Friday, April 28, 2006

Host Intrusion Detection Systems (HIDS)

When you say Intrusion Detection Systems or IDS, people immediately think of network-based IDS--very few think of Host Intrusion Detection Systems or HIDS. Jordan was preparing a presentation on IDS for a DIS graduate class. He was looking for the history of IDS and found several early papers on HIDS. Apparently, "back in the day," those individuals looking into IDS started thinking of it from the host perspective. So, what happened? Why did everyone move their focus to the network by developing NIDS? My guess is someone was looking for the best bang for the buck by developing a solution that would cover as many hosts as possible instead of just one. So, NIDS lived and HIDS fell by the wayside.

Enough of my rambling intro...the whole point of this entry was to discuss a couple of HIDS products and a tool for breaking them that was updated to coincide with CanSecWest. I did not go to CanSecWest, but Jordan did, and so did one of the smart guys from nCircle, who posted his notes from all the presentations on their blog--definitely check out their blog and its excellent write-up of CanSecWest.

I was planning on running through a demo of slipfest running within CoreForce and WehnTrust with screenshots, but time has gotten away from me--thanks to 3 hrs on the phone troubleshooting a problem on my mom's laptop--so it will have to wait until this weekend. To whet your appetite, check out the descriptions from the products' websites below.

WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.

CORE FORCE can be used to:
  • Protect your computer from compromises by worms, viruses and email-borne malware
  • Prevent your computer from being used as a staging point to amplify attacks and compromise others
  • Prevent exploitation of known bugs in the operating system and applications running on your computer
  • Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
  • Detect and prevent execution of adware, spyware, trojan horses and other malware on your computer
CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Officially SLIPFEST is an acronym for "System level intrusion prevention system evaluation suite and toolkit". But the name is really a french joke meaning something like "Panty's party".

It's a tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works. With it you can list SDT (in kernel) or userland (in library) hooks, characterize address space layout randomization (ASLR) or non-executability, inject shellcode into a process' address space to try to fool the heuristics, or test the MAC mechanism with common flaws.
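The "characterize ASLR" part of that description is the easiest to reproduce yourself: run a process many times, record where its stack, heap and code land each time, and count how many address bits actually change. The program below is an added example written for this post, not slipfest's own code; it is POSIX (fork/exec of itself) rather than Windows, so it shows the measurement technique, not the WehnTrust or CORE FORCE behaviour. The run count and the "weakly randomized" threshold of 8 bits are my own choices.

```c
/* aslr_probe.c: characterize address-space randomization by re-running
 * this program and counting which address bits differ between runs.
 * Added example (POSIX, not Windows); not part of slipfest.
 * Build: cc -O0 -o aslr_probe aslr_probe.c && ./aslr_probe
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum { RUNS = 16 };   /* assumption: 16 child runs is enough to see variation */

/* Number of bit positions that differ across the sampled addresses.
 * 0 means every run produced the same address (no randomization seen). */
int varying_bits(const unsigned long *addrs, int n) {
    if (n < 2) return 0;
    unsigned long all_or = 0, all_and = ~0UL;
    for (int i = 0; i < n; i++) { all_or |= addrs[i]; all_and &= addrs[i]; }
    unsigned long diff = all_or & ~all_and;   /* 1 in some runs, 0 in others */
    int count = 0;
    for (; diff; diff >>= 1) count += (int)(diff & 1UL);
    return count;
}

/* Rough label for a region; the 8-bit threshold is an assumption. */
const char *classify(int bits) {
    if (bits == 0) return "fixed (no ASLR)";
    if (bits < 8)  return "weakly randomized";
    return "randomized";
}

/* Child mode: print one line with a stack, heap and code address. */
static void report_addresses(void) {
    int local;
    void *heap = malloc(16);
    printf("%lx %lx %lx\n", (unsigned long)&local, (unsigned long)heap,
           (unsigned long)report_addresses);
    free(heap);
}

/* Parent mode: re-exec ourselves with "--child" and parse its output. */
static int run_child(const char *self, unsigned long out[3]) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
        execl(self, self, "--child", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    char buf[128];
    ssize_t r = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (r <= 0) return -1;
    buf[r] = '\0';
    return sscanf(buf, "%lx %lx %lx", &out[0], &out[1], &out[2]) == 3 ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--child") == 0) { report_addresses(); return 0; }
    unsigned long stack[RUNS], heap[RUNS], code[RUNS];
    for (int i = 0; i < RUNS; i++) {
        unsigned long a[3];
        if (run_child(argv[0], a) != 0) { perror("run_child"); return 1; }
        stack[i] = a[0]; heap[i] = a[1]; code[i] = a[2];
    }
    int sb = varying_bits(stack, RUNS), hb = varying_bits(heap, RUNS), cb = varying_bits(code, RUNS);
    printf("stack: %2d varying bits  -> %s\n", sb, classify(sb));
    printf("heap : %2d varying bits  -> %s\n", hb, classify(hb));
    printf("code : %2d varying bits  -> %s\n", cb, classify(cb));
    return 0;
}
```

A code region that never moves tells you the binary was not built position-independent, which is the same fact slipfest reports for a Windows HIPS that claims randomization: a protection that does not cover the main image leaves fixed addresses for a return-into-code attack.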

Wednesday, April 26, 2006

The Latest Happenings...

Work has been busy lately. You might think that, or you might just think I have been slacking since it's been a month since my last post. Definitely not the latter--having a pregnant wife and a 10-month-old daughter requires reprioritizing of my time. ;-) I also had food poisoning that put me out of commission for days, but I recuperated nicely on an 8-night Western Caribbean cruise the following week.

At work, I have finally had the chance to start flexing my forensic muscle. I really do enjoy forensics but never quite get the chance to do full analysis of a box including filesystem timelines, event logs, flow data, etc. The last three weeks have been exciting in this arena. I will be analyzing one, maybe two, hosts tomorrow.

I will be speaking on Open Source forensics at the May GatorLUG meeting. That should be fun. Right now, I am trying to decide if I want to use PowerPoint or Keynote. I thought about using OpenOffice Impress, but I am thinking all the shiny effects of Keynote are what I really want. It will detract from the Open Source tools a bit, but people will get over it.

And finally...why don't I update my blog or write those cool how-tos or other things I have said I wanted to do on this site? Well, I am a bit of a perfectionist. When I think about putting content up here, I don't want to put it up unless I am perfectly happy with it and feel that it is "perfect." After speaking with a coworker about my tendency to act this way, she mentioned it was something she has read about in self-help books and it just leads people to never get things done. I want to overcome that, so expect to see daily posts, perfect or not.