Generation of Application Level Audit Data via Library Interposition

One difficulty encountered by intrusion and misuse detection systems is a lack of application level audit data. In this paper we present a technique to automatically generate application level audit data using library interposition. Interposition allows the generation of audit data without needing to recompile either the system libraries or the application of concern. We created a library that detects some types of unsafe programming practices, and discovered two unreported race conditions in some common applications.
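The technique the abstract describes, as an added sketch that is not code from the paper: a preloaded shim wraps `access()` and `open()`, forwards each call to the real libc function, and emits an audit record when a path is opened after being checked, the check-then-use pattern behind file-access races. The `audit_*` names, the record format, and the Linux/glibc, single-threaded setting are assumptions of this example.

```c
/* Added example: audit shim for the access()/open() check-then-use pattern.
 * Interposer build (Linux/glibc assumed): cc -shared -fPIC -DAUDIT_PRELOAD shim.c -o libshim.so -ldl
 * Run an unmodified binary under it:      LD_PRELOAD=./libshim.so ./app */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_CHECKED 64
static char checked[MAX_CHECKED][256];   /* paths recently passed to access() */
static int  n_checked;                   /* not thread-safe: sketch only */
/* Remember that the application tested `path` with access(). */
void audit_note_check(const char *path) {
    if (path == NULL || *path == '\0') return;
    snprintf(checked[n_checked++ % MAX_CHECKED], sizeof checked[0], "%s", path);
}
/* Return 1 and emit an audit record if `path` is being used after an earlier
 * access() check; the window between the two calls is where a race can occur. */
int audit_note_use(const char *path) {
    if (path == NULL || *path == '\0') return 0;
    int live = n_checked < MAX_CHECKED ? n_checked : MAX_CHECKED;
    for (int i = 0; i < live; i++) {
        if (strcmp(checked[i], path) == 0) {
            fprintf(stderr, "AUDIT pid=%d access-then-open path=%s\n", (int)getpid(), path);
            checked[i][0] = '\0';          /* one record per check */
            return 1;
        }
    }
    return 0;
}

#ifdef AUDIT_PRELOAD   /* interposed libc entry points, compiled only into the shim */
int access(const char *path, int mode) {
    int (*real)(const char *, int) = (int (*)(const char *, int))dlsym(RTLD_NEXT, "access");
    audit_note_check(path);
    return real(path, mode);
}
int open(const char *path, int flags, ...) {
    int (*real)(const char *, int, ...) = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    mode_t mode = 0;
    if (flags & O_CREAT) {                 /* a mode argument is only passed with O_CREAT */
        va_list ap; va_start(ap, flags); mode = (mode_t)va_arg(ap, int); va_end(ap);
    }
    audit_note_use(path);
    return real(path, flags, mode);
}
#endif
```

Only `access()` and `open()` are wrapped here; calls that reach the kernel through other entry points such as `openat()` or `fopen()` pass through unaudited.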