Wednesday, August 03, 2005

Anything That Blocks Access Is A Firewall

Just now I was reading David Cowan's blog. David is a partner at Bessemer Venture Partners. This means he is paid to gamble with rich people's money by helping to fund new companies. If a start-up succeeds, the investors get a nice return on their investment. One of David's funding recipients is Determina, whose CTO is Saman Amarasinghe.

So why does anyone care? I think this ad from the Determina Web site is interesting:


I've heard of an intrusion prevention firewall, a database firewall, and even a human firewall, but this is the first memory firewall. The technology has been public for about a year, but it's starting to make new appearances in articles like this.

Clearly Determina is following the standard start-up model.

  1. Invent product.
  2. Brand product to create a new market not filled by others, even though product is similar to others.
  3. Claim market leading product in newly created market.
  4. Profit!
In other words, a "memory firewall" is more commonly known as a host-based intrusion prevention system. I think I like the term memory firewall better than HIPS, since its use of the term "firewall" properly refers to a product that blocks access. Whether their implementation is better than other HIPS is beyond my ability to speculate!

I'm wondering if anything that restricts actions on a host should be called a host policy enforcement system (HPES) and anything that restricts actions on a network should be called a network policy enforcement system (NPES). While accurate, neither term is catchy nor easy to say. I see Tina Bird used PES to refer to Cisco NAC and Microsoft NAP in this article. PES is also associated with 802.1X.

6 comments:

David Cowan said...

Richard,

Thank you for the endorsement. Indeed I coined the term "memory firewall" because I wanted to convey something critical about Determina's product that sets it apart from the other HIPS products...

Spotting old attacks is easy--anyone with a signature database can filter them out. But what about spotting new attacks? Other HIPS products from Cisco, McAfee and Sana try to spot new attacks by identifying anomalous traffic. BUT attacks do not always generate anomalies, and anomalies do not always indicate attacks (sometimes they're just, well, anomalies). So anomaly-tracking HIPS products sometimes give you the right answer, and sometimes they don't. Now that would be fine for an intrusion detection system, but an intrusion PREVENTION system has to be sure before it kills a session or thread. Otherwise, customers simply run it in monitor-only mode, pouring alerts onto the avalanche of IDS alerts for human analysts to possibly review hours later.

Determina, however, sells a HIPS product that is DETERMINISTIC (that's why I coined the company name, too). By creating a memory partition in which the software runs (as in a trusted OS), the memory firewall can guarantee that the software runs only valid executables, preventing code injection through buffer overflows or other memory attacks. It generates ZERO false positives, so you can set and forget. (Plus, it doesn't add latency, like the anomaly products that have to analyze every packet.) In this way, Determina's memory firewall reminded me of a network firewall, which is completely deterministic (either the port is open, or it's closed--no such thing as a false positive).

I hope that explains why the memory firewall is qualitatively different from, and better than, other HIPS products. Thanks.

Richard Bejtlich said...

David,

Thanks for the detail on Determina's product. Are you familiar with Systrace? Could you compare the two?

Brandon Franklin said...

Richard,

Although I normally agree with your assessment of network security terminology, I think you're going a little far with "anything that blocks access is a firewall." Where does a router with an ACL fall? A switch with MAC-based port restriction?

Perhaps a better definition is "any device that has a primary function of access control is a firewall."

I agree with your assessment that your average IPS is a glorified firewall, but HIPS generally offer more functionality than simple access control, such as the policy enforcement that you mention. Additionally, a number of products will protect against local attacks, such as shatter attacks.

Ultimately, I think the different names for these devices do a service to the consumer by conveying the relative maturity of each model of access control.

Anonymous said...

And, imagine that, trusted functionality without the trusted OS and truth as a result of determinism. Wait until the philosophers hear about this.

I feel so much better now... ;)

Sorry, it still sounds like a bunch of marketing tripe.

Saman Amarasinghe said...

Hi Richard,
Let me take a stab at differentiating Memory Firewall and Systrace (and other system call interception based HIPS technologies). The holy grail of intrusion prevention is the ability to separate good from the bad. Mistaking a normal operation as bad and stopping it, a false positive, leads to system disruption. Mistaking an attack as good or normal behavior and letting it continue, a false negative, leads to system compromise.

Now how do you identify good vs. bad at the system call level? Both application activity and attacks will invoke the same set of system calls like open file, create new process etc. There is no clear and universal differentiator between normal activity and attacks at the system call level. Thus, these solutions try to understand (learn or manually configure) the types or patterns of system calls an application does and restrict anything outside that boundary. Unfortunately it is hard to fit a program’s behavior into a simple model, leading to many false positives. Another approach is to look at the call stack at a system call to see if the system call originated from a location where instructions should not reside – like the stack. This can catch a simple attack that uses a buffer overflow in the stack. However, circumventing this check is trivial and is well documented. Changing the “call” instruction in the payload to a “jump” will eliminate any trace from the call stack. The moral is that if you allow the bad guys to execute instructions before you attempt to locate them, they have time to hide their trail, making it impossible to identify a system call issued by an attack.

Memory Firewall takes a very different approach to this problem. What is an activity all attacks have to do and normal applications never do? Attacks have to hijack the control from the application in order to execute its malicious payload. Since the application has the control, it never needs to hijack itself! This distinction is as black and white as you can get. Attackers hijack control by violating basic operating principles, i.e. the Application Binary Interface or the ABI, that all applications follow all the time. Memory Firewall enforces the universal rules of the ABI. Thus, it can stop memory-based attacks without any signatures, learning or customization and without any false positives or false negatives. It does this before a single instruction of the payload is executed.

If you want more technical information, read the following paper (http://cag.lcs.mit.edu/commit/papers/02/RIO-security-usenix.pdf) we wrote while we were developing the technology at MIT. It conveys most of the basic concepts. Note that Program Shepherding is the original name given by the inventors to Memory Firewall.

-Saman
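A toy model of the control-transfer rules Saman describes (execute only from code, call only function entries, return only to the caller), added here as an illustration; it is not Determina's or the Program Shepherding paper's code. The machine, its opcodes, address regions and the overflow scenario are all constructed for the example; the point it shows is that the check fires at the hijacked transfer itself, so the injected "payload" is never fetched.

```python
from dataclasses import dataclass, field
CODE_BASE, CODE_END = 0x1000, 0x1100  # constructed read-only code region
STACK_TOP = 0x80F0                    # constructed writable stack region

class PolicyViolation(Exception): pass  # raised before any instruction at the target runs

@dataclass
class Machine:
    mem: dict      # addr -> (op, arg) for code, int for stack slots; one address space
    entries: set   # function entry points: the only legal CALL targets
    sp: int = STACK_TOP
    shadow: list = field(default_factory=list)  # return addresses the program cannot overwrite

    def run(self, pc=CODE_BASE, max_steps=100):
        trace = []
        for _ in range(max_steps):
            if not CODE_BASE <= pc < CODE_END:   # Rule 1: fetch only from the code region
                raise PolicyViolation(f"execution from data address {pc:#x}")
            op, arg = self.mem[pc]
            trace.append(op)
            if op == "call":
                if arg not in self.entries:      # Rule 2: call only known entry points
                    raise PolicyViolation(f"call to non-entry {arg:#x}")
                self.sp -= 1
                self.mem[self.sp] = pc + 1       # return address on the writable stack...
                self.shadow.append(pc + 1)       # ...and a copy on the shadow stack
                pc = arg
            elif op == "ret":
                target, self.sp = self.mem[self.sp], self.sp + 1
                if not self.shadow or target != self.shadow.pop():  # Rule 3: return to caller
                    raise PolicyViolation(f"return to {target:#x} not made by a call")
                pc = target
            elif op == "halt":
                return trace
            else:                                # nop / store are straight-line ops
                if op == "store":                # models an overflow writing into the stack
                    self.mem[arg[0]] = arg[1]
                pc += 1
        raise RuntimeError("step limit exceeded")

def run_program(overflow=False):
    """main calls a function that returns. With overflow=True the callee first overwrites its
    saved return address (slot 0x80EF) with 0x8050, where constructed 'payload' bytes sit."""
    mem = {0x1000: ("call", 0x1010), 0x1001: ("halt", None),
           0x1010: ("store", (STACK_TOP - 1, 0x8050)) if overflow else ("nop", None),
           0x1011: ("ret", None), 0x8050: ("payload", None)}
    try:
        return Machine(mem, {0x1010}).run()
    except PolicyViolation as e:
        return str(e)
```

In the benign run every transfer passes and the trace ends with `halt`; in the overflow run Rule 3 rejects the corrupted return address, and had it slipped through, Rule 1 would still refuse to fetch from 0x8050.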

Richard Bejtlich said...

Saman,

Thank you for your post!