TY - GEN
T1 - Eudaemon
T2 - 3rd ACM European Conference on Computer Systems - EuroSys'08
AU - Portokalidis, Georgios
AU - Bos, Herbert
PY - 2008
Y1 - 2008
N2 - Eudaemon is a technique that aims to blur the borders between protected and unprotected applications, and brings together honeypot technology and end-user intrusion detection and prevention. Eudaemon is able to attach to any running process and redirect execution to a user-space emulator that dynamically instruments the binary by means of taint analysis. Any attempt to subvert control flow or to inject malicious code is detected and averted. When desired, Eudaemon can reattach itself to the emulated process and return execution to the native binary. Selective emulation has been investigated before as a means to heal an attacked program or to generate a vaccine after an attack is detected, by applying intensive instrumentation to the vulnerable region of the program. Eudaemon can move an application between protected and native mode at will, e.g., when spare cycles are available, when a system policy ordains it, or when it is explicitly requested. The transition is performed transparently and in very little time, thus incurring minimal disturbance to an actively used system. Systems offering constant protection against similar attacks have also been proposed, but they require access to source code or explicit operating system support, and often induce significant performance penalties. We believe that Eudaemon offers a flexible mechanism to detect a series of attacks in end-user systems with acceptable overhead. Moreover, we require no modification to the running system and/or installation of a hypervisor, with an eye on putting taint analysis within reach of the average user.
KW - Honeypots
KW - Operating systems
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=59249104752&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=59249104752&partnerID=8YFLogxK
U2 - 10.1145/1352592.1352622
DO - 10.1145/1352592.1352622
M3 - Conference contribution
AN - SCOPUS:59249104752
SN - 9781605580135
T3 - EuroSys'08 - Proceedings of the EuroSys 2008 Conference
SP - 287
EP - 299
BT - EuroSys'08 - Proceedings of the EuroSys 2008 Conference
Y2 - 31 March 2008 through 4 April 2008
ER -