Detecting Attacks That Exploit Application-Logic Errors Through Application-Level Auditing

Jingyu Zhou
UCSB
USA

Giovanni Vigna
UCSB
USA

Host security is achieved by securing both the operating system
kernel and the privileged applications that run on top of it.
Application-level bugs are more frequent than kernel-level bugs,
and, therefore, applications are the target of continuous attacks
that exploit these vulnerabilities to compromise the security of
a host. Detecting these attacks can be difficult, especially in the
case of attacks that exploit application-logic errors. These attacks
seldom exhibit characterizing patterns as in the case of buffer
overflows and format string attacks. In addition, the data used
by intrusion detection systems is either too low-level, as in the
case of system calls, or incomplete, as in the case of syslog entries.
This paper presents a technique to enforce non-bypassable,
application-level auditing that doesn't require the recompilation
of legacy systems. The technique is implemented as a kernel-level
component, a privileged daemon, and an off-line language
tool. The technique uses binary rewriting to instrument applications
so that meaningful and complete audit information can be
extracted. This information is then matched against application-specific
signatures to detect attacks that exploit application-logic
errors. The technique has been successfully applied to detect
several attacks against widely-deployed applications including
the Apache web server and the OpenSSH server. The performance
evaluation of a Linux-based implementation indicates that
the approach imposes less overhead than an OS-based auditing
facility.
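The abstract's central claim is that an audit trail taken at the level of application functions carries information that a system-call trace loses, and that application-specific signatures over that trail can catch logic errors. The following is an added illustration, not code from the paper or its authors: it uses a constructed audit trail from a hypothetical instrumented login service (the function names `auth_check` and `set_session_uid` and all event values are assumptions), a signature that flags privilege being granted in a process whose last authentication check did not succeed, and a projection that shows why the same sessions are indistinguishable when only the system calls are visible.

```python
"""Application-level audit events matched against an application-specific
signature. Constructed example; not code from Zhou and Vigna's paper."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuditEvent:
    pid: int
    func: str                              # instrumented application function (hypothetical name)
    args: Dict[str, object] = field(default_factory=dict)


# Constructed audit trail from a hypothetical instrumented login service.
# In the paper's design such events would be emitted by the binary-rewritten
# application; here they are written by hand for illustration.
SAMPLE_TRAIL = [
    AuditEvent(101, "auth_check", {"user": "alice", "result": "ok"}),
    AuditEvent(101, "set_session_uid", {"uid": 1000}),
    AuditEvent(102, "auth_check", {"user": "bob", "result": "fail"}),
    AuditEvent(102, "set_session_uid", {"uid": 0}),     # privilege granted after a failed check
    AuditEvent(103, "set_session_uid", {"uid": 1001}),  # privilege granted with no check at all
]


def detect_unauthenticated_privilege(events: Iterable[AuditEvent]) -> List[AuditEvent]:
    """Signature: set_session_uid in a process whose most recent auth_check
    did not succeed (or that never ran one). State is tracked per pid so
    interleaved processes do not mask one another."""
    authed: Dict[int, bool] = {}
    alerts: List[AuditEvent] = []
    for ev in events:
        if ev.func == "auth_check":
            authed[ev.pid] = ev.args.get("result") == "ok"
        elif ev.func == "set_session_uid" and not authed.get(ev.pid, False):
            alerts.append(ev)
    return alerts


def syscall_projection(events: Iterable[AuditEvent], pid: int) -> List[str]:
    """What an OS-level audit facility would see for one process: auth_check is
    pure in-process logic and emits no system call, while set_session_uid maps
    to setuid(). The legitimate and the unauthenticated session look identical."""
    names = []
    for ev in events:
        if ev.pid == pid and ev.func == "set_session_uid":
            names.append("setuid")
    return names


if __name__ == "__main__":
    for ev in detect_unauthenticated_privilege(SAMPLE_TRAIL):
        print(f"ALERT pid={ev.pid}: {ev.func}({ev.args}) without successful auth_check")
    print("syscall view, pid 101:", syscall_projection(SAMPLE_TRAIL, 101))
    print("syscall view, pid 103:", syscall_projection(SAMPLE_TRAIL, 103))
```

The signature is deliberately stateful: it is the ordering of application events within one process, not any single event, that distinguishes the legitimate session from the two faulty ones, which is exactly the kind of pattern a buffer-overflow or format-string signature does not capture.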

Keywords: Application Security -- Auditing -- Binary Instrumentation
