FSL Sponsor Abstract: Dolphin Technology, Inc.

Security attacks against an enterprise computing system are classified into two major categories, depending on how the attacks are triggered. In an active attack, attackers initiate a break-in with the goal of taking control of the victim machine in the end. In a passive attack, end users perform ostensibly legitimate operations that eventually lead to system compromises such as data corruption or injection of back-door programs. Active attacks exploit flaws in the design and/or implementation of network applications installed on the enterprise computing system, whereas passive attacks rely on imprudent invocation of mobile code.

Given a network application such as a Domain Name System (DNS) server, how does an active attacker take control of the application and possibly of the machine on which the application runs? The attacker first injects a piece of code into the victim application, and then hijacks its locus of execution by transferring the program's control to the injected code. Once the injected code takes control, it can wreak havoc on the underlying system, such as forking a shell process, reading files, deleting files, communicating with the outside world, etc. Fundamentally such attacks are possible because they exploit flaws in the computer system, which include software design/implementation bugs, configuration mistakes and operator errors.

Mobile code refers to programs that come into an enterprise system not through an official installation process, but through various ad hoc channels: email attachments, web pages, ftp payload, etc. In all cases, users are the ones that, in many cases unknowingly, invoke the mobile code embedded in these contents. Because a piece of mobile code is started on behalf of the user who invokes it, it executes with the privilege of that user, and is thus allowed to delete the user's files, scan the user's address book, send email messages, etc.

The difference between active and passive attacks lies in how a piece of code is injected to the victim system and gets started eventually. Once the injected code runs, these two attacks behave the same from this point onward. Given that the injected code is able to issue the system calls it desires, the only way that a victim system can escape from lasting damage is for it to have the ability to erase all the updates that the attacker induced directly or indirectly.

Based on the above analysis, a comprehensive enterprise protection system should consist of the following elements:

In this project, we are conducting a survey of available technologies (commercial and otherwise) for enterprise protection. In the FSL, we are specifically looking into Operating System security, file system and storage security, and Database security.


(Last updated: Sun Jan 15 21:00:51 EST 2006)