A Host Intrusion Prevention System for Windows Operating Systems

We propose an intrusion prevention system, WHIPS, that controls entirely in kernel mode the invocation of the system calls that are critical for the security of the Windows OS. WHIPS is implemented as a kernel driver (also called a kernel module) that relies on existing kernel structures of the Windows OS; it is integrated without requiring changes to either the kernel data structures or the kernel algorithms. WHIPS is also transparent to application processes, which continue to work correctly without source code changes or recompilation. A working prototype has been implemented as a kernel extension and is applicable to all operating systems of the Windows NT family, e.g. Windows 2000/XP/2003. The first contribution of WHIPS is to apply the system call interposition technique to the Windows OS, which is not open source. Applying this technique to Windows is not straightforward, because the kernel structures are hidden from the developer and the kernel documentation is poor.
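As an added illustration (not WHIPS's own code, and not Windows kernel code), the following C program models in user mode the system call interposition technique the abstract describes: an array of function pointers stands in for the kernel's system service dispatch table, and installing WHIPS-style hooks means saving each original entry and replacing it with a wrapper that consults a policy before forwarding to the saved entry. The service names, the per-process rules, the pids and the "critical" classification are constructed for the example; a real driver would operate on the NT kernel's own structures and return an NTSTATUS such as STATUS_ACCESS_DENIED where this model returns -1.

```c
/* User-mode model of kernel-mode system call interposition.
 * Added example, not WHIPS code: the dispatch table, services, pids and
 * policy rules below are constructed for illustration only. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_ARGS 4
#define DENIED (-1L)   /* stands in for STATUS_ACCESS_DENIED */

typedef long (*service_fn)(const long args[MAX_ARGS]);

enum service_id { SVC_OPEN_FILE, SVC_WRITE_FILE, SVC_CREATE_PROCESS, SVC_COUNT };

/* Stand-ins for the kernel's real service routines. */
static long svc_open_file(const long a[])      { return 100 + a[0]; } /* a handle */
static long svc_write_file(const long a[])     { return a[1]; }       /* bytes written */
static long svc_create_process(const long a[]) { return 200 + a[0]; } /* a new pid */

/* Model of the system service table: service number -> handler. */
static service_fn service_table[SVC_COUNT] = {
    svc_open_file, svc_write_file, svc_create_process
};
/* Original entries saved at hook time so the wrapper can forward and
 * so the driver can restore the table on unload. */
static service_fn saved_table[SVC_COUNT];
static bool hooks_installed = false;

/* Services the policy treats as critical: callers without an explicit
 * allow rule are denied. Non-critical services are allowed unless an
 * explicit rule forbids them. */
static const bool critical[SVC_COUNT] = { false, false, true };

struct rule { int pid; enum service_id svc; bool allow; };
static const struct rule rules[] = {            /* constructed policy */
    { 4, SVC_CREATE_PROCESS, true  },           /* pid 4 may spawn processes */
    { 9, SVC_WRITE_FILE,     false },           /* pid 9 may never write files */
};

static int current_pid = 0;                     /* models PsGetCurrentProcessId() */
static unsigned long denied_count = 0;          /* audit counter for the hook */

static bool policy_allows(int pid, enum service_id svc) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].pid == pid && rules[i].svc == svc)
            return rules[i].allow;
    return !critical[svc];
}

/* The interposition point: check the policy, then forward to the saved
 * original handler. Denials never reach the real service. */
static long interpose(enum service_id svc, const long a[]) {
    if (!policy_allows(current_pid, svc)) {
        denied_count++;
        return DENIED;
    }
    return saved_table[svc](a);
}
/* One wrapper per service, because table entries share one signature. */
static long hook_open_file(const long a[])      { return interpose(SVC_OPEN_FILE, a); }
static long hook_write_file(const long a[])     { return interpose(SVC_WRITE_FILE, a); }
static long hook_create_process(const long a[]) { return interpose(SVC_CREATE_PROCESS, a); }

/* Driver load: swap table entries for wrappers, keeping the originals. */
void whips_install(void) {
    static const service_fn hooks[SVC_COUNT] = {
        hook_open_file, hook_write_file, hook_create_process
    };
    if (hooks_installed) return;
    for (int i = 0; i < SVC_COUNT; i++) {
        saved_table[i] = service_table[i];
        service_table[i] = hooks[i];
    }
    hooks_installed = true;
}

/* Driver unload: restore the original table, leaving the kernel untouched. */
void whips_uninstall(void) {
    if (!hooks_installed) return;
    for (int i = 0; i < SVC_COUNT; i++)
        service_table[i] = saved_table[i];
    hooks_installed = false;
}

/* Models the system service dispatcher. It is unchanged by the hook:
 * interposition happens purely through the table contents, which is what
 * lets applications run unmodified. */
long system_call(int pid, int svc, long a0, long a1) {
    long args[MAX_ARGS] = { a0, a1, 0, 0 };
    if (svc < 0 || svc >= SVC_COUNT) return DENIED;
    current_pid = pid;
    return service_table[svc](args);
}

unsigned long whips_denied_count(void) { return denied_count; }

int main(void) {
    printf("before hook, pid 7 CreateProcess -> %ld\n", system_call(7, SVC_CREATE_PROCESS, 5, 0));
    whips_install();
    printf("after hook,  pid 7 CreateProcess -> %ld (denied)\n", system_call(7, SVC_CREATE_PROCESS, 5, 0));
    printf("after hook,  pid 4 CreateProcess -> %ld (allowed by rule)\n", system_call(4, SVC_CREATE_PROCESS, 5, 0));
    printf("after hook,  pid 9 WriteFile     -> %ld (forbidden by rule)\n", system_call(9, SVC_WRITE_FILE, 0, 42));
    whips_uninstall();
    printf("after unload, pid 7 CreateProcess -> %ld\n", system_call(7, SVC_CREATE_PROCESS, 5, 0));
    printf("denied calls: %lu\n", whips_denied_count());
    return 0;
}
```

The point the model makes concrete is the one the abstract claims for WHIPS: the dispatcher and the service routines are untouched, only table entries change, so the mechanism needs no kernel algorithm changes and no application recompilation. In a real driver the equivalent of `saved_table` must be kept so the hooks can be removed on unload, and the table write itself must be done atomically with respect to concurrent dispatch, which this single-threaded model does not show.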
