New vulnerabilities and attacks on software applications and the underlying systems are discovered daily. While most security research focuses on early detection and prevention of attacks, in reality, successful attacks will continue to be carried out. Recently, the Conficker worm demonstrated that standard software defenses can still be breached with ease. The next line of defense is placed at the application level. At that level, defensive techniques monitor application behavior for abnormalities (e.g., unexpected control transfers or unexpected sequences of system calls) and respond when an abnormality is detected. A typical response is to terminate and restart the attacked program. While such a response eliminates the threat of being compromised, it is not appropriate for many types of systems. In particular, for safety-critical systems, systems that must remain operational for long periods of time, and systems that use persistent data (such as file systems and databases), rebooting to restore a safe state (even when an attack is detected) is often not an option. Such systems need to be able to maintain a safe operating environment through attacks and environment faults.
A particularly nefarious class of attacks is the so-called non-control-data attacks. Instead of directly modifying the targets of control-flow transfers, non-control-data attacks corrupt application data in a way that makes an apparently normal execution of the application carry out the attacker's goals. Work at the University of Illinois and NCSU demonstrated the existence and exploitability of non-control-data attacks in FTP, SSH, Telnet, and HTTP servers. It is hard to recover from non-control-data attacks because they may corrupt data structures whose consistency is crucial for the safe execution of a program and the underlying systems code. For instance, free-heap data structures maintained by operating-system code responsible for memory management, request queues maintained by web servers, and flight paths maintained by aviation controllers are all essential to the correct execution of their respective systems.
There is a need for tools and techniques that allow critical applications to recover and maintain a safe operational state while under cyber attack and, in particular, under non-control-data attacks. We envision a tool that will allow critical applications to recover from attacks and remain operational. The tool will operate as follows: it will analyze the application offline to learn important data-structure invariants of the application. Online, the tool will monitor the operation of the program to detect anomalies that may be indicative of attacks or faults. Once an anomaly is detected, the tool will use the invariants learned offline to repair the corrupted data structures and restore the application to its operational state.
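As an added illustration of the invariant-check-and-repair loop described above (example code written for this page, not the envisioned tool's own implementation), the following C program guards a web-server style request queue with a data-structure invariant, detects a corrupted link of the kind a non-control-data attack would leave behind, and repairs the queue instead of restarting the server. The pool layout, the `walk`, `queue_check` and `queue_repair` functions, and the injected fault in `run_scenario` are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define POOL_SIZE 8
/* Web-server style request queue: a singly linked list over fixed pool slots plus a
   redundant length field (request payload omitted). Offline-learned invariant: every
   reachable node is a pool slot, the list is acyclic, and its length equals count. */
typedef struct node { struct node *next; } node_t;
typedef struct { node_t pool[POOL_SIZE]; node_t *head; size_t count; } queue_t;
/* Pool index of n, or -1 if n is not the start of a pool slot (corrupt pointer). */
static int node_index(const queue_t *q, const node_t *n) {
    uintptr_t base = (uintptr_t)q->pool, p = (uintptr_t)n;
    if (p < base || p >= base + sizeof q->pool || (p - base) % sizeof(node_t)) return -1;
    return (int)((p - base) / sizeof(node_t));
}
void queue_init(queue_t *q, size_t n) {           /* n requests chained in pool order */
    q->count = n = n > POOL_SIZE ? POOL_SIZE : n;
    q->head = n ? &q->pool[0] : NULL;
    for (size_t i = 0; i < n; i++) q->pool[i].next = i + 1 < n ? &q->pool[i + 1] : NULL;
}
/* Walk to the terminator or the first bad link (pointer outside the pool, or a slot
   already visited, i.e. a cycle); returns that link's address, *len = nodes walked. */
static node_t **walk(queue_t *q, size_t *len) {
    bool seen[POOL_SIZE] = {0};
    node_t **link = &q->head;
    for (*len = 0; *link != NULL; link = &(*link)->next, (*len)++) {
        int i = node_index(q, *link);
        if (i < 0 || seen[i]) break;
        seen[i] = true;
    }
    return link;
}
bool queue_check(queue_t *q) {                    /* online monitor: anomaly => false */
    size_t len;
    return *walk(q, &len) == NULL && len == q->count;
}
size_t queue_repair(queue_t *q) {                 /* cut the first bad link, resync count */
    size_t len;
    *walk(q, &len) = NULL;
    return q->count = len;                        /* requests retained */
}
/* Constructed scenario: 5 queued requests, then the third node's link is clobbered to
   point back at the head (a cycle). Returns requests retained, or -1 on a failed stage. */
int run_scenario(void) {
    queue_t q; queue_init(&q, 5);
    if (!queue_check(&q)) return -1;
    q.pool[2].next = &q.pool[0];                  /* injected non-control-data fault */
    if (queue_check(&q)) return -1;               /* detection must fire */
    size_t kept = queue_repair(&q);
    return queue_check(&q) ? (int)kept : -1;      /* invariant holds again */
}
```

The repair keeps the longest prefix that satisfies the invariant, so the two requests behind the corrupted link are dropped rather than the whole process; a real tool would additionally log the anomaly for incident response.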
Keywords: Software Protection, anti-tamper, cyber defense, denial of service, graded response, autonomic computing