Malicious code, including worms and viruses, causes huge economic damage every year. Estimates of the worldwide economic impact of malicious-code attacks vary, but Computer Economics, a leading independent research organization, estimates that the impact was $10.7 billion in 2002. Richard D. Pethia, Director of the CERT Coordination Center at Carnegie Mellon University (a center of Internet security expertise), has highlighted the need for a pro-active approach to security:
“For the past 15 years, we have relied heavily on the ability of the Internet community as a whole to react quickly enough to security attacks to ensure that damage is minimized and attacks are quickly defeated. Today, however, it is clear that reactive solutions alone are no longer adequate…[We] can expect many attacks to cause significant economic losses and service disruptions within even the best response times that we can realistically hope to achieve.”
The Code Red worm (2001) infected fewer than 7,000 machines during its first three hours. In contrast, the Blaster worm (2003) infected over 100,000 machines in its first three hours. Research conducted by Weaver at U.C. Berkeley suggests that attackers may soon launch worms capable of infecting all vulnerable hosts on the Internet in 15 minutes to an hour. Paxson and Weaver estimate that a worst-case worm could cause as much as $50 billion in economic damage in the US.
The key idea of this proposal is to protect programs in advance by making system calls inaccessible to an attacker. System calls are the mechanism by which processes interact with their environment (e.g., to perform input and output, create new processes, or change permissions). Malicious code usually works by taking control of a legitimate process and using that process either to execute attack code directly or to spawn another process that executes attack code. Both approaches rely heavily on the ability to issue system calls. If system calls are inaccessible to an attacker, it becomes extremely difficult to use a hijacked process to cause harm.
The proposed system will restrict access to system calls using a multi-layer hardening strategy that employs “security in depth”: remapping of system calls, dual (source and binary) obfuscation, and monitoring of run-time behavior by comparing it against an expected, precomputed model.
The technology will perform transformations on a program's binary and, if available, its source code. Scrambling the system call mapping can be performed through a binary-to-binary transformation, and binary-to-binary transformations alone already yield good obfuscation. However, adding source-to-source transformations to the binary-to-binary transformations yields stronger obfuscation and therefore a higher degree of assurance. A more precise model of the program's behavior can also be constructed from source.
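The following toy simulation is an added illustration of how the layers described above interlock; it is not code from the proposal. It assumes a constructed five-entry system call table (the numbers are not real kernel numbers): a per-program secret permutation stands in for the scrambled system call mapping, a set of observed call-to-call transitions stands in for the precomputed behavior model, and the "kernel" inverts the mapping before checking each call against that model.

```python
"""Toy model of the proposal's layers: per-program syscall remapping plus run-time
monitoring against a precomputed behaviour model. Numbers are constructed, not real."""
import random

# Public syscall numbers every process (and any injected code) would normally use.
STANDARD = {"open": 1, "read": 2, "write": 3, "execve": 4, "exit": 5}

def remap(secret_seed):
    """Per-program scrambled mapping: a secret permutation of the syscall numbers."""
    numbers = list(STANDARD.values())
    random.Random(secret_seed).shuffle(numbers)
    return dict(zip(STANDARD, numbers))          # name -> scrambled number

def rewrite_binary(trace, mapping):
    """Binary-to-binary step: each legitimate syscall site gets its scrambled number."""
    return [(mapping[name], arg) for name, arg in trace]

def build_model(trace):
    """Precomputed model: the set of syscall transitions the legitimate program performs."""
    names = [name for name, _ in trace]
    return set(zip(["<start>"] + names, names + ["<end>"]))

def kernel_dispatch(raw_calls, mapping, model):
    """Kernel side: invert the scrambled numbers, then check each call against the model.
    Returns (calls actually executed, violation message or None)."""
    inverse = {num: name for name, num in mapping.items()}
    executed, prev = [], "<start>"
    for num, arg in raw_calls:
        name = inverse[num]                       # a public number lands on the *wrong* call
        if (prev, name) not in model:
            return executed, f"model violation: {prev} -> {name}"
        executed.append((name, arg))
        prev = name
    if (prev, "<end>") not in model:
        return executed, "model violation: unexpected end of trace"
    return executed, None

# Constructed legitimate program: read a config file, write a result, exit.
LEGIT = [("open", "app.cfg"), ("read", "app.cfg"), ("write", "result"), ("exit", 0)]

def run_scenario(seed=7):
    mapping = remap(seed)
    model = build_model(LEGIT)
    normal = kernel_dispatch(rewrite_binary(LEGIT, mapping), mapping, model)
    # Hijack after the read: injected code issues execve using the public number 4.
    hijacked = rewrite_binary(LEGIT[:2], mapping) + [(STANDARD["execve"], "attack-code")]
    attacked = kernel_dispatch(hijacked, mapping, model)
    return normal, attacked

if __name__ == "__main__":
    print(run_scenario())
```

Whatever the permutation, the public number 4 is translated to some call other than the intended one (or to execve only by chance), and the model layer then rejects the sequence because the legitimate program never makes that transition.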