Building up on SIDAN: improved and new invariants for a software hardening Frama-C plugin

We present improvements made to SIDAN, an intrusion detection system that operates at the software level. SIDAN works by statically computing invariant properties of the target program and then generating instrumentation that checks those properties at runtime in order to detect attacks. More precisely, it focuses on invariants over the values of program variables and checks them at function call sites. We present improvements to the invariants SIDAN already uses and propose new ones as well. We also describe how these have been implemented in SIDAN on top of the Frama-C framework, and how they could improve its attack detection capabilities.
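The pattern the abstract describes, shown as an added example in C (SIDAN targets C programs through Frama-C). This is constructed here and is not code from the paper or from the SIDAN plugin: the target program (`open_resource`, `do_open`, the `MODE_*` constants) is hypothetical, and the invariants written in the comments are assumed to be what the static analysis step would have established. The runtime side then consists of three checks (a value range, a finite value set, and a relation between two variables) inserted as a guard immediately before the call, with a violation counter playing the role of the detector's alert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not SIDAN's generated code. The invariants quoted in
 * the comments are ASSUMED to come from the static analysis step; here they
 * are written by hand so the runtime side can be shown end to end. */

static int sidan_alerts = 0;                 /* violations detected so far */

int sidan_alert_count(void) { return sidan_alerts; }

static void sidan_report(const char *site, const char *what) {
    sidan_alerts++;
    fprintf(stderr, "SIDAN: invariant violated at %s: %s\n", site, what);
}

/* Range invariant: lo <= v <= hi. */
static bool chk_range(const char *site, long v, long lo, long hi) {
    if (v < lo || v > hi) { sidan_report(site, "value out of range"); return false; }
    return true;
}

/* Value-set invariant: v equals one of n known constants. */
static bool chk_set(const char *site, long v, const long *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == v) return true;
    sidan_report(site, "value not in allowed set");
    return false;
}

/* Relational invariant between two variables: a <= b. */
static bool chk_le(const char *site, long a, long b) {
    if (a > b) { sidan_report(site, "relation a <= b broken"); return false; }
    return true;
}

/* ---- target program (hypothetical) ---- */
enum { MODE_READ = 1, MODE_WRITE = 2, MODE_ADMIN = 4 };

/* The callee whose arguments the caller's locals feed. */
static int do_open(int mode, size_t len, size_t cap) {
    (void)len; (void)cap;
    return mode;
}

/* The caller's locals as they stand right before the call to do_open().
 * Assumed analysis results: mode in {MODE_READ, MODE_WRITE}; 1 <= cap <= 4096;
 * len <= cap. A non-control-data corruption of any of them breaks one of
 * these without changing the control flow, which is what the guard catches. */
struct open_site {
    int mode;
    size_t len;
    size_t cap;
};

/* Guard inserted immediately before the call: returns the number of violated
 * invariants, 0 meaning the call may proceed. */
int sidan_guard_do_open(const struct open_site *s) {
    static const long modes[] = { MODE_READ, MODE_WRITE };
    int bad = 0;
    if (!chk_set("open_resource:do_open/mode", s->mode, modes, 2)) bad++;
    if (!chk_range("open_resource:do_open/cap", (long)s->cap, 1, 4096)) bad++;
    if (!chk_le("open_resource:do_open/len<=cap", (long)s->len, (long)s->cap)) bad++;
    return bad;
}

/* Convenience wrapper: evaluate the guard on an explicit variable state
 * (lets a state that looks like corrupted memory be fed to the check). */
int sidan_guard_state(int mode, size_t len, size_t cap) {
    struct open_site s = { mode, len, cap };
    return sidan_guard_do_open(&s);
}

/* Instrumented caller: the original computation, then the guard, then the
 * call. Returns -1 when SIDAN refuses the call. */
int open_resource(unsigned flags, size_t len, size_t cap) {
    struct open_site s;
    s.mode = (flags & 1u) ? MODE_READ : MODE_WRITE;
    s.cap = cap == 0 ? 1 : (cap > 4096 ? 4096 : cap);
    s.len = len > s.cap ? s.cap : len;
    if (sidan_guard_do_open(&s) != 0)
        return -1;
    return do_open(s.mode, s.len, s.cap);
}

int main(void) {
    printf("normal call -> %d\n", open_resource(1, 10, 100));
    printf("inconsistent state -> %d violations\n",
           sidan_guard_state(MODE_ADMIN, 500, 100));
    return 0;
}
```

The point of splitting the guard from the caller is that the checks only read the variables the analysis reasoned about; the instrumentation does not need to know how the variables were corrupted, only that their values at the call site fall outside what every legitimate execution path allows.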
