Korset: Linux security thanks to static analysis
Coworkers at the University of Tel Aviv have presented a prototype for a new host-based intrusion detection system (HIDS) for Linux. Named Korset, it uses static code analysis and promises zero failures.
A host-based intrusion system (HIDS) models an application’s behavior and if the behavior deviates from the model, it sends an alarm. Earlier methods of intrusion detection depended either on static data derived from machine learning or on program policies created by developers. In the views of Professor Avishai Wool and kernel developer Ohad Ben-Cohen, the first method is susceptible to false positives and the second one costly.
Instead, Wool and Ben-Cohen use a behavioral model automated through static analysis of source code and object files resulting in control flow graphs (CFGs). Since most attacks are accompanied by system calls, the CFGs limit themselves to these calls and document the legitimate pattern for each application. If a program deviates from the pattern, the kernel ends the process.
Korset consists of two parts: a static analyzer in user space and a runtime monitoring agent in the kernel. The analyzer is drawn into the program’s build process and creates a CFG for each executable, object data and library. The Korset runtime monitor is built into the kernel. Once a detected program runs, the agent monitors any resulting system calls and compares them with those of the CFG model.
Wool’s and Ben-Cohen’s report to the Ottawa Linux Symposium 2008 (PDF) includes further details about their work, as does their presentation at the Black Hat US 2008 conference.
A Korset prototype download is available under GPLv3 terms. The developers designate the implementation as pre-alpha software not yet ready for use, but proof-of-concept.
Won't protect apps that include an interpreter.
Now, if Korset could analyze the script itself, not the interpreter, then you might get more information. But languages like Python and Ruby are so dynamic that static analysis can't usually tell you much, unless you restrict the language.
Not all that useful