Korset: Linux security thanks to static analysis
Coworkers at the University of Tel Aviv have presented a prototype for a new host-based intrusion detection system (HIDS) for Linux. Named Korset, it uses static code analysis and promises zero failures.
A host-based intrusion system (HIDS) models an application’s behavior and if the behavior deviates from the model, it sends an alarm. Earlier methods of intrusion detection depended either on static data derived from machine learning or on program policies created by developers. In the views of Professor Avishai Wool and kernel developer Ohad Ben-Cohen, the first method is susceptible to false positives and the second one costly.
Instead, Wool and Ben-Cohen use a behavioral model automated through static analysis of source code and object files resulting in control flow graphs (CFGs). Since most attacks are accompanied by system calls, the CFGs limit themselves to these calls and document the legitimate pattern for each application. If a program deviates from the pattern, the kernel ends the process.
Korset consists of two parts: a static analyzer in user space and a runtime monitoring agent in the kernel. The analyzer is drawn into the program’s build process and creates a CFG for each executable, object data and library. The Korset runtime monitor is built into the kernel. Once a detected program runs, the agent monitors any resulting system calls and compares them with those of the CFG model.
Wool’s and Ben-Cohen’s report to the Ottawa Linux Symposium 2008 (PDF) includes further details about their work, as does their presentation at the Black Hat US 2008 conference.
A Korset prototype download is available under GPLv3 terms. The developers designate the implementation as pre-alpha software not yet ready for use, but proof-of-concept.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
Won't protect apps that include an interpreter.
Now, if Korset could analyze the script itself, not the interpreter, then you might get more information. But languages like Python and Ruby are so dynamic that static analysis can't usually tell you much, unless you restrict the language.
Not all that useful