Abstract
We propose an intrusion prevention system called WHIPS that controls, entirely in kernel mode, the invocation of the system calls that are critical for Windows OS security. WHIPS is implemented as a kernel driver (also called a kernel module) using kernel structures of the Windows OS. It is integrated without requiring changes to either the kernel data structures or the kernel algorithms. WHIPS is also transparent to application processes, which continue to work correctly without source code changes or recompilation. A working prototype has been implemented as a kernel extension and is applicable to all Windows NT family OSs, e.g. Windows 2000/XP/2003. The first contribution of WHIPS is to apply the system call interposition technique to the Windows OS, which is not open source. Applying this technique to Windows is not straightforward, partly because the Windows kernel structures are hidden from the developer and, furthermore, its kernel documentation is poor.
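The system-call interposition the abstract describes, as an added example that is not the paper's code: a user-mode Python simulation in which a service table indexed by call number (the role the Windows system service table plays) has its entries for two critical calls swapped for wrappers that consult a policy before the original handler runs and audit the decision afterwards. The service numbers, the status constants, the two policy rules, the process descriptors and the SIDs other than the well-known LocalSystem, NetworkService and Administrators values are constructed for this example; a real driver would work on kernel structures, not on a Python dict.

```python
"""Simulated system-call interposition in the spirit of WHIPS (added example,
not the paper's code). A service table maps call numbers to handlers; the
interposer replaces selected entries with wrappers that enforce a policy.
All numbers, statuses, rules and processes below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed status values standing in for NTSTATUS codes.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Well-known SIDs: LocalSystem and the built-in Administrators group.
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-32-544"}
# Constructed: network-facing service images that have no business spawning shells.
CONFINED_IMAGES = {"inetinfo.exe", "svchost.exe"}


@dataclass
class Process:
    pid: int
    image: str   # image file name of the calling process
    sid: str     # SID of the caller's primary token owner


# Stand-ins for the original kernel service routines.
def nt_create_file(proc: Process, path: str, access: str) -> int:
    return STATUS_SUCCESS


def nt_create_process(proc: Process, image: str) -> int:
    return STATUS_SUCCESS


# Constructed service numbers; the real numbers differ per Windows release.
SERVICE_TABLE: Dict[int, Callable[..., int]] = {0x20: nt_create_file, 0x2F: nt_create_process}
SERVICE_NAMES = {0x20: "NtCreateFile", 0x2F: "NtCreateProcess"}


@dataclass
class Rule:
    syscall: str
    description: str
    denies: Callable[[Process, tuple], bool]   # True -> block the call


def _unprivileged_system32_write(proc: Process, args: tuple) -> bool:
    path, access = args
    return (path.lower().startswith("\\systemroot\\system32\\")
            and "w" in access and proc.sid not in PRIVILEGED_SIDS)


def _confined_service_spawns_shell(proc: Process, args: tuple) -> bool:
    (image,) = args
    return proc.image.lower() in CONFINED_IMAGES and image.lower().endswith("cmd.exe")


RULES = [
    Rule("NtCreateFile", "unprivileged write under System32", _unprivileged_system32_write),
    Rule("NtCreateProcess", "confined service spawning a shell", _confined_service_spawns_shell),
]


class Interposer:
    """Replaces service-table entries with policy-checking, auditing wrappers."""

    def __init__(self, table, names, rules):
        self.table, self.names, self.rules = table, names, rules
        self.original: Dict[int, Callable[..., int]] = {}
        self.audit: List[Tuple[int, str, str, Optional[str]]] = []

    def install(self) -> None:
        for num, name in self.names.items():
            if any(r.syscall == name for r in self.rules):     # hook only governed calls
                self.original[num] = self.table[num]
                self.table[num] = self._wrap(num, name)

    def uninstall(self) -> None:
        for num, handler in self.original.items():
            self.table[num] = handler
        self.original.clear()

    def _wrap(self, num: int, name: str):
        def wrapper(proc: Process, *args) -> int:
            for rule in self.rules:
                if rule.syscall == name and rule.denies(proc, args):
                    self.audit.append((proc.pid, name, "DENY", rule.description))
                    return STATUS_ACCESS_DENIED   # caller sees an ordinary failure status
            status = self.original[num](proc, *args)   # fall through to the real handler
            self.audit.append((proc.pid, name, "ALLOW", None))
            return status
        return wrapper


def run_demo() -> Tuple[List[int], List[Tuple[int, str, str, Optional[str]]]]:
    """Drive five constructed calls through the interposed table."""
    table = dict(SERVICE_TABLE)            # private copy so the demo is repeatable
    ip = Interposer(table, SERVICE_NAMES, RULES)
    ip.install()
    user = Process(2222, "notepad.exe", "S-1-5-21-0-0-0-1001")   # constructed domain user SID
    system = Process(4, "services.exe", "S-1-5-18")              # LocalSystem
    svc = Process(1234, "inetinfo.exe", "S-1-5-20")              # NetworkService
    hosts = r"\SystemRoot\System32\drivers\etc\hosts"
    statuses = [
        table[0x20](user, hosts, "w"),                                # denied
        table[0x20](system, hosts, "w"),                              # allowed
        table[0x20](user, r"\SystemRoot\System32\notepad.exe", "r"),  # allowed
        table[0x2F](svc, r"\SystemRoot\System32\cmd.exe"),            # denied
        table[0x2F](user, r"\SystemRoot\System32\cmd.exe"),           # allowed
    ]
    return statuses, ip.audit
```

The wrapper keeps the original call signature and reports a denial as a status the caller already handles, which is what makes the interposition transparent to unmodified applications; uninstall restores the saved entries so the table returns to its original state.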
© 2004 Springer-Verlag Berlin Heidelberg
Battistoni, R., Gabrielli, E., Mancini, L.V. (2004). A Host Intrusion Prevention System for Windows Operating Systems. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds) Computer Security – ESORICS 2004. ESORICS 2004. Lecture Notes in Computer Science, vol 3193. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30108-0_22
DOI: https://doi.org/10.1007/978-3-540-30108-0_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22987-2
Online ISBN: 978-3-540-30108-0