Korset: Linux security thanks to static analysis
Coworkers at the University of Tel Aviv have presented a prototype for a new host-based intrusion detection system (HIDS) for Linux. Named Korset, it uses static code analysis and promises zero failures.
A host-based intrusion system (HIDS) models an application’s behavior and if the behavior deviates from the model, it sends an alarm. Earlier methods of intrusion detection depended either on static data derived from machine learning or on program policies created by developers. In the views of Professor Avishai Wool and kernel developer Ohad Ben-Cohen, the first method is susceptible to false positives and the second one costly.
Instead, Wool and Ben-Cohen use a behavioral model automated through static analysis of source code and object files resulting in control flow graphs (CFGs). Since most attacks are accompanied by system calls, the CFGs limit themselves to these calls and document the legitimate pattern for each application. If a program deviates from the pattern, the kernel ends the process.
Korset consists of two parts: a static analyzer in user space and a runtime monitoring agent in the kernel. The analyzer is drawn into the program’s build process and creates a CFG for each executable, object data and library. The Korset runtime monitor is built into the kernel. Once a detected program runs, the agent monitors any resulting system calls and compares them with those of the CFG model.
A Korset prototype download is available under GPLv3 terms. The developers designate the implementation as pre-alpha software not yet ready for use, but proof-of-concept.
Won't protect apps that include an interpreter.If you apply this technique to an app that embeds an interpreter (mod_python, say), and programs written in the interpreted language can make system calls, then wouldn't the Korset analysis conclude that any sequence of system calls that any script could make was legitimate? That might well be "any arbitrary sequence", leaving Korset with no illegitimate sequences by which to recognize infiltration.
Now, if Korset could analyze the script itself, not the interpreter, then you might get more information. But languages like Python and Ruby are so dynamic that static analysis can't usually tell you much, unless you restrict the language.
Not all that usefulI watched a video of their Blackhat presentation, and while It sounds like a good idea when demo-ed on the simple apps the present, this HIDS does very little to protect against larger pieces of software where all an attacker needs to do is figure out where in the CFG their shellcode is running,and then get to a point where they can make the sysycalls they want (e.g. execve) and then write shellcode that makes all the relevant syscalls, which may not even increase shellcode size drastically as it could just be a loop through a set of integers which uses each char as a value for eax, where the other arguments are (currently) irrelevant, as long as the app doesn't crash.