BlueBox: A Policy-Driven Host-Based Intrusion Avoidance System - overview
BlueBox is an intrusion prevention system which creates an infrastructure for defining and enforcing very fine-grained process capabilities in the kernel. Process capabilities are specified as a set of rules (policies) for regulating access to system resources on a per-executable basis. The language for expressing the rules is intuitive and sufficiently expressive to effectively capture security boundaries. We have designed the system to be very fast so that the IDS has minimal impact on system performance.
We have prototyped our approach on the Linux 2.2.14 kernel, and have built rule templates for popular daemons such as Apache 2.0 and wu-ftpd. We are validating our design by testing against a comprehensive database of known attacks. Our system has been designed to minimize kernel changes and performance impact, and thus can be ported easily to new kernels.
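The overview above describes per-executable rules that regulate a process's access to system resources, with a rule language compact enough to capture a daemon's security boundary. The following Python is an added illustration of how such a policy is parsed and evaluated; it is not BlueBox's own code, and the four-field rule syntax, the sample policy for an httpd executable, and the default-deny, deny-wins semantics are all assumptions made here, since the overview does not reproduce the actual rule language.

```python
"""Toy per-executable policy evaluator (added example, not BlueBox's rule language)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    executable: str  # path of the program this rule applies to
    operation: str   # "read", "write", "exec", "connect", or "*" for any
    resource: str    # glob over the resource (file path, socket endpoint, ...)
    decision: str    # "allow" or "deny"


# Constructed sample policy. Assumed syntax (one rule per line):
#   <executable> <operation> <resource-glob> <allow|deny>
POLICY_TEXT = """
# web server: serve content, read its config, append to its logs
/usr/sbin/httpd read  /var/www/*        allow
/usr/sbin/httpd read  /etc/httpd/*      allow
/usr/sbin/httpd write /var/log/httpd/*  allow
# never let the web server spawn shells or touch credentials
/usr/sbin/httpd exec  /bin/*            deny
/usr/sbin/httpd *     /etc/shadow       deny
"""


def parse_policy(text):
    """Parse policy text into Rule objects; malformed lines are an error
    rather than being skipped, so a typo cannot silently widen access."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"policy line {lineno}: malformed rule {line!r}")
        rules.append(Rule(*parts))
    return rules


def check(rules, executable, operation, resource):
    """Decide one access request.

    Semantics (assumed for this example): default deny; only rules for the
    requesting executable apply; an explicit deny wins over any allow; the
    request is allowed only if at least one rule permits it.
    """
    decision = "deny"
    for r in rules:
        if r.executable != executable:
            continue
        if r.operation not in ("*", operation):
            continue
        # fnmatchcase "*" also matches "/", so "/var/www/*" covers subdirectories
        if not fnmatchcase(resource, r.resource):
            continue
        if r.decision == "deny":
            return "deny"
        decision = "allow"
    return decision


def audit(rules, requests):
    """Evaluate a batch of (executable, operation, resource) requests and
    return the denied ones, the set a host-based monitor would report."""
    return [req for req in requests if check(rules, *req) == "deny"]


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    sample = [
        ("/usr/sbin/httpd", "read", "/var/www/index.html"),
        ("/usr/sbin/httpd", "exec", "/bin/sh"),
        ("/usr/sbin/httpd", "read", "/etc/shadow"),
        ("/usr/sbin/httpd", "write", "/var/log/httpd/access_log"),
    ]
    for denied in audit(policy, sample):
        print("DENIED:", denied)
```

The executable that made the request is the first thing matched, which is what gives the policy its per-executable character: a rule set for httpd says nothing about any other program, and a program with no rules at all falls through to the default deny.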
A preliminary paper which describes our rationale, system design and other details was published as:
- Suresh N. Chari and Pau-Chen Cheng, "BlueBox: A Policy-Driven, Host-Based Intrusion Detection System", Network and Distributed System Security Symposium (NDSS), 2002.