvation. Most of the solutions found in the literature have their own limitations, such as false positive detection and resource unavailability. To preserve one goal, availability, among the CIA (Confidentiality, Integrity and Availability) triad of information security, we propose to develop an efficient solution that handles the fork bomb in such a way that the system remains available for use by the end user.
Article
The decrease of the performance gain dictated by Moore's Law boosted the development of manycore architectures to replace single-core architectures. These new architectures must employ parallel applications and distribute their workload over a multitude of cores to reach the desired performance. Parallel applications are harder to develop than sequential ones since the developer must guarantee data integrity using synchronization primitives. While multiple novel solutions have been proposed to speed up parallel applications by handling one type of data synchronization primitive, exceptionally few works support multiple types of synchronization primitives and legacy code. This work proposes Subutai, a hardware/software co-design solution for accelerating multiple synchronization primitives without modifying the application source code. By providing a new user library while retaining an existing synchronization API, legacy and novel applications can benefit from our solution. Our experimental evaluation, which provides a POSIX Threads implementation, demonstrates that Subutai speeds up the execution of single- and multiple-application runs by up to 2.71× and 4.61×, respectively.
Conference Paper
Full-text available
Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments. In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
Article
A process overload attack is an attack on a shared computer system in which a user repeatedly forks new processes and hence makes the system unusable for others. The specific problem we address is seen in an academic environment where student programs create unintentional process overload attacks in UNIX systems by careless coding. Instead of rebooting the system or manually examining and killing the processes, our approach to dealing with these attacks was to build a process load monitoring tool to detect and kill these processes automatically. This paper focuses on what we learned about the behaviors of different fork bombs, how we classified them based on their self-replicating capabilities, and our experience with detecting, killing and cleaning these unwanted processes.
Fork Bomb Defuser (rexFBD). R. Singh
How Attackers Abuse Computing Systems