ECS 235 - Fall 2005 - Course Project
An Information Interface between the Security-Enhanced Minos Architecture and the DACODA Malcode Analyzer to Replay Attacks Offline
Daniela Alvim Seabra de Oliveira

1 Introduction and Motivation
The Minos/DACODA intrusion-detection system is a collaborative strategy against zero-day polymorphic and metamorphic worm exploits. Minos [1, 2, 3] is a security-enhanced microarchitecture that prevents control data attacks, which hijack program control flow. In Minos, every 32-bit word of memory (at the physical memory level) and every 32-bit general purpose register in the x86 architecture is augmented with one tag bit which represents the integrity level of this word (zero meaning low integrity and one meaning high integrity). This integrity bit is set by the operating system kernel based on the trust it has for the data. For instance, all incoming data from the network is not trusted by the kernel. Biba's low-water-mark integrity policy [5] is applied in hardware as the process moves and operates on any type of data during its execution. As described in [5, 2], this policy specifies that any subject may modify any object if the object's integrity is not greater than that of the subject. Moreover, any subject that reads an object has its integrity lowered to the minimum of the object's integrity and its own. The basic assumption of Minos is that any control transfer (execution of instructions such as jump, call, and return) involving untrusted data is a system vulnerability, and a hardware exception traps to the kernel whenever this occurs. Minos was implemented on the Bochs Pentium emulator [8] for a modified version of Red Hat Linux 6.2 and was able to effectively stop several types of attacks (including non-buffer-overflow attacks) with no false positives.

The second component of the system is DACODA (DAvis MalCODe Analyzer), a tool that analyzes attacks using symbolic execution [4]. As described in [4], it tracks data from the attacker's network packets to the point where the hijacking of control flow occurs and discovers predicates that show equality between a tracked (labeled) datum and an integer; such a predicate results from an explicit equality check using a comparison instruction followed by a conditional jump. After catching an attack with Minos, one can use DACODA to analyze it. DACODA is implemented as an extension of the Minos Pentium emulator and can be turned on and off by the user.

In spite of being able to analyze the attacks with zero observed false positives, DACODA has serious performance problems. As discussed in [4], it only achieves on the order of hundreds of thousands of instructions per second on a 3.0 GHz Pentium 4 with an 800 MHz front side bus. The limiting factor is memory bandwidth, and experiments show that DACODA cannot execute on any machine less powerful than a 2.8 GHz Pentium 4 with a 533 MHz front side bus (even on this particular configuration, DACODA barely achieves good enough performance). To make matters worse, any future work on DACODA to improve attack analysis would only exacerbate the problem. As examples of future work for DACODA, [4] mentions signature generation for non-Minos systems, reverse engineering of transport layer protocols, narrowing the search space of random "fuzz testers", etc.

The goal of this project is to develop an information interface between the Minos architecture and DACODA so that, after Minos catches an attack, DACODA can be run offline, possibly on another computer, and the performance of any Minos-enabled system is not compromised. By doing so, we can still analyze zero-day worms and generate signatures for them in a timely manner, thus helping protect non-Minos systems.
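To make the tagging rules above concrete, the following C program is an added example; it is not code from this proposal, from Minos or from DACODA. It simulates a toy machine (16 memory words, 4 registers, all names such as minos_t, kernel_deliver_packet and the scenario functions are assumptions for this illustration) in which every word and register carries the one-bit integrity tag, the kernel clears the tag on data arriving from the network, arithmetic takes the minimum of its operands' tags, and control transfers trap when their target is low-integrity. It also carries a much-simplified DACODA label (the packet offset a value came from, rather than a full symbolic expression) so that a cmp/je on labeled data records an equality predicate of the kind the text describes. Three scenarios show a bounded copy that is left alone, an over-long copy whose low tag reaches the saved return address and is trapped at ret, and a non-buffer-overflow case where tainted arithmetic feeds an indirect jump.

```c
#include <stdint.h>
#include <string.h>

#define MEM_WORDS 16
#define NUM_REGS 4
#define MAX_PREDS 8
#define TAG_LOW  0   /* untrusted: came from the network */
#define TAG_HIGH 1   /* trusted: set by the kernel */

/* Every 32-bit word and register carries one integrity bit. The label field is a
 * toy stand-in for DACODA's tracking: the packet word offset a value derives from,
 * or -1 when it is not attacker-derived (assumption for this example). */
typedef struct { uint32_t val; uint8_t tag; int label; } word_t;

/* A DACODA-style predicate: "packet word <label> == <imm>". */
typedef struct { int label; uint32_t imm; } pred_t;

typedef struct {
    word_t mem[MEM_WORDS];
    word_t reg[NUM_REGS];
    uint32_t pc;
    int trapped;            /* a control transfer consumed low-integrity data */
    pred_t pred[MAX_PREDS];
    int npred;
} minos_t;

static void minos_reset(minos_t *m) {
    memset(m, 0, sizeof *m);
    for (int i = 0; i < MEM_WORDS; i++) { m->mem[i].tag = TAG_HIGH; m->mem[i].label = -1; }
    for (int i = 0; i < NUM_REGS; i++)  { m->reg[i].tag = TAG_HIGH; m->reg[i].label = -1; }
}

/* The kernel stores data arriving from the network with the integrity bit clear. */
static void kernel_deliver_packet(minos_t *m, uint32_t addr, const uint32_t *pkt, size_t n) {
    for (size_t i = 0; i < n && addr + i < MEM_WORDS; i++)
        m->mem[addr + i] = (word_t){ pkt[i], TAG_LOW, (int)i };
}

/* Low-water-mark: whatever reads a word takes on the word's integrity. */
static void op_load(minos_t *m, int rd, uint32_t addr) { m->reg[rd] = m->mem[addr]; }

/* Arithmetic: the result is trusted only if both operands are (min of the two bits). */
static void op_add(minos_t *m, int rd, int ra, int rb) {
    m->reg[rd].val = m->reg[ra].val + m->reg[rb].val;
    m->reg[rd].tag = m->reg[ra].tag & m->reg[rb].tag;
    m->reg[rd].label = m->reg[ra].label >= 0 ? m->reg[ra].label : m->reg[rb].label;
}

/* cmp/je on a labeled register: when the branch is taken, record the equality. */
static int op_cmp_je(minos_t *m, int rs, uint32_t imm) {
    int taken = m->reg[rs].val == imm;
    if (taken && m->reg[rs].label >= 0 && m->npred < MAX_PREDS)
        m->pred[m->npred++] = (pred_t){ m->reg[rs].label, imm };
    return taken;
}

/* Control transfers check the target's tag; low integrity raises the hardware exception. */
static int op_jmp_reg(minos_t *m, int rs) {
    if (m->reg[rs].tag != TAG_HIGH) { m->trapped = 1; return 0; }
    m->pc = m->reg[rs].val; return 1;
}
static int op_ret(minos_t *m, uint32_t sp) {
    if (m->mem[sp].tag != TAG_HIGH) { m->trapped = 1; return 0; }
    m->pc = m->mem[sp].val; return 1;
}

/* Scenario 1: a 4-word copy into slots 4..7 leaves the saved return address in slot 8
 * untouched, so ret proceeds normally. Addresses and packet contents are constructed. */
static int scenario_bounded_copy(void) {
    minos_t m; minos_reset(&m);
    m.mem[8].val = 0x08048100u;   /* constructed return address, trusted */
    static const uint32_t pkt[] = { 0x41414141u, 0x41414141u, 0x41414141u, 0x41414141u };
    kernel_deliver_packet(&m, 4, pkt, 4);
    return op_ret(&m, 8) && !m.trapped && m.pc == 0x08048100u;
}

/* Scenario 2: the same copy runs one word past the buffer; the packet word now in slot 8
 * carries its low tag with it, so ret traps instead of transferring control. */
static int scenario_overrun_copy(void) {
    minos_t m; minos_reset(&m);
    m.mem[8].val = 0x08048100u;
    static const uint32_t pkt[] = { 0x41414141u, 0x41414141u, 0x41414141u, 0x41414141u, 0x41414141u };
    kernel_deliver_packet(&m, 4, pkt, 5);
    return !op_ret(&m, 8) && m.trapped;
}

/* Scenario 3 (no buffer overflow): the program checks that packet word 0 equals a
 * protocol constant, then adds it to a trusted base and jumps through the sum. The
 * predicate is recorded; the tainted sum keeps the low tag, so the jump traps. */
static int scenario_tainted_arithmetic(minos_t *out) {
    minos_t m; minos_reset(&m);
    static const uint32_t pkt[] = { 0x00000010u };
    kernel_deliver_packet(&m, 0, pkt, 1);
    m.reg[1].val = 0x08048000u;   /* trusted base address (constructed) */
    op_load(&m, 0, 0);            /* r0 <- packet word 0 (low, label 0) */
    int taken = op_cmp_je(&m, 0, 0x10u);
    op_add(&m, 2, 1, 0);          /* r2 = base + r0: low, because r0 is low */
    int ok = taken && !op_jmp_reg(&m, 2) && m.trapped && m.reg[2].tag == TAG_LOW;
    if (out) *out = m;
    return ok;
}
```

Each scenario function returns 1 when the machine behaved as the text predicts; scenario_tainted_arithmetic also hands back the machine state so the recorded predicate (packet word 0 == 0x10) can be inspected. The point of scenario 3 is the one the proposal makes about non-buffer-overflow attacks: the trap does not depend on how the untrusted value reached the control transfer, only on its tag.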
2 Approach

We plan to develop the information interface between Minos and DACODA by using a logging approach similar to the one described in [6, 7]. These works present ReVirt, a logging system inside a Linux kernel that is able to replay the execution of a virtual machine instruction by instruction. The virtual machine monitor (VMM) used is UMLinux, and in their case it is implemented as a loadable module in the host Linux kernel with some hooks that invoke the VMM module. The basic idea for replaying a certain process is to log all non-deterministic events that may affect its execution. As the papers show, most events are deterministic (arithmetic, memory, and branch instructions) and their logging is not required.
Our information interface differs from the work described in ReVirt in several respects. First, our logging system will be developed as an extension of the Pentium emulator, thus avoiding any change in the host operating system (OS). Second, ReVirt uses UMLinux as its virtual machine monitor, which makes use of paravirtualization, i.e., it exports an interface that is similar but not identical to the real hardware. As a result, a guest OS must be ported to run on this type of virtual machine. Minos and DACODA were developed aiming at running not only open-source guest OS's such as Linux but also proprietary guest OS's such as Windows. Consequently, using ReVirt directly as a tool for logging and replay would not suffice.
Following the guidelines described in [6, 7], we intend to log all non-deterministic events that can influence the execution of a given process and can help us replay a certain attack caught by Minos:
• Non-deterministic time inputs: logging of all hardware interrupts (timer and network), faults (page faults, memory protection faults), traps (system calls), and the respective instructions that caused them.
• Non-deterministic external network output: we expect the attack to come from the connection of an external entity to our honeypot. Thus, we need to log all data read by the Ethernet device.
We also need to checkpoint all memory, processor registers, and the virtual disk. Moreover, it will be necessary to take into account some x86 instructions that can return non-deterministic results [6], such as rdtsc (read time-stamp counter) and rdpmc (read performance-monitoring counter). Finally, we need to prevent new asynchronous interrupts from affecting the replay of an attack.
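The following C program is an added example of the record-and-replay idea this section builds on; it is not code from this proposal, from ReVirt or from the Minos emulator. A nine-instruction toy guest mixes deterministic arithmetic with the three kinds of non-determinism named above: a timer interrupt delivered at an instruction boundary, a word read from the network device, and an rdtsc result. While recording, each such event is appended to a log together with the instruction count at which it was observed; while replaying, the guest never consults the live sources and takes every value from the log at the same instruction count, flagging any mismatch. The live sources (live_rdtsc, live_net_read, live_timer_pending) are constructed stand-ins that change between runs on purpose, and all type and function names are assumptions for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_EVENTS 64
#define N_INSTR 9

/* Kinds of non-deterministic event the interface has to record. */
typedef enum { EV_TIMER_IRQ, EV_NET_READ, EV_RDTSC } ev_kind_t;

/* One log entry: the instruction count at which the event was seen, its kind and value. */
typedef struct { uint64_t icount; ev_kind_t kind; uint32_t value; } event_t;

typedef struct {
    event_t ev[MAX_EVENTS];
    size_t n;       /* entries written while recording */
    size_t cursor;  /* entries consumed while replaying */
    int replay;     /* 0 = record from live sources, 1 = replay from the log only */
    int error;      /* replay asked for an event the log does not have at that point */
} evlog_t;

/* Guest state; everything in it is a deterministic function of the logged inputs. */
typedef struct { uint32_t acc; uint32_t irqs; uint64_t icount; } vm_t;

/* Constructed stand-ins for the live sources (in the emulator: the emulated TSC, the
 * emulated Ethernet device and the emulated timer). They change from run to run. */
static uint32_t live_rdtsc(void) { static uint32_t tsc = 1000; tsc += 37; return tsc; }

static uint32_t live_net_read(void) {
    static const uint32_t packet[] = { 0x41414141u, 0x42424242u, 0x0badf00du, 0x12345678u, 0xcafebabeu };
    static size_t next = 0;
    return packet[next++ % (sizeof packet / sizeof packet[0])];
}

static int live_timer_pending(uint64_t icount) { return icount == 2 || icount == 5; }

static void log_append(evlog_t *log, uint64_t icount, ev_kind_t kind, uint32_t value) {
    if (log->n < MAX_EVENTS) log->ev[log->n++] = (event_t){ icount, kind, value };
}

/* Record: take the live value and log it. Replay: the value must come from the entry
 * recorded at this same instruction count and kind; anything else is a replay error. */
static uint32_t nondet_value(evlog_t *log, uint64_t icount, ev_kind_t kind, uint32_t (*live)(void)) {
    if (!log->replay) { uint32_t v = live(); log_append(log, icount, kind, v); return v; }
    if (log->cursor >= log->n || log->ev[log->cursor].icount != icount
        || log->ev[log->cursor].kind != kind) { log->error = 1; return 0; }
    return log->ev[log->cursor++].value;
}

/* Asynchronous interrupts are checked only at instruction boundaries. On replay they are
 * re-delivered exactly where the log says, and the live timer is never consulted. */
static int timer_pending(evlog_t *log, uint64_t icount) {
    if (!log->replay) {
        if (!live_timer_pending(icount)) return 0;
        log_append(log, icount, EV_TIMER_IRQ, 0);
        return 1;
    }
    if (log->cursor < log->n && log->ev[log->cursor].icount == icount
        && log->ev[log->cursor].kind == EV_TIMER_IRQ) { log->cursor++; return 1; }
    return 0;
}

/* A nine-instruction guest: rdtsc, a network read and a pure arithmetic step, repeated. */
static uint32_t run_guest(evlog_t *log) {
    vm_t vm = { 0, 0, 0 };
    for (vm.icount = 0; vm.icount < N_INSTR; vm.icount++) {
        if (timer_pending(log, vm.icount)) { vm.irqs++; vm.acc ^= 0x1000u * vm.irqs; }
        switch (vm.icount % 3) {
        case 0:  vm.acc += nondet_value(log, vm.icount, EV_RDTSC, live_rdtsc); break;
        case 1:  vm.acc ^= nondet_value(log, vm.icount, EV_NET_READ, live_net_read); break;
        default: vm.acc = vm.acc * 31u + 7u; break;   /* deterministic: never logged */
        }
    }
    return vm.acc;
}

/* Capture a run on the honeypot and fill its event log. */
static uint32_t record_run(evlog_t *log) { memset(log, 0, sizeof *log); return run_guest(log); }

/* Replay the same run from the log alone, e.g. later on a separate analysis machine. */
static uint32_t replay_run(evlog_t *log) {
    log->replay = 1; log->cursor = 0; log->error = 0;
    return run_guest(log);
}

/* A replay is faithful only if every logged event was consumed and none was missing. */
static int replay_complete(const evlog_t *log) { return !log->error && log->cursor == log->n; }
```

record_run followed by replay_run on the same log reaches the same final guest state, and the log for this guest holds exactly eight entries (three rdtsc results, three network words, two timer interrupts) while the deterministic multiply steps leave no trace, which is the economy the text attributes to ReVirt. A second live capture yields a different log because the timestamps and packet data differ, and replaying against a truncated log is reported by replay_complete rather than silently producing a different execution; the same check would catch an interrupt delivered at the wrong instruction count.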
References

[1] Jedidiah R. Crandall, Frederic T. Chong. A Security Assessment of the Minos Architecture. Workshop on Architectural Support for Security and Anti-virus (WASSA), Boston, Massachusetts, October 2004.
[2] Jedidiah R. Crandall, Frederic T. Chong. Minos: Control Data Attack Prevention Orthogonal to Memory Model. 37th International Symposium on Microarchitecture (MICRO), Portland, Oregon, December 2004.
[3] Jedidiah R. Crandall, S. Felix Wu, and Frederic T. Chong. Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. GI/IEEE SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005. Springer Lecture Notes in Computer Science.
[4] Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. To appear at the 12th ACM Conference on Computer and Communications Security (CCS), Alexandria, Virginia, November 2005.
[5] K. J. Biba. Integrity Considerations for Secure Computer Systems. MITRE Technical Report TR-3153, April 1977.
[6] George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza Basrai, Peter M. Chen. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI), December 2002.
[7] Samuel T. King, George W. Dunlap, Peter M. Chen. Debugging Operating Systems with Time-Traveling Virtual Machines. Proceedings of the 2005 Annual USENIX Technical Conference, April 2005.
[8] Bochs Pentium emulator. http://bochs.sourceforge.net.
[9] David Patterson and John Hennessy. Computer Organization and Design: The Hardware/Software Interface. Morgan Kaufmann Publishers, Inc., 2nd Edition, 1998.
[10] David Patterson and John Hennessy. Computer Architecture: A Quantitative Approach. Morgan Kaufmann Publishers, Inc., 3rd Edition, 2003.