Paper Appeared in 11th NDSS
Posted 02 March 2004
The paper Efficient
Context-Sensitive Intrusion Detection by Jonathon
T. Giffin, Somesh Jha, and Barton P. Miller appeared in the 11th Annual
Network and Distributed System Security Symposium, held in San
Diego, California, on February 5 and 6, 2004. Jon presented the
paper at the conference.
This paper presents the first statically-constructed program model that both accurately reflects expected program executions and is efficient to operate during real-time monitoring. The Dyck model represents all possible sequences of system calls that could be correctly generated using a context-sensitive pushdown automaton that accepts a bracketed context-free language. Binary rewriting inserts code into the original program to produce the bracket symbols that must be visible to accept such a language. The authors demonstrate that the Dyck model is an order of magnitude more precise than previous context-insensitive models and is operable in real time, unlike previous context-sensitive models.
The paper further includes new static data-flow analyses that recover dependencies between data values known only at program runtime. Execution monitoring can enforce the dependencies by limiting uses of variables to only those previously observed. For example, a system call argument that is dependent upon the return value of a previous system call is limited to exactly the return values already recorded.
