Abstract
This paper presents a novel approach to policy-based detection of “attacks by delegation”. By exploiting unpredictable behaviour such as unknown side effects, race conditions, buffer overflows, confused deputies, etc., these attacks aim to achieve their goal (executing some illegal operation) as a legal consequence of other, legitimate operations. The proposed approach enforces restrictions on whether an operation may be executed as a consequence of another, in order to detect that kind of attack. We propose a proof-of-concept application to a Unix system and show its ability to detect novel attack scenarios that seek the same intrusion goals.
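The abstract's idea can be illustrated with a small monitor that does not rely on the executing identity alone: each process carries the set of "references" (here, user names) on whose behalf it is currently acting, that set propagates along "consequence" edges (one process handling data or a request from another), and an access is flagged when the propagated set contains a reference that the policy does not permit on the target, even though a classic discretionary check on the effective uid would pass. The following Python is an added illustration, not the paper's implementation; the event model (`exec`, `flow`, `access`), the `POLICY` table, the user names, the pids and the trace are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy policy: for each (object, operation), the set of references
# (user names) on whose behalf that operation may legitimately be performed.
POLICY = {
    ("/etc/passwd", "write"): {"root"},
    ("/var/mail/alice", "write"): {"root", "alice"},
    ("/tmp/scratch", "write"): {"root", "alice", "bob"},
}


@dataclass
class Event:
    """One line of a constructed OS-level trace (hypothetical event model)."""
    kind: str                    # "exec" | "flow" | "access"
    pid: int
    user: Optional[str] = None   # exec: identity the process was started as
    src: Optional[int] = None    # flow: pid whose activity this pid now acts upon
    obj: Optional[str] = None    # access: target object
    op: Optional[str] = None     # access: operation on the object


def dac_allows(euid, obj, op):
    """What an ordinary discretionary check sees: only the executing identity."""
    return euid in POLICY.get((obj, op), set())


def run_monitor(events):
    """Replay a trace and return one alert per access whose propagated
    reference set is not entirely permitted on the target object."""
    refs = {}    # pid -> references the process currently acts on behalf of
    euid = {}    # pid -> identity a classic uid-based check would use
    alerts = []
    for ev in events:
        if ev.kind == "exec":
            refs[ev.pid] = {ev.user}
            euid[ev.pid] = ev.user
        elif ev.kind == "flow":
            # ev.pid's later operations are consequences of ev.src's activity,
            # so ev.pid inherits every reference ev.src acts on behalf of.
            refs.setdefault(ev.pid, set()).update(refs.get(ev.src, set()))
        elif ev.kind == "access":
            allowed = POLICY.get((ev.obj, ev.op), set())
            offending = refs.get(ev.pid, set()) - allowed
            if offending:
                alerts.append({
                    "pid": ev.pid, "obj": ev.obj, "op": ev.op,
                    "dac_allowed": dac_allows(euid.get(ev.pid), ev.obj, ev.op),
                    "offending_refs": sorted(offending),
                })
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return alerts


# Constructed trace: a root service (pid 100) handles requests from alice's
# process (pid 200), which later also consumes data from bob's process (pid 300).
SAMPLE_TRACE = [
    Event("exec", 100, user="root"),
    Event("exec", 200, user="alice"),
    Event("exec", 300, user="bob"),
    Event("flow", 100, src=200),                                  # service serves alice
    Event("access", 100, obj="/var/mail/alice", op="write"),      # {root, alice}: fine
    Event("access", 100, obj="/etc/passwd", op="write"),          # uid check passes, alice's ref does not
    Event("flow", 200, src=300),                                  # alice's process now acts on bob's data
    Event("flow", 100, src=200),                                  # service serves alice again
    Event("access", 100, obj="/var/mail/alice", op="write"),      # bob's ref has flowed in: alert
    Event("access", 200, obj="/tmp/scratch", op="write"),         # {alice, bob} permitted: fine
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRACE):
        print(alert)
```

The two alerts raised on the sample trace are exactly the cases a uid-based check would let through: the service writes as root, but each write is a consequence of activity on behalf of a reference (alice, then bob) that the policy does not permit on the target. A process the monitor has never seen start carries an empty reference set and is never flagged; a deployment would want to treat that as a policy gap rather than as silence.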
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Zimmermann, J., Mé, L., Bidan, C. (2002). Introducing Reference Flow Control for Detecting Intrusion Symptoms at the OS Level. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_16
DOI: https://doi.org/10.1007/3-540-36084-0_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00020-4
Online ISBN: 978-3-540-36084-1