System-call monitoring has become the basis for many host-based intrusion detection as well as policy enforcement techniques. Mimicry attacks attempt to evade system-call monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals. Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection. Finding such a sequence is difficult, so researchers have focused on tools for automating mimicry attacks and extending them to gray-box IDS¹. In this paper, we describe an alternative approach for building mimicry attacks using only skills and technologies that hackers possess today, making this attack a more immediate and realistic threat. These attacks, which we call persistent interposition attacks, are not as powerful as traditional mimicry attacks --- an adversary cannot obtain a root shell using a persistent interposition attack --- but are sufficient to accomplish the goals of today's cyber-criminals. Persistent interposition attacks are stealthier than standard mimicry attacks and are amenable to covert information-harvesting attacks, features that are likely to be attractive to profit-motivated criminals. Persistent interposition attacks are not IDS specific -- they can evade a large class of system-call-monitoring intrusion-detection systems, which we call I/O-data-oblivious. I/O-data-oblivious monitors have perfect knowledge of the values of all system call arguments as well as their relationships, with the exception of data buffer arguments to read and write. Many of today's black-box and gray-box IDS are I/O-data-oblivious and hence vulnerable to persistent interposition attacks.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	The PaX team. http://pax.grsecurity.net.
	2	Martín Abadi , Mihai Budiu , Úlfar Erlingsson , Jay Ligatti, Control-flow integrity, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102165]
	3	Sandeep Bhatkar , Abhishek Chaturvedi , R. Sekar, Dataflow Anomaly Detection, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.48-62, May 21-24, 2006  [doi>10.1109/SP.2006.12]
	4	Sandeep Bhatkar , R. Sekar , Daniel C. DuVarney, Efficient techniques for comprehensive protection from memory error exploits, Proceedings of the 14th conference on USENIX Security Symposium, p.17-17, July 31-August 05, 2005, Baltimore, MD
	5	Shuo Chen , Jun Xu , Emre C. Sezer , Prachi Gauriar , Ravishankar K. Iyer, Non-control-data attacks are realistic threats, Proceedings of the 14th conference on USENIX Security Symposium, p.12-12, July 31-August 05, 2005, Baltimore, MD
	6	"Solar Eclipse". openssl-too-open. http://www.phreedom.org/solar/exploits/apache-openssl/.
	7	H. Feng, J. T. Giffin, Y. Huang, S. Jha, W. Lee, and B. P. Miller. Formalizing sensitivity in static analysis for intrusion detection. In IEEE Symposium on Security and Privacy, 2004.
	8	Henry Hanping Feng , Oleg M. Kolesnikov , Prahlad Fogla , Wenke Lee , Weibo Gong, Anomaly Detection Using Call Stack Information, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.62, May 11-14, 2003
	9	Prahlad Fogla , Monirul Sharif , Roberto Perdisci , Oleg Kolesnikov , Wenke Lee, Polymorphic blending attacks, Proceedings of the 15th conference on USENIX Security Symposium, p.17-17, July 31-August 04, 2006, Vancouver, B.C., Canada
	10	Debin Gao , Michael K. Reiter , Dawn Song, Gray-box extraction of execution graphs for anomaly detection, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030126]
	11	Debin Gao , Michael K. Reiter , Dawn Song, On gray-box program tracking for anomaly detection, Proceedings of the 13th conference on USENIX Security Symposium, p.8-8, August 09-13, 2004, San Diego, CA
	12	T. Garfinkel, B. Pfaff, and M. Rosenblum. Ostia: A delegating architecture for secure system call interposition. In USENIX Security Symposium, Washington, DC, USA, August 2003.
	13	Jonathon T. Giffin, David Dagon, Somesh Jha, Wenke Lee, and Barton P. Miller. Environment-sensitive intrusion detection. In Recent Advances in Intrusion Detection (RAID), September 2005.
	14	Jonathon T Giffin, Somesh Jha, and Barton P. Miller. Efficient context-sensitive intrusion detection. In Network and Distributed System Security Symposium, San Diego, CA, February 2004.
	15	Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. Automated discovery of mimicry attacks. In Diego Zamboni and Christopher Krügel, editors, RAID, volume 4219 of Lecture Notes in Computer Science, pages 41--60. Springer, 2006.
	16	Steven A. Hofmeyr , Stephanie Forrest , Anil Somayaji, Intrusion detection using sequences of system calls, Journal of Computer Security, v.6 n.3, p.151-180, August 1998
	17	Robert W. M. Jones and Paul H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In M. Kamkar and D. Byers, editors, Third International Workshop on Automated Debugging. Linkoping University Electronic Press, 1997.
	18	Calvin Ko, George Fink, and Karl Levitt. Automated detection of vulnerabilities in privileged programs by execution monitoring. In Annual Computer Security Applications Conference (ACSAC), December 1994.
	19	C. Kruegel, D. Mutz, F. Valeur, and G. Vigna. On the detection of anomalous system call arguments. In European Symposium on Research in Computer Security, Gjøvik, Norway, October 2003.
	20	Christopher Kruegel , Engin Kirda , Darren Mutz , William Robertson , Giovanni Vigna, Automating mimicry attacks using static binary analysis, Proceedings of the 14th conference on USENIX Security Symposium, p.11-11, July 31-August 05, 2005, Baltimore, MD
	21	Christopher Kruegel , Giovanni Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948144]
	22	Lap Chung Lam and T. Chiueh. Automatic extraction of accurate application-specific sandboxing policy. In Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France, September 2004.
	23	Peter Loscocco , Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.29-42, June 25-30, 2001
	24	George C. Necula , Scott McPeak , Westley Weimer, CCured: type-safe retrofitting of legacy code, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.128-139, January 16-18, 2002, Portland, Oregon
	25	Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
	26	Olatunji Ruwase and Monica S. Lam. A practical dynamic buffer overflow detector. In Network and Distributed System Security Symposium (NDSS), February 2004.
	27	R. Sekar , M. Bendre , D. Dhurjati , P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.144, May 14-16, 2001
	28	R. Sekar , P. Uppuluri, Synthesizing fast intrusion prevention/detection systems from high-level specifications, Proceedings of the 8th conference on USENIX Security Symposium, p.6-6, August 23-26, 1999, Washington, D.C.
	29	Kymie Tan, Kevin Killourhy, and Roy Maxion. Undermining an anomaly-based intrusion detection system using common exploits. In Recent Advances in Intrusion Detection (RAID), LNCS 2516, pages 54--73, Zurich, Switzerland, October 2002. Springer-Verlag.
	30	G. Tandon and P. Chan. Learning rules from system call arguments and sequences for anomaly detection. In ICDM Workshop on Data Mining for Computer Security (DMSEC), pages 20--29, 2003.
	31	David Wagner , Paolo Soto, Mimicry attacks on host-based intrusion detection systems, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586145]
	32	David Wagner , Drew Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.156, May 14-16, 2001
	33	Ke Wang and Salvatore J. Stolfo. Anomalous payload-based network intrusion detection. In Proceeding of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 2004.
	34	Andreas Wespi , Marc Dacier , Hervé Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.110-129, October 02-04, 2000