An Invariant-Based Approach for Detecting Attacks Against Data in Web Applications

Romaric Ludinard (Supélec, France), Éric Totel (Supélec, France), Frédéric Tronel (Supélec, France), Vincent Nicomette (CNRS, LAAS, France & INSA, LAAS, Université de Toulouse, France), Mohamed Kaâniche (CNRS, LAAS, France & Université de Toulouse, France), Éric Alata (CNRS, LAAS, France & INSA, LAAS, Université de Toulouse, France), Rim Akrout (CNRS, LAAS, France & LAAS, Université de Toulouse, France) and Yann Bachy (CNRS, LAAS, France & LAAS, Université de Toulouse, France)
DOI: 10.4018/978-1-5225-3422-8.ch045

RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) is an application-level intrusion detection system (IDS) for applications implemented with the Ruby on Rails framework. The goal of this intrusion detection system is to detect attacks against data in the context of web applications. This anomaly-based IDS focuses on modelling the normal application profile using invariants. These invariants are discovered during a learning phase; they are then used to instrument the web application at source-code level, so that a deviation from the normal profile can be detected at run-time. This paper illustrates on simple examples how the approach detects well-known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.

State Of The Art

Most work in the context of web attack detection focuses on abnormal network packets (Robertson, Vigna, Kruegel, & Kemmerer, 2006) or requests (Vigna, Robertson, Kher, & Kemmerer, 2003) and does not take into account the state of the web application itself. We believe that application-level mechanisms can help improve intrusion detection performance, as they are able to take advantage of the internal state of the monitored program: they have access to all the internal data structures and algorithms used by the program.

Three types of approaches can be distinguished for detecting intrusions at application level. The first approach focuses on the correctness of the Control Flow Graph of the program, as in Abadi, Budiu, Erlingsson, and Ligatti (2005) and Kiriansky, Bruening, and Amarasinghe (2002), and consists of verifying that the actions of the program are executed in a correct order. This work does not make it possible to detect attacks on data. The second approach focuses on the correctness of the data manipulations during program execution, as in Akritidis, Cadar, Raiciu, Costa, and Castro (2008) or Castro, Costa, and Harris (2006). In this case, a data-flow graph is computed prior to execution; it contains, for each data item read by an instruction, the set of instructions that may have written its current value. This data-flow graph is then used at run time to verify the integrity of the data flow that actually occurs in the process. If a vulnerability exploited in the monitored program corrupts some data, a deviation from the data-flow graph is detected the next time this data is read. A third approach, as defined by Sarrouy, Totel, and Jouga (2009), consists of checking the correctness of the data used by the program during its execution, rather than verifying the consistency of the data flow. This approach makes it possible to detect a different kind of attack on data compared to the data-flow approach (such as the use of incorrect values in legitimate variables). In Sarrouy et al. (2009) the application normal profile is modelled as a set of constraints on the data used by the application. This model is built during a two-fold learning phase. First, the data items used by the application are logged. Then, a set of invariants is generated by a dedicated tool stemming from the testing field, Daikon (Ernst et al., 2007). These invariants are then checked at run-time to perform the detection.

All these approaches are relevant in the context of both traditional and web applications. For instance, similar approaches have already been investigated by Cova, Balzarotti, Felmetsger, and Vigna (2007) in the context of PHP applications. In this work the authors focus both on the web application control flow and on the correctness of the data items used by the program. Felmetsger, Cavedon, Kruegel, and Vigna (2010) extend this work to JSP. The authors propose to build the application normal behaviour during a learning phase in which the invariant behaviour of the application is modelled using the Daikon tool. A model checking approach is then used to verify whether the invariants can be violated by the application, thus leading to the discovery of vulnerabilities in the application. This interesting approach suffers from several limitations, such as the discovery of invariants being restricted to the inputs and outputs of the functions executed by a servlet, and the lack of consideration of temporal relationships between the variables used by the program.

In our work, we focus on the correctness of data only, but at a finer granularity (i.e., at the instruction execution level), as in Sarrouy et al. (2009), and we study the evolution of variables over time so as to discover invariants on these variables. Compared to Swaddler, developed by Cova et al. (2007), we additionally introduce the notion of tainted data (Cavallaro & Sekar, 2008) to reduce the set of variables we check.
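To make the learning-then-checking loop described in the abstract and in the invariant-based approach above concrete, here is an added Ruby example (not RRABIDS, Daikon or Swaddler code) of a toy invariant learner that only models request-derived (tainted) variables, together with the run-time check an instrumented program point would call; the "list orders" action, the variable names and the learning trace are constructed.

```ruby
require 'set'

# Toy Daikon-style learner (added example, not RRABIDS code): for each tainted
# variable seen at a program point, keep only the properties every sample satisfied.
class InvariantLearner
  SAFE_CHARS = /\A[\w@.\-]*\z/ # letters, digits, '_', '@', '.', '-'
  def initialize
    @samples = Hash.new { |h, k| h[k] = [] }
  end
  # Record one execution: `vars` maps name => value; `tainted` names the
  # variables derived from request input (the only ones we model).
  def observe(vars, tainted)
    vars.each { |name, v| @samples[name] << v if tainted.include?(name) }
  end
  # Infer the normal profile: per variable, a hash of invariant => expectation.
  def invariants
    @samples.transform_values do |vals|
      inv = {}
      if vals.all?(Integer)
        inv[:type], inv[:range] = Integer, (vals.min..vals.max)
      elsif vals.all?(String)
        inv[:type], inv[:max_len] = String, vals.map(&:length).max
        inv[:charset] = SAFE_CHARS if vals.all? { |v| v.match?(SAFE_CHARS) }
      end
      inv[:one_of] = vals.to_set if vals.uniq.size <= 3 # small enumerations
      inv
    end
  end
end

# Run-time check inserted where the variable is consumed (e.g. right before
# the SQL query is built); returns the names of the violated invariants.
def violations(profile, name, value)
  inv = profile[name] or return [] # untracked (untainted) variable
  v = []
  v << :type    if inv[:type]    && !value.is_a?(inv[:type])
  v << :range   if inv[:range]   && value.is_a?(Integer) && !inv[:range].cover?(value)
  v << :max_len if inv[:max_len] && value.is_a?(String) && value.length > inv[:max_len]
  v << :charset if inv[:charset] && value.is_a?(String) && !value.match?(inv[:charset])
  v << :one_of  if inv[:one_of]  && !inv[:one_of].include?(value)
  v
end

# Constructed learning trace for a hypothetical "list orders" action; `now` is
# untainted and therefore never modelled, which shrinks the set of checked variables.
TAINTED = Set['user_id', 'sort']
LEARNER = InvariantLearner.new
[[3, 'date'], [7, 'name'], [12, 'date'], [7, 'total'], [21, 'name']].each do |uid, s|
  LEARNER.observe({ 'user_id' => uid, 'sort' => s, 'now' => Time.now }, TAINTED)
end
PROFILE = LEARNER.invariants
```

After learning, a legitimate request such as `sort = 'name'` passes, while an injection string in `sort` violates the learned length, charset and enumeration invariants and a non-integer `user_id` violates the type invariant; the range invariant on `user_id` is the kind that needs a confidence threshold in practice, since a new legitimate user id outside the learned interval would be flagged.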
