Disarming Offense to Facilitate Defense

Disarming Offense to Facilitate Defense (2000)

Cached

Download Links

by D. Bruschi , E. Rosti

Venue:	In Proceedings of the New Security Paradigms Workshop
Citations:	3 - 0 self

BibTeX

@INPROCEEDINGS{Bruschi00disarmingoffense,
    author = {D. Bruschi and E. Rosti},
    title = {Disarming Offense to Facilitate Defense},
    booktitle = {In Proceedings of the New Security Paradigms Workshop},
    year = {2000},
    pages = {69--75},
    publisher = {ACM Press}
}

Bookmark

OpenURL

Abstract

Computer security has traditionally focused on system defense, concentrating on protection and recovery of victim machines. Moving from the opposite perspective, we propose a complementary approach that focuses on limiting the attacking capabilities of the hosts. Software design and implementation weaknesses usually are at the basis of computer offensive capacities. Since software redesign or patching on an extensive basis is not possible, we propose the adoption of a filtering strategy to block abuse attempts at the originating machines. As an example, applications of such an approach are presented at host level, in order to prevent root compromise attacks, and at network level, in order to prevent DoS attacks, among others. The proposed solution is not a silver bullet and could be bypassed by sophisticated users. However, we believe it can effectively restrain the offensive capabilities of hosts that could be easily seized by crackers. We discuss the pros and cons of the proposed so...

Citations

407	Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks - Cowan, Pu, et al.
331	The Design of the UNIX Operating System - Bach - 1986
326	Kerberos: An authentication service for computer networks - Neuman, Ts’o - 1994
142	Smashing the stack for fun and profit - One - 1996
10	The latest in denial of service attacks: smurfing. Description and information to minimize effects,” http://users.quadrunner.com/chuegen/smurf.cgi, last update - Huegen - 2000
10	A Middleware Approach to Asynchronous and Backward Compatible Detection and - Tripunithara, Dutta - 1999
5	A tool for pro-active defense against the buffer overrun attack - Bruschi, Rosti, et al. - 1998
5	Bounds Checking for C," http://www-ala.doc.ic.ac.uk/phjk/ BoundsChecking.html - Jones, Kelly - 1995
5	to Write Buffer Overflows - Mudge - 1997
4	The Setuid Feature in UNIX and Security - Bunch - 1987
3	Network ingress ltering: Defeating denial of service attacks which employ IP source address spoo ng." Request for Comments 2267 - Ferguson, Senie - 1998
2	Less harm, less worry or hot to improve network security by bounding system offensiveness," accepted at - Bruschi, Cavallaro, et al. - 2000
2	SYN flooding attacks and IP Spoofing attacks - CERT-CC
2	of service attack via ping - CERT-CC
2	Denial of service attacks - CERT-CC
2	and D.Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827 - Ferguson - 1998
2	The limitations of intrusion detection systems on high speed networks,” presented at the “First - Kleinwaechter - 1998
2	NonExecutable User Stack." http://www.false.com/security/linux-stack - Designer
1	Linux Security Toolkit - Bandel - 2000
1	Sundaram A., Zamboni D., "Analysis of a denial of service attack on TCP - Schuba, Krsul, et al. - 1997
1	FreeBSD Stack integrity patch," ftp://ftp.lucky.net/pub/unix/local/libc-letter - Snarskii - 1997
1	Rosti E., \Less harm, less worry," submitted for publication - Bruschi, Cavallaro - 2000
1	SYN ooding attacks and IP Spoo ng attacks - CERT-CC
1	The latest in denial of service attacks: smur ng. Description and information to minimize e ects," http://users.quadrunner.com/chuegen/smurf.cgi, last update - Huegen - 2000
1	Spa ord E.H., Sundaram A., Zamboni D., \Analysis of a denial of service attack onTCP - Schuba, Krsul, et al. - 1997