Radmin: Early Detection of Application-Level Resource Exhaustion and Starvation Attacks

Software systems are often engineered and tested for functionality under normal rather than worst-case conditions. This makes the systems vulnerable to denial of service attacks, where attackers engineer conditions that result in overconsumption of resources or starvation and stalling of execution. While the security community is well familiar with volumetric resource exhaustion attacks at the network and transport layers, application-specific attacks pose a challenging threat. In this paper, we present Radmin, a novel system for early detection of application-level resource exhaustion and starvation attacks. Radmin works directly on compiled binaries. It learns and executes multiple probabilistic finite automata from benign runs of target programs. Radmin confines the resource usage of target programs to the learned automata, and detects resource usage anomalies at their early stages. We demonstrate the effectiveness of Radmin by testing it over a variety of resource exhaustion and starvation weaknesses on commodity off-the-shelf software.

[1]  Sumit Gulwani,et al.  A Numerical Abstract Domain Based on Expression Abstraction and Max Operator with Application in Timing Analysis , 2008, CAV.

[2]  Yoram Singer,et al.  The Power of Selective Memory: Self-Bounded Learning of Prediction Suffix Trees , 2004, NIPS.

[3]  Sergei Vassilvitskii,et al.  k-means++: the advantages of careful seeding , 2007, SODA '07.

[4]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[5]  Andrew C. Myers,et al.  End-to-end availability policies and noninterference , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[6]  Dan S. Wallach,et al.  Algorithmic DoS , 2011, Encyclopedia of Cryptography and Security.

[7]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[8]  Golan Yona,et al.  Variations on probabilistic suffix trees: statistical modeling and prediction of protein families , 2001, Bioinform..

[9]  Angelos D. Keromytis,et al.  Efficient, DoS-resistant, secure key exchange for internet protocols , 2001, CCS '02.

[10]  Angelos D. Keromytis,et al.  ASSURE: automatic software self-healing using rescue points , 2009, ASPLOS.

[11]  Paulo Veríssimo,et al.  Detection and Prediction of Resource-Exhaustion Vulnerabilities , 2008, 2008 19th International Symposium on Software Reliability Engineering (ISSRE).

[12]  Gang-Ryung Uh,et al.  Analyzing Dynamic Binary Instrumentation Overhead , 2007 .

[13]  Saman Taghavi Zargar,et al.  A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[14]  Dana Ron,et al.  The power of amnesia: Learning probabilistic automata with variable memory length , 1996, Machine Learning.

[15]  Malay K. Ganai Dynamic Livelock Analysis of Multi-threaded Programs , 2012, RV.

[16]  Song Fu,et al.  Performance Metric Selection for Autonomic Anomaly Detection on Cloud Computing Systems , 2011, 2011 IEEE Global Telecommunications Conference - GLOBECOM 2011.

[17]  Richard Ford,et al.  Probabilistic suffix models for API sequence analysis of Windows XP applications , 2008, Pattern Recognit..

[18]  R. Sekar,et al.  A practical mimicry attack against powerful system-call monitors , 2008, ASIACCS '08.

[19]  Marius Minea,et al.  Formal modelling and automatic detection of resource exhaustion attacks , 2011, ASIACCS '11.

[20]  A. Nur Zincir-Heywood,et al.  Mimicry Attacks Demystified: What Can Attackers Do to Evade Detection? , 2008, 2008 Sixth Annual Conference on Privacy, Security and Trust.

[21]  Jörg Zinke System call tracing overhead , 2009 .

[22]  Jeffrey K. Hollingsworth,et al.  Data Centric Techniques for Mapping Performance Measurements , 2011, 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum.

[23]  Vitaly Shmatikov,et al.  Inputs of Coma: Static Detection of Denial-of-Service Vulnerabilities , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[24]  Sandeep S. Kulkarni,et al.  Automatic repair for multi-threaded programs with Deadlock/Livelock using maximum satisfiability , 2014, ISSTA 2014.

[25]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[26]  Daniel C. DuVarney,et al.  Model-carrying code: a practical approach for safe execution of untrusted applications , 2003, SOSP '03.