Detecting attacks that exploit application-logic errors through application-level auditing

Host security is achieved by securing both the operating system kernel and the privileged applications that run on top of it. Application-level bugs are more frequent than kernel-level bugs, and, therefore, applications are often the means to compromise the security of a system. Detecting these attacks can be difficult, especially in the case of attacks that exploit application-logic errors. These attacks seldom exhibit characterizing patterns as in the case of buffer overflows and format string attacks. In addition, the data used by intrusion detection systems is either too low-level, as in the case of system calls, or incomplete, as in the case of syslog entries. This paper presents a technique to enforce nonbypassable, application-level auditing that does not require the recompilation of legacy systems. The technique is implemented as a kernel-level component, a privileged daemon, and an offline language tool. The technique uses binary rewriting to instrument applications so that meaningful and complete audit information can be extracted. This information is then matched against application-specific signatures to detect attacks that exploit application-logic errors. The technique has been successfully applied to detect attacks against widely-deployed applications, including the Apache Web server and the OpenSSH server.
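The abstract describes a pipeline: instrument the application so that calls into its own functions, with their arguments and results, become audit records, then match those records against an application-specific signature that encodes what a logic error looks like. The following is an added illustration, not code from the paper or from its tools; it stands in for the binary-rewriting step with runtime function wrapping, and for the kernel component and privileged daemon with an in-memory log. The toy application, its request identifiers, the `authorize`/`read_private` functions, the credentials and the `fast_path` logic error are all constructed for the example.

```python
"""Added example: application-level audit events from an instrumented toy
application, matched against an application-specific signature.
Not the paper's code; wrapping stands in for binary rewriting."""
import functools
from dataclasses import dataclass
from typing import Any, Callable, Optional


# ---- audit collection (stand-in for the paper's kernel component + daemon) ----

@dataclass(frozen=True)
class AuditEvent:
    ctx: str      # request identifier; assumed to be the first argument of each call
    func: str     # name of the instrumented function
    args: tuple   # positional arguments observed at call time (ctx excluded)
    result: Any   # value the function returned


class AuditLog:
    """In-memory audit channel. In the paper the records leave the process so
    that code running inside it cannot suppress them; here we only collect."""
    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    def record(self, event: AuditEvent) -> None:
        self.events.append(event)


def audited(log: AuditLog, ctx_arg: int = 0) -> Callable:
    """Wrap a function so that every call emits an AuditEvent carrying its
    arguments and return value (assumption: the request id is argument ctx_arg)."""
    def decorate(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            log.record(AuditEvent(ctx=args[ctx_arg], func=fn.__name__,
                                  args=args[ctx_arg + 1:], result=result))
            return result
        return wrapper
    return decorate


# ---- application-specific signature -----------------------------------------

class UnauthorizedPrivilegedOp:
    """Signature: a privileged operation observed in a request context in which
    no authorization check returned True beforehand. A per-context state
    machine fed one event at a time, so ordering within a context matters."""
    def __init__(self, auth_func: str, privileged: set[str]) -> None:
        self.auth_func = auth_func
        self.privileged = privileged
        self.authorized: set[str] = set()

    def feed(self, ev: AuditEvent) -> Optional[str]:
        if ev.func == self.auth_func and ev.result is True:
            self.authorized.add(ev.ctx)
            return None
        if ev.func in self.privileged and ev.ctx not in self.authorized:
            return f"{ev.ctx}: {ev.func}{ev.args} without prior authorization"
        return None


def scan(log: AuditLog, signature: UnauthorizedPrivilegedOp) -> list[str]:
    """Replay the audit log through the signature and collect its alerts."""
    return [a for ev in log.events if (a := signature.feed(ev)) is not None]


# ---- constructed toy application with a logic error --------------------------

LOG = AuditLog()
USERS = {"alice": "s3cret"}   # constructed credentials for the toy app


@audited(LOG)
def authorize(ctx: str, user: str, password: str) -> bool:
    return USERS.get(user) == password


@audited(LOG)
def read_private(ctx: str, user: str) -> str:
    return f"private data of {user}"


def handle_request(ctx: str, user: str, password: str, fast_path: bool = False) -> str:
    # Constructed logic error: the fast path was meant for already-verified
    # sessions, but nothing ties it to a prior check, so authorize() is skipped.
    if not fast_path and not authorize(ctx, user, password):
        return "denied"
    return read_private(ctx, user)


def run_demo() -> list[str]:
    """Drive three requests through the instrumented app and scan the log."""
    LOG.events.clear()
    handle_request("req-1", "alice", "s3cret")             # authorized, no alert
    handle_request("req-2", "alice", "wrong")              # denied, no privileged op
    handle_request("req-3", "guest", "", fast_path=True)   # logic error path
    sig = UnauthorizedPrivilegedOp(auth_func="authorize", privileged={"read_private"})
    return scan(LOG, sig)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

Only the third request produces an alert: its audit trail contains a `read_private` record with no preceding successful `authorize` record in the same context, which is exactly the kind of pattern a system-call trace cannot express (every request issues the same reads and writes) and a syslog line would only show if the application happened to log it. The signature state is keyed by request context so that authorization in one request never covers a privileged operation in another.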
