While Privilege Separation increases an application's resilience against
programming errors, it does not prevent all possible intrusions.
Many system services and applications perform specific tasks. By
confining applications to only those operations that required for
its correct execution, we prevent adversaries who gain control
over these system services from causing damage to the system.
In Unix operating systems, persistent changes are possibly only via
System Calls. By carefully monitoring and restricting an
application's system calls, we can limit or even prevent an adversary
from causing damage.
We offer Systrace as solution. Systrace provides
fine-grained application confinement based on configurable security
policies. Additionally, it can detect and prevent intrusions. It
also records audit trails that can used in forensic analysis.
- System Call Policy Enforcement -
Systrace enforces system call policies. It supports automatic
and interactive policy generation, intrusion detection and prevention,
and audit trails for forensic analysis.
One problem of many security solutions is the difficulty to create
comprehensive security policies. The Systrace system provides
automatic and interactive policy generation to facilitate correct
configuration. Systrace can be used to confine all system services
including BGP, DNS and SSH.
The impact of new security problems can be reduced by early threat
detection. Threat detection and assessment allows us to quickly
identify so far unknown attacks, prioritize their threat and protect
vulnerable systems. Honeypot technology serves this purpose by
providing computer systems that we expect to be compromised. The
honeypot systems are network sensors that allows us to detect new
As computer security problems are inherently repeatable, we obtain
threat detection by populating our network with honeypots. New
attacks can easily be identified by monitoring the state of deployed
honeypots including new worms or widespread scans for vulnerabilities.
We offer Honeyd, a virtual honeypot daemon, as solution.
- Honeyd -
Honeyd creates virtual honeypots for general network monitoring. Monitoring
traffic to Honeyd systems allows us to identify new threats and assess
their danger to other computer systems.
Additionally, Honeyd deters adversaries by hiding the real computer
systems in the middle of virtual systems that have no production value.
While directed attacks can not be deterred, many attacks are based on
Internet scanning. These scans are unable to differentiate between
real and virtual systems.