
Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Science Daily takes a look at a program called Korset, that fights malware. "Prof. Wool and Ben-Cohen have built an open-source software solution for servers that run on Linux. "We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it," says Prof. Wool. Essentially, he says, they have built a model that predicts how software running on a server should work. If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. "When we see a deviation, we know for sure there's something bad going on," Prof. Wool explains."

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 9, 2008 20:37 UTC (Tue) by linuxturtle (subscriber, #35652) [Link]

Wow, what a vacuous, content-free article. "If the kernel senses abnormal activity, it stops the program from working before malicious actions occur." That's the extent of technical detail given. <Trust us, we're smart, and we can tell what "abnormal activity" is>. Sheesh...

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 9, 2008 21:03 UTC (Tue) by Sutoka (guest, #43890) [Link]

It looks like the PDF for one of the talks is available at: http://www.kernel.org/doc/ols/2008/ols2008v1-pages-31-38.pdf, and the project's website is http://www.korset.org/

The PDF seems to go into a good bit of technical detail (at least from a quick skim).

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 1:09 UTC (Wed) by andrel (subscriber, #5166) [Link]

It is not a vacuous content-free article. It is a vacuous content-free press release. Science Daily only publishes press releases.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 1:13 UTC (Wed) by spender (subscriber, #23067) [Link]

Yea, apparently they've never heard of packed/protected applications or C++
for that matter. But that's not surprising as they admit it doesn't work
yet on real-world applications: "It does not yet support dynamically linked
applications, multi-threaded applications, signals, setjmp/ longjmp, etc."
nor does it support sysenter.

No mention of what the shellcode was that it claims it prevented, but this
solution is merely obfuscation: it's apparently only checking to see if
syscalls are made in the order in which they would appear from a static
analysis of the binary. Once you're aware of the protection, it's not
difficult to modify your shellcode such that it'd be accepted by the
system, just add a few system calls (you don't even need legitimate
arguments) if you need to, so that you can get to any place in the CFG that
allows you to misuse syscall sequences for malicious purposes. There are a
plethora of these to choose from.

In 2001, Cylant did a similar thing but instrumented at a lower level of
conditional expressions and function epilogues, with fancy statistics and a
watchdog process checking to see if the process was acting anomalously,
which it could possibly terminate in time to prevent actual exploitation.
You can see how well that worked out for them: http://www.cylant.com

-Brad

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 2:16 UTC (Wed) by Thalience (subscriber, #4217) [Link]

Don't worry, we'll lick that durn Halting Problem next time....

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 9, 2008 21:23 UTC (Tue) by drag (subscriber, #31333) [Link]

It's a very cool concept.

* Use static code analysis to determine the code paths and syscalls. Create a logical representation of what a program is going to do. A 'control flow graph'.

* Put a monitoring system in the kernel to observe the application's behavior.

* If the monitoring system detects that the application has deviated from its previously generated execution model, then it's assumed that some sort of shell code or other malicious software is being executed in that program's context.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 9, 2008 21:36 UTC (Tue) by mheily (guest, #27123) [Link]

This "invention" is totally unnecessary. All you need to do is prevent the malware from reaching your machine in the first place. Just configure your firewall to check the IPv4 Security flag as per RFC-3514, and drop all packets that are flagged as evil. Problem solved.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 9, 2008 21:39 UTC (Tue) by leoc (subscriber, #39773) [Link]

The problem with that is that all traffic going into or out of Microsoft, Google and the state of North Korea ends up getting filtered. Microsoft and Google I can live without, but an internet without North Korea is no internet I want to be a part of!

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 12:25 UTC (Wed) by jengelh (subscriber, #33263) [Link]

No problem — iptables can do it!

iptables -A INPUT -m geoip --src-cc KP -j ACCEPT
iptables -A INPUT -m evil -j DELUDE

.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 1:26 UTC (Wed) by kilpatds (subscriber, #29339) [Link]

There's also some research on using sequences of system calls as the "normal" behavior, and using string distance techniques (Hamming in that paper, Levenshtein in this patent) to measure "badness".

In my experience, false positives were a real issue. Rather obviously, your monitoring is only as good as your normal training. If you don't test a program completely, there will be valid behavior that looks weird. So you need to have some threshold before you view the program as compromised.

Which was an issue for me, as the single bad system call in your generic buffer overflow is "execve", at which point you are running some other program that usually does do weird things. So I had to add a weird hack where I had an in kernel list of "shell" programs that were expected to transition to other programs. So if a non-shell program called exec, I kept comparing it to the behavior of the parent program... which usually meant it tripped the anomaly meter after 3 more system calls, and was shut down after that.

Doug
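As an added illustration of the scheme Doug describes (this is constructed example code, not his monitor, nor code from the paper or patent he refers to): a Python sketch of syscall-sequence anomaly detection with a fixed-length window database, Hamming distance to the nearest known window, a locality-frame threshold, and the "shell programs may exec, everything else keeps being compared to its own profile" rule. All program names, training traces, window size and threshold values are made up for the demonstration.

```python
"""Sequence-of-syscalls anomaly detector (constructed example).

Training: record every K-long window of syscall names seen in normal runs of a
program.  Monitoring: for each window of the live trace, take the Hamming
distance to the closest known window; sum the distances over the last LOCALITY
windows and shut the process down when that sum exceeds THRESHOLD.
"""

K = 3            # window length stored in the normal-behaviour database
LOCALITY = 4     # number of recent windows whose mismatches are summed
THRESHOLD = 3    # alarm when the summed mismatches exceed this value

# Programs expected to transition into other programs via execve.  For any
# other program, an execve keeps being compared against the caller's profile.
SHELL_PROGRAMS = {"sh", "bash"}


def windows(trace, k=K):
    """All k-long windows of a syscall trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train(traces, k=K):
    """Normal-behaviour database: the set of windows seen in training runs."""
    db = set()
    for t in traces:
        db.update(windows(t, k))
    return db


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def mismatch(window, db):
    """Hamming distance from `window` to the closest window in `db`."""
    if window in db:
        return 0
    return min(hamming(window, known) for known in db)


def monitor(program, trace, profiles, k=K, locality=LOCALITY, threshold=THRESHOLD):
    """Replay `trace` for `program`; return the trace index at which the process
    would be shut down, or None if it is never flagged.  An event "execve:NAME"
    marks an exec of program NAME."""
    db = profiles[program]
    recent = []   # mismatch counts of the most recent windows
    buf = []      # syscall names making up the current window
    for i, event in enumerate(trace):
        name, _, target = event.partition(":")
        buf.append(name)
        if len(buf) > k:
            buf.pop(0)
        if len(buf) == k:
            recent.append(mismatch(tuple(buf), db))
            recent = recent[-locality:]
            if sum(recent) > threshold:
                return i
        # Only programs known to be shells are allowed to switch profiles.
        if name == "execve" and program in SHELL_PROGRAMS and target in profiles:
            program, db = target, profiles[target]
            buf, recent = [], []
    return None


# Constructed training traces (syscall names only, arguments ignored).
PROFILES = {
    "fileproc": train([
        ["open", "read", "read", "write", "close", "exit_group"],
        ["open", "read", "write", "read", "write", "close", "exit_group"],
        ["open", "fstat", "read", "close", "exit_group"],
    ]),
    "sh": train([["read", "write", "read", "execve"], ["read", "read", "execve"]]),
    "ls": train([
        ["openat", "getdents64", "write", "exit_group"],
        ["openat", "getdents64", "getdents64", "write", "exit_group"],
    ]),
}

# A valid path that never appeared in training: small mismatches, no alarm.
UNTRAINED_TRACE = ["open", "fstat", "read", "write", "read", "write", "close", "exit_group"]
# A hijacked fileproc that execs a shell: compared against fileproc's own
# profile, the shell's syscalls pile up mismatches within a few calls.
INJECTED_TRACE = ["open", "read", "read", "execve:sh", "read", "fork", "wait4", "exit_group"]
# A shell legitimately exec'ing ls: the monitor switches to ls's profile.
SHELL_TRACE = ["read", "read", "execve:ls", "openat", "getdents64", "write", "exit_group"]

if __name__ == "__main__":
    for prog, trace in [("fileproc", UNTRAINED_TRACE), ("fileproc", INJECTED_TRACE), ("sh", SHELL_TRACE)]:
        print(prog, trace, "->", monitor(prog, trace, PROFILES))
```

The untrained-but-valid run shows why a threshold is needed at all: its one unseen window scores a Hamming distance of 1, which a zero-tolerance policy would treat as a compromise. The exec rule is the "weird hack" from the post: a non-shell program that calls execve is still judged against its own profile, so the new program image trips the meter a few syscalls later.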

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 4:09 UTC (Wed) by jwb (guest, #15467) [Link]

Here's an idea: just write your application in Java, where you can explicitly enumerate the things your application is allowed to do? Pretending to solve the halting problem in a press release is not a solution to this problem.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 8:37 UTC (Wed) by lmb (subscriber, #39048) [Link]

Heuristic detection of malicious and viral behaviour is not new. Nemesis did this, if my memory does not fail me, in around 1993-1994 on MS-DOS already.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 16:19 UTC (Wed) by drag (subscriber, #31333) [Link]

> Heuristic

It's not heuristics. It's using static compile-time analysis to determine the code paths that the application can perform. They map out the possible behavior of the application's syscalls and have a kernel-level monitor that checks to make sure that the application will follow that behavior.

Therefore, unlike heuristics, it will never ever have a false positive. If it's alert goes off then you're application has been hacked and somebody is attempting to run shellcode.

It won't perfectly detect whether or not you've been hacked. If it alerts you, however, then you know something is wrong 100% of the time. This is the major difference.

Read the PDFs linked above. It's not heuristics, it's not guess work or trying to predict application behavior through educated guesswork.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 17:34 UTC (Wed) by spender (subscriber, #23067) [Link]

Except that they're being misleading as to how applicable this theory is in real life. The truth is that they can't guarantee anything, despite their claims. You can see hints of the fundamental problems with the solution if you look at what they don't currently support, or that they have problems with something as common as an indirect call. It's obvious to several other people in this thread, but since you don't get it, let me give you a concrete example. Their analyzer can't handle this very common instruction found in C++ applications:

call [esi+0x10]

where esi+0x10 can hold the address of a number of different functions (this would be your virtual function in C++)

The only way they can guarantee 100% accuracy is if their static analyzer is 100% accurate. This is provably impossible. If it can't figure out a code path like the one above, the only choice it can make is to reject the resulting system calls (unless it gets lucky and the syscall sequence it makes is already allowed at that point in the CFG), and there's your false positive.

And that's just a simple example: try code-virtualizing protectors on for size. The only call their static analyzer will see is to a VM-entry function which uses no system calls, completely oblivious to the fact that an entire program using hundreds of system calls is there.

There's a reason why people are critical: it's the computer science equivalent of perpetual motion machines. It's impossible in the real world. It's only possible in their imaginary ivory tower scenarios that they craft specifically to support their solution.

Unrelated, but for future reference:
http://www.wsu.edu/~brians/errors/your.html
http://www.wsu.edu/~brians/errors/its.html

-Brad
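An added example, not code from Korset or from anyone in this thread, of the scheme drag summarised earlier (static CFG of syscalls, kernel-side monitor that walks it) and of the indirect-call problem spender describes above. The control-flow graph, block names, syscall names and traces are all constructed; the "dispatch" block stands in for a `call [esi+0x10]` whose targets the analyser cannot resolve, and the two variants show the only choices it has: over-approximate (allow every candidate handler) or under-approximate (allow none).

```python
"""Korset-style syscall-sequence enforcement on a toy CFG (constructed example).

A program is a graph of basic blocks; each block issues at most one syscall.
The allowed syscall sequences are the paths through that graph.  The monitor
tracks the set of blocks the process may currently be in (an NFA walk) and
rejects the first syscall that no reachable block could have issued.
"""
from collections import deque

# block -> (syscall issued by the block or None, successor blocks)
CFG = {
    "entry": (None,         ["open"]),
    "open":  ("open",       ["read"]),
    "read":  ("read",       ["read", "log", "close"]),   # read loop, optional log
    "log":   ("write",      ["read"]),
    "close": ("close",      ["exit"]),
    "exit":  ("exit_group", []),
}


def closure(cfg, blocks):
    """Syscall-issuing blocks reachable from `blocks` through syscall-free ones."""
    out, seen, work = set(), set(), deque(blocks)
    while work:
        b = work.popleft()
        if b in seen:
            continue
        seen.add(b)
        if cfg[b][0] is None:
            work.extend(cfg[b][1])
        else:
            out.add(b)
    return out


class Monitor:
    """Kernel-side state: blocks that may issue the process's next syscall."""

    def __init__(self, cfg, entry="entry"):
        self.cfg = cfg
        self.pending = closure(cfg, [entry])

    def observe(self, syscall):
        """True if `syscall` fits the model; the process is killed on False."""
        matched = {b for b in self.pending if self.cfg[b][0] == syscall}
        if not matched:
            return False
        self.pending = set()
        for b in matched:
            self.pending |= closure(self.cfg, self.cfg[b][1])
        return True


def check_trace(cfg, trace):
    """Index of the first rejected syscall, or None if the trace is accepted."""
    m = Monitor(cfg)
    for i, sc in enumerate(trace):
        if not m.observe(sc):
            return i
    return None


# Indirect call: from "read" the program may jump through "dispatch" to one of
# several handlers, but the target is only known at run time.
HANDLERS = {
    "h_stat":  ("stat",   ["close"]),
    "h_spawn": ("execve", []),          # a legitimate handler that runs a helper
}


def with_indirect_call(resolved_targets):
    cfg = dict(CFG)
    cfg["read"] = ("read", ["read", "dispatch", "close"])
    cfg["dispatch"] = (None, resolved_targets)   # what the analyser decided
    cfg.update(HANDLERS)
    return cfg


OVERAPPROX = with_indirect_call(list(HANDLERS))   # any handler may follow
UNDERAPPROX = with_indirect_call([])              # unresolved: nothing may follow

LEGIT_TRACE = ["open", "read", "read", "write", "read", "close", "exit_group"]
INJECTED_TRACE = ["open", "read", "execve"]            # execve never follows read
HANDLER_TRACE = ["open", "read", "stat", "close", "exit_group"]

if __name__ == "__main__":
    print("exact model, legit   ->", check_trace(CFG, LEGIT_TRACE))
    print("exact model, injected->", check_trace(CFG, INJECTED_TRACE))
    print("over-approx, injected->", check_trace(OVERAPPROX, INJECTED_TRACE))
    print("under-approx, handler->", check_trace(UNDERAPPROX, HANDLER_TRACE))
```

On the direct-call graph the monitor never needs a threshold: an execve after a read matches no block, so it is rejected at index 2, and a legitimate run is accepted in full. Once the indirect call is added, the analyser's choice decides the outcome. Over-approximating makes execve reachable right after read, so the same injected sequence is accepted (spender's "unless it gets lucky"); under-approximating rejects the real handler's stat at index 2, which is the false positive he describes.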

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 17:48 UTC (Wed) by drag (subscriber, #31333) [Link]

Very good. Thanks for the explanation.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 19:04 UTC (Wed) by oak (subscriber, #2786) [Link]

The redux paper from here is also interesting:
http://valgrind.org/docs/pubs.html

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 23:57 UTC (Wed) by nix (subscriber, #2304) [Link]

Thanks to Rice's theorem it's not just a theoretical problem, either
(although even that would be problematic here, as you obviously have to
consider the problem of malicious attacks in this case). It's more that as
soon as you have to handle calls to locations determined at runtime (and
thus do value propagation as well as control flow analysis) you are
guaranteed to slam into intractable cases, in time and space, almost as
soon as you start.

(Compiler optimizers can dodge this case by choosing not to do value
propagation indefinitely far, and also because they can say 'oh, I give
up' and choose not to optimize that bit. This system can't do that.)

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 11, 2008 0:08 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

Mmmm...that's some tasty snake oil they're peddling, no?

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 11, 2008 20:24 UTC (Thu) by job (guest, #670) [Link]

So, when after several years of churning through SETI data your computer finally detects that alien life form, the process gets shot down?

Sorry for not reading the article properly but I am way too skeptical about false positives here.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 12, 2008 15:26 UTC (Fri) by cde (guest, #46554) [Link]

There are many ways their HIDS could be bypassed. For example, a malicious program could simply install a firefox extension, or corrupt an existing one (think: flash player) and gain persistence and the ability to upload information on the internet.

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Posted Sep 10, 2008 11:25 UTC (Wed) by Cato (subscriber, #7643) [Link]

This is not remotely new - there are 125,000 hits for this search: http://www.google.com/search?q=antivirus+behavior+heuristic - and it's been implemented in commercial products such as ESET NOD32 (which is available on Linux as well as Windows, and claims to have good heuristics). av-comparatives has some good testing using antivirus tools with deliberately out of date rules, to see how good their heuristics are on current viruses.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds