SafeCard: A Gigabit IPS on the Network Card

  • Willem de Bruijn
  • Asia Slowinska
  • Kees van Reeuwijk
  • Tomas Hruby
  • Li Xu
  • Herbert Bos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)

Abstract

Current intrusion detection systems have a narrow scope. They target flow aggregates, reconstructed TCP streams, individual packets or application-level data fields, but no existing solution is capable of handling all of the above. Moreover, most systems that perform payload inspection on entire TCP streams are unable to handle gigabit link rates. We argue that network-based intrusion detection systems should consider all levels of abstraction in communication (packets, streams, layer-7 data units, and aggregates) if they are to handle gigabit link rates in the face of complex application-level attacks such as those that use evasion techniques or polymorphism. For this purpose, we developed a framework for network-based intrusion prevention at the network edge that is able to cope with all levels of abstraction and can be easily extended with new techniques. We validate our approach by making available a practical system, SafeCard, capable of reconstructing and scanning TCP streams at gigabit rates while preventing polymorphic buffer-overflow attacks, using (up to) layer-7 checks. Such performance makes it applicable in-line as an intrusion prevention system. SafeCard merges multiple solutions, some new and some known. We made specific contributions in the implementation of deep-packet inspection at high speeds and in detecting and filtering polymorphic buffer overflows.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Willem de Bruijn (1)
  • Asia Slowinska (1)
  • Kees van Reeuwijk (1)
  • Tomas Hruby (1)
  • Li Xu (2)
  • Herbert Bos (1)
  1. Vrije Universiteit Amsterdam
  2. Universiteit van Amsterdam