Intrusion Prevention

Motivated by the work of Paul England at Microsoft Research (link to a patent), back in 1999 we thought it would be worthwhile to run programs so that their integrity is guaranteed. Our idea was to divide an executable into small batches of instructions, MAC each batch using a machine-unique key, store the MACs back into the executable, and verify the MACs at run time. First we tried embedding the MACs back into executables as watermarks, at a high hardware overhead [2], which produced one of the first software watermarking techniques; we then realized that a much simpler and more realistic scheme was possible via simple data appendices [1]. The key contribution of our work is intrusion prevention rather than detection: in our system an adversary could easily and successfully launch a buffer overrun attack against an unchecked buffer, but she would not be able to get a piece of injected code to execute in trusted mode immediately following the overrun, because she cannot compute the keyed MAC of that code without access to the machine-unique key. Thus we let bugs live in the trusted part of our system (as modern software development has proven that it is rather difficult to have bug-free functional specifications) and NOT pose an intrusion problem. Compared to existing methods such as static analysis, this approach is significantly simpler and more effective. Learn more about our system from [1,2]. The following patent application covers some of the ideas.
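The batch-MAC scheme described above, as an added simulation that is not the paper's code: HMAC-SHA256 truncated to 16 bytes stands in for the machine-unique keyed MAC, the batch size, key and "instructions" are constructed, and the batch index is bound into each tag (a detail the page does not state) so that a genuine batch cannot be replayed at a different position.

```python
import hmac
import hashlib
from typing import List

BATCH_SIZE = 16   # bytes of code per MAC'd batch (constructed size, not the paper's)
TAG_LEN = 16      # bytes of truncated tag stored per batch in the appendix


def num_batches(code: bytes) -> int:
    return (len(code) + BATCH_SIZE - 1) // BATCH_SIZE


def batch_tag(key: bytes, index: int, batch: bytes) -> bytes:
    # HMAC-SHA256 stands in for the paper's keyed MAC. The batch index is mixed
    # in so a genuine batch cannot be moved to another position and still verify.
    msg = index.to_bytes(4, "big") + batch
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def sign_executable(code: bytes, key: bytes) -> bytes:
    """Install-time step: one tag per batch, concatenated into the data appendix."""
    return b"".join(
        batch_tag(key, i, code[i * BATCH_SIZE:(i + 1) * BATCH_SIZE])
        for i in range(num_batches(code))
    )


def verify_batch(code: bytes, appendix: bytes, key: bytes, index: int) -> bool:
    """Run-time check performed before a batch may execute in trusted mode."""
    if index < 0 or index >= num_batches(code) or (index + 1) * TAG_LEN > len(appendix):
        return False  # no tag exists for this batch: refuse to run it in trusted mode
    batch = code[index * BATCH_SIZE:(index + 1) * BATCH_SIZE]
    stored = appendix[index * TAG_LEN:(index + 1) * TAG_LEN]
    return hmac.compare_digest(batch_tag(key, index, batch), stored)


def rejected_batches(code: bytes, appendix: bytes, key: bytes) -> List[int]:
    """Simulated loader: indexes of batches that fail verification and must not run."""
    return [i for i in range(num_batches(code)) if not verify_batch(code, appendix, key, i)]


if __name__ == "__main__":
    machine_key = hashlib.sha256(b"constructed machine-unique key").digest()
    program = bytes(range(48))  # constructed stand-in for 48 bytes of instructions
    appendix = sign_executable(program, machine_key)
    print("clean image, rejected batches:", rejected_batches(program, appendix, machine_key))
    # Bytes written over the second batch by an overrun carry no valid tag, because
    # producing one requires the machine key; that batch is refused at run time.
    tampered = program[:16] + b"\x90" * 16 + program[32:]
    print("tampered image, rejected batches:", rejected_batches(tampered, appendix, machine_key))
```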