pltsec is a technique designed to prevent the hijacking of procedure linkage
table (PLT) and global offset table (GOT) entries by verifying the source of
writes to the tables. These tables are used by the dynamic linking
infrastructure on ELF-based systems to defer the resolution of external
functions (among other things) referenced by a dynamically-linked application
until runtime. Malicious users can use these function pointers to gain control
of the execution of a process whenever an external function (e.g., a function
located in a dynamically-linked library) is called by legitimate application
code. This system, however, detects whether a write to a PLT entry is
legitimate or malicious, and in the malicious case will terminate the process.
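As an added illustration (not pltsec's own code), the following C program models the policy the paragraph describes: a store whose destination lies inside the GOT is allowed only when the instruction performing it belongs to the dynamic linker's executable mapping; any other writer is classified as a hijack so the process can be terminated. The memory map lines are constructed in Linux /proc/<pid>/maps format with placeholder addresses, the GOT bounds are passed in as if read from the binary's dynamic section, and the linker path "/lib/ld.so" is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGIONS 16

typedef struct {
    uintptr_t start, end;
    char perms[5];           /* e.g. "r-xp" */
    char path[64];
} region;

static region regions[MAX_REGIONS];
static int nregions;

/* Assumed path of the dynamic linker: the only legitimate GOT writer. */
static const char LINKER_PATH[] = "/lib/ld.so";

/* Constructed memory map; addresses are placeholders, not a real process. */
static const char *maps_text =
    "00400000-00401000 r-xp 00000000 08:01 1 /usr/bin/app\n"
    "00601000-00602000 rw-p 00001000 08:01 1 /usr/bin/app\n"
    "7f000000-7f021000 r-xp 00000000 08:01 2 /lib/ld.so\n"
    "7f221000-7f223000 rw-p 00021000 08:01 2 /lib/ld.so\n"
    "7f300000-7f4a0000 r-xp 00000000 08:01 3 /lib/libc.so\n"
    "7ffd0000-7ffe0000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line ("start-end perms offset dev inode [path]"). */
int parse_map_line(const char *line, region *r) {
    unsigned long s, e;
    r->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s", &s, &e, r->perms, r->path);
    if (n < 3 || e <= s) return 0;
    r->start = s;
    r->end = e;
    return 1;
}

/* Load every parsable line into the region table; returns the count. */
int load_maps(const char *text) {
    nregions = 0;
    const char *p = text;
    while (*p && nregions < MAX_REGIONS) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[160];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_map_line(line, &regions[nregions])) nregions++;
        p = nl ? nl + 1 : p + len;
    }
    return nregions;
}

static const region *region_of(uintptr_t addr) {
    for (int i = 0; i < nregions; i++)
        if (addr >= regions[i].start && addr < regions[i].end) return &regions[i];
    return NULL;
}

enum verdict { WRITE_OUTSIDE_GOT, WRITE_LEGIT, WRITE_HIJACK };

/* pc: address of the storing instruction; dst: address being written.
 * Writes outside the GOT are not the policy's concern. Writes into it are
 * legitimate only from the linker's executable mapping. */
enum verdict classify_got_write(uintptr_t pc, uintptr_t dst,
                                uintptr_t got_start, uintptr_t got_end) {
    if (dst < got_start || dst >= got_end) return WRITE_OUTSIDE_GOT;
    const region *src = region_of(pc);
    if (src && src->perms[2] == 'x' && strcmp(src->path, LINKER_PATH) == 0)
        return WRITE_LEGIT;
    return WRITE_HIJACK;   /* any other writer: terminate the process */
}

int main(void) {
    static const char *names[] = { "outside GOT", "legitimate", "HIJACK" };
    uintptr_t got_lo = 0x601018, got_hi = 0x601040;   /* assumed .got.plt bounds */
    load_maps(maps_text);
    printf("linker resolving a slot: %s\n",
           names[classify_got_write(0x7f010000, 0x601020, got_lo, got_hi)]);
    printf("libc code storing to a slot: %s\n",
           names[classify_got_write(0x7f350000, 0x601020, got_lo, got_hi)]);
    printf("app storing to ordinary data: %s\n",
           names[classify_got_write(0x400500, 0x601100, got_lo, got_hi)]);
    return 0;
}
```

The check keys on the writer's mapping rather than on the written value, which is what lets it accept the linker's lazy-binding stores while rejecting the same store issued from application, library, or stack addresses.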
itrace is a dynamic application execution tracer, essentially analogous to
strace except that it traces application-level function calls instead of
syscalls. The tool has also been extended to provide automatic disassembly
and program state inspection (registers, memory, etc.).
With it, one can trace the control flow of a running process, generate control
flow graphs, determine how input data to a program is used, and other helpful
tasks which can facilitate program debugging or reverse engineering of
obfuscated binaries.
One of the greatest issues plaguing IDSs today is their unacceptably high false
positive rates. Ask anyone who has had to scan Snort logs for attacks on any non-trivial network: false positives completely
dominate the produced alerts, which can number into the hundreds of thousands
per day for large networks and badly-tuned rulesets. Researchers have shown that high false positive
rates clearly reduce the effectiveness of IDSs by desensitizing network
administrators to alerts and hiding the signs of real attacks.
Active alert verification is a technique designed to reduce the false positive rate of IDSs by actively probing for a vulnerability associated with detected attacks. If the vulnerability corresponding to a detected attack is found to exist in the host or network against which the attack was directed, the alert is generated, invoking any logging and response functions as normal. If, however, the vulnerability is determined not to exist, the alert is considered a false positive and is suppressed.
The goal of this project is to integrate active alert verification into popular IDSs such as Snort in order to suppress false positives.
NOTICE
The heap protection system described here has since been integrated in
a modified form into dlmalloc v2.8, and as such the software hosted here has
been deprecated in favor of the officially supported version in glibc.
Buffer overflow exploits are the most popular class of attacks against remote hosts on today's Internet, and while stack overflows which overwrite a function return address remain the most popular and well-understood method of exploitation, heap overflows are becoming more and more popular as a means of exploiting systems. Furthermore, while there exist many methods of protecting software against stack overflows such as ProPolice or StackGuard, no comparable protection schemes have heretofore existed for heap-based overflows.
In this paper, we discuss a technique which protects the management information of boundary-tag-based heap managers against malicious or accidental modification. The technique has been implemented in Doug Lea's dlmalloc, which is included with glibc and is thus utilized by such OSes as Linux and the HURD. This project consists of a technical summary of the design and implementation of the heap protection technique, an evaluation of its detection and performance capabilities, and patches and packages for various major operating systems.
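The following C program is an added example, not the dlmalloc patch or glibc code, showing two integrity checks of the kind the project describes for boundary-tag heap managers: a size/footer consistency check and a "safe unlink" check that a chunk's free-list neighbours point back at it (the test that later shipped in glibc as the "corrupted double-linked list" check). The chunk layout, the 256-byte arena, the 64-byte chunks, and the simulated overflow are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 256
#define CHUNK_SIZE 64   /* every chunk in this toy arena is 64 bytes */
#define ALIGN 16

typedef struct chunk {
    size_t prev_size;     /* footer of the previous chunk: a copy of its size */
    size_t size;          /* header tag of this chunk */
    struct chunk *fd;     /* free-list links, valid only while the chunk is free */
    struct chunk *bk;
} chunk;

/* Constructed arena standing in for a real heap segment. */
static _Alignas(ALIGN) unsigned char heap[HEAP_SIZE];

static int in_heap(const void *p) {
    uintptr_t q = (uintptr_t)p, lo = (uintptr_t)heap;
    return q >= lo && q + sizeof(chunk) <= lo + HEAP_SIZE;
}

static chunk *chunk_at(size_t off) { return (chunk *)(heap + off); }

/* Check 1: the size tag must be plausible, and the footer kept by the next
 * chunk must agree with it. Implausible sizes are rejected before the footer
 * is read, so a corrupted tag never turns into a wild dereference. */
int chunk_tags_ok(const chunk *p) {
    if (p->size < sizeof(chunk) || p->size % ALIGN != 0) return 0;
    uintptr_t next = (uintptr_t)p + p->size;
    if (next + sizeof(size_t) > (uintptr_t)heap + HEAP_SIZE) return 0;
    return ((const chunk *)next)->prev_size == p->size;
}

/* Check 2: safe unlink. Returns 0 after splicing p out of the list, or -1 if
 * the links are inconsistent, the signature of overwritten management data. */
int safe_unlink(chunk *p) {
    chunk *f = p->fd, *b = p->bk;
    if (!in_heap(f) || !in_heap(b)) return -1;
    if (f->bk != p || b->fd != p) return -1;
    f->bk = b;
    b->fd = f;
    return 0;
}

/* Carve the arena into four chunks and thread chunks 0..2 onto a circular
 * free list; chunk 3 exists only to hold chunk 2's footer. */
static void build_heap(void) {
    memset(heap, 0, sizeof heap);
    for (size_t off = 0; off < HEAP_SIZE; off += CHUNK_SIZE) {
        chunk *c = chunk_at(off);
        c->prev_size = off ? CHUNK_SIZE : 0;
        c->size = CHUNK_SIZE;
    }
    chunk *c0 = chunk_at(0), *c1 = chunk_at(64), *c2 = chunk_at(128);
    c0->fd = c1; c1->fd = c2; c2->fd = c0;
    c0->bk = c2; c1->bk = c0; c2->bk = c1;
}

/* Intact heap: both checks pass and unlinking chunk 1 splices it out. */
int demo_intact(void) {
    build_heap();
    chunk *c0 = chunk_at(0), *c1 = chunk_at(64), *c2 = chunk_at(128);
    if (!chunk_tags_ok(c1)) return 0;
    if (safe_unlink(c1) != 0) return 0;
    return c0->fd == c2 && c2->bk == c0;
}

/* Simulated overflow: a write into chunk 0's user data runs 32 bytes past its
 * 48 usable bytes and fills chunk 1's header (prev_size, size, fd, bk) with
 * filler. Both checks must now reject chunk 1 instead of unlinking it. */
int demo_corrupted(void) {
    build_heap();
    chunk *c1 = chunk_at(64);
    unsigned char *user0 = heap + 2 * sizeof(size_t);
    size_t usable = CHUNK_SIZE - 2 * sizeof(size_t);
    memset(user0, 'A', usable + sizeof(chunk));
    return !chunk_tags_ok(c1) && safe_unlink(c1) == -1;
}

int main(void) {
    printf("intact heap: unlink %s\n", demo_intact() ? "ok" : "FAILED");
    printf("overflowed header: %s\n", demo_corrupted() ? "detected" : "MISSED");
    return 0;
}
```

The ordering matters: the size check runs before any pointer derived from the tag is followed, and the unlink check validates both neighbours before writing through them, so a corrupted chunk is refused rather than used.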
Recent Project Journal
An initial release of pltsec has been made.
pltsec is a patch against OpenBSD 3.7-STABLE for i386 that blocks
procedure linkage table (PLT) hijacking attempts by detecting malicious
writes to the PLT.
The patch can be downloaded here.
A new release of itrace has been made. The main
change has been the addition of memory inspection, as well as numerous
bugfixes.
Source can be downloaded here.
The next version of dlmalloc (v2.8) is slated to
include a variant of the heap protection patch as a compile-time option. As a
result, the versions hosted here are now deprecated in favor of the officially
supported version in glibc.
Snort alert verification v0.9.6 has been released for snort v2.1.3.
The patch can be downloaded from the project download page.
Snort alert verification v0.9.5.1 has been released, which updates the
preferred Nessus libraries to v2.0.10 and addresses an RPM build error
reported in v0.9.5. The patch and source archive can be downloaded here.