AngeL: a tool to disarm computer systems

Danilo Bruschi, Emilia Rosti
Dipartimento di Scienze dell'Informazione
Università degli Studi di Milano
Via Comelico 39, 20135 Milano - Italy
E-mail: bruschi, [email protected]

ABSTRACT

In this paper we present a tool designed to intercept attacks at the host where they are launched so as to block them before they reach their targets. The tool works both for attacks targeted on the local host and on hosts connected to the network. In the current implementation it can detect and block more than 70 attacks as reported in the literature.

The tool is based on the idea of improving the overall security of the Internet by connecting disarmed systems, i.e., hosts that cannot launch attacks against other hosts. Such a strategy was presented in [4]. Here we present an extended version of the tool that has been engineered to consider a wide variety of attacks and to run on various releases of the Linux kernel, and the experience learned in building such a tool. A protection mechanism of the tool itself that prevents its removal is also implemented. Experimental results on the impact of the tool on system performance show that the overhead introduced by the tool is negligible from the user's perspective; thus it is not expected to be a hindrance to the successful deployment of the tool.

Keywords: Computer and network security, defense, offense, disarm, attack, monitor

NSPW'01, September 10-13, 2001, Cloudcroft, New Mexico, USA. Copyright 2002 ACM 1-58113-457-6/01/0009...$5.00.

1. INTRODUCTION

In [4] a new approach to computer security, and system protection in particular, was proposed based on the following remarks. In a networked environment, any host can suddenly, possibly involuntarily, become an attacker, that is, a threat for the entire community (usually as a consequence of a compromise it was the victim of). This is particularly true of unattended hosts connected to the network, such as those of non-professional users. Intruders' life would be more difficult if they could not exploit such hosts to attack their targets. Furthermore, there are attacks, such as IP spoofing, that can be more easily and more successfully blocked at the source than at their target, even if sophisticated heuristics are adopted. By defining an adequate characterization of such attacks in terms of their signatures, as in signature-based intrusion detection, it could be possible to detect and block them before they leave their origination point.

Moving from the above observations, the authors suggested an alternative approach to system security that builds on "harmless components". Reducing the threat of virtually any network host turning into a source of attack should be a parallel thread to the classical protection-oriented one. Recent DDoS attacks have shown that the mere size of an attack, i.e., the number of attacking hosts, is a critical factor in computer security incidents, possibly even more than the "quality" of the attack itself. In a network where no, or just a few, hosts are a threat, global security results from individual harmlessness. Preventing systems from doing any harm, i.e., disarming the systems by turning off their offending capabilities, is a way to improve security. Offending capabilities should be turned off both at host level, so as to prevent local exploitation of the host, i.e., compromising the host, and at network level, so as to prevent an offensive use of the host against other machines. Since it reverses the perspective of intrusion detection, the authors' approach is suggested to be called "extrusion" detection and response, as it aims at detecting and acting against outgoing attacks rather than incoming ones [13].

A tool that intercepts all network packets and drops those that it recognizes as typical of a set of attacks it "knows", as they are generated on the machine where the tool is installed, would limit the offensive capabilities of the networked computer running such a tool. Attackers that were to seize that host and use it as a base for their attacks would be significantly limited. Furthermore, such an approach would be interesting for organizations such as large universities or corporations that would not like to see their reputation damaged by being the source of an attack. Moving from protection of one's reputation to liability, from a legal point of view a tool that disarms a computer could protect the owner of that computer from liability in case the machine were subverted and attacks successfully launched from it (1). In fact, the system expected to be running such a tool is the (personal) computer of non-professional users, with little if any maintenance, especially for what concerns security, who are interested in a transparent solution that allows them to connect a safe machine to the network. Potential limitations of some system functionalities deriving from the adoption of the tool, e.g., the impossibility to run some network tests, are expected to have a negligible impact on the average user, who is either not able or not allowed to take any advantage of them.

(1) This could be particularly interesting in countries, such as Italy, where the law holds the owner of a computer liable for whatever action is taken from that computer, regardless of it being compromised or not, unless the owner can show that all "reasonable preventive measures" were taken to protect the machine.

A prototype of the tool that was able to detect a small number of network attacks, based on attack signatures, was implemented to verify the viability of the proposed approach [3]. Since the prototype implementation was successful, we describe here the full scale version of the tool, which has been extended to include also local attacks, not considered in [3]. A more extensive and sophisticated knowledge base of attack signatures, including local ones, is bundled in the tool, which is able to identify more than 70 attacks, both at network level and at host level. A mechanism to harden the protection of the tool itself, so as to make its removal more difficult, has been added. A preliminary set of experimental results on the impact of the tool on system performance shows that the overhead introduced by the tool is negligible from the user's perspective. Therefore, the issue of performance is not expected to be a hindrance to the successful deployment of the tool.

Other factors that may hinder the success of the tool, such as the economic one, both as for the deployment, maintenance and update of such a tool, or the technical one, such as the impossibility of using mobile IP or the difficulty to tell a harmful behavior from a legitimate one, thus taking punitive measures against possibly innocent users, were investigated in [4].

The current implementation of the tool, called AngeL, is based on the most recent version of the Linux kernel (hence the capital L in the name). It is implemented as a loadable kernel module comprising two distinct modules. The host-based module is the new one and handles local attacks, i.e., attacks performed by an authorized account against the host where the tool has been installed in order to gain higher privileges. The network-based module is a refined version of the one present in the prototype and handles attacks aimed at other hosts on the network.

This paper is organized as follows. Section 2 discusses related work. In Section 3 we describe the module handling attacks targeted on the local host and in Section 4 the module handling attacks targeted on networked hosts. Techniques adopted to make the tool "tamper-resistant" are discussed in Section 5. Preliminary experimental results on the use of this module by a small community of users are reported in Section 6. They are very encouraging and indicate that the current stable version of such a tool should be considered as a basic component in the design of security architectures.

2. RELATED WORK

In this section we compare the proposed tool with existing solutions that exhibit a certain degree of similarity and discuss the differences. A wealth of literature exists on intrusion detection and prevention; nothing exists on "extrusion" detection, except for [4] and the present paper. However, approaches similar to the one adopted in the host module have been investigated in the literature. In [14], an intrusion prevention/detection system based on system call pattern analysis is described. A specification language based on regular expressions for events is defined that allows to characterize a program based on the normal/abnormal sequence of system calls it makes, taking into consideration also their arguments. At run time, an interception mechanism captures each system call and efficiently matches the current pattern against the one defined, possibly taking actions against the process if necessary. The system presented in [14] is more general than the AngeL host module, where only a critical fraction of system calls is considered. Like AngeL, it shows that system protection by system call interception and analysis is a viable and efficient way to enforce system security, as the overall overhead on process execution time is never greater than 5%. It could be interesting to investigate how well the pattern matching algorithm proposed in [14] could perform on the signature analysis in the AngeL network module.

Generic Software Wrappers is another system based on system call interception [10] by means of wrappers. It includes a wrapper definition language that allows to define generic wrappers for all possible system calls and a wrapper support subsystem implemented as a loadable kernel module, like AngeL, which is also password protected. Unlike AngeL, where the host module is activated upon each instance of the selected system calls, a wrapper is activated when the activation criteria defined by the user for that wrapper are verified. Although this may gain in terms of efficiency and lower overhead, it may reduce the effectiveness of the system itself if the activation criteria are not comprehensive enough to consider all relevant cases. Another key difference is that GSW is meant for systems with a sensible administrator who would be in charge of installing it and defining the wrappers needed. AngeL is meant to be installed automatically as part of the operating system with minimum if any knowledge of its presence by the user.

A different approach to prevent attacks aimed at increasing privileges by sending a piece of code to be executed on the victim system is presented in [8]. The source code, be it C or shell code, is examined and the presence of typical attack code features is identified. A neural network is trained to perform the analysis with fairly good results in terms of false alarm rate. It can then be applied to scan all the download traffic of a system in order to detect remote attack code before it is installed or executed on the system.

The STAT methodology [15], based on defining attack scenarios that abstract from the system-specific details of attack signatures, could be an interesting alternative to the plain attack signatures used in AngeL. Note that both STAT and AngeL follow the misuse approach to intrusion detection, although the high level description of attack scenarios in STAT allows to represent only those steps in an intrusion that are critical for the effectiveness of the attack. AngeL uses, on the contrary, low level attack signatures for efficiency and simplicity reasons. However, abstracting away from specific details allows to identify variations of attacks that may otherwise go unnoticed, thus reducing the impact of updating the signature base of the system. Due to its behavior, i.e., it is always invoked upon certain conditions, such as specific system call execution and network packet transmission, AngeL is often compared to a reference monitor [1, 12]. However, the similarity is more from a functional point of view: AngeL cannot be proved to work correctly, since it relies upon heuristics; it is not small, since it is bundled with the attack signature set; it is not complete, as the signature set needs regular updates; and it is only as tamper-proof as possible. Under this respect, AngeL behavior is closer to that of a personal firewall, although by being a kernel patch, AngeL offers stronger resistance to tampering, transparency to the user, who is not required to define any security level or turn on/off any security feature explicitly, but no protection against incoming attacks, since AngeL's aim is to prevent outgoing attacks.

3. THE MODULE FOR HOST TARGETED ATTACKS

Attacks targeted on the local host are performed by authorized internal users in order to augment their privileges on the system where they have an account, or by external users that have gained access to a local account by guessing the password or breaking the authentication procedure, in order to gain root privileges. As reported by the CSI-FBI report [7], this is the most popular type of attack used to compromise computer systems, and more than 50% of the computer security attacks in the USA were performed by insiders.

In order to build the new module to handle local attacks, which was not present in the original prototype, we analyzed different kinds of host-based attacks (see Appendix 1) and concluded that they can be classified into two different species: attacks aimed at gaining higher privileges, in the large majority based on the buffer overflow technique, and attacks whose scope is to consume a resource of the local host, e.g., the X server or main memory, so as to achieve a denial of service. Attacks such as those aimed at having a process misbehave by passing it bad data are not considered, as semantic analysis of process arguments is beyond the scope of this paper. We now illustrate each of the two species in detail.

3.1 Higher Privilege Attacks

The most common attack used to gain higher privileges on a system is the buffer overflow. Therefore, we examine it here as the first case we implemented in the host targeted attack module in AngeL. Furthermore, in the current release we only consider the buffer overflow attacks where a program receives on the command line, as the argument of an option, a string containing the binary code of a program executing the execve("/bin/sh") system call, or equivalent ones, instead of a regular input parameter. We will refer to such a code as shell code in the rest of the paper. Some examples of shell codes we have considered are given in Figure 1.

Figure 1: Examples of shell codes.

/* Aleph One's shell code for execve("/bin/sh"); */
\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

/* This shell code exploits cxterm5.1-p11.
 * It works on RH5.2-RH6.0, Slackware 3.6.
 * Shell code is injected via the DISPLAY variable */
\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

/* setregid and generic shell code for slirp[v1.0.10(RELEASE)] */
\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

/* spawns a shell from a program executing chroot() */
\xeb\x4f\x31\xc0\x31\xc9\x5e\x88\x46\x07\xb0\x27\x8d\x5e\x08\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x08\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff/bin/sh

Other types of buffer overflows, where the shell code is injected as input data at run time, are not considered in the current release of the tool and will be included in future ones. Because the vast majority of local buffer overflows use the type illustrated before, we started with the most popular type and decided to leave the less popular one for future releases of AngeL. The technique adopted by AngeL to handle buffer overflow attacks is based on a wrapper for the execve() system call, since in the attacks considered here the shell code reaches the vulnerable program through the arguments or the environment of an execve() call. Thus, in any system where AngeL has been installed, a call to execve() is intercepted by the tool and its parameters carefully analyzed in order to verify if malicious code is hidden in them. AngeL first examines the execution environment of the new process that should execute after completing the execve() system call. The values of environment variables (2), such as $HOME or $TERM, are checked to see if they contain an executable shell code or a suspicious character, e.g., "/". Such a step is implemented as an exhaustive search over all the environment variables for the set of shell codes collected in the tool knowledge base. If this check yields a negative result, i.e., none of the environment variables hides any of the shell codes known to the tool, AngeL starts the analysis of the properties of the program whose execution is invoked via execve(). The main properties of such a program are gathered by calling the stat() system call, which provides the information regarding the privileges of the new process, i.e., whether it will be setuid or setgid to root. If this is the case, our analysis continues by checking the parameters that will be passed to the program to see whether there is some known shell code. If this check too yields a negative result, the new process is finally spawned; otherwise the executing program is terminated and a message logged for the superuser. Note that in this case a drastic action is taken, which may damage the innocent user whose process is being exploited. Less drastic actions could be taken, such as preventing the execution of the offending code while letting the original program proceed. Refinements such as this will be taken into consideration for future releases of AngeL. The same applies in case of hostile packets being intercepted by the network module.

The execve() wrapper execution is fairly overhead prone, as will appear in Section 6, because the search for shell codes is lengthy and computationally heavy. Some improvements are possible by implementing optimized string matching algorithms, which is part of future releases.

(2) The use of environment variables to insert the shell code in the vulnerable program has appeared in some cases of buffer overflow exploits.

3.2 Local DoS

If the malicious user is unable to perform an attack aimed at gaining higher privileges, or he/she is simply not interested in gaining control of the host and a nuisance action is sufficient, a simple way to damage the system is to reduce its availability to the point of making it useless or extremely slow, by consuming one or more of its resources. The easiest technique to achieve such a goal is to launch a local DoS attack. The most popular attacks of this type are the fork bombing, aimed at exhausting the number of processes in the system, and the malloc bombing, aimed at consuming the dynamic memory area (i.e., the heap) of a process. In order to block these attacks, we adopted the following strategy. The fork(), vfork(), clone() system calls for the fork bombing attack and the brk() system call for the malloc bombing attack are protected by wrappers.

When any of the mentioned system calls is executed, the corresponding wrapper is executed instead, which verifies the current use of the resource by the calling process together with the rate of use in the last time interval. If one of these parameters is greater than a threshold value, the potentially hogging process is terminated. The critical factor in this strategy is obviously the identification of the correct threshold values and time interval. The time interval is set to one second, which strikes a good balance between too short an interval, which would not allow to observe a trend, and a too long one, which would on the contrary emphasize even small differences.

After an extensive tuning phase, we have defined a set of threshold values, which are the default values. For this reason, the default values implement a fairly restricted environment. In order to make the tool as transparent as possible to non-professional users or users with limited system administration knowledge, the threshold values of the parameters cannot be modified at run time. However, since the tool could also be installed on systems with experienced administrators who could be willing to tune the parameters to their configurations, they can still change the parameters by modifying the tool source code. The system admits at most 100 processes in execution per user via the compiler directive

#define MAX_FORKS_PER_USER 100

with a maximum forking rate of 50 processes per second via the compiler directive

#define MAX_FORKS_PER_SECOND 50.

As for the memory allocation, the system accepts up to 500,000 malloc requests per second via the compiler directive

#define MAX_BRK_PER_JIFFIE 5000

where a JIFFIE is one hundredth of a second, for a total maximum memory allocation of 20MB, via the directive

#define MAX_BRK_DIMENSION 20000000.

As a special case of local DoS, we illustrate the local X server attack. In this case, the X server is forced to behave as a CPU hog when it receives a control packet that specifies a negative value for the XC-QUERY-SECURITY-1 parameter at a 20 byte offset from the interested field. The X server takes such a value and starts decrementing it until it reaches 0, without checking the initial value. Thus, by setting XC-QUERY-SECURITY-1 to a negative value, e.g., -1, the whole range of first the negative and then the positive 32 bit integers is spanned before the variable reaches 0. Because the variable is a long, i.e., a double word integer, the operation takes some time (in the order of minutes) during which the server does not respond to any request whatsoever.

4. THE MODULE FOR NETWORK TARGETED ATTACKS

This module is developed to be integrated with the personal firewall capability of Linux, i.e., the netfilter tool. With netfilter, a user can customize actions that some filters will apply to the packets of various protocols. Different "hooks", i.e., points where the filters can be inserted in the netfilter skeleton, are defined for each network protocol, for which a user can specify a set of rules he wants the protocol to apply to the packet. AngeL modules are connected to the NF_IP_LOCAL_OUT hook, i.e., the hook that netfilter provides for IP packets generated by the local host, which sees every outgoing packet before it is routed and handed to the data link layer protocols.

In the development of our module, we divided the attacks targeted on network services in two broad categories: attacks that exploit network and transport layer protocol vulnerabilities (such as SYN flood for TCP or SMURF for ICMP [5, 11]), and those that exploit application layer protocol vulnerabilities, such as the PHF attack on HTTP.

4.1 Network and transport layer attacks

The network and transport layer module handles the UDP, TCP, ICMP, and IP protocols. From our perspective, the attacks on such protocols are characterized either by the need to remember previous behavior in order to detect a malicious intent, or by the possibility to detect the malicious intent by inspecting the single packet. The former case is the most demanding for the module from a performance point of view, as it requires to maintain, and examine, previous states of the protocols and the packets.

Attacks such as IP spoofing, SMURF, LAND [6] are examples of attacks that can be recognized by simple packet header inspection. As an example, in order to detect a packet with a spoofed source address that is about to leave the host it is sufficient to compare the packet IP source address with all the IP addresses of the network interfaces of the host. Similar strategies can be adopted for other attacks of this kind.

With respect to the HTTP protocol, we started by considering attacks that are performed by forcing the server to execute various commands. These attacks too are detected by payload inspection. They are characterized by the fact that they hide command execution requests in "GET" or "POST" requests. The AngeL module looks for command execution requests in the packets leaving the host for port 80. Based on this strategy, the module blocks the following attacks: PHF hacking, IIS arbitrary command execution, Infosearch arbitrary command execution, Alibaba arbitrary command execution, Amlite vulnerability and BizDB vulnerability.

5. ON THE DIFFICULTY OF REMOVING ANGEL

The construction of tools such as AngeL always raises controversial issues regarding the possibility to easily bypass them and their update. In particular,

software modules intended to protect a system can be removed or bypassed in various ways by intruders who have gained control of the system, e.g., by means of a root compromise, thus making such a protection ineffective; AngeL, being a software module, is not immune to this drawback;

updating the signature database used by all types of filter modules to detect attacks is particularly difficult and critical, especially if the database is bundled in the code, and periodical update is necessary to maintain the effectiveness of the filter; AngeL's attack signature database is bundled in the code.

A l t h o u g h t h e s e issues m a y seem different, t h e y axe related, as we will explain in w h a t follows. O n e of t h e i m p l e m e n t a t i o n choices we faced d u r i n g t h e d e v e l o p m e n t of AngeL, was between s t a t i c kernel m o d u l e a n d loadable kernel module. In t h e first ease, t h e m o d u l e is loaded t o g e t h e r w i t h t h e kernel at b o o t t i m e as opposed t o t h e second case where t h e m o d u l e is loaded after t h e b o o t p h a s e completes as p a r t of t h e executing kernel. I n t h e f o r m e r case, a n i n t r u d e r who gains s u p e r u s e r privileges o n a m a c h i n e executing Ang e l c a n remove it only b y d o w n l o a d i n g on t h e m a c h i n e a copy of t h e kernel w i t h o u t A n g e L a n d r e b o o t i n g t h e m a chine w i t h t h e new kernel. T h i s s o l u t i o n provides a good security level, as good as it is possible w i t h software modules, a s s u m i n g t h a t a r e b o o t o p e r a t i o n would n o t go u n n o ticed. However, u p d a t i n g t h e s i g n a t u r e d a t a b a s e becomes a very serious problem because a n y d a t a b a s e u p d a t e would require t h e re-compilation of t h e kernel, a critical a n d t i m e cons,,m~,~g operation.

Attac2~s such as S y n F l o o d a n d X s H o K are examples of attacks t h a t require t h a t t h e m o d u l e m a i n t a i n variables describing t h e h i s t o r y of t h e b e h a v i o r o[ t h e host w i t h respect to some critical p a r a m e t e r s . As a n example, in order to prev e n t a host to flood a r e m o t e Xserver w i t h false requests, a t a b l e addressed by t h e d e s t i n a t i o n I F address = a n d t h e user id, uid, is m a i n t a i n e d . E a c h t a b l e e n t r y contains t h e n u m b e r of connections established b y t h a t u l d t o t h e Xserver of systern z. If such a value exceeds a given t h r e s h o l d value, uid is disabled from opening f u r t h e r connections t o t h e )[server o n z.

4.2 Application layer attacks T h e c u r r e n t release of AngeL considers t h e following application layer protocols: H T T P , F T P , S e n d m a i l a n d Telnet. T h e attacks considered for t h e Telnet a n d F T P protocols are r e m o t e buffer overflows of some i m p l e m e n t a t i o n s of t h e servers for t h e s e services. T h e s e attacks are d e t e c t e d a n d blocked by i n s p e c t i n g t h e packet payload in outgoing packsts t o p o r t s 21 a n d 23, respectively, looking for shell codes such as t h o s e described in Section 3.1.

O n t h e o t h e r h a n d , by i m p l e m e n t i n g A n g e L as a loadable module, we simplify t h e u p d a t e p r o b l e m significantly. I n ord e r t o u p d a t e t h e s i g n a t u r e d a t a b a s e we only need to compile t h e new version, remove t h e older one using t h e r==od s y s t e m utility a n d replace it w i t h t h e new m o d u l e using t h e l n m o d s y s t e m utility. Unfortunately, w i t h this solution, it would b e very easy for a n i n t r u d e r to remove t h e m o d u l e from t h e kernel.

The optimal solution would be the one that gives the same security level of a static kernel module with the flexibility of a loadable kernel module. Using some features of Linux, we were able to implement the optimal solution. AngeL is configured as a loadable kernel module. In the loading phase a password is associated with it, i.e., it is loaded with the instruction

    insmod angel password=****

The password is encrypted using MD5 and stored in a kernel area. An AngeL device (/dev/angel) is also created, on which no read operation is defined; only the write operation is possible. In order to remove the module, the module password must be written on the AngeL device /dev/angel. The write operation on such a device verifies whether the newly written password is equal to the original one, whose MD5 is maintained in kernel memory. If this is the case, a flag is set that enables the module removal; otherwise, the only way to remove the module would be to download on the disk a new boot file, and reboot the system as if the module were a static kernel module.

Although a system reboot is an operation which does not usually go unnoticed, it is difficult for an "average" end-user, i.e., a user with little system administration skills, to notice the difference between the malicious boot and the usual boot. Furthermore, in order to make the operation less noticeable, the intruder may wait for a "natural" boot to occur, i.e., wait for the system to reboot because of some unrecoverable problem rather than force a reboot. It depends on the type of system how frequent such an event is, and hence whether the intruder is willing to wait or not. Unfortunately, while we can work on improving the protection measures to prevent our module from being removed from the system, there is not much that can be done to prevent the system from being reinstalled completely. The only viable solution in this case would be a hardware implementation of the module. This is the only way a disarmed system could not be rearmed.

6. EXPERIMENTAL EVALUATION

In this section we describe the results of a set of experiments aimed at investigating the impact of AngeL on system performance. The hardware platform used for the experimental evaluation is a PC with a 133 MHz Pentium and 64 MB RAM running Linux Slackware 7.0, 2.4.2 kernel. We performed two sets of tests, one for each module of the tool. In order to measure the overhead of the local attacks module, we ran some kernel programs that only execute the wrapped system calls. Table 1 shows the average number of fork() and execve() system calls per second that can be issued in the absence of the module (rightmost column), with the module (central column), and with full checks on environment variables (leftmost column). The numbers reported in the table are the average over 20,000 runs. As the very small values of the coefficient of variation indicate, the measurements are fairly stable. As the table shows, checking all the environment variables in case of execve() reduces the maximum throughput, in terms of completed system calls per second, by about 13%. If only the call parameters are checked, a negligible reduction of 2.5% in the throughput is observed. Unfortunately, with the increasing popularity of format bugs, checking environment variables is becoming more and more important. Although a 12.6% reduction in throughput is not negligible, the execve() system call is not invoked continuously, so the impact is not so serious.

Table 1: Average number of system calls completed per second for the execve() and fork() system calls without the module (rightmost column) and with the module (central column). In the case of the execve() system call, the leftmost column gives the results with the module checking all environment variables. The value in parentheses is the coefficient of variation. (Cells as legible in the scan; one execve() cell and the column layout could not be recovered.)

    execve()   82.171 (0.015)   72.953 (0.009)   [illegible cell]
    fork()     31.189 (0.02)    30.286 (0.02)    -2.8%

Table 2 illustrates the results of the measurements taken for the network module, on the native system and with the module, under hostile traffic. The metric in this case is the average number of packets per second the system can send under the various scenarios. The numbers reported in the table are the average over 39,000 packets. In this case too, very small values of the coefficient of variation are obtained. As the table shows, the largest impact is on http traffic, as the worst case is considered for matching all strings to be checked. However, since the outgoing traffic is significantly less than the incoming one, a throughput reduction in the range of 7% to 15% does not affect the performance as perceived by the user.

Table 2: Average number of packets per second for various application layer protocols without and with the module, under different types of traffic. Coefficients of variation are given in parentheses.

    traffic           w/o AngeL        w/ AngeL         variation
    http              869.7 (0.009)    739.5 (0.006)    -15%
    ftp/lpd/telnet    220.9 (0.01)     203.2 (0.006)    -7.7%
    sendmail          1195.5 (0.01)    1110 (0.009)     -7.1%
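The header checks and the per-destination history table of Section 4.1, as an added user-space simulation written for this page (not AngeL's kernel code): the interface addresses, ports, uids and the threshold of eight connections are constructed values, and the NF_IP_LOCAL_OUT hook is only imitated by calling the check on each outgoing packet.

```c
/* Added example, not AngeL's code: a user-space simulation of the
 * outgoing-packet checks of Section 4.1. Interface addresses, ports, uids
 * and the threshold are constructed sample values. */
#include <stdint.h>
#include <string.h>

enum verdict { ACCEPT = 0, DROP_SPOOFED_SRC, DROP_LAND, DROP_XSERVER_FLOOD };

/* IPv4 addresses in host byte order; uid owns the sending socket;
 * syn is 1 when the TCP segment opens a connection. */
struct out_pkt { uint32_t src, dst; uint16_t sport, dport; uint32_t uid; int syn; };

/* Constructed: addresses configured on the host's network interfaces. */
static const uint32_t local_addrs[] = { 0x7f000001u, 0xc0a80105u };
#define N_LOCAL (sizeof local_addrs / sizeof local_addrs[0])

/* History table for X server (port 6000) connections, keyed by
 * (destination, uid) as the text describes; small and fixed-size here. */
#define X_PORT 6000
#define X_LIMIT 8               /* constructed threshold */
#define MAX_ENTRIES 64
static struct { uint32_t dst, uid; unsigned count; } xtab[MAX_ENTRIES];
static unsigned xtab_used;

static int source_is_local(uint32_t src) {
    for (size_t i = 0; i < N_LOCAL; i++)
        if (local_addrs[i] == src) return 1;
    return 0;
}

/* Counter for (dst, uid); NULL when the table is full (caller fails closed). */
static unsigned *x_counter(uint32_t dst, uint32_t uid) {
    for (unsigned i = 0; i < xtab_used; i++)
        if (xtab[i].dst == dst && xtab[i].uid == uid) return &xtab[i].count;
    if (xtab_used == MAX_ENTRIES) return NULL;
    xtab[xtab_used].dst = dst; xtab[xtab_used].uid = uid; xtab[xtab_used].count = 0;
    return &xtab[xtab_used++].count;
}

/* The check applied to every packet leaving the host (the NF_IP_LOCAL_OUT point). */
enum verdict angel_check_out(const struct out_pkt *p) {
    /* Stateless header checks: spoofed source, then LAND (src == dst, sport == dport). */
    if (!source_is_local(p->src)) return DROP_SPOOFED_SRC;
    if (p->src == p->dst && p->sport == p->dport) return DROP_LAND;
    /* Stateful check: count connection openings per (X server, uid). */
    if (p->dport == X_PORT && p->syn) {
        unsigned *c = x_counter(p->dst, p->uid);
        if (c == NULL || ++*c > X_LIMIT) return DROP_XSERVER_FLOOD;
    }
    return ACCEPT;
}

void angel_reset_state(void) { xtab_used = 0; memset(xtab, 0, sizeof xtab); }

/* Submit the same packet n times; returns how many were accepted. */
int angel_count_accepted(const struct out_pkt *p, int n) {
    int acc = 0;
    for (int i = 0; i < n; i++) acc += (angel_check_out(p) == ACCEPT);
    return acc;
}
```

In the kernel the same fields are read from the sk_buff handed to the hook, and the history table must be bounded and aged, which is the per-packet cost the text calls the most demanding part of the module.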

7. CONCLUSIONS

In this paper we have described a tool that disarms computers by intercepting hostile traffic carrying attacks at networked hosts and blocking it, and by blocking local attacks such as local DoS and buffer overflows. The tool is publicly available under the GNU Copyleft License. It can be downloaded at the following URL: http://www.laasr.dsi.unimi.it/AngeL. The current version was developed under the kernel 2.4.x and runs also for versions 2.2.18 and following.

Acknowledgments

The authors are grateful to Carla Marceau, who excellently presented the paper on their behalf, to Bob Blakley, whose note keeping efforts were this time even more important, and to Aldo Scaccabarozzi and Paolo Perego, who patiently collected attack exploits and implemented them into AngeL modules.


8. REFERENCES

[1] Anderson J., "Computer security technology planning study," U.S. Air Force Electronic Systems Division Technical Report 73-51, October 1972.
[2] Bandel D., "Linux Security Toolkit," IDG Books, 2000.
[3] Bruschi D., Cavallaro L., Rosti E., "Less harm, less worry or how to improve network security by bounding system offensiveness," Proceedings of ACSAC '00, 16th Annual Computer Security Applications Conference, New Orleans, pp 188-195, 2000.
[4] Bruschi D., Rosti E., "Disarming offense to facilitate defense," Proceedings of the New Security Paradigms Workshop 2000, Ireland, pp 69-75, Sept. 2000.
[5] CERT-CC, "TCP SYN flooding attacks and IP Spoofing attacks," CERT Advisory CA-96.21, http://www.cert.org, 1996-98.
[6] CERT-CC, "IP Denial of service attacks," CERT Advisory CA-97.28, http://www.cert.org, 1997-98.
[7] Computer Security Institute, http://www.gocsi.com/prele&.00321.htm.
[8] Cunningham R., PAsser A., "Detecting source code of attacks that increase privilege," presented at RAID 2000, available at http://www.raidsymposium.org/raid2000/Materials/Abstracts/53/53.pdf
[9] Erlingsson U., Schneider F.B., "IRM Enforcement of Java Stack Inspection," Proceedings of the IEEE Symposium on Security and Privacy, pp 246-255, May 2000.
[10] Fraser T., Badger L., Feldman M., "Hardening COTS software with generic software wrappers," Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
[11] Huegen C., "The latest in denial of service attacks: smurfing. Description and information to minimize effects," http://users.quadrunner.com/chuegen/smurf.cgi, last update Feb. 2000.
[12] Lampson B., "Protection," republished in Proc. of the 5th Princeton Symposium, Operating System Review, Vol 8, No 1, pp 18-24, Jan. 1974.
[13] McHugh J., et al., Discussion at NSPW 2001, 2001.
[14] Sekar R., Uppuluri P., "Synthesizing fast intrusion prevention/detection systems from high-level specifications," Proceedings of the Usenix Security Symposium, pp , 1999.
[15] Vigna G., Eckmann S., Kemmerer R., "The STAT tool suite," Proceedings of DISCEX 2000, 2000.

APPENDIX A. ATTACK REFERENCES

The following list is just a partial list of the attacks handled by the tool, based on the cve.mitre.com database. Only the reference number is provided for the sake of space.