SITIS Archives - Topic Details
Program:  SBIR
Topic Num:  OSD11-IA5 (OSD)
Title:  Deterministic Detection for Hijacked Program Execution
Research & Technical Areas:  Information Systems

Acquisition Program:  
Objective:  Design and develop a reliable and deterministic detection method for hijacked execution (D2HE), and evaluate its capability, performance, and cost.

Description:  Achieving information dominance requires the Department of Defense (DoD) to provide information assurance within its information infrastructures. The COTS-based hardware and software in our computing systems and networks are large and complex, and hence inherently insecure. Malware and adversaries regularly exploit this inherently insecure computing infrastructure. Many approaches have been used to detect malware and adversarial intrusion activity: detecting malware signatures, heuristic behavior monitoring, white-listing, marking data entering the system (taint tracking), and so on. However, even with all of these security mechanisms, malware and adversaries still manage to penetrate our systems. It is desirable to have a reliable and deterministic alarm that will ring every time a program is hijacked. "Reliable" means that the alarm cannot be circumvented; "deterministic" means that the detection mechanism is not probabilistic (0% false positive). One commonly used approach is to insert checkpoints or assertions into the body of the program via a code rewriting process. The locations of the checkpoints can be derived from code analysis or from a formal model of the program. This approach can be effective in detecting errors and improper states in a program. Its weakness in an adversarial setting is that if the execution of the program is maliciously diverted by an adversary (or malware), the subsequent checkpoint may never be reached, and the diversion of execution flow may never raise any alarm. Understanding the invariants of an execution hijacking process therefore plays an important role in recognizing it deterministically.
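The gap between checkpoint-based detection and invariant-based detection described above can be made concrete with a toy model. The following is an added example written for this page; it is not code from the solicitation or from any D2HE prototype. It simulates a tiny stack machine whose program can insert inline checkpoints (`CHECK`) and whose saved return addresses live in a writable stack; a `CORRUPT_RET` instruction stands in for a memory-safety bug that overwrites the saved return address (a constructed abstraction, not a real exploitation technique). The monitor keeps a private shadow stack and enforces one invariant of the call/return process: every `RET` must transfer control to the address recorded by the matching `CALL`. The names (`Machine`, `run_program`, `benign_program`, `hijacked_program`) and the instruction set are all hypothetical.

```python
"""Toy model: inline checkpoints vs. a call/return invariant monitor.

Constructed example for illustration only. The machine, its opcodes and the
"corruption" instruction are abstractions, not a model of any real CPU or bug.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Instr = Tuple[str, int]


@dataclass
class Machine:
    program: List[Instr]
    enforce_shadow: bool = True          # monitor on/off (checkpoints always on)
    pc: int = 0
    counter: int = 0                     # the only piece of program state
    ret_stack: List[int] = field(default_factory=list)   # program-writable
    shadow: List[int] = field(default_factory=list)      # monitor-private
    checkpoints_hit: List[int] = field(default_factory=list)
    alarms: List[tuple] = field(default_factory=list)
    halted: bool = False

    def step(self) -> None:
        op, arg = self.program[self.pc]
        if op == "INC":                  # ordinary computation
            self.counter += 1
            self.pc += 1
        elif op == "CALL":               # record the return site twice
            self.ret_stack.append(self.pc + 1)
            self.shadow.append(self.pc + 1)
            self.pc = arg
        elif op == "RET":
            target = self.ret_stack.pop()
            expected = self.shadow.pop()
            # Invariant: the architectural return target must equal the one
            # the monitor recorded at CALL time. Fires regardless of whether
            # any checkpoint is ever reached, and never on a matching pair.
            if self.enforce_shadow and target != expected:
                self.alarms.append(("invariant", self.pc, target, expected))
                self.halted = True
                return
            self.pc = target
        elif op == "CHECK":              # inline checkpoint: counter == arg
            self.checkpoints_hit.append(self.pc)
            if self.counter != arg:
                self.alarms.append(("checkpoint", self.pc, self.counter, arg))
                self.halted = True
                return
            self.pc += 1
        elif op == "CORRUPT_RET":        # abstract stand-in for a memory bug
            self.ret_stack[-1] = arg     # overwrite the saved return address
            self.pc += 1
        elif op == "HALT":
            self.halted = True
        else:
            raise ValueError(f"unknown opcode {op}")

    def run(self, max_steps: int = 1000) -> "Machine":
        for _ in range(max_steps):
            if self.halted:
                break
            self.step()
        return self


def benign_program() -> List[Instr]:
    # CALL a subroutine that increments twice, return, increment once more,
    # then an inline checkpoint asserts counter == 3.
    return [("CALL", 4), ("INC", 0), ("CHECK", 3), ("HALT", 0),
            ("INC", 0), ("INC", 0), ("RET", 0)]


def hijacked_program() -> List[Instr]:
    # Same layout, but the subroutine's saved return address is overwritten
    # so that RET lands at index 8 and the checkpoint at index 2 is skipped.
    return [("CALL", 4), ("INC", 0), ("CHECK", 3), ("HALT", 0),
            ("INC", 0), ("INC", 0), ("CORRUPT_RET", 8), ("RET", 0),
            ("INC", 0), ("HALT", 0)]


def run_program(program: List[Instr], enforce_shadow: bool = True) -> Machine:
    return Machine(program=program, enforce_shadow=enforce_shadow).run()


if __name__ == "__main__":
    for name, prog in (("benign", benign_program()), ("hijacked", hijacked_program())):
        for monitor in (False, True):
            m = run_program(prog, enforce_shadow=monitor)
            print(f"{name:9s} monitor={monitor!s:5s} checkpoints={m.checkpoints_hit} "
                  f"alarms={m.alarms}")
```

Running it shows the two properties the topic asks for: with the monitor off, the diverted run reaches neither the checkpoint nor any alarm (the failure mode the description warns about), while with the monitor on it is stopped at the first violating `RET`; the benign run raises no alarm in either configuration, which is the zero-false-positive behaviour an invariant of the hijacking process, rather than a heuristic, makes possible.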
The challenge in this topic is to develop a reliable and deterministic detection method for hijacked execution, making use of one or more of the invariant properties of the execution hijacking process.

Phase I:  Design and develop an efficient, reliable and deterministic detection method for hijacked execution flow (D2HE). Develop a proof-of-concept prototype of D2HE in an open-source OS environment, and investigate its cost and effectiveness.

Phase II:  Further develop and mature the D2HE method, develop a full-scale D2HE-protected system, and perform a full-scale evaluation of that system.

Phase III Dual Use Application:  This system could be used in a broad range of information security products within the military, as well as in civilian enterprise applications. The technologies developed in this SBIR will provide networked enterprise computing systems with additional resiliency against malware and intrusions.

References:
1. J. Newsom, D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software", Proceedings of the IEEE Symposium on Security and Privacy, 2005.
2. G.E. Suh, J.W. Lee, D. Zhang, S. Devadas, "Secure program execution via dynamic information flow tracking", Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2004.
3. R. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, "A fast automaton-based method for detecting anomalous program behaviors", Proceedings of the IEEE Symposium on Security and Privacy, 2001.
4. M. Sharif, W. Lee, W. Cui, A. Lanzi, "Secure in-VM monitoring using hardware virtualization", Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2009.
5. S. Fischmeister, Y. Ba, "Sampling-based Program Execution Monitoring", Proceedings of the ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES), 2010.

Keywords:  Execution flow hijacking, malware detection, intrusion detection, program flow tracking, deterministic detection

Questions and Answers:
Q: Can we tap the Program Counter(s), Registers, IO channels and cause redirection through a software interrupt?
A: Yes, we are open to all possibilities, whether it'll require hardware support or not.
