Rich Murphey
Host-based Intrusion Prevention

Here are slides from my Defcon talk about work on host-based Intrusion Prevention for FreeBSD.

The kernel code for:

Compared with sandboxing using jails and chroots, Intrusion Prevention offers much finer-grained control over an application's access to the kernel interface. Jails and chroots are popular ways of hardening web services beyond what the application's own configuration allows: they present the service with a restricted view of the file system and devices. Intrusion Prevention, in contrast, works at the system-call boundary, allowing or denying specified system calls and filtering on their arguments.

For example, Intrusion Prevention can be used to blacklist particular system calls or particular argument values. A policy can specify that a service may fork processes as any user except root. It can let a process running as a normal user open a specified socket (for instance, bind a port below 1024) with root privilege for that one call, so the service need not run as root at all. Or it can let a process read any file except those under /etc.

Better yet, one can build a "default deny" white list by monitoring an application and recording every system call it makes under normal operation; anything not observed during that run is then refused. White lists can be tuned and exchanged just like firewall rules. In that sense, Intrusion Prevention is a sort of firewall for the messages between user applications and the kernel. The caveat is the same as for any learned profile: the monitoring run must exercise every legitimate code path (error handling, log rotation, reloads, and so on), or the first time one of those paths runs in production its system calls will be denied.
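The following is an added example written for this page, not the FreeBSD kernel code the slides describe: a small user-space model of the policy engine outlined above. It encodes the three blacklist-style rules from the text (fork as anyone but root, read anything outside /etc, bind a privileged port without running as root) as syscall-plus-predicate rules with a default of deny, and it shows the learning mode, in which a constructed trace of normal operation becomes a default-deny white list. The syscall set, the `ALLOW_AS_ROOT` verdict, the rule names and the sample events are all assumptions made for illustration.

```c
/*
 * Added example (not the page's kernel code): a user-space model of a
 * host-based intrusion-prevention policy engine.  A rule pairs a system
 * call with an optional argument predicate; the first matching rule wins
 * and anything else falls through to the policy default, which is deny.
 * Syscall set, verdicts and sample events are assumptions for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum sc { SC_FORK, SC_OPEN, SC_SOCKET, SC_EXECVE, SC_COUNT };

/* ALLOW_AS_ROOT: the hook performs this single call with root credentials,
 * so the service itself can keep running as an unprivileged user. */
enum verdict { DENY, ALLOW, ALLOW_AS_ROOT };

/* What a syscall hook sees: the call, the caller's credential, and the
 * arguments a rule might filter on (simplified, constructed). */
struct event {
    enum sc call;
    unsigned uid;
    const char *path;   /* SC_OPEN: file being opened */
    int port;           /* SC_SOCKET: port the service wants to bind */
};

struct rule {
    enum sc call;
    bool (*pred)(const struct event *);   /* NULL matches any arguments */
    enum verdict verdict;
};

static bool caller_is_root(const struct event *e) { return e->uid == 0; }

static bool path_under_etc(const struct event *e)
{
    /* match /etc itself and anything below it, but not e.g. /etcetera */
    return e->path && (strcmp(e->path, "/etc") == 0 ||
                       strncmp(e->path, "/etc/", 5) == 0);
}

static bool privileged_port(const struct event *e)
{
    return e->port > 0 && e->port < 1024;
}

/* Blacklist-style policy from the text for a hypothetical web service. */
static const struct rule web_rules[] = {
    { SC_FORK,   caller_is_root,  DENY },           /* fork as any user except root */
    { SC_FORK,   NULL,            ALLOW },
    { SC_OPEN,   path_under_etc,  DENY },           /* read any file except /etc */
    { SC_OPEN,   NULL,            ALLOW },
    { SC_SOCKET, privileged_port, ALLOW_AS_ROOT },  /* bind :80 without being root */
    { SC_SOCKET, NULL,            ALLOW },
};

enum verdict evaluate(const struct rule *rules, size_t n, const struct event *e)
{
    for (size_t i = 0; i < n; i++)
        if (rules[i].call == e->call &&
            (rules[i].pred == NULL || rules[i].pred(e)))
            return rules[i].verdict;
    return DENY;   /* anything not explicitly covered is refused */
}

enum verdict check_web(enum sc call, unsigned uid, const char *path, int port)
{
    struct event e = { call, uid, path, port };
    return evaluate(web_rules, sizeof web_rules / sizeof web_rules[0], &e);
}

/* Learning mode: every call observed during a training run is recorded;
 * the resulting white list allows exactly those calls and denies the rest. */
struct whitelist { bool seen[SC_COUNT]; };

void learn(struct whitelist *w, const struct event *e) { w->seen[e->call] = true; }

enum verdict evaluate_whitelist(const struct whitelist *w, const struct event *e)
{
    return w->seen[e->call] ? ALLOW : DENY;
}

/* Train on a constructed trace of normal operation, then ask about `probe`.
 * A call the trace never exercised (here execve) ends up denied. */
enum verdict whitelist_after_training(enum sc probe)
{
    static const struct event trace[] = {
        { SC_SOCKET, 1000, NULL, 80 },
        { SC_OPEN,   1000, "/var/www/index.html", 0 },
        { SC_FORK,   1000, NULL, 0 },
    };
    struct whitelist w = { { false } };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        learn(&w, &trace[i]);
    struct event e = { probe, 1000, NULL, 0 };
    return evaluate_whitelist(&w, &e);
}

int main(void)
{
    static const char *name[] = { "DENY", "ALLOW", "ALLOW_AS_ROOT" };
    printf("fork as root:         %s\n", name[check_web(SC_FORK, 0, NULL, 0)]);
    printf("open /etc/passwd:     %s\n", name[check_web(SC_OPEN, 1000, "/etc/passwd", 0)]);
    printf("bind :80 as uid 1000: %s\n", name[check_web(SC_SOCKET, 1000, NULL, 80)]);
    printf("execve (no rule):     %s\n", name[check_web(SC_EXECVE, 1000, "/bin/sh", 0)]);
    printf("execve vs white list: %s\n", name[whitelist_after_training(SC_EXECVE)]);
    return 0;
}
```

Two details matter in practice. The path predicate compares a path prefix plus separator rather than a bare prefix, so `/etcetera` is not swept up with `/etc`; a real kernel hook would additionally have to resolve the path the kernel actually uses, since a relative path or a symlink can name `/etc/passwd` without the string containing `/etc`. And the learned white list is only as good as the training trace: `execve` is denied here because the trace never exercised it, which is exactly what you want for a web server, but the same mechanism will break a legitimate feature whose code path was never run while learning.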

 

Copyright © 2007 Carey Richard Murphey. All Rights Reserved.