Protecting Against Unexpected System Calls

This paper proposes a comprehensive set of techniques which limit the scope of remote code injection attacks. These techniques prevent any injected code from making system calls and thus restrict the capabilities of an attacker. In defending against the traditional ways of harming a system these techniques significantly raise the bar for compromising the host system forcing the attack code to take extraordinary steps that may be impractical in the context of a remote code injection attack. There are two main aspects to our approach. The first is to embed semantic information into executables identifying the locations of legitimate system call instructions; system calls from other locations are treated as intrusions. The modifications we propose are transparent to user level processes that do not wish to use them (so that, for example, it is still possible to run unmodified third-party software), and add more security at minimal cost for those binaries that have the special information present. The second is to back this up using a variety of techniques, including a novel approach to encoding system call traps into the OS kernel, in order to deter mimicry attacks. Experiments indicate that our approach is effective against a wide variety of code injection attacks.

[1]  Christopher Krügel,et al.  On the Detection of Anomalous System Call Arguments , 2003, ESORICS.

[2]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[4]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[5]  Karl Pettis,et al.  Profile guided code positioning , 1990, PLDI '90.

[6]  Jesse C. Rabek,et al.  Detection of injected, dynamically generated, and obfuscated malicious code , 2003, WORM '03.

[7]  Saumya K. Debray,et al.  On the complexity of flow-sensitive dataflow analyses , 2000, POPL '00.

[8]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[9]  John R. White,et al.  Linkers and Loaders , 1972, CSUR.

[10]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[11]  Somesh Jha,et al.  Buffer overrun detection using linear programming and static analysis , 2003, CCS '03.

[12]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[13]  Frederick B. Cohen,et al.  Operating system protection through program evolution , 1993, Comput. Secur..

[14]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[15]  Richard D. Schlichting,et al.  Signed system calls and hidden fingerprints , 2004 .

[16]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[17]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[18]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[19]  Daniel C. DuVarney,et al.  SELF: a transparent security extension for ELF binaries , 2003, NSPW '03.

[20]  Matti A. Hiltunen,et al.  Authenticated system calls , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[21]  Massimo Bernaschi,et al.  Operating system enhancements to prevent the misuse of system calls , 2000, CCS.

[22]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[23]  Dawn Song,et al.  Mitigating buffer overflows by operating system randomization , 2002 .

[24]  Gregory Wroblewski,et al.  General Method of Program Code Obfuscation , 2002 .

[25]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[26]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[27]  Christian S. Collberg,et al.  SLINKY: Static Linking Reloaded , 2005, USENIX Annual Technical Conference, General Track.

[28]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[29]  Gregory R. Andrews,et al.  PLTO: A Link-Time Optimizer for the Intel IA-32 Architecture , 2007 .

[30]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[31]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[32]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[33]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[34]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[35]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.