As network threats continue to grow in number and sophistication, a new technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects endpoints behind the network perimeter. It combats infections and attacks at the device and server level of a network, providing a layered approach that complements investments in network-based IPS without relying on signatures that require near-constant updates.
HIPS technology is extremely accurate. It works by enforcing a fixed set of basic software conventions called the Application Binary Interface (ABI). The ABI sits one step beyond the application programming interface (API) and defines the API plus the machine-language conventions for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI.
HIPS deployments generally involve two components: a set of agents, and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and they prevent malicious code that enters a machine from being executed without needing a check against threat signatures.
In practice, agents continually verify the validity of application instructions by checking their origin, preventing injected code from being executed. They also catch malicious code masquerading as user data. In addition, they perform checks on program control to ensure that every control transfer conforms to the ABI. This prevents applications from being tricked into handing over control to external injected code. It also catches code-reuse attacks, which are emerging as the next generation of advanced attack techniques worrying security professionals.
The HIPS management and reporting interface enables thousands of agents to be deployed, managed and upgraded across an enterprise network. The interface, which is often Web-based to provide universal accessibility, allows network and security staff to make configuration changes, monitor alerts and view reports. Many interfaces notify security professionals of issues via SMTP or other alerts. The interface is also key for analyzing trend reports, assigning users and roles according to policy, and maintaining a comprehensive audit trail.
As shown in the diagram in Computerworld's print edition, an HIPS deployment could block the threat of the Sasser worm. The worm exploited a memory flaw in Microsoft operating systems to cause billions of dollars of damage worldwide. The attack path shows how the previously unknown Sasser code passes through unpatched firewalls undetected, reaching two servers -- one protected by HIPS, one unprotected. As the code enters the memory of the unprotected server, it immediately triggers a buffer overflow that gives a remote host system-level control of that server, enabling further attacks from within the enterprise network.
In contrast, the protected server's HIPS agent examines the Sasser code as it enters the server's memory. The agent's real-time check of the code reveals the buffer overflow mechanism, a process that violates the ABI. It immediately stops the code from execution without affecting the server's performance, and notifies the management component that an attack is underway so that network and security staff can begin remediation efforts.
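The following is an added, simplified model of the two kinds of checks the article describes: verifying that executed code originated from the loaded binary, and verifying that control transfers (calls and returns) conform to calling conventions. It is illustrative example code written for this page, not Determina's product or any real HIPS agent. The code regions, function entry addresses, and execution traces are all constructed; real agents work on actual machine state rather than an event list. The third trace mirrors the Sasser scenario above (a return address overwritten to point at stack memory), and the fourth shows why the same return-site check also catches the code-reuse attacks mentioned earlier.

```python
"""Toy model of HIPS-style origin and control-transfer checks (constructed example)."""
from dataclasses import dataclass, field

# Constructed: address range of code loaded from the program binary.
CODE_REGIONS = [(0x1000, 0x2000)]
# Constructed: addresses where functions legitimately begin.
FUNCTION_ENTRIES = {0x1000, 0x1200, 0x1400}


@dataclass
class Event:
    """One observed control transfer in a (constructed) execution trace."""
    kind: str        # "call", "ret" or "jump"
    src: int         # address of the instruction performing the transfer
    dst: int         # address control is transferred to
    size: int = 5    # length of the call instruction; return site = src + size


@dataclass
class Monitor:
    """Checks each transfer against rules derived from the calling convention."""
    shadow_stack: list = field(default_factory=list)   # expected return sites
    violations: list = field(default_factory=list)

    def in_loaded_code(self, addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in CODE_REGIONS)

    def fail(self, ev: Event, reason: str) -> bool:
        self.violations.append((ev, reason))
        return False

    def check(self, ev: Event) -> bool:
        # Rule 1 (origin): control may only reach instructions that came from
        # the binary on disk. A target on the stack or heap is injected code.
        if not self.in_loaded_code(ev.dst):
            return self.fail(ev, "target outside loaded code (injected code)")
        if ev.kind == "call":
            # Rule 2: a call must land on a real function entry point.
            if ev.dst not in FUNCTION_ENTRIES:
                return self.fail(ev, "call to a non-entry address")
            self.shadow_stack.append(ev.src + ev.size)
            return True
        if ev.kind == "ret":
            # Rule 3: a return must go back to the site of the matching call.
            # A return elsewhere (even into legitimate code) signals code reuse.
            if not self.shadow_stack or self.shadow_stack[-1] != ev.dst:
                return self.fail(ev, "return to an address no call produced (code reuse)")
            self.shadow_stack.pop()
            return True
        if ev.kind == "jump":
            return True   # only the origin rule applies to plain jumps here
        return self.fail(ev, "unknown transfer kind")


def run_trace(trace):
    """Return (allowed, reason). Execution stops at the first violation."""
    monitor = Monitor()
    for ev in trace:
        if not monitor.check(ev):
            return False, monitor.violations[-1][1]
    return True, None


# Constructed traces.
BENIGN = [Event("call", 0x1050, 0x1200), Event("call", 0x1210, 0x1400),
          Event("ret", 0x1450, 0x1215), Event("ret", 0x1250, 0x1055)]
# Overflow overwrote the saved return address with a stack address (Sasser-style).
INJECTED = [Event("call", 0x1050, 0x1200), Event("ret", 0x1250, 0x7FFF0000)]
# Overflow redirected the return into existing code that no call targeted.
CODE_REUSE = [Event("call", 0x1050, 0x1200), Event("ret", 0x1250, 0x1300)]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("injected", INJECTED), ("code reuse", CODE_REUSE)):
        print(name, run_trace(trace))
```

The benign trace passes every check; the injected-code trace is stopped by the origin rule before the payload runs; the code-reuse trace is stopped by the return-site rule even though its target lies inside legitimate code. None of these rules needs a signature for the specific payload, which is the property the article attributes to HIPS.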
Saman Amarasinghe is CTO at Determina and an associate professor in the Department of Electrical Engineering and Computer Science at MIT.