Host-based Intrusion Prevention

White Oak Labs has contributed to advances in computer systems intrusion prevention through peer-reviewed publications and international conferences.

Our contributions include a software source-code implementation and training, as described in the slides for our Defcon 2003 presentation, 'Host Based Intrusion Prevention on Windows and Unix.'

Source code for the intrusion-prevention kernel extensions is available here:

Compared to sandboxing with jails and chroots, Intrusion Prevention offers much finer-grained control over an application's access to the kernel interface. Jails and chroots are popular methods of hardening web services beyond what the application's own configuration allows: they present a restricted view of the file system and devices. In contrast, Intrusion Prevention provides fine-grained control, that is, argument filtering, for specified system calls.

For example, Intrusion Prevention can be used to blacklist certain system calls or certain argument values. It can specify that a service may fork processes as any user except root; that a process running as a normal user may open one specified socket as root, avoiding the need to run the whole process as root; or that a process may read any file except /etc.

Better yet, one can build a "default deny" white list by monitoring an application and recording every system call it makes under normal circumstances. White lists can be tuned and exchanged just like firewall rules. In that sense, Intrusion Prevention can be viewed as a firewall for the messages between user applications and the kernel.
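The following is an added reference model of the policy semantics described above (first-match rules with argument filters, default deny, and a white list learned from an observed trace); it is constructed for illustration and is not White Oak Labs' kernel-extension code. The service uid, the port number and the trace lines are assumed values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Call = Dict[str, object]  # e.g. {"name": "open", "uid": 33, "path": "/etc/shadow"}

@dataclass
class Rule:
    syscall: str
    action: str                                    # "allow", "deny" or "allow_as_root"
    when: Optional[Callable[[Call], bool]] = None  # argument filter; None matches any args
    note: str = ""

class Policy:
    """Firewall-style rule list: the first matching rule wins, no match means deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, call: Call) -> str:
        for r in self.rules:
            if r.syscall == call["name"] and (r.when is None or r.when(call)):
                return r.action
        return "deny"  # default deny: unlisted syscall or unlisted argument pattern

    @classmethod
    def learn(cls, trace: List[Call]) -> "Policy":
        """Build a default-deny white list from the (syscall, uid) pairs seen in a trace."""
        rules, seen = [], set()
        for c in trace:
            key = (c["name"], c["uid"])
            if key not in seen:
                seen.add(key)
                rules.append(Rule(c["name"], "allow", lambda x, u=c["uid"]: x["uid"] == u,
                                  f"observed as uid {c['uid']}"))
        return cls(rules)

# Hand-written policy for a hypothetical web service (uid 33), mirroring the examples in the text.
WEB_POLICY = Policy([
    Rule("fork", "deny", lambda c: c["uid"] == 0, "may fork as any user except root"),
    Rule("fork", "allow"),
    Rule("socket", "allow_as_root", lambda c: c.get("port") == 80,
         "normal user may open port 80 with root privilege, so the daemon need not run as root"),
    Rule("open", "deny", lambda c: str(c.get("path", "")).startswith("/etc"),
         "may read any file except /etc"),
    Rule("open", "allow"),
])

# Constructed trace of the service under normal operation, used to derive a white list.
TRACE: List[Call] = [
    {"name": "open", "uid": 33, "path": "/var/www/index.html"},
    {"name": "read", "uid": 33}, {"name": "write", "uid": 33},
    {"name": "open", "uid": 33, "path": "/var/www/style.css"},
]
LEARNED = Policy.learn(TRACE)  # three rules: open, read, write, each only as uid 33
```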

Copyright © 2002-2009 White Oak Labs Inc. All Rights Reserved. TX PSB License A15996.