1. Field of the Invention
The present invention relates generally to securing computer systems.
2. Description of the Related Art
Remote exploitation of program vulnerabilities poses a very serious threat to modem information infrastructures. Because of the monoculture of modem computer software, a single vulnerability in a critical piece of software can make millions of computers susceptible to attacks. These susceptible computers are exploited by rapid, automatic, self-propagating programs, or worms, that gain control over a large number of them.
The lifecycle of a typical attack can be divided into three phases. In the first phase (“the enter phase”) an attack enters the computer system by taking advantage of a vulnerability or bug such as a buffer overflow or a format string vulnerability in a privileged program. These vulnerabilities allow an attack to send malformed data from a remote host that will result in an insertion of data or modification of certain memory locations in the address space of the program. By modifying key program data such as the return addresses in the stack or jump tables in the heap, the attack moves to the next phase (“hijacking phase”) by hijacking the control from the program. After the program is hijacked, instructions carried out on behalf of the program are in fact the instructions dictated by the attack. Now the attack enters the final phase (“the compromise phase”) where it executes a sequence of instructions that compromises the computer. This can lead to self propagation of the worm and infection of other computers, and destruction or disclosure of the information on the local machine.
Traditional forms of protection against these attacks have focused on stopping them in either the enter phase or the compromise phase. In attempting to stop an attack in the enter phase, all the input strings are scrutinized in order to identify possible attacks. Although known exploits can be stopped using signatures, that does not stop previously unknown or “zero day” attacks. It is very difficult to prevent all exploits that allow address overwrites, as they are as varied as program bugs themselves. Furthermore, there are no effective techniques that can stop malevolent writes to memory containing program addresses in arbitrary programs, because addresses are stored in many different places and are legitimately manipulated by the application, compiler, linker and loader.
The second traditional approach is to stop an attack in the compromise phase. These forms of policy enforcement use limited types of target system events that they can monitor, such as API or system calls. See Golan [U.S. Pat. No. 5,974,549] or Hollander [U.S. Pat. No. 6,412,071] for examples of these. Such a coarse-grained approach cannot accurately monitor improper control transfers of the above type and are known to produce many false positives.
Therefore, a need exists in the industry to address the aforementioned deficiencies and inadequacies.