1. Field of the Invention
The present invention relates to a software operation modeling device, a software operation monitoring device, a software operation modeling method, and a software operation monitoring method.
2. Description of the Related Art
All computing machines, including personal computers (PCs), workstations, servers, routers, cellular telephones and personal digital assistants (PDAs), are exposed to attacks from outside and from within. A typical attack takes advantage of a vulnerability in the software executed by the computing machine. An attacker sends malicious code to a computing machine by exploiting the software vulnerability, seizes control of a process in execution, and carries out an unauthorized operation with the authority of that process.
An anomaly detecting system, which models the normal operation of a program and determines the presence or absence of a deviation from the model in the course of executing the program, has been provided for detecting attacks that take advantage of such vulnerabilities, and particularly for detecting unknown attacks. A system call is a command issued when a process requests the kernel to perform an important task in the system. An attacker can cause the system to execute an arbitrary action by using a system call as if it were requested by the process. For this reason, the validity of the system call is verified when the operation of the program is monitored.
As a method of verifying the validity of a system call during execution of a program, for example, there has been disclosed an anti-attack device including a system call table, a validity inspection functioning unit, an anti-attack functioning unit and a system call. The device checks whether the function requesting a system call is in a code area or not; when it is not in the code area, the device decides that the request is abnormal. The system call table receives a system call request issued by a program (a task), and outputs a jump address to the validity inspection functioning unit. The validity inspection functioning unit determines the validity of the system call request by use of the return function address of the system call issuer, which is stored in a specified memory area by the operating system (OS) at the time the system call request is issued, and outputs a determination result. When it determines that the system call request is unauthorized, the validity inspection functioning unit rejects the request. The anti-attack functioning unit receives the determination result for an unauthorized system call from the validity inspection functioning unit and takes countermeasures. The system call is invoked on receipt of the determination result for an authorized system call request from the validity inspection functioning unit, and executes a command (for example, see JPA2004-126854, hereinafter referred to as Patent Document 1).
Meanwhile, in order to verify the validity of a system call, there has been disclosed an attack detection system which utilizes the state of the call stack (the sequence of return addresses loaded on the stack) (for example, see H. Feng et al., “Anomaly Detection Using Call Stack Information,” Proc. of the IEEE Symposium on Security and Privacy 2003, pp. 62, hereinafter referred to as Non-patent Document 1). This system first executes the program in advance and learns a model from the obtained result. In the course of executing the program, the system obtains the state of the call stack at the time a system call occurs, and generates a virtual stack list in which that state is recorded together with the program counter at the time of the system call. Moreover, the system compares this list with the call stack state targeted for comparison sequentially from the bottom of the stack, and thus finds the first differing return address. From there, the system generates the subsequent return address sequence (a virtual path). A hash table is formed from the virtual stack lists and the virtual paths thus generated, and the table is used as the program model. When verifying the program, virtual stack lists and virtual paths are formed in the course of executing the program. The system then matches each list and path against those in the hash table used as the model. If the virtual stack list and the virtual path match those of the hash table, the system call request is permitted; if not, the system call request is determined to be abnormal.
In an OS such as Linux, a system call is usually issued through a wrapper function. Since the wrapper function is located in a code area, the function issuing the system call always exists in the code area. In a return-to-libc attack, a typical example, the attacker induces the process to return into “libc” and thereby issues an arbitrary system call. Given this situation, such an attack is undetectable by the anti-attack device disclosed in Patent Document 1, because that device decides validity from the address of the system call issuer's function, which lies in the code area. On the other hand, the attack detection system disclosed in Non-patent Document 1 performs verification by use of the return addresses loaded on the call stack. In this respect, the system is likely to perform more detailed modeling than the anti-attack device disclosed in Patent Document 1. Accordingly, the attack detection system disclosed in Non-patent Document 1 is likely to reduce the chances of overlooking attacks as compared to the anti-attack device disclosed in Patent Document 1.
Nevertheless, the attack detection system disclosed in Non-patent Document 1 performs exact hash matching at the time of verification. For this reason, if the system fails to learn sufficiently at the time of modeling, it is forced to determine a normal state as an anomaly (a false alarm) whenever an unlearned action occurs at the time of verification. As a result, the incidence of false alarms may increase.
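The following is an added illustration, not code from the patent or from Non-patent Document 1, of the virtual stack list and virtual path scheme described above and of the false alarm it produces under exact hash matching; the addresses and the traces are constructed, and the flat "first differing entry from the bottom" comparison is a simplification.

```python
# Added illustration of the call-stack model of Non-patent Document 1 (not the
# paper's or the patent's code). Addresses and traces below are constructed.

def virtual_stack_list(return_addrs, pc):
    """Return addresses bottom-to-top, with the program counter on top."""
    return tuple(return_addrs) + (pc,)

def virtual_path(prev, cur):
    """Compare two virtual stack lists from the bottom up to the first differing
    entry; the path is the entries left (prev, top-down) then entered (cur)."""
    i = 0
    while i < min(len(prev), len(cur)) and prev[i] == cur[i]:
        i += 1
    return tuple(reversed(prev[i:])) + tuple(cur[i:])   # () if identical

class CallStackModel:
    def __init__(self):
        self.lists = set()   # hash table of learned virtual stack lists
        self.paths = set()   # hash table of learned virtual paths

    def learn(self, trace):
        prev = None
        for return_addrs, pc in trace:
            vsl = virtual_stack_list(return_addrs, pc)
            self.lists.add(vsl)
            if prev is not None:
                self.paths.add(virtual_path(prev, vsl))
            prev = vsl

    def verify(self, trace):
        """Exact hash matching: (index, reason) for every system call whose
        virtual stack list or virtual path was never seen during learning."""
        alarms, prev = [], None
        for i, (return_addrs, pc) in enumerate(trace):
            vsl = virtual_stack_list(return_addrs, pc)
            if vsl not in self.lists:
                alarms.append((i, "unknown virtual stack list"))
            elif prev is not None and virtual_path(prev, vsl) not in self.paths:
                alarms.append((i, "unknown virtual path"))
            prev = vsl
        return alarms

# Constructed traces: (return addresses bottom-to-top, pc at the system call).
LEARNED_TRACE = [
    ([0x4010A0, 0x4012F0], 0x7F1F0100),  # main -> open_file -> open wrapper
    ([0x4010A0, 0x4012F8], 0x7F1F0200),  # main -> open_file -> read wrapper
    ([0x4010C0], 0x7F1F0300),            # main -> write wrapper
]
# A legitimate branch of open_file never exercised during learning (close from
# a different return address): normal behaviour, but flagged as a false alarm.
UNLEARNED_TRACE = [LEARNED_TRACE[0], ([0x4010A0, 0x401310], 0x7F1F0400), LEARNED_TRACE[2]]
```

Because the model only knows the hash entries it has seen, the unlearned branch raises an alarm on that system call and on the virtual path leading out of it, which is the insufficient-learning false alarm the text refers to.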
Meanwhile, in order to implement a system for verifying operation on a computing machine with small processing capacity, such as a cellular telephone, it is important to accelerate processing with limited resources and to suppress memory usage.