1 / 11

Defensive Programming: Using an Annotation Toolkit to Build DoS-Resistant Software

Learn how to safeguard your systems from DoS attacks using an innovative annotation toolkit to monitor and control resource usage at a granular level during runtime.

tkristin
Download Presentation

Defensive Programming: Using an Annotation Toolkit to Build DoS-Resistant Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defensive Programming: Using an Annotation Toolkit to Build DoS-Resistant Software Xiaohu Qie, Ruoming Pang and Larry Peterson. Presenter: Vaishnavi Sannidhanam Guide: Dr. Brian Bershad

  2. Why DoS Attacks Occur? • The authors claim that Intrusion Detection Systems, Performance Monitoring, Static Code Analysis and inbuilt OS Mechanisms would all fail due to the lack of -- • proper anomaly detection techniques • appropriate methods to profile resource usage • fitting ways to monitor program execution and make decisions at run time • accounting for resource usage and service isolation

  3. Toolkit • Qie, Pang and Peterson developed a toolkit that could annotate any code to monitor and control the program execution at runtime. Because of which, we can monitor and control resource usage at a finer level and hence can detect and protect the systems from DoS attacks.

  4. API • The Toolkit’s API needs programmer’s motivation to include the macros into the program. • The API provides • Sensor and Actuator macros to detect and counter busy attacks • Progress and Pressure macros to detect and counter claim and hold attacks

  5. Advantages • Offers fine grained intra process protection • Easy to use • Macros can be introduced systematically • Not much code to be added on part of the programmer

  6. Disadvantages • Unnecessary overhead on the CPU. • Biased against low bandwidth users. • Estimating a good defensive policy is hard. • Resource usage identification in a program is non trivial.

  7. Would Anyone Use This Toolkit? • The toolkit lays ground and throws light on how to protect systems and services from DoS attacks. • IRSA, CAS, WIPES all could be subjected to DoS attacks.

  8. DoS on IRSA User 1 2:00 PM – 3:00 PM User 2 3:00 PM – 3:30 PM User Hacker Error Server

  9. Toolkit on IRSA • We know what time slots are free and what time slots are allocated • PROGRESS_SENSOR (resid, p, prog) and TIME_SENSOR (max_time) macros can be used • If the program is spending all the time on a function that rejects admission with no other progress then there is a DoS attack.

  10. Automation • Though it solves a smaller problem of providing an API that could monitor and control resource usage, this solution to the smaller problem would however inspire us to look into the bigger problem of how we could automate the process of introducing the macros provided by the toolkit into existing systems. • The process of automation needs to happen for • Disjoint Services & • Nested Services

  11. Questions To Ask • Can we do automation? • If so • How? • Naïve Method: • List out what services are being provided by the system, map them to the resources they use, write a function that does a basic search-replace of read, write, connect, bind, close…with the specific macro and the function. • And an interface can be designed that helps the programmer/administrator set the various parameters passed to the macros. • Can it be generalized? • And with how much effort?

More Related