SBIR Phase I: Automatic Extraction and Enforcement of Application-Specific Security Policy

SBIR 第一阶段：自动提取和执行特定于应用程序的安全策略

• 批准号: 0339955
• 负责人: Tzi-cker Chiueh
• 金额: $ 10万
• 依托单位: Rether Networks Incorporated
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2004
• 资助国家: 美国
• 起止时间: 2004-01-01 至 2004-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0339955&HistoricalAwards=false
• 关键词: SBIR; Phase; Automatic; Extraction; Enforcement

This Small Business Innovation Research (SBIR) Phase I project is to develop a Program semantics-Aware Intrusion Detection (PAID) system that derives a security policy from an application's source code, and checks the application's system calls against the resulting policy at run time. Not only can this product derive these policies completely automatically, but also the resulting security policy is tailored to individual applications and thus is highly accurate. Some of the most dangerous cyber security threats are "control hijacking" attacks, which hijack the control of a victim application, and execute arbitrary system calls assuming the identity of the victim program's effective user. These types of attacks are highly perilous because commercial applications with such vulnerabilities appear to be wide spread, as shown in the rampancy of the recent SQL Slammer Worm. System call monitoring has been touted as an effective solution to "control hijacking" attacks because it could prevent remote attackers from inflicting damage upon a victim system even if they can successfully compromise applications running on the system. A weakness of this approach is how to construct accurate security policy that could minimize false positives and negatives. Although various approaches have been tried to solve this problem, none of them is satisfactory. Host-based intrusion detection based on system call monitoring, also referred to as behavioral blocking systems, is a well known tend to err on the conservative or false positive side. The tool will automatically derive accurate security policies corresponding to the system call patterns of individual applications, thus reducing both false positives and negatives to the minimum. The PAID system represents a big step in closing the gap between current behavioral blocking products and the actual needs of real world information technology (IT) systems.

这个小型企业创新研究（SBIR）第一阶段项目是开发一个程序语义感知入侵检测（PAID）系统，该系统从应用程序的源代码中导出安全策略，并在运行时检查应用程序的系统调用。 该产品不仅可以完全自动地导出这些策略，而且生成的安全策略是针对各个应用程序量身定制的，因此非常准确。 一些最危险的网络安全威胁是“控制劫持”攻击，它劫持受害者应用程序的控制权，并假设受害者程序的有效用户的身份执行任意系统调用。 这些类型的攻击是非常危险的，因为具有此类漏洞的商业应用程序似乎广泛传播，如最近的SQL Slammer蠕虫的猖獗所示。 系统调用监控一直被吹捧为“控制劫持”攻击的有效解决方案，因为它可以防止远程攻击者对受害者系统造成损害，即使他们可以成功地危害系统上运行的应用程序。 这种方法的一个弱点是如何构建准确的安全策略，可以最大限度地减少误报和漏报。 尽管已经尝试了各种方法来解决这个问题，但没有一种是令人满意的。 基于系统调用监控的基于主机的入侵检测，也被称为行为阻塞系统，是一个众所周知的倾向于保守或误报的一面。 该工具将自动导出与各个应用程序的系统调用模式相对应的准确安全策略，从而将误报和漏报减少到最低限度。PAID系统代表着在缩小当前行为阻止产品与真实的世界信息技术（IT）系统的实际需求之间的差距方面迈出的一大步。