Computer security has traditionally focused on system de- fense, concentrating on protection and recovery of victim machines. Moving from the opposite perspective, we pro- pose a complementary approach that focuses on limiting the attacking capabilities of the hosts. Software design and implementation weaknesses usually are at the basis of com- puter offensive capacities. Since software redesign or patch- ing on an extensive basis is not possible, we propose the adoption of a filtering strategy to block abuse attempts at the originating machines. As an example, applications of such an approach axe presented at host level, in order to prevent root compromise attacks, and at network level, in order to prevent DoS attacks, among others. The proposed solution is not a silver bullet and could be bypassed by sophisticated users. However, we believe it can effectively restrain the offensive capabilities of hosts that could be easily seized by crackers. We discuss the pros and cons of the proposed solution and present an application to host and network security.
Disarming offense to facilitate defense / D. Bruschi, E. Rosti - In: New Security Paradigms Workshop : proceedings, September 18th-22nd, 2000, Ballycotton, County Cork, IrelandNew York : ACM, 2000 Sep. - ISBN 1581132603. - pp. 69-75 (( convegno New security paradigms workshop tenutosi a Ballycotton nel 2999 [10.1145/366173.366192].
Disarming offense to facilitate defense
D. BruschiPrimo
;E. RostiUltimo
2000
Abstract
Computer security has traditionally focused on system de- fense, concentrating on protection and recovery of victim machines. Moving from the opposite perspective, we pro- pose a complementary approach that focuses on limiting the attacking capabilities of the hosts. Software design and implementation weaknesses usually are at the basis of com- puter offensive capacities. Since software redesign or patch- ing on an extensive basis is not possible, we propose the adoption of a filtering strategy to block abuse attempts at the originating machines. As an example, applications of such an approach axe presented at host level, in order to prevent root compromise attacks, and at network level, in order to prevent DoS attacks, among others. The proposed solution is not a silver bullet and could be bypassed by sophisticated users. However, we believe it can effectively restrain the offensive capabilities of hosts that could be easily seized by crackers. We discuss the pros and cons of the proposed solution and present an application to host and network security.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
