Seccuris Labs: Research & Development
In part, Seccuris' service methodologies are due to innovations developed through our R&D division: Seccuris Laboratories. Current and recent research includes high-speed packet capture, advanced host-based intrusion detection models, and operating system security extensions.
Zero Copy Berkeley Packet Filter
This project was conducted in collaboration with Robert Watson, of the University of Cambridge, to solve capacity issues which commonly result in intrusion detection software experiencing packet loss.
Operating system kernels use various methods to transport packet data from network interfaces into intrusion detection software. Under high load, the overhead associated with packet copies can be quite high, causing internal buffers to fill and packets to be lost. The goal of this research was to modify the Berkeley Packet Filter so that it can scale to 1000 and 10000 Mbit/s network links.
The zero copy research focused on changing how the memory model is structured in the intrusion detection software to enable packets to be moved into the IDS without a system call, eliminating an expensive copy and context switch. This is done by having the IDS and kernel share a memory buffer. The IDS and kernel communicate with each other through a series of atomic integer operations that are immediately visible to both the kernel and the IDS process. This ensures that the kernel will not overwrite data while the IDS process is analyzing it.
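As an added illustration (this is not Seccuris' or FreeBSD's code), the following C model shows how two atomic generation counters on a shared buffer let the kernel and the IDS agree on who owns it, so the kernel never overwrites data still under analysis; the struct layout, names and packets are this example's own.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define ZBUF_SIZE 256

/* Constructed model of one shared buffer: counters equal => kernel owns it, kernel_gen ahead => IDS owns it. */
struct zbuf {
    atomic_uint kernel_gen; /* kernel bumps this when it hands the buffer over */
    atomic_uint user_gen;   /* IDS sets this to kernel_gen when it is done */
    size_t len;
    uint8_t data[ZBUF_SIZE];
};

/* Kernel side: store a captured packet; refuses while the IDS still owns the buffer. */
bool kernel_store(struct zbuf *b, const uint8_t *pkt, size_t len)
{
    if (len > ZBUF_SIZE) return false;
    if (atomic_load(&b->kernel_gen) != atomic_load(&b->user_gen))
        return false;                    /* IDS still reading: do not overwrite */
    memcpy(b->data, pkt, len);           /* the only copy: NIC -> shared buffer */
    b->len = len;
    atomic_fetch_add(&b->kernel_gen, 1); /* publish; seq_cst orders the data before it */
    return true;
}

/* IDS side: poll the counters (no system call); returns the generation now owned, or 0 if nothing new. */
unsigned user_acquire(struct zbuf *b)
{
    unsigned kg = atomic_load(&b->kernel_gen);
    return kg == atomic_load(&b->user_gen) ? 0 : kg;
}

/* IDS side: hand the buffer back once analysis is complete. */
void user_release(struct zbuf *b, unsigned gen) { atomic_store(&b->user_gen, gen); }

/* Walks one handoff with constructed packets; returns how many of four protocol properties held (4 = correct). */
int zbuf_demo(void)
{
    struct zbuf b = {0};
    const uint8_t p1[] = "constructed packet 1", p2[] = "constructed packet 2";
    int ok = 0;
    ok += kernel_store(&b, p1, sizeof p1);     /* kernel publishes */
    unsigned gen = user_acquire(&b);
    ok += (gen == 1 && b.len == sizeof p1);    /* IDS sees the packet */
    ok += !kernel_store(&b, p2, sizeof p2);    /* no overwrite while IDS reads */
    user_release(&b, gen);
    ok += kernel_store(&b, p2, sizeof p2);     /* kernel may reuse afterwards */
    return ok;
}
```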
This work is now part of the FreeBSD source tree. In addition to the FreeBSD changes, modification was made to libpcap so that existing libpcap consumers can benefit transparently.
Interface Stability: Evolving
Presentation: Zero-Copy BPF Buffers [pdf]
WWW: http://www.freebsd.org
BSMtrace (Host-Based IDS)
Seccuris Laboratories has collected an enormous amount of information regarding intrusion detection—specifically related to the analysis of false positives and valid attacks. A significant amount of time has been spent analyzing attack information, which generally leads to the identification of false positives or failed attacks.
The core reason that these false positives exist is that the intrusion detection system knows very little about the systems being attacked: their operating systems, service revision information, and any other countermeasures that may exist.
BSMtrace is a utility that processes audit trails or real-time audit feeds provided by audit pipes. It loads a set of finite state machines or sequences from the supplied configuration file and watches the audit streams for instances of these sequences. This approach to intrusion detection will ensure that intrusion decisions are made based on the execution patterns of the machine, eliminating many false positives.
This work has been merged into the TrustedBSD project and is available under the BSD open-source software license.
Interface Stability: Evolving
WWW: http://www.trustedbsd.org
WWW: http://www.trustedbsd.org/bsmtrace.html
Much of the research performed by Seccuris is available under the BSD open-source license.