A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL.
Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers from reinfecting the system or achieving their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.
doi:10.1145/3419471 fatcat:3kelxw4m6zebhj5toquv73xo7i
The idea of Intrusion Detection Systems (IDSs) dates back to the 1980s [1, 21]. Since then, more intrusion detection approaches were introduced, refined, and transferred from academia to industry. Most of today's commodity Operating Systems (OSs) can be deployed with some kind of Intrusion Detection System (IDS). However, as the name suggests, IDSs only focus on the detection and do not provide the ability to survive or withstand an intrusion once it has been detected. To limit the damage done by security incidents, intrusion recovery systems help administrators restore a compromised system into a sane state. Common limitations are that they do not preserve availability [31, 35, 44] (e.g., they force a system shutdown) or that they neither stop intrusions from reoccurring nor withstand reinfections [31, 35, 44, 84, 87]. If the recovery mechanism restores the system to a sane state, the system continues to run with the same vulnerabilities and nothing stops attackers from reinfecting it. Thus, the system could enter a loop of infections and recoveries.
Existing intrusion response systems, however, apply responses to stop an intrusion or limit its impact on the system; but existing approaches apply coarse-grained responses that affect the whole system and not just the compromised services (e.g., blocking port 80 for the whole system, because a single compromised service uses this port maliciously). They also rely on a strong assumption of having complete knowledge of the vulnerabilities present and used by the attacker [27, 73] to select responses. These limitations mean that they cannot respond to intrusions without affecting the availability of the system or of some services. Whether it is due to business continuity, safety reasons, or the user experience, the availability of services is an important aspect of a computing platform. For example, while web sites, code repositories, or databases are not safety-critical, they can be important for a company or for the workflow of a user. Therefore, the problem that we address is the following: How to design an Operating System (OS) so its services can survive ongoing intrusions while maintaining availability? Our approach distinguishes itself from prior work on three fronts. First, we combine the restoration of files and processes of a service with the ability to apply responses after the restoration to withstand a reinfection. Second, we apply per-service responses that affect the compromised services instead of the whole system (e.g., only one service views the file system as read-only). Third, after recovering a compromised service, the responses we apply can put the recovered service into a degraded mode, because they remove some privileges normally needed by the service. The degraded mode is introduced on purpose. When the intrusion is detected, we do not have precise information about the vulnerabilities exploited to patch them or we do not have a patch available. The degraded mode allows the system to survive the intrusion for two reasons.
First, after the recovery, the degraded mode either stops the attackers from reinfecting the service or from achieving their malicious goals. Second, it keeps as many functions of the service available as possible, thus maintaining availability while waiting for a patch. We maintain the availability by ensuring that core functions of services are still operating, while non-essential functions might not be working due to some responses. For example, a web server could have "provide read access to the website" as core function and "log accesses" as non-essential. Thus, if we remove the write access to the file system it would degrade the service's state (i.e., it cannot log anymore), but we would still maintain its core function. We developed a cost-sensitive response selection where administrators describe a policy consisting of cost models for responses and malicious behaviors. Our solution then selects a response that maximizes the effectiveness while minimizing its impact on the service based on the policy. This approach gives time for administrators to plan an update to fix the vulnerabilities (e.g., wait for a vendor to release a patch). Finally, once they patched the system, we can remove the responses, and the system can leave the degraded mode.
Contributions. Our main contributions are the following:
• We propose a novel intrusion survivability approach to withstand ongoing intrusions and maintain the availability of core functions of services (Sections 3.1 and 4).
Intrusion Survivability for Commodity Operating Systems • 21:3
• We introduce a cost-sensitive response selection process to help select optimal responses (Section 5).
• We develop a Linux-based prototype implementation by modifying the Linux kernel, systemd, CRIU, Linux audit, and snapper (Section 6).
• We evaluate our prototype by measuring the effectiveness of the responses applied, the ability to select appropriate responses, the availability cost of a checkpoint and a restore, the overhead of our solution, and the stability of the degraded services (Section 7).
Outline. The rest of this article is structured as follows: First, in Section 2, we mention related concepts about our work, and we review the state-of-the-art on intrusion recovery and response systems. In Section 3, we give an overview of our approach, and we define the scope of our work. In Section 4, we specify the requirements and architecture of our approach. In Section 5, we describe how we select cost-sensitive responses and maintain core functions. In Section 6, we describe a prototype implementation that we then evaluate in Section 7. In Section 8, we discuss some limitations of our work, and we give a summary of the comparison with the related work. We conclude and give the next steps regarding our work in Section 9.
doi:10.1007/s00167-013-2752-0 pmid:24213735 fatcat:yp2ti6bov5ebhi4qt7foli74wa
Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware's loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.
doi:10.1145/3292006.3300026 dblp:conf/codaspy/ChevalierCHS0KV19 fatcat:4iqjbqjzvrdape3rx6ssxcuhde
Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the ... This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 μs threshold defined by Intel).
doi:10.1145/3134600.3134622 dblp:conf/acsac/ChevalierVPH17 fatcat:jizvvr647rgmpfbvc7xp7x7rsu
Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers from reinfecting the system or achieving their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.
doi:10.1145/3359789.3359792 dblp:conf/acsac/ChevalierPDH19 fatcat:b33z6bmnjrcdnaaqzi7qhfldce
Canadian Journal of History
Dube, Jean-Claude, Le Chevalier de Montmagny. Premier gouverneur de la Nouvelle-France. Saint-Laurent, Quebec, Fides, 1999. 432 pp. ... Ellenblum, Ronnie, Frankish Rural Settlement in the Latin Kingdom of Jerusalem. New York, Cambridge University Press, 1998. 321 pp. Elvin, Mark, Changing Stories in the Chinese World. ...
The Lady's Pearl
The Chevalier stood near, and he felt! ... Wisse ian nat. apart e m manna Pista pains ERS 4p 5 te ana RONNIE ia ...
423 Classification of small UAVs and birds by micro-Doppler signatures Pavlo Molchanov, Ronny I.A. ... Tamborg and Vitaliy Zhurbenko 235 Self-similarity matrix based slow-time feature extraction for human target in high-resolution radar Yuan He, Pascal Aubry, Francois Le Chevalier and Alexander Yarovoy ...
doi:10.1017/s1759078714000762 fatcat:eysh23gtejemfkfyvfbu3rp4xe
Critical Digest, NYC & London Theatre
,Maurice Chevalier-4/18, Love's Labour's Lost-Central Park-6/9 Coriolanus-Central Park 7/7 Troilus & Cressida-Central Park- 8/4 Coriolanus- 10/18. ... commendable, "Cole Porter Revisited'' album produced by Ben Bagley of 14 not-so-well known songs from Broadway shows drew rave from Wilson, Times.It is a festive array with the help of a capable company-Ronny ...
about this journal please go to the journal web site at: http://journals.cambridge.org/mrf Special Issue: European Microwave Week 2012 Guest Editors: Bart Nauwelaers, Frank E. van Vliet, François le Chevalier ... Timofey Savelyev and Alexander Yarovoy 381 Human motion classification using a particle filter approach: multiple model particle filtering applied to the micro-Doppler spectrum Stephan Groot, Ronny ...
doi:10.1017/s1759078713000664 fatcat:4dydq3vujbgq3o6anyvilqtqba
Critical Digest, NYC & London Theatre
Maurice Chevalier- Zieg- feld- 1/28...Hollow Crown-Miller- 1/29., Brigadoon- City Center- 1/30.,.Natural Affection- Booth- 1/31... The Laun- dry- Gate- 1/31... ... Graham Crackers- Upstairs at theDownstairs ( 37 W 58)- 1723. 2 pro- World Telegram & Sun, Standard- filed on new revue written and staged by Ronnie Graham with Pat Stanley, Bill McCutcheon, Anita Darian ...
' le flum Jordain LX ; de la terre de la le flum XL chevaliers.» 18. ... In fact, as Ronnie Ellenblum recently pointed out in an article devoted to the fortress of Jacob's Ford on the upper Jordan, a frontier castle had above all to be built quickly and ...
doi:10.4000/beo.153 fatcat:sbmzu6wtazfdlfd3o3j25zh3ae
Chevalier and J. Gupta, 971:00010 Portfolio managements: a multicriteria process. The situation of take over bids (161-181). ... Ronny Aboudi and Dominique Thon, Expected utility and the Siegel paradox: a generalization (1-4); A. M. Aguilera, M. J. Del Moral and M. A. ...
Suresh, 9500254 Candelier, Michel, 95700098 Canger, Una, 9501194 Cann, Ronnie, 95r00099 Cannon, Garland, 9501299 Cano, José Ignacio, 9501623 Cantor, Judy, 9500104 Cantor, Selena, 9501134 Capilouto, Gilson ... Chela-Flores, Bertha, 9500379 Chen, Chao-jung, 9501467 Chen, Ping, 9501514 Cheneau, Veronique, 9500817 Cheng, Tzung-Yu, 9500624 Chériguen, Foudil, 9501443 Chesterman, Andrew, 95r00470 Cheung, Him, 9500107 Chevalier ...
National Union Catalog
Les chevaliers servants; roman. Paris, Plon ; 1964, 241 p. 19cm. I. Title. IU OU RPB NN WU NUC65-5993 NN WU Ganne, Gilbert. Douze minutes de vérité. Pus, L. Table ronde, 1966. 23 p. ... Duign r, joint author. 1 DT: 165.63 325,24096 62-4509 rev ~ NIC CLU FU IaU OU OCU PSt NeD InU CMIG IEN MH CSt-H CaAEU CaOKQ CaOTCIA KU WU TxU Ronald L The wizard of odds, Gann, by Ronnie Gann, With illus ...