application-audit - Detecting Attacks That Exploit...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
Detecting Attacks That Exploit Application-Logic Errors Through Application-Level Auditing Jingyu Zhou and Giovanni Vigna Department of Computer Science University of California, Santa Barbara { jzhou, vigna } @cs.ucsb.edu Abstract Host security is achieved by securing both the operat- ing system kernel and the privileged applications that run on top of it. Application-level bugs are more frequent than kernel-level bugs, and, therefore, applications are often the means to compromise the security of a system. Detecting these attacks can be difficult, especially in the case of at- tacks that exploit application-logic errors. These attacks seldom exhibit characterizing patterns as in the case of buf- fer overflows and format string attacks. In addition, the data used by intrusion detection systems is either too low-level, as in the case of system calls, or incomplete, as in the case of syslog entries. This paper presents a technique to enforce non-bypassable, application-level auditing that does not re- quire the recompilation of legacy systems. The technique is implemented as a kernel-level component, a privileged dae- mon, and an off-line language tool. The technique uses bi- nary rewriting to instrument applications so that meaning- ful and complete audit information can be extracted. This information is then matched against application-specific signatures to detect attacks that exploit application-logic errors. The technique has been successfully applied to de- tect attacks against widely-deployed applications, including the Apache web server and the OpenSSH server. 1. Introduction The security of a host depends on both the operating sys- tem and the privileged applications that run on top of it. However, application-level vulnerabilities account for the majority of the vulnerabilities that are found and made pub- lic through mailing lists and advisories. A large number of the vulnerabilities in applications are caused by the lack of dynamic checks on input data, which makes it possible to perform buffer overflow and format string attacks. Another type of attacks are those exploiting application- logic errors. Application-logic errors happen when an ap- plication performs actions that were not originally consid- ered in the application design. For example, suppose that a privileged application is designed to read and print a spe- cific file, such as “/etc/services”. An application-logic error would allow an attacker to exploit an unexpected interac- tion with the shell environment to force the application to access (and print) a different file, such as “/etc/shadow”, re- sulting in a security compromise. The goal of Intrusion Detection Systems (IDSs) is to de- tect attacks against networks, operating systems, and appli- cations. The mainstream approaches to intrusion detection use attack signatures to identify evidence of malicious ac- tivity in an event stream. The two most common types of intrusion detection systems are network-based intrusion de-
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 02/05/2011 for the course CS 2105 taught by Professor Ana during the Fall '09 term at National University of Singapore.

Page1 / 11

application-audit - Detecting Attacks That Exploit...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online