Laboratoire d’Analyse et d’Architecture des Systèmes
S.DONATELLI, E.ALATA, A.BONDAVALLI, M.BECCUTI, D.CEROTTI, S.CHIARADONNA, A.DAIDONE, G.DONDOSSOLA, F.DI GIANDOMENICO, G.FRANCESCHINIS, F.GARRONE, O.HAMOUDA, M.KAANICHE, P.LOLLINI, V.NICOMETTE
CNIT, TSF, CNR-ISTI, CESI
Contract Report: CRUTIAL, Project IST-FP6-STREP - 027513, May 2009, 89p., No. 09236
Distributable
E.LACOMBE, V.NICOMETTE, Y.DESWARTE
TSF
Conference with proceedings: 18th EICAR Annual Conference, Berlin (Germany), 11-12 May 2009, 18p., No. 09065
Distributable
I.ALBERDI, V.NICOMETTE, P.OWEZARSKI
OLC, TSF
LAAS Report No. 09058, March 2009, 20p.
Restricted distribution
Interest in malicious software has grown to such an extent that today an entire segment of the software industry is devoted to it (antivirus, firewalls, etc.). However, past events have shown us that software such as antivirus programs, compact-disc protection mechanisms, cryptographic protocol implementations or automated update systems also have vulnerabilities. The aim of this article is to question the implicit trust placed in a new category of software known as malware collectors, in particular Nepenthes and PhP.HOP. This article presents two examples of subverting these tools (which are, in principle, intended to improve security) so that they propagate intrusion attempts. We then propose some research directions for reducing the risk involved in using this type of software, whose merits we in no way call into question.
A.SAIDANE, V.NICOMETTE, Y.DESWARTE
TSF
Scientific Journal: IEEE Transactions on Dependable and Secure Computing, Vol.6, No.1, pp.45-58, January 2009, No. 06333
Distributable
Nowadays, more and more information systems are connected to the Internet and offer Web interfaces to the general public or to a restricted set of users. Such openness makes them likely targets for intruders, and conventional protection techniques have been shown insufficient to prevent all intrusions in such open systems. This paper proposes a generic architecture to implement intrusion-tolerant Web servers. This architecture is based on redundancy and diversification principles, in order to increase the system's resilience to attacks: usually, an attack targets a particular piece of software, running on a particular platform, and fails on others. The architecture is composed of redundant proxies that mediate client requests to a redundant bank of diversified COTS (Commercial Off The Shelf) application servers. The redundancy is deployed here to increase system availability and integrity. To improve performance, adaptive redundancy is applied: the redundancy level is selected according to the current alert level. The architecture can be used for static servers, i.e., for Web distribution of stable information (updated off-line), as well as for fully dynamic systems where information updates are executed immediately on an on-line database. The feasibility of this architecture has been demonstrated by implementing an example of a travel agency Web server.
E.ALATA, M.KAANICHE, V.NICOMETTE
TSF
Conference with proceedings: 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information (SAR/SSI'2008), Loctudy (France), 13-17 October 2008, pp.301-315, No. 08376
Distributable
V.NICOMETTE, D.POWELL, Y.DESWARTE, N.ABGHOUR, C.ZANON
TSF, Université Hassan II, 2I
LAAS Report No. 08286, June 2008, 32p.
Distributable
E.ALATA, I.ALBERDI, V.NICOMETTE, P.OWEZARSKI, M.KAANICHE
TSF, OLC
Scientific Journal: Journal in Computer Virology, Vol.4, No.2, pp.127-136, May 2008, No. 08246
Distributable
High-interaction honeypots are interesting as they help understand how attacks unfold on a compromised machine. However, observations are generally limited to the operations performed by the attackers on the honeypot itself. Outgoing malicious activities carried out from the honeypot towards remote machines on the Internet are generally disallowed for legal liability reasons. It is particularly instructive, however, to observe activities initiated from the honeypot in order to monitor attacker behavior across different, possibly compromised remote machines. To this end, this paper proposes a dynamic redirection mechanism for connections initiated from the honeypot. This mechanism gives the attacker the illusion of actually being connected to a remote machine, whereas he is in fact redirected to another local honeypot. The originality of the proposed redirection mechanism lies in its dynamic aspect: the redirections are made automatically, on the fly. This mechanism has been implemented and tested on a Linux kernel. This paper presents the design and the implementation of this mechanism.
E.LACOMBE, F.RAYNAL, V.NICOMETTE
TSF, SOGETI ESEC
Scientific Journal: Journal in Computer Virology, Vol.4, No.2, pp.135-157, May 2008, No. 07643
Distributable
This article deals with rootkit design. We show how these particular malicious codes are innovative compared to usual malware such as viruses, Trojan horses, etc. From that comparison, we introduce a functional architecture for rootkits. We also propose some criteria to characterize a rootkit and thus to qualify and assess the different kinds of rootkits. We purposely adopt a global view of this topic, that is, we do not restrict our study to the rootkit software itself. Namely, we also consider the communication between the attacker and his tool, and the induced interactions with the system. We observe that the problems faced during rootkit design are close to those of steganography, while also showing the limits of such a comparison. Finally, we present a rootkit paradigm that runs in kernel mode under Linux, together with some new techniques intended to improve its stealth features.
I.ALBERDI, P.OWEZARSKI, V.NICOMETTE
OLC, TSF
LAAS Report No. 08061, March 2008, 18p.
Not distributable
S.DONATELLI, E.ALATA, A.BONDAVALLI, D.CEROTTI, A.DAIDONE, S.CHIARADONNA, F.DI GIANDOMENICO, M.KAANICHE, V.NICOMETTE, F.ROMANI, L.SIMONCINI
CNIT, TSF, UNIFI, CNR-ISTI, CNUCE
Contract Report: CRUTIAL, Project IST-FP6-STREP - 027513, January 2008, 44p., No. 08029
Distributable