Introducing Reference Flow Control for Detecting Intrusion Symptoms at the OS Level

  • Conference paper
  • Recent Advances in Intrusion Detection (RAID 2002)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

This paper presents a novel approach to policy-based detection of “attacks by delegation”. By exploiting unpredictable behaviour such as unknown side-effects, race conditions, buffer overflows, confused deputies, etc., these attacks aim at achieving their goals (i.e. executing some illegal operation) as legal consequences of other legitimate operations. The proposed approach enforces restrictions on whether an operation can be executed as a consequence of another, in order to detect that kind of attack. We propose a proof-of-concept application to a Unix system and show its ability to detect novel attack scenarios that seek the same intrusion goals.
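As an added illustration of the idea in the abstract (this is not code from the paper or its authors, and the paper's actual mechanism may differ), the following toy monitor records, for each operation, which earlier operation it is a consequence of, and checks the operation not only against the policy of the principal that performs it (the deputy) but against the policy of every principal in its causal ancestry. An operation that is legal for the deputy but illegal for an originating principal is reported as an intrusion symptom. The policy table, the trace and the principal names are constructed for the example.

```python
"""Toy reference-flow monitor (added illustration, not the paper's implementation).

Each operation carries the principal that executes it and the id of the
operation it is a consequence of.  An operation is checked against the policy
of every principal reachable through that "consequence of" chain, so a
privileged deputy acting on behalf of an unprivileged caller cannot make an
operation legal that the caller could not have performed directly.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Operation:
    op_id: int
    actor: str                      # principal executing the operation
    action: str                     # e.g. "exec", "write"
    target: str                     # object acted upon
    caused_by: Optional[int] = None  # op_id this operation is a consequence of


# Constructed policy (assumption): what each principal may legitimately do.
# "*" means any target.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("exec", "/bin/mail"), ("write", "/var/mail/alice")},
    "root": {("exec", "*"), ("write", "*")},
}


def permitted(principal: str, action: str, target: str) -> bool:
    """True if the principal's own policy allows this action on this target."""
    allowed = POLICY.get(principal, set())
    return (action, target) in allowed or (action, "*") in allowed


def origins(op: Operation, ops_by_id: Dict[int, Operation]) -> Set[str]:
    """Every principal in the causal chain of `op`, including its own actor."""
    chain: Set[str] = set()
    seen: Set[int] = set()
    cur: Optional[Operation] = op
    while cur is not None and cur.op_id not in seen:  # guard against cycles
        seen.add(cur.op_id)
        chain.add(cur.actor)
        cur = ops_by_id.get(cur.caused_by) if cur.caused_by is not None else None
    return chain


def detect_symptoms(trace: List[Operation]) -> List[Tuple[int, str, str, str]]:
    """Return (op_id, principal, action, target) for every operation that some
    principal in its causal ancestry would not have been allowed to perform."""
    ops_by_id = {op.op_id: op for op in trace}
    symptoms = []
    for op in trace:
        for principal in sorted(origins(op, ops_by_id)):
            if not permitted(principal, op.action, op.target):
                symptoms.append((op.op_id, principal, op.action, op.target))
    return symptoms


# Constructed trace (assumption): an unprivileged user invokes a privileged
# deputy; one of the deputy's resulting writes is outside what the user may do.
TRACE = [
    Operation(1, "alice", "exec", "/bin/mail"),                    # legitimate
    Operation(2, "root", "write", "/var/mail/alice", caused_by=1),  # legitimate consequence
    Operation(3, "root", "write", "/etc/passwd", caused_by=1),      # illegal for the originator
    Operation(4, "root", "write", "/etc/passwd"),                   # direct root action, no delegation
]

if __name__ == "__main__":
    for symptom in detect_symptoms(TRACE):
        print("intrusion symptom:", symptom)
```

Operation 3 is permitted for `root` in isolation, which is why a check against the deputy alone misses it; only tracing the operation back to `alice`, whose policy does not cover `/etc/passwd`, exposes it. Operation 4 has no delegation chain and is not flagged, which keeps the monitor from alerting on ordinary administrative activity.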

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Zimmermann, J., Mé, L., Bidan, C. (2002). Introducing Reference Flow Control for Detecting Intrusion Symptoms at the OS Level. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_16

  • DOI: https://doi.org/10.1007/3-540-36084-0_16


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive