A tamper-resistant framework for unambiguous detection of attacks in user space using process monitors

Replication and redundancy techniques assume that a majority of components is always uncompromised, with voting used to resolve any disagreement between copies. In the presence of attacks and intrusions that assumption may not hold: an intruder who compromises enough of the available copies of a service controls the vote, leaving a false sense of security. Kernel-based approaches have proven quite effective, but they impose a performance cost whenever their code sits in a critical path. We present an alternative, user-space mechanism consisting of process monitors by which such user-space daemons can be monitored unambiguously, without serious performance impact. Any framework claiming to provide such monitoring must itself be tamper-resistant. We theoretically analyze and compare some relevant schemes and show where they can be subverted. We then propose our own framework, based on simple principles of graph theory and well-founded concepts from topological fault tolerance, and show that it not only unambiguously detects such attacks on the monitored services but is also very hard to subvert. We also present some preliminary results as a proof of concept.
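The abstract does not specify the monitoring topology, so the following is an added illustration (written for this page, not code from the paper or its authors) of the graph-theoretic argument it gestures at. It assumes a directed chordal-ring arrangement of monitors, in which monitor i watches monitors (i+1) mod n and (i+chord) mod n, and it assumes that a compromised monitor stops reporting honestly so that any honest monitor watching it raises an alarm. Under those assumptions the example shows why a single honest watcher suffices for unambiguous detection (no voting), why an attacker must own every monitor to stay silent when the watch graph is strongly connected, and how an unwatched monitor (the failure mode a practitioner should check for) breaks that guarantee. The majority-vote baseline at the end is the replication scheme the abstract contrasts against.

```python
"""Mutual-monitoring topology demo.

Added illustration, not the paper's code. Assumptions (not from the abstract):
  * monitors form a directed chordal ring: monitor i watches
    monitors (i+1) mod n and (i+chord) mod n;
  * a compromised monitor stops reporting honestly, and every honest monitor
    that watches it notices (missing heartbeat or failed integrity check).
"""
from itertools import combinations


def chordal_ring(n, chord=2):
    """Directed watch graph: node -> set of nodes it monitors."""
    if not (0 < chord < n):
        raise ValueError("chord must be between 1 and n-1")
    return {i: {(i + 1) % n, (i + chord) % n} for i in range(n)}


def watchers_of(graph, node):
    """Who can raise an alarm for *node*: its in-neighbours in the watch graph."""
    return {w for w, targets in graph.items() if node in targets}


def unwatched(graph):
    """Monitors nobody watches. Any such node can be compromised silently,
    so a deployment check should require this to be empty."""
    return {node for node in graph if not watchers_of(graph, node)}


def alarms(graph, compromised):
    """Honest monitors that watch at least one compromised node.
    A non-empty result is an unambiguous detection: no vote is needed."""
    bad = set(compromised)
    return {w for w in graph if w not in bad and graph[w] & bad}


def evades_detection(graph, compromised):
    """True if the attacker can own *compromised* without any alarm."""
    return not alarms(graph, compromised)


def min_silent_compromise(graph):
    """Smallest non-empty set of monitors an attacker must own to stay silent.
    Brute force over subsets; fine for the small demo sizes used here.
    For a strongly connected watch graph the answer is the whole set."""
    nodes = sorted(graph)
    for k in range(1, len(nodes) + 1):
        for subset in combinations(nodes, k):
            if evades_detection(graph, subset):
                return k
    return len(nodes)  # the full set is always silent


def majority_vote_silent(copies, compromised):
    """Replication baseline: voting among *copies* replicas is fooled silently
    once the attacker owns a strict majority; nobody outside the vote notices."""
    return compromised > copies // 2


if __name__ == "__main__":
    ring = chordal_ring(6, chord=2)
    print("unwatched monitors:", unwatched(ring))          # set()
    print("alarms if monitor 0 is owned:", alarms(ring, {0}))
    print("monitors needed for a silent attack:", min_silent_compromise(ring))
    chain = {0: {1}, 1: {2}, 2: set()}                      # constructed bad topology
    print("chain: unwatched", unwatched(chain),
          "silent compromise size", min_silent_compromise(chain))
    print("3-copy vote, 2 owned, silent:", majority_vote_silent(3, 2))
```

The contrast to take away: in the ring, owning two of six monitors is still caught by the honest monitors that watch them, whereas in three-way replication owning two of three copies wins the vote with no alarm at all. The `unwatched` check is the one to run on any real deployment of such a scheme; a monitor with no watchers is the weak point an attacker would go after first.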
