Korset

“zero false positives” are NOT “zero failures”

ohad — Sun, 14 Sep 2008 06:30:12 +0000

Korset statically preconstructs a Control Flow Graph (CFG) of an application it wants to protect. If such a CFG is successfully created (currently there are severe limitations about the supported applications), every legitimate system call sequence of the application is represented as a path in the CFG. That means that every deviation from the CFG cannot have been issued by the original application, and thus must be a (code injection) attack. So every alarm that is raised by Korset is justifiable. That’s zero false positives. BUT! That’s definitely not “zero failures”. Attacks can still go unnoticed – These are false negatives – and until the precision of the models will not be improved – Korset’s going to have lots of those.

Korset OLS paper

ohad — Sat, 13 Sep 2008 09:57:09 +0000

Read the Korset paper [PDF] published in the proceedings of the Linux Symposium.

That paper briefly describes the concept of Code-based Intrusion Detection and then it delves into implementation issues.

The next big thing

ohad — Thu, 11 Sep 2008 11:50:34 +0000

Korset is still only a proof of concept for Code-based Intrusion Detection – it cannot yet be used to protect real world applications. There is a lot to improve, and bugs to fix, but the really big thing Korset currently lacks is advanced data flow analysis, with which a reasonable indirect calls support can be provided. Supporting that will pave the way for protecting real world servers.

Korset is NOT about computer viruses

ohad — Thu, 11 Sep 2008 06:50:22 +0000

Korset aims to prevent code injection attacks by looking for anomalies in the control flow of the application it’s protecting. This has little to do with classic computer viruses, which are traditionally being executed by the user himself and, from the OS perspective, are as legitimate as any other piece of software. You need anti-virus software to find them. Korset will never do that. It has completely different goals.

OWASP IL 2008 Korset Talk

ohad — Mon, 18 Aug 2008 19:27:28 +0000

There is going to be a Korset talk at OWASP IL 2008 on Sep 14th.

Forbes.com Article on Korset

ohad — Tue, 12 Aug 2008 22:26:26 +0000

Forbes.com has published an article on Korset.

BlackHat Presentation

ohad — Tue, 12 Aug 2008 22:24:41 +0000

The BlackHat presentation is now available for download in the Talks page.

Availability of Korset

ohad — Tue, 12 Aug 2008 22:22:06 +0000

Korset v0.01 has been released. Check out the Download page !

Summer Talks

ohad — Fri, 01 Aug 2008 00:41:18 +0000

Korset talks are given this summer at two prominent locations: OLS and Blackhat.

Check the Talks page for additional information.