Some issues for these types of systems: EFC has to build the behavioural model for each application. For simple applications, it may be possible to build the behavioural model in a test environment, then use that model in production. However complex applications will have behaviour that may be very difficult to capture easily in a test environment, unless the test environment is very *very* complete. Therefore there may be some building of the behaviour model in a production environment. While this is happening, EFC cannot protect the application completely as it has no full model yet, but the application may be under attack as this is a production environment. So there is the risk of successful attacks forming part of the behavioural model. Every time a new version is released into production, a new model has to be built or the current model modified by aging old behaviours and allowing admins to flag deviant behaviour as permissible. So for complex applications, the training time may be long, or may require plenty of administrative input to mark false positives as permissible. and rememnber there's no protection while the model is being built. I built a similar system for Windows apps in '99. It easily captured simple behaviours (e.g. winhlp32 or notepad) and with some more effort captured more complex behaviours. But big apps such as IIS were constantly generating new sequences of system calls and it looks like the learning phase was going to be longer than the time between patches to IIS, meaning the system would constantly be in learning mode. Also you only capture the behaviour used during training. If the sysadmin decided one day to use a feature that's never been used before, it generates many false positives as the behavioural model doesn't recognise the system calls sequences. So the system has to go back into learning mode until the new behaviour is learnt, inhibting the protection. So some problems still to be solved. But as part of a multi-variable IDS or IDP system, these systems will have a part to play. I would add to the model learning about what files were accessed in which directories, under Windows what registry entries were accessed and how, what ports were used and & what IPs were communicated with. So record particular parameters used with the syscalls, not just the syscalls themselves. That would form a fuller picture of how the app behaved and would reduce the false positives from only looking at the system calls. Matt -----Original Message----- From: Balwinder Singh [mailto:balwinder@gmx.net] Sent: 18 August 2003 16:25 To: bugtraq@securityfocus.com Subject: Need help. Proof of concept 100% security. Hi All, I have developed an application, which I believe can provide 100% security against various attacks.I can hear people laughing. Hmm.. The applications is called Execution Flow Control (EFC). Details of software can be found at http://203.197.88.14/efc Now the help part: I have put up a site at http://203.197.88.14 which is protected by EFC. It is unpatched RH7.0 system with 2.4.20 kernel, no firewall, no IDS. All holes in the kernel and programs are intentionally kept. It is put up there for people to attack and try to get into the system. Gaining root to system is not enough as another level of protection unfolds when one has become root. There have been 1000+ attacks but no one could get even a normal user. This is first release and there got to be bugs in the system. The fact that so far no one could get into the system, is creating all kinds of complications in me (nervous, sad, bad ...). Machine is up for past one month and I still have a weeks internet time. Can you help me by providing your expert guidance on this software project. Can you help me by breaking into the system and then letting me know how can I improve the software. The paper at http://203.197.88.14/efc gives introduction only. detailes and most recent documentation will be made available as soon as I finish making it (The job is in the pipeline). I know about systrace, but have never used it. ---------------------------------------------------------------------- Brief Introduction of EFC ------------------------- 1. Kernel runs in kernel space, which cannot be modified by user space programs. Each request from program ends up calling a routine in kernel space called syscall. Lets call syscall with arguments just syscalls Each program will make a defind set of syscalls to achieve its objective. Now idea is to watch syscalls that a program is supposed to make during its run time. A database which describes the syscalls that a program can make is called behavior model of the program. Lets assume we can generate a behavior model which perfectly describes an application. Now any deviation from behavior model of program essentially indicates an intrusion at real time. Thus a corrective action can be taken. This makes kernel intelligent which knows which program should do what, rather than a slave of program in which any program can ask anything and kernel will provide it. REGARDS Balwinder --------------------------------------------------------------------- We do not allow postman to bedroom but kernel does. ---------------------------------------------------------------------
