Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Need help. Proof of concept 100% security.
From: "Joyce, MP (Matthew) " <M.P.Joyce () rl ac uk>
Date: Mon, 18 Aug 2003 10:15:19 +0100

Some issues for these types of systems:

EFC has to build the behavioural model for each application. For simple
applications, it may be possible to build the behavioural model in a test
environment, then use that model in production. However complex applications
will have behaviour that may be very difficult to capture easily in a test
environment, unless the test environment is very *very* complete. Therefore
there may be some building of the behaviour model in a production
environment. While this is happening, EFC cannot protect the application
completely as it has no full model yet, but the application may be under
attack as this is a production environment. So there is the risk of
successful attacks forming part of the behavioural model.

Every time a new version is released into production, a new model has to be
built or the current model modified by aging old behaviours and allowing
admins to flag deviant behaviour as permissible. So for complex
applications, the training time may be long, or may require plenty of
administrative input to mark false positives as permissible.  and rememnber
there's no protection while the model is being built.

I built a similar system for Windows apps in '99. It easily captured simple
behaviours (e.g. winhlp32 or notepad) and with some more effort captured
more complex behaviours. But big apps such as IIS were constantly generating
new sequences of system calls and it looks like the learning phase was going
to be longer than the time between patches to IIS, meaning the system would
constantly be in learning mode.

Also you only capture the behaviour used during training. If the sysadmin
decided one day to use a feature that's never been used before, it generates
many false positives as the behavioural model doesn't recognise the system
calls sequences. So the system has to go back into learning mode until the
new behaviour is learnt, inhibting the protection.

So some problems still to be solved. But as part of a multi-variable IDS or
IDP system, these systems will have a part to play.

I would add to the model learning about what files were accessed in which
directories, under Windows what registry entries were accessed and how, what
ports were used and & what IPs were communicated with. So record particular
parameters used with the syscalls, not just the syscalls themselves. That
would form a fuller picture of how the app behaved and would reduce the
false positives from only looking at the system calls.

Matt
-----Original Message-----
From: Balwinder Singh [mailto:balwinder () gmx net] 
Sent: 18 August 2003 16:25
To: bugtraq () securityfocus com
Subject: Need help. Proof of concept 100% security.


Hi All,

I have developed an application, which I believe can provide 100% security
against various attacks.I can hear people laughing. Hmm.. The applications
is called Execution Flow Control (EFC). Details of software can be found at
http://203.197.88.14/efc

Now the help part:
I have put up a site at http://203.197.88.14 which is protected by EFC. It
is unpatched RH7.0 system with 2.4.20 kernel, no firewall, no IDS. All holes
in the kernel and programs are intentionally kept. It is put up there for
people to attack and try to get into the system. Gaining root to system is
not enough as another level of protection unfolds when one has become root.
There have been 1000+ attacks but no one could get even a normal user. This
is first release and there got to be bugs in the system. The fact that so
far no one could get into the system, is creating all kinds of complications
in me (nervous, sad, bad ...). Machine is up for past one month and I still
have a weeks internet time. Can you help me by providing your expert
guidance on this software project. Can you help me by breaking into the
system and then letting me know how can I improve the software. The paper at
http://203.197.88.14/efc gives introduction only. detailes and most recent
documentation will be made available as soon as I finish making it (The job
is in the pipeline). I know about systrace, but have never used it.
----------------------------------------------------------------------


Brief Introduction of EFC
-------------------------

1. Kernel runs in kernel space, which cannot be modified by user space
programs. Each request from program ends up calling a routine in kernel
space called syscall. Lets call syscall with arguments just syscalls

Each program will make a defind set of syscalls to achieve its objective.
Now idea is to watch syscalls that a program is supposed to make during its
run time. A database which describes the syscalls that a program can make is
called behavior model of the program. Lets assume we can generate a behavior
model which perfectly describes an application. Now any deviation from
behavior model of program essentially indicates an intrusion at real time.
Thus a corrective action can be taken. This makes kernel intelligent which
knows which program should do what, rather than a slave of program in which
any program can ask anything and kernel will provide it.


REGARDS

Balwinder

---------------------------------------------------------------------
We do not allow postman to bedroom but kernel does.
---------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault