
Deterministic Detection for Hijacked Program Execution

Description:

TECHNOLOGY AREAS: Information Systems

OBJECTIVE:  The objective of this SBIR topic is to design and develop a reliable and deterministic detection method for hijacked execution (D2HE), and to evaluate its capability, performance, and cost.

DESCRIPTION:  Achieving information dominance requires the Department of Defense (DoD) to provide information assurance within its information infrastructures. The COTS-based hardware and software in our computing systems and networks are large and complex, and hence inherently insecure. Malware and adversaries regularly exploit this inherently insecure computing infrastructure.  Many approaches have been used to detect malware and adversarial intrusion activity, ranging from detecting malware signatures, heuristic behavior monitoring and white-listing to marking data entering the system (taint tracking). However, even with all of these security mechanisms, malware and adversaries still manage to penetrate our systems.

One commonly used detection approach is to insert checkpoints or assertions into the body of the program through a code-rewriting process. The locations of the checkpoints can be derived from code analysis or from a formal model of the program. This approach can be effective in detecting errors and improper states in a program. An issue with this approach in an adversarial setting is that if the execution of the program is maliciously diverted by an adversary (or malware), the subsequent checkpoint may never be reached, and the diversion of the execution flow may never raise an alarm.

It is desirable to have a reliable and deterministic alarm which will always ring every time a program is hijacked. Reliable indicates that the alarm cannot be circumvented, and deterministic means that the detection mechanism has a 0% false-positive rate (it is not statistical or probabilistic). Furthermore, it can be observed that a simple mechanism operating on one or a small number of invariants, as opposed to a complex state- or rule-based system operating on multiple events or sequences of events such as behavior-based detection [3][4][5], may be advantageous for achieving 0% false positives while minimizing false negatives. An example of a deterministic method for recognizing hijacked execution is the venerable taint-tracking method [1][2]. An invariant in this context is a physical and/or logical condition which always occurs during execution hijacking; for example, external data (such as a string) being executed during execution hijacking is the invariant used in the taint-tracking methods [1][2].
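The contrast between the two approaches above, as an added illustration that is not part of this topic description: a checkpoint detector only observes the assertions that execution actually reaches, while a detector built on the taint invariant inspects every instruction fetch. The memory map, checkpoint addresses and fetch traces are constructed for the example.

```python
# Toy model (constructed for illustration): memory is a map addr -> taint flag.
# Program text loaded from the image is untainted; bytes copied in from external
# input are tainted. A trace is the sequence of instruction addresses fetched.
CODE_BASE, CODE_SIZE = 0x1000, 0x100   # assumed program text range
BUF_BASE, BUF_SIZE = 0x8000, 0x40      # assumed buffer filled from external input
CHECKPOINTS = [0x1010, 0x1040, 0x1080]  # assumed addresses of inserted assertions
NORMAL_TRACE = [0x1000, 0x1010, 0x1020, 0x1040, 0x1060, 0x1080, 0x10a0]
# Control diverted into the input buffer after the second checkpoint; the third
# checkpoint is never reached, so the checkpoint detector stays silent.
HIJACKED_TRACE = [0x1000, 0x1010, 0x1020, 0x1040, 0x8000, 0x8004, 0x8008]

def build_memory():
    """Constructed memory map: text is untainted, the input buffer is tainted."""
    taint = {a: False for a in range(CODE_BASE, CODE_BASE + CODE_SIZE)}
    taint.update({a: True for a in range(BUF_BASE, BUF_BASE + BUF_SIZE)})
    return taint

class CheckpointDetector:
    """Assertions at fixed addresses: alarms only when one is reached out of
    order, so it observes nothing if execution never gets to the next one."""
    def __init__(self, expected):
        self.expected, self.seen, self.alarm = list(expected), [], None

    def on_fetch(self, addr, taint):
        if addr in self.expected:
            self.seen.append(addr)
            if self.seen != self.expected[:len(self.seen)]:
                self.alarm = f"checkpoint {addr:#x} reached out of order"

class TaintInvariantDetector:
    """Invariant: fetched instruction bytes never originate from external input."""
    def __init__(self):
        self.alarm = None

    def on_fetch(self, addr, taint):
        # An unmapped address is treated as tainted (not from the program image).
        if self.alarm is None and taint.get(addr, True):
            self.alarm = f"instruction fetched from external data at {addr:#x}"

def detect(trace):
    """Replay a fetch trace through both detectors; stop at the first alarm."""
    taint = build_memory()
    detectors = [CheckpointDetector(CHECKPOINTS), TaintInvariantDetector()]
    for addr in trace:
        for d in detectors:
            d.on_fetch(addr, taint)
        if any(d.alarm for d in detectors):
            break
    return {type(d).__name__: d.alarm for d in detectors}
```

On the normal trace neither detector alarms (no false positive); on the hijacked trace only the invariant check fires, at the first fetch from the tainted buffer.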

Understanding the invariants of an execution hijacking process plays an important role in deterministically recognizing it. The challenge in this topic is to develop a reliable and deterministic detection method for hijacked execution that makes use of one or a small number of the invariant properties of the execution hijacking process.

PHASE I:  Design and develop an efficient, reliable and deterministic detection method for hijacked execution flow (D2HE).  Develop a proof-of-concept prototype of D2HE in an open-source OS environment, and investigate its cost and effectiveness.

PHASE II:  Further develop and mature the D2HE method, develop a full-scale D2HE-protected system, and perform a full-scale evaluation of that system.

PHASE III Dual Use Application:  This system could be used in a broad range of information security products within the military, as well as in civilian enterprise applications. The technologies developed under this SBIR will be beneficial in providing additional resiliency to networked enterprise computing systems against malware and intrusions.
