SafeCard: A Gigabit IPS on the Network Card

Current intrusion detection systems have a narrow scope. They target flow aggregates, reconstructed TCP streams, individual packets or application-level data fields, but no existing solution is capable of handling all of the above. Moreover, most systems that perform payload inspection on entire TCP streams are unable to handle gigabit link rates. We argue that network-based intrusion detection systems should consider all levels of abstraction in communication (packets, streams, layer-7 data units, and aggregates) if they are to handle gigabit link rates in the face of complex application-level attacks such as those that use evasion techniques or polymorphism. For this purpose, we developed a framework for network-based intrusion prevention at the network edge that is able to cope with all levels of abstraction and can be easily extended with new techniques. We validate our approach by making available a practical system, SafeCard, capable of reconstructing and scanning TCP streams at gigabit rates while preventing polymorphic buffer-overflow attacks, using (up to) layer-7 checks. Such performance makes it applicable in-line as an intrusion prevention system. SafeCard merges multiple solutions, some new and some known. We made specific contributions in the implementation of deep-packet inspection at high speeds and in detecting and filtering polymorphic buffer overflows.

[1]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[2]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[3]  Christopher Krügel,et al.  Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks , 2006, NDSS.

[4]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[5]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[6]  Christopher Krügel,et al.  Polymorphic Worm Detection Using Structural Information of Executables , 2005, RAID.

[7]  George Varghese,et al.  Automated Worm Fingerprinting , 2004, OSDI.

[8]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[9]  W. de Bruijn,et al.  Scalable network monitors for high-speed links: a bottom-up approach , 2004, 2004 IEEE International Workshop on IP Operations and Management.

[10]  Herbert Bos,et al.  FPL-3: Towards Language Support for Distributed Packet Processing , 2005, NETWORKING.

[11]  S. Seshu,et al.  Introduction to the theory of finite-state machines , 1963 .

[12]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[13]  David Watson,et al.  Transport and application protocol scrubbing , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[14]  James Newsom,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Network and Distributed System Security Symposium Conference Proceedings : 2005 , 2005 .

[15]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[16]  Angelos D. Keromytis,et al.  Implementing a distributed firewall , 2000, CCS.

[17]  Zhenkai Liang,et al.  Fast and automated generation of attack signatures: a basis for building self-protecting servers , 2005, CCS '05.

[18]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[19]  David H. Ackley,et al.  Randomized instruction set emulation , 2005, TSEC.

[20]  Herbert Bos,et al.  FFPF: Fairly Fast Packet Filters , 2004, OSDI.

[21]  Ville Laurikari,et al.  NFAs with tagged transitions, their conversion to deterministic automata and application to regular expressions , 2000, Proceedings Seventh International Symposium on String Processing and Information Retrieval. SPIRE 2000.

[22]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[23]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[24]  Herbert Bos,et al.  Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card , 2005, RAID.

[25]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[26]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[27]  Thomas Henry Ptacek,et al.  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[28]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[29]  Wenke Lee,et al.  A hardware platform for network intrusion detection and prevention , 2005 .

[30]  James Newsome,et al.  Polygraph: automatically generating signatures for polymorphic worms , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[31]  Alfred V. Aho,et al.  Foundations of Computer Science , 1979, Lecture Notes in Computer Science.

[32]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[33]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[34]  Eugene H. Spafford,et al.  Using embedded sensors for detecting network attacks , 2000 .