Detecting Manipulated Remote Call Streams
On the Internet, mobile code is ubiquitous and includes such examples
as browser plug-ins, Java applets, and document macros. In this paper,
we address an important vulnerability in mobile code security that
exists in remote execution systems such as Condor, Globus, and
SETI@Home. These systems schedule user jobs for execution on remote
idle machines. However, they send most of their important system calls
back to the local machine for execution. Hence, an evil process on the
remote machine can manipulate a user’s job to send destructive system
calls back to the local machine. We have developed techniques to
remotely detect such manipulation.
Before the job is submitted for remote execution, we construct a model
of the user's binary program using static analysis. This binary
analysis is applicable to commodity remote execution systems and
applications. During remote job execution, the model checks all system
calls arriving at the local machine. Execution is only allowed to
continue while the model remains valid. We begin with a finite-state
machine model that accepts sequences of system calls and then build
optimizations into the model to improve its precision and
efficiency. We also propose two program transformations, renaming and
null call insertion, that have a significant impact on the precision
and efficiency. As a desirable side-effect, these techniques also
obfuscate the program, thus making it harder for the adversary to
reverse engineer the code. We have implemented a simulated remote
execution environment to demonstrate how optimizations and
transformations of the binary program increase the precision and
efficiency. In our test programs, unoptimized models increase run-time
by 0.5% or less. At moderate levels of optimization, run-time
increases by less than 13% with precision gains reaching 74%.
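
An added sketch of the checking step described above, not code from the paper: a nondeterministic finite-state model tracks every state the job could be in as remote calls arrive, and execution stops at the first call that no state allows. The transition table, call names and sample streams are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed model of a toy job (assumption, not derived from a real binary):
# open a file, loop over read+write, then a final read, close and exit.
# Two call sites issue "read", so the model is nondeterministic after a read.
Transitions = Dict[Tuple[int, str], Set[int]]
MODEL: Transitions = {
    (0, "open"): {1},
    (1, "read"): {2, 3},   # call site in the loop body, or the final read
    (2, "write"): {1},     # loop body continues
    (3, "close"): {4},
    (4, "exit"): {5},
}
START_STATE = 0


class CallStreamMonitor:
    """Runs on the local machine and checks each call sent back by the remote job."""

    def __init__(self, transitions: Transitions, start: int) -> None:
        self.transitions = transitions
        self.current: FrozenSet[int] = frozenset({start})

    def observe(self, call: str) -> bool:
        """Advance on one call; False means the model is no longer valid."""
        nxt: Set[int] = set()
        for state in self.current:
            nxt |= self.transitions.get((state, call), set())
        self.current = frozenset(nxt)
        return bool(nxt)


def first_rejected(calls: List[str]) -> Optional[int]:
    """Index of the first call the model rejects, or None if all are allowed."""
    monitor = CallStreamMonitor(MODEL, START_STATE)
    for index, call in enumerate(calls):
        if not monitor.observe(call):
            return index  # the local side would stop servicing calls here
    return None


# Constructed sample streams.
EXPECTED_STREAM = ["open", "read", "write", "read", "close", "exit"]
MANIPULATED_STREAM = ["open", "read", "write", "unlink", "close", "exit"]

if __name__ == "__main__":
    print(first_rejected(EXPECTED_STREAM))     # None
    print(first_rejected(MANIPULATED_STREAM))  # 3
```
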
Somesh Jha
Last modified: Fri Apr 11 14:53:29 CDT 2003