Security Research:

Host Intrusion Prevention

Our computer forensics capabilities are based in part on our research in information security, and more specifically, on deep knowledge of operating systems, software architecture and intrusion prevention.

We have contributed to advances in computer systems intrusion prevention through peer-reviewed publications and international conferences. Our contributions include software source code implementation and training as described in the slides for our Defcon 2003 presentation, 'Host Based Intrusion Prevention on Windows and Unix.'

Download FreeBSD Kernel Extensions

Source code for the FreeBSD kernel extensions for intrusion prevention is available here:

Compared to sandboxing using jails and chroots, Intrusion Prevention offers much finer grained control of the interface between each application and the kernel. Jails and chroots are popular methods of hardening web services beyond what the application's own configuration allows: they provide a restricted view of the file system and devices. In contrast, Intrusion Prevention provides fine grained control of the individual system calls that are the interface to those file systems and devices.

For example, Intrusion Prevention can be used to blacklist certain system calls or certain argument values. It can specify that a service may fork processes as any user except root. Or, a process running as a normal user can open a specified socket as root, thereby avoiding the need to run the whole process as root. Or, a process can read any file except those under /etc.

Better yet, one can create a "default deny" white-list by monitoring an application to observe all the system calls it makes under normal circumstances. White lists can be tuned and exchanged just like firewall rules. In that sense, one can view Intrusion Prevention as a sort of firewall for messages between user applications and the kernel.
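The following is an added illustration of the policy model described above, written for this page and not taken from the White Oak Labs kernel extensions. It simulates in userland what a kernel system-call hook would do: a monitoring pass records the calls an application makes (building a default-deny whitelist), learned entries are then tuned with argument-level restrictions (no fork as root, no open under /etc), and an enforcement pass allows or denies each event. The event structure, rule fields and function names are assumptions for this example.

```c
#include <string.h>
#include <sys/types.h>

/* Constructed model of a system-call event as a kernel hook would see it. */
typedef struct {
    const char *name;  /* system call name, e.g. "fork", "open", "socket" */
    uid_t euid;        /* effective uid of the calling process */
    const char *path;  /* path argument for open(), NULL otherwise */
} syscall_event;

/* One whitelist entry: the call is permitted, optionally with argument limits. */
typedef struct {
    const char *name;
    int deny_root;           /* 1: permit for any euid except root (0) */
    const char *deny_prefix; /* deny when path begins with this prefix; NULL = no limit */
} policy_rule;

#define MAX_RULES 32
static policy_rule whitelist[MAX_RULES]; static int nrules;

static policy_rule *find_rule(const char *name) {
    for (int i = 0; i < nrules; i++)
        if (strcmp(whitelist[i].name, name) == 0) return &whitelist[i];
    return NULL;
}

/* Monitoring mode: record each call the application makes under normal use. */
int learn_syscall(const char *name) {
    if (find_rule(name)) return 1;          /* already on the whitelist */
    if (nrules == MAX_RULES) return 0;      /* table full */
    whitelist[nrules++] = (policy_rule){ name, 0, NULL };
    return 1;
}

/* Tune a learned entry with an argument restriction, like editing a firewall rule. */
int restrict_syscall(const char *name, int deny_root, const char *deny_prefix) {
    policy_rule *r = find_rule(name);
    if (!r) return 0;                       /* cannot restrict a call never whitelisted */
    r->deny_root = deny_root;
    r->deny_prefix = deny_prefix;
    return 1;
}

/* Enforcement mode: 1 = allow, 0 = deny. A call never seen in monitoring is denied. */
int policy_check(const syscall_event *ev) {
    const policy_rule *r = find_rule(ev->name);
    if (!r) return 0;                                       /* default deny */
    if (r->deny_root && ev->euid == 0) return 0;            /* e.g. fork as root */
    if (r->deny_prefix && ev->path &&
        strncmp(ev->path, r->deny_prefix, strlen(r->deny_prefix)) == 0) return 0;
    return 1;
}
```

A real hook would also have to copy path arguments in from user space before checking them, since the check above compares a string the caller could otherwise change after the check.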


White Oak Labs

Toll Free 866-646-2021

info@whiteoaklabs.com


White Oak Labs provides state-of-the-art forensic retrieval and analysis of digital evidence. For deep, cost-effective forensics, call us toll free at 1-866-646-2021 to see what our cutting-edge capabilities can do for you.