Korset

Code-based Intrusion Detection for Linux

Korset is a research project aiming to provide zero false-alarm intrusion detection against code-injection attacks.

By statically analyzing an application's source/object code, Korset builds its control flow graph (CFG), which the kernel then uses to verify that every system call the process issues, and the order in which the calls are issued, is consistent with that graph. This method enjoys a powerful property, provably zero false positives, since a deviation from a (non self-modifying) program's CFG can only be explained as an intrusion.

Korset consists of two primary modules:

  • An automatic static analyzer that builds the CFG as part of the compilation process.
  • A kernel agent that enforces the policy induced by the CFG, and terminates subverted processes.
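The following is an added example and not code from the Korset project: a small user-space Python model of the mechanism described above. It takes a hand-built CFG for a cat-like program (a constructed sample, not output of Korset's analyzer), treats the syscall-issuing nodes as the states of a nondeterministic automaton, and simulates a monitor that advances the set of possible states on each system call and kills a process whose trace leaves the graph. The node names, the `CFG` representation and the `Monitor`, `check_trace` and `allowed_next` helpers are this example's own and are not Korset's interfaces.

```python
"""Toy model of CFG-based system-call enforcement (added example, not Korset code).

A CFG node is (syscall_issued_here_or_None, [successor nodes]).  Nodes that
issue no syscall are epsilon moves of the automaton; nodes that issue one are
the states the kernel-side monitor tracks.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

CFG = Dict[str, Tuple[Optional[str], List[str]]]

# Constructed sample CFG for a cat-like program:
#   entry -> open -> loop -> read -> test -> write -> loop
#                                    test -> close -> exit
CAT_CFG: CFG = {
    "entry": (None, ["open"]),
    "open":  ("open", ["loop"]),
    "loop":  (None, ["read"]),
    "read":  ("read", ["test"]),
    "test":  (None, ["write", "close"]),
    "write": ("write", ["loop"]),
    "close": ("close", ["exit"]),
    "exit":  ("exit_group", []),
}


def _reachable_syscall_nodes(cfg: CFG, state: str) -> Set[str]:
    """Syscall-issuing nodes reachable from `state` by passing only through
    nodes that issue no syscall.  A syscall node is a boundary: the walk does
    not continue past it, because the process would have to issue that call
    first.  Assumes every successor is statically known (no indirect calls)."""
    found: Set[str] = set()
    seen: Set[str] = set()
    work = deque(cfg[state][1])
    while work:
        n = work.popleft()
        if n in seen:
            continue
        seen.add(n)
        label, succ = cfg[n]
        if label is None:
            work.extend(succ)
        else:
            found.add(n)
    return found


def step(cfg: CFG, states: Set[str], syscall: str) -> Set[str]:
    """Advance the automaton: the nodes labelled `syscall` reachable from any
    current state.  An empty result means no path in the CFG explains the call."""
    return {n for s in states
            for n in _reachable_syscall_nodes(cfg, s) if cfg[n][0] == syscall}


def allowed_next(cfg: CFG, states: Set[str]) -> Set[str]:
    """Syscalls the policy permits next from `states` (for inspection)."""
    return {cfg[n][0] for s in states for n in _reachable_syscall_nodes(cfg, s)}


class Monitor:
    """Per-process state the kernel agent would keep: the set of CFG nodes the
    process may currently be at.  A set, not a single node, so a syscall that
    appears on several branches never has to guess which one was taken."""

    def __init__(self, cfg: CFG, entry: str = "entry") -> None:
        self.cfg = cfg
        self.states: Set[str] = {entry}
        self.killed = False

    def on_syscall(self, name: str) -> bool:
        """Return True if the call is consistent with the CFG; otherwise mark
        the process as subverted (the real agent would terminate it)."""
        if self.killed:
            return False
        nxt = step(self.cfg, self.states, name)
        if not nxt:
            self.killed = True
            return False
        self.states = nxt
        return True


def check_trace(cfg: CFG, trace: List[str]) -> Tuple[bool, Optional[int]]:
    """Run a whole syscall trace; return (accepted, index of first violation)."""
    mon = Monitor(cfg)
    for i, sc in enumerate(trace):
        if not mon.on_syscall(sc):
            return False, i
    return True, None


if __name__ == "__main__":
    legit = ["open", "read", "write", "read", "write", "read", "close", "exit_group"]
    injected = ["open", "read", "execve"]   # shellcode-style deviation
    reordered = ["open", "write"]           # legal syscalls, illegal order
    for t in (legit, injected, reordered):
        print(t, "->", check_trace(CAT_CFG, t))
```

Because the monitor keeps a set of states, a branch on which the same syscall appears on several paths is handled without guessing which path the process took; a legitimate run of a program whose graph is complete is therefore never rejected, which is the zero-false-positive property. The converse depends on every edge being known: the traversal above assumes each call target is resolved at analysis time, and a call whose targets are unknown would leave the automaton without the edges it needs.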

We have successfully used Korset to automatically construct CFGs for the entire GNU C library, and demonstrated its ability to block attacks with negligible runtime overhead.

Korset is Free and Open Source Software and is currently available only for Linux.

Korset is still at the proof-of-concept level of maturity: it does not yet support basic system primitives such as signals and dynamic linking. Perhaps its biggest limitation is the lack of support for indirect calls, which requires advanced data-flow analysis techniques; until the targets of such calls are resolved, the CFG is incomplete and the policy derived from it cannot cover the whole program. Therefore Korset is still far from being able to protect real-world applications.

Korset was developed by Ohad Ben-Cohen and Avishai Wool, Tel-Aviv University.