At present, there are several ways to prevent this kind of attack. The first is to patch the program that contains the overflow hole. This is the most common prevention method, but it depends on the vendor releasing a corresponding patch before it can take effect. With network attacks becoming ever more frequent, the time from a vulnerability being found to its use in large-scale attacks has shortened greatly, and attacks often occur before the vendor has released a patch. This method is therefore very passive and cannot stop intrusions through new vulnerabilities. The second is to make the buffer non-executable through an operating system setting, which prevents the attacker from implanting attack code. The main problems with this method are that it may conflict with existing applications, and that its protection against overflow attacks is not comprehensive, because some attacks do not need to implant attack code at all. The third is to compile the program with a special compiler that inserts overflow checks. This is a relatively complete protection measure, but it comes at a very high price in time and cost.
None of the above methods can be applied successfully in real business systems. A host intrusion prevention system offers another feasible and easy-to-implement way to prevent stack overflow attacks. The host intrusion prevention system includes a STOP (Stack Overflow Protection) technology that can prevent this kind of intrusion and stop users or programs from gaining superuser rights.
All buffer overflow exploit programs rest on the assumption that the address space offset of the problematic parameter pushed onto the stack is fixed (or differs only slightly) each time the program runs. If the operating system defines and assigns a randomized offset to the application at run time, an overflow program crafted specifically for that defective program will return an incorrect ret address when it overflows, instead of jumping to the maliciously constructed shellcode. Although most buffer overflow programs also provide an adjustable offset variable, the defective program receives a new randomized offset on every run, so the address space and contents learned from the previous unsuccessful overflow guess cannot guide the next adjustment of the offset. The STOP technology provided by the host intrusion prevention system works at the operating system level without changing the kernel: it helps define and allocate the randomized offset and realizes the above function dynamically, with no modification of the system kernel.
Through this preventive measure, users can not only apply high-strength protection against all known and unknown types of stack overflow attack, but also avoid modifying any existing operating system or application, which keeps the original system running continuously and protects the existing investment.

Information tampering destroys the integrity of information and is one of an intruder's goals. It takes two main forms: tampering with information in transit and tampering with information in storage. Tampering in transit occurs mainly in online transactions and can cause serious economic losses to both parties; tampering with the control information of network equipment can make the network behave abnormally and even change the transmission path of information, causing leakage. Prevention of this kind of attack relies mainly on encryption, digital signatures and strong verification of the information exchanged between the two parties. Tampering with stored information is the most common attack means. It often shows up as data on a key business server changing and disrupting normal business operation; tampering with key documents such as the website homepage damages the victim's image and causes potential economic losses. For example, if the web page of an online marketing company is tampered with, the consequence may be the loss of a large number of customers even if the intrusion never touches key transaction data. Another highly threatening form of attack is tampering with executable programs. By tampering with the system's original executable files, an intruder can achieve many destructive purposes: for example, illegally modifying the programs of a securities trading system or a banking system to obtain huge benefits, or tampering with key applications so that the system cannot operate normally.
But the most common purpose of tampering is to modify applications that administrators or users run frequently, so that besides their normal operation they also run a Trojan placed by the intruder. To the administrator or user the system then appears to be running normally, while the Trojan horse program runs unnoticed and opens a back door. The consequences of such an intrusion are very serious and may lead to major information leakage.
The host intrusion prevention system addresses this at the root, by greatly refining the granularity of resource control. Both UNIX and Windows server operating systems offer only very limited security permissions on files and directories. The host intrusion prevention system greatly strengthens access control over files and directories. As shown in the figure, in addition to read, write and execute, eight further permission types have been added: delete, rename, mode change, owner change, time update, ACL change, create and directory change. This gives administrators ample authorization space to grant each account the most appropriate rights to each resource, preventing internal security risks caused by excessive authorization. At the same time, the same account may obtain different levels of access when it uses different applications to reach a resource, which greatly helps the special needs of some industries.
Through this detailed control of file permissions, information tampering incidents caused by over-authorization can be greatly reduced. However, to completely prevent key information from being tampered with, the host intrusion prevention system also provides a digital signature function that checks the integrity of ordinary files, data files and executable files, especially suid and sgid programs on UNIX, which are the primary targets of intruders. If an ordinary file or data file is changed unexpectedly, the host intrusion prevention system raises an alarm; if an executable file is changed unexpectedly, the host intrusion prevention system automatically refuses to execute it and raises an alarm at the same time. In this way, even if an intruder tampers with a target file, the purpose is hard to achieve. Of course, if these key files are protected by the file protection function of the host intrusion prevention system, the intruder cannot tamper with them at all.

The Trojan horse (hereinafter simply "Trojan") takes its name from the siege of Troy in ancient Greek legend, a story everyone is familiar with. This ancient siege method has become a fascinating form of network intrusion.
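The integrity check described above (alarm on a changed data file, refuse to run a changed executable and alarm), as an added example that is not the product's code: a baseline of SHA-256 digests is taken while files are known-good, and the file paths, modes and tampering in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

# Constructed baseline-and-check routine. Policy follows the text: a changed
# data file only raises an alarm; a changed executable (and especially a
# setuid/setgid program) is refused execution and raises an alarm as well.

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record a digest for every protected file while it is known-good."""
    return {p: file_digest(p) for p in paths}

def check_file(path, baseline):
    """Return (action, reason); action is 'ok', 'alarm' or 'block'."""
    if path not in baseline:
        return "alarm", "file is not in the protected baseline"
    if file_digest(path) == baseline[path]:
        return "ok", "unchanged"
    mode = os.stat(path).st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        setid = mode & (stat.S_ISUID | stat.S_ISGID)
        kind = "setuid/setgid program" if setid else "executable"
        return "block", f"{kind} modified: execution refused, alarm raised"
    return "alarm", "data file modified"

def demo():
    """Constructed scenario: a data file and a program are both tampered with."""
    d = tempfile.mkdtemp()
    data = os.path.join(d, "config.dat")
    prog = os.path.join(d, "tool")
    for p in (data, prog):
        with open(p, "wb") as f:
            f.write(b"original content\n")
    os.chmod(prog, 0o755)
    baseline = build_baseline([data, prog])
    for p in (data, prog):            # simulate tampering after the baseline
        with open(p, "ab") as f:
            f.write(b"# injected\n")
    return check_file(data, baseline)[0], check_file(prog, baseline)[0]

if __name__ == "__main__":
    print(demo())  # ('alarm', 'block')
```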
First of all, the host intrusion prevention system has a program access control list (PACL) function, under which the same user gets different rights when accessing the same resource from different applications. That is, for important resources we can use the host intrusion prevention system to restrict the access rights of different applications and allow only known legitimate applications to reach those resources. Then even if an intruder runs a Trojan horse program on the attacked server, the Trojan must pass the security check of the host intrusion prevention system when it tries to steal key information. Because the PACL defines no access right for the Trojan program, it is denied by default, which prevents the Trojan from stealing information.
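A PACL-style evaluator, added here as an illustration rather than the product's own rule format: decisions depend on account, program and resource together, the operation set is the eleven permission types named earlier (read, write, execute plus the eight added ones), and the accounts, program paths and access attempts are constructed.

```python
# Constructed PACL-style evaluator, not the product's own code. A decision
# depends on (account, program, resource, operation); an unknown program
# matches no rule, so a Trojan started under a trusted account is denied.

# The eleven operation types named in the text: the usual three plus eight more.
OPERATIONS = {"read", "write", "execute", "delete", "rename", "chmod", "chown",
              "utime", "chacl", "create", "chdir"}

# Each rule: (account or "*", program path or "*", resource prefix, allowed ops).
RULES = [
    ("dbadmin", "/usr/bin/sqlcli", "/data/trades/", {"read", "write"}),
    ("dbadmin", "/usr/bin/backup", "/data/trades/", {"read"}),
    ("webadm",  "/usr/sbin/httpd", "/var/www/",     {"read"}),
    ("webadm",  "/usr/bin/deploy", "/var/www/",     {"read", "write", "create", "rename", "delete"}),
    ("*",       "*",               "/tmp/",         {"read", "write", "create", "delete"}),
]

def allowed_ops(account, program, resource):
    """Union of the operations granted by every rule that matches the triple."""
    ops = set()
    for acct, prog, prefix, granted in RULES:
        if acct in ("*", account) and prog in ("*", program) and resource.startswith(prefix):
            ops |= granted
    return ops

def decide(account, program, resource, op):
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation: {op}")
    return op in allowed_ops(account, program, resource)   # default deny

def audit(attempts):
    """Return the attempts a PACL would reject, e.g. for alerting."""
    return [a for a in attempts if not decide(*a)]

# Constructed access attempts: the last one is a Trojan reusing dbadmin's rights.
ATTEMPTS = [
    ("dbadmin", "/usr/bin/sqlcli", "/data/trades/2024.db", "write"),
    ("dbadmin", "/usr/bin/backup", "/data/trades/2024.db", "write"),
    ("webadm",  "/usr/sbin/httpd", "/var/www/index.html",  "write"),
    ("dbadmin", "/home/dbadmin/.cache/update", "/data/trades/2024.db", "read"),
]
```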
In addition, once a computer is connected to the network it becomes part of a whole and bears responsibility for overall security. From the analysis above, we see that Trojans not only steal local information; more seriously, an intruder can use the local computer to attack other computers on the network, for example in DDoS attacks. American law stipulates that the owner of a computer with security problems is responsible for intrusions into other networked computers directly caused by those problems, and other countries are gradually introducing similar regulations. It is therefore not enough to adopt a self-protection strategy that only looks after one's own machine. To prevent a server implanted with a Trojan from becoming a springboard and puppet for intruders, the host intrusion prevention system also provides network access control. Network access control rules define not only who can access which services on the machine, when and from where, but, more importantly, what types of network connections the machine itself may originate. Any connection that does not conform to the rules is not sent from this machine. For example, when the Code Red worm was spreading, many servers running IIS scanned the network on a large scale after being infected, looking for other hosts with TCP port 80 open. Such behaviour from a web server is obviously abnormal. By defining the permitted connection types in the host intrusion prevention system, we can fundamentally prevent outbound attacks launched by Trojans, and in particular avoid becoming a puppet in DDoS attacks.

In many critical business environments, several especially important services are always running. For an e-commerce trading website, for example, the HTTP service or daemon on the server is critical.
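An inbound/outbound rule check for a web server, with the Code Red style sweep detected from the blocked outbound attempts, as an added example that is not the product's rule syntax: the subnets (written as address prefixes), ports and connection attempts are all constructed.

```python
from collections import defaultdict

# Constructed rule set for a public web server, not the product's own format.
# Inbound rules: who may reach which local service. Outbound rules: which
# connections this machine may originate. Address prefixes stand in for subnets.
INBOUND = [("", 80), ("", 443), ("10.0.0.", 22)]      # "" = any source
OUTBOUND = [("10.0.5.", 3306), ("10.0.1.", 53)]         # database, internal DNS

def permitted(conn):
    """conn: dict with direction ('in'/'out'), peer address and port."""
    rules = INBOUND if conn["dir"] == "in" else OUTBOUND
    return any(conn["peer"].startswith(pfx) and conn["port"] == port
               for pfx, port in rules)

def filter_connections(conns):
    """Split connection attempts into those allowed and those blocked."""
    allowed = [c for c in conns if permitted(c)]
    blocked = [c for c in conns if not permitted(c)]
    return allowed, blocked

def scan_suspects(blocked, threshold=3):
    """Blocked outbound connections to many distinct peers on one port look
    like a worm scanning from this host (the Code Red pattern in the text)."""
    peers = defaultdict(set)
    for c in blocked:
        if c["dir"] == "out":
            peers[c["port"]].add(c["peer"])
    return {port: len(p) for port, p in peers.items() if len(p) >= threshold}

# Constructed attempts: normal traffic followed by a worm-style port 80 sweep.
ATTEMPTS = [
    {"dir": "in",  "peer": "203.0.113.5", "port": 80},
    {"dir": "in",  "peer": "203.0.113.5", "port": 22},
    {"dir": "out", "peer": "10.0.5.10",   "port": 3306},
] + [{"dir": "out", "peer": f"198.51.100.{i}", "port": 80} for i in range(1, 6)]
```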
On the database server in the back-end support environment, the database daemon is the soul of that server. Similarly, for a new paid mailbox provider it will be much harder to attract users if the SMTP service on the back-end mail server suddenly stops. The cornerstone of the information society is therefore the set of services running on key servers; once a service stops, the applications above it have no foundation. In the operating system, these key services exist as background processes.
At present the most attacked services are the HTTP, SMTP and database processes, though other key service processes exist as well. Intruders generally stop these processes in one of two ways: by exploiting a vulnerability in the service itself to break in, or by obtaining the operating system permission needed to stop the process, usually superuser permission, and then stopping it.
The security of a process depends entirely on the security level provided by the operating system. Generally speaking, watchdog technology is the main means of preventing a process from stopping. A watchdog's main function is to watch over a process and keep it from stopping unexpectedly: if the process is interrupted by some unexpected factor, the watchdog restarts the monitored process within a short time.
The host intrusion prevention system has this watchdog function. In fact, the service provided by the host intrusion prevention system itself is based on three processes. To protect the operating system, the host intrusion prevention system must first protect itself and prevent its own processes from terminating unexpectedly. In practice, these three processes not only perform their respective functions but also protect one another: process one is the watchdog of process two, process two is the watchdog of process three, and process three is the watchdog of process one. If one process stops unexpectedly, there is always another process to restart it. Even if two processes are interrupted at the same time in extraordinary circumstances, the remaining process can still start one of them, which then starts the last. This security mechanism of the host intrusion prevention system is therefore very strict, and it serves not only self-protection but also the protection of key service processes.

The existence of the superuser brings great convenience to managers. Once logged in, they can complete all management work, execute every command and carry out all system maintenance. But at the same time, precisely because of the superuser's omnipotent authority, it has caused a great deal of trouble.
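The mutual-watchdog ring described above as an added simulation, not the product's implementation. It generalizes the three-process ring to n processes and shows the two claims in the text: one or two failures are recovered (two failures take two rounds, the survivor restarting one process which then restarts the last), while a ring with no survivor cannot restart itself.

```python
# Constructed simulation of the mutual-watchdog ring described above, not the
# product's own code. Process i watches process (i + 1) % n; in each round every
# live watcher restarts its ward if it is down. Generalized to a ring of n
# processes; the text's case is n = 3.

def recover(alive, max_rounds=None):
    """Return (final state, rounds needed). alive: list of bools per process."""
    state = list(alive)
    n = len(state)
    if max_rounds is None:
        max_rounds = n            # a ring of n never needs more than n rounds
    rounds = 0
    while not all(state) and rounds < max_rounds:
        watchers = [i for i, up in enumerate(state) if up]
        if not watchers:          # every process is dead: nobody can restart anyone
            break
        for i in watchers:        # only watchers alive at the start of the round act
            state[(i + 1) % n] = True
        rounds += 1
    return state, rounds

def survives(alive):
    """True if the ring can restore itself from the given failure pattern."""
    return all(recover(alive)[0])

def worst_case_rounds(n):
    """Rounds needed when only one process of an n-ring survives."""
    return recover([True] + [False] * (n - 1))[1]
```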
First, leaving intruders aside, super permission brings many problems even when the administrator performs only normal operations. Once logged in as the superuser, the administrator must be careful in every operation. Many actions in the system are irreversible, and a mistaken operation due to human error often causes irreparable losses. On critical business servers such catastrophic errors occur frequently, and related reports appear in the media from time to time. According to statistics, administrator error is one of the biggest security threats to the whole network system. In fact, some operations can be completed without superuser permission, but most people still choose to log in with the superuser account. The most fundamental reason is probably convenience, and this leads to big mistakes.
Secondly, the way the superuser is set up in the operating system is unreasonable. Generally speaking, administrators are responsible for keeping the system running normally, creating and maintaining accounts, and assigning access rights to resources. They usually have no right to read, let alone modify or delete, some of the confidential information stored on the server. In reality, however, anyone with superuser rights can handle this data at will, and even encrypted data can easily be destroyed or deleted. This does not conform to a proper security policy and needs to be controlled by some measure.
Finally, in the world of intruders there is probably nothing better than obtaining the superuser identity on an important system. The ultimate goal of almost every attack is to gain full control of the attacked system, which essentially means obtaining the account name and password of the system superuser. Password cracking, stack overflow, network eavesdropping and so on are all aimed at this. Once superuser permission is obtained, the intruder can not only carry out the series of actions described above, but also switch to other people's identities at will, even without any password check, and erase all audit records of their actions, leaving auditors with no evidence to examine. Of course, the existence of the superuser also puts network security personnel in an awkward position: no matter how unbreakable the firewall, how observant the IDS, and how advanced the encryption algorithm, once the intruder gains superuser permission all of this is useless.
To cope with this situation, the host intrusion prevention system redistributes the superuser's authority at the operating system level and treats all users equally, so that the concept of a superuser no longer exists in the system. After this decentralization, every administrator works within the scope of his own duties and has no other privileges. For example, the security administrator may have the right to allocate resources but cannot delete logs at will; the security auditor's duty is to analyse the logs and find suspicious behaviour by any user, but he has none of the other system privileges. It is like putting three locks on a safe: you cannot get at the contents with only one key. To let users decentralize as they see fit, the host intrusion prevention system also provides a task delegation interface for more detailed configuration, so that ordinary users can be given permissions that previously only the superuser could exercise. After authority has been allocated and refined in this way, administrator misoperation is largely avoided, and an intruder who obtains one account can no longer run amok.
To track activity on the system more carefully and accurately, the host intrusion prevention system provides auditing by original login ID. That is, no matter which login ID the user later switches to through su, the activity is always tracked and recorded in the log under the original login ID, and the intruder cannot destroy the log even after obtaining the root password. In addition, the host intrusion prevention system manages the right to use an ID as a resource: if an account needs to su to another account, it must be authorized by the host intrusion prevention system or the switch will fail, even when it is the root user switching to another account. This greatly reduces attacks carried out by switching identities.
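A model of the two mechanisms just described, auditing by original login ID and su treated as an authorized resource, as an added example that is not the product's code: the account names, the `SU_GRANTS` table and the session events are constructed.

```python
# Constructed model of auditing by original login ID and of su as an authorized
# resource, not the product's own code. Every log entry carries the ID the user
# first logged in with, whatever identity they later switched to.

# Which target accounts each original login ID may su to; root gets no free pass.
SU_GRANTS = {"alice": {"oracle"}, "bob": set(), "root": {"backup"}}

class Session:
    def __init__(self, login_id):
        self.login_id = login_id          # fixed for the life of the session
        self.effective = login_id         # changes only through an authorized su
        self.log = []                     # (original, effective, event, detail, result)

    def su(self, target):
        granted = target in SU_GRANTS.get(self.login_id, set())
        self.log.append((self.login_id, self.effective, "su", target,
                         "allow" if granted else "deny"))
        if granted:
            self.effective = target
        return granted

    def act(self, command):
        self.log.append((self.login_id, self.effective, "exec", command, "recorded"))

def actions_by_original_id(sessions):
    """Group every recorded event under the ID that actually logged in."""
    grouped = {}
    for s in sessions:
        for original, effective, event, detail, result in s.log:
            grouped.setdefault(original, []).append((effective, event, detail, result))
    return grouped

def demo():
    """Constructed scenario: alice su's to oracle and runs a command; root tries oracle."""
    a = Session("alice")
    a.su("oracle")
    a.act("rm /var/log/audit.log")
    r = Session("root")
    r.su("oracle")
    return actions_by_original_id([a, r])
```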
The host intrusion prevention system is built on a solid security architecture and a brand-new security design concept. It runs stably, offers strong security, provides a high level of protection for the various UNIX platforms and Windows server platforms, and is compatible with mainframe security mechanisms. It is an important security tool for protecting key server resources and is receiving more and more attention from users.
Of course, the protection provided by the host intrusion prevention system focuses mainly on server resources and behaviour, and it cannot replace every other security product. Firewalls, antivirus, network intrusion detection systems, VPNs and the like are useful complements to it. Only by combining the protection of key servers with protection of the overall network architecture can we give our cyberspace the most complete guarantee. In view of the mixed threats of viruses, worms, intrusions and other threats, the host intrusion prevention system will undoubtedly provide a more active defence for our key resources.