Friday, April 28, 2006

Host Intrusion Detection Systems (HIDS)

When you say Intrusion Detection Systems or IDS, people immediately think of network-based IDS--very few think of Host Intrusion Detection Systems or HIDS. Jordan was preparing a presentation on IDS for a DIS graduate class. He was looking for the history of IDS and found several early papers on HIDS. Apparently, "back in the day," those individuals looking into IDS starting thinking of it from the host perspective. So, what happened? Why did everyone move their focus to the network by developing NIDS? My guess is someone was looking for the best bang for the buck by developing a solution that would cover as many hosts as possible instead of just one. So, NIDS lived and HIDS fell by the wayside.

Enough of my rambling intro...the whole point of this entry was to discuss a couple of HIDS products and a tool for breaking them that was updated to coincide with CanSecWest. I did not go to CanSecWest, but Jordan did and so did one of the smart guys from nCircle who posted his notes from all the presentations on their blog--definitely check it out their blog and excellent write-up of CanSecWest.

I was planning on running through a demo of slipfest running within CoreForce and WehnTrust with screenshots but time has gotten away from me--thanks to 3 hrs on the phone troubleshooting a problem on my mom's laptop--so it will have to wait until this weekend. To wet your appetite, check out the descriptions from the products' websites below.

WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.


CORE FORCE can be used to:
  • Protect your computer from compromises by worms, virus and email-borne malware
  • Prevent your computer from being used as a staging point to amplify attacks and compromise others
  • Prevent exploitation of known bugs in the operating system and applications running on your computer
  • Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
  • Detect and prevent execution of adware, spyware, trojan horses and other malware on you computer
CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Officially SLIPFEST is an acronym for "System level intrusion prevention system evaluation suite and toolkit". But the name is really a french joke meaning something like "Panty's party".

It's a tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works. With it you can list SDT (in kernel) or userland (in library) hooks, caracterize address space layout randomization (ASLR) or non executability, inject shellcodes in a process' address space to try to fool the heuristic or test the MAC mecanism with common flaws.

2 comments:

astroman said...

No mention of CSA?

-->jason

John H. Sawyer said...

I can only but assume that you are referring to Cisco Security Agent. Reading back through my post, I realize that I didn't mention I was primarily sticking to free and/or Open Source tools and projects--something that I tend to favor having developed my skills in a university setting.

CSA is probably good, but I have no experience whatsoever. Cisco is too expensive for me to play with...we leave all the Cisco stuff to our network engineers.

If you want to provide me with a copy, I would be happy to test it also. Or, if you have extensive experience, feel free to post it here. Thanks,

-jhs