SUBMITTED TO: Miss. Simrat (Mam)
SUBMITTED BY: Capt. Gulshan Khan

Roll No: RJ1801A59
Regn. No: 10803495

B.C.A (5th) sem. {Backlog} J1801

Contents
1. Introduction
2. What Are System Calls?
3. How Does System Call Interception Work?
4. How Does McAfee Entercept Use System Call Interception to Protect Servers?
5. What Is the Performance Impact Associated with System Call Interception?
6. Conclusion

INTRODUCTION

In computing, a system call is how a program requests a service from an operating system's kernel that it does not normally have permission to run. System calls provide the interface between a process and the operating system. Most operations interacting with the system require permissions not available to a user-level process: I/O performed with a device present on the system, or any form of communication with other processes, requires the use of system calls.

A system call is used by application (user) programs to request service from the operating system. An operating system can access a system's hardware directly, but a user program is not given direct access to the hardware. This is done so that the kernel can keep the system safe and secure from malicious user programs. The following statements illustrate why system calls are needed. Often, a user program requires some information from the hardware (e.g. from a web camera, to show you the picture), but it cannot get the information directly. So it requests the operating system to supply it the information, and this request is made by using an appropriate system call.

A system call executes in kernel mode. Every system call has a number associated with it; this number is passed to the kernel, and that is how the kernel knows which system call was made. When a user program issues a system call, it is actually calling a library routine. On Linux, the library routine issues a trap to the operating system by executing the INT 0x80 assembly instruction. It also passes the system call number to the kernel using the EAX register, and the arguments of the system call are passed to the kernel using other registers (EBX, ECX, etc.). The kernel executes the system call and returns the result to the user program using a register. If the system call needs to supply the user program with large amounts of data, it will use another mechanism (e.g. a copy_to_user call).

Introduction

System call interception enables many McAfee Entercept proactive server protection capabilities. This paper addresses the following questions:
• What are system calls?
• How does system call interception work?
• How does McAfee Entercept use system call interception to protect servers?
• What is the performance impact associated with system call interception?

What Are System Calls?

In order to protect the core of the operating system from damage by errant or malicious programs, modern operating systems separate code executed by users from code executed by the operating system itself. To achieve this, modern processors include a mode bit that specifies whether the processor is executing kernel-mode code or user-mode code. If the mode bit is set (i.e., user-mode code is executing), the processor hardware prevents all access to the kernel memory space. If a user-mode program attempts to access anything in the kernel memory space, the processor generates an illegal access exception. Thus, no user-mode program can access kernel memory directly.

User-mode programs need to utilize the functionality provided by the kernel in order to access disk drives, network connections, and shared memory. Since the processor prevents direct access to kernel-mode functions, user-mode programs must use system calls, which form the only permitted interface between user mode and kernel mode. System calls expose all kernel functionality that user-mode programs require. System calls, such as “fopen,” which opens a file, are implemented inside the OS using a system call table. The system call table relates each system call to a specific function address within the OS kernel. Conceptually, the structure of a system call table is as follows:

    System Call    Kernel Function Address
    Fopen          0x0000A1F2*
    Unlink         0x00003F16*
    Rmdir          0x00009C57*

Each system call has an entry in the system call table. Figure 2 graphically illustrates this concept. The following C-language program illustrates how system calls are used:

    #include <stdio.h>

    int main(void)
    {
        FILE *handle;

        /* The library call to open the file ends in a kernel system call. */
        handle = fopen("explorer.exe", "w");
        if (handle != NULL)
            fclose(handle);
        return 0;
    }

When the above C-language program is executed, the processor encounters the “fopen” instruction, looks up “fopen” in the system call table, which then points to a corresponding function in the OS kernel, and transfers control to the kernel-mode function at 0x0000A1F2.

How Does System Call Interception Work?

McAfee Entercept adjusts the entries in the system call table, pointing them at the kernel-mode driver. This makes the above system call table look like this:

    System Call    Kernel Function Address
    Fopen          (McAfee Entercept Driver Address)
    Unlink         (McAfee Entercept Driver Address)
    Rmdir          (McAfee Entercept Driver Address)

This inserts McAfee Entercept into the command chain any time a system call is made. As shown in Figure 3, system call interception allows McAfee Entercept to intercept and, if necessary, block access to any system resources by any program. If McAfee Entercept determines that access should be allowed, the McAfee Entercept driver calls the original kernel function.
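A toy model of the two mechanisms the paper describes, the numbered system call table with a dispatcher standing in for the INT 0x80 trap handler (from the introduction) and a driver that repoints every table entry at itself and forwards allowed calls to the saved original (this section). This is an added example, not McAfee Entercept's or any kernel's code; the call numbers, the handlers, the /wwwroot/ path check and the blocking policy are invented for the demonstration.

```c
#include <string.h>

/* Added toy model, not Entercept or kernel code. Call numbers and handlers
 * are invented; nr plays the role of EAX and arg the role of EBX. */
typedef long (*syscall_fn)(int nr, const char *arg);
enum { SYS_FOPEN = 0, SYS_UNLINK = 1, SYS_RMDIR = 2, NR_SYSCALLS = 3 };

static int kernel_calls;  /* how many times a real "kernel" handler ran */
static long k_fopen(int nr, const char *arg)  { (void)nr; (void)arg; kernel_calls++; return 1; }
static long k_unlink(int nr, const char *arg) { (void)nr; (void)arg; kernel_calls++; return 0; }
static long k_rmdir(int nr, const char *arg)  { (void)nr; (void)arg; kernel_calls++; return 0; }

/* The system call table: number -> kernel function, as in the paper's table. */
static syscall_fn sys_call_table[NR_SYSCALLS] = { k_fopen, k_unlink, k_rmdir };
static syscall_fn saved_table[NR_SYSCALLS];   /* originals kept by the driver */

/* Dispatcher standing in for the trap handler: an unknown number is rejected
 * before any table lookup, so a bad EAX can never index past the table. */
static long do_syscall(int nr, const char *arg) {
    if (nr < 0 || nr >= NR_SYSCALLS) return -38;   /* ENOSYS-like */
    return sys_call_table[nr](nr, arg);
}

/* The interception driver. Its policy is deliberately tiny: opening a file
 * under /wwwroot/ passes through, unlinking or removing one is blocked. */
static int under_webroot(const char *path) { return strncmp(path, "/wwwroot/", 9) == 0; }

static long driver_hook(int nr, const char *arg) {
    if (nr != SYS_FOPEN && under_webroot(arg)) return -13;   /* blocked, EACCES-like */
    return saved_table[nr](nr, arg);                          /* allowed: original function */
}

/* Repoint every entry at the driver, keeping the originals so allowed calls
 * still reach the kernel. Installing twice must not overwrite the saved
 * originals with the hook itself; remove_hooks() restores the table. */
static void install_hooks(void) {
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] == driver_hook) continue;
        saved_table[i] = sys_call_table[i];
        sys_call_table[i] = driver_hook;
    }
}
static void remove_hooks(void) {
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] == driver_hook) sys_call_table[i] = saved_table[i];
}
```

Note that the driver never touches the kernel handlers themselves; only the table entries change, which is what the paper means by inserting itself into the command chain without modifying the kernel.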

McAfee Entercept does not modify the kernel. It simply inserts itself into the command execution chain. Several commercial products, including most anti-virus products, use system call interception for various purposes. McAfee Entercept applies this well-understood technique to protecting servers from intrusions and misuse.

How Does McAfee Entercept Use System Call Interception to Protect Servers?

McAfee Entercept behavioral rules determine whether a system call is allowed or blocked. The intricate details of all the rules are beyond the scope of this paper, but in general, McAfee Entercept asks three main questions when a system call is made:
• What process is making the call?
• What user authority is the process running under?
• What is the call trying to access?

One of McAfee Entercept’s many behavioral rules can be summarized as follows:

Rule 1—The Web server can only access Web files and Web-server resources. All other accesses will be blocked.

The following case examples illustrate how McAfee Entercept enforces this behavioral rule:

Case 1—The Web-server process attempts to access the Web file “index.html.” McAfee Entercept intercepts the call to open the file and determines the following:
• Process making the call: inetinfo.exe
• User authority: IUSR_<machine>
• Resource accessed: index.html
With the above information, McAfee Entercept determines that this call involves the Web server running under the proper user authority and accessing a Web file. Since this matches Rule 1 above, McAfee Entercept allows the call.

Case 2—An attacker uncovers a new, previously undiscovered Web-server security vulnerability. This new vulnerability, like so many before it, allows a remote user to access arbitrary files on the Web server. The attacker exploits this vulnerability, attempting to access the file “credit_cards.mdb,” which contains the credit card numbers of the users of a particular e-commerce site. When the Web server attempts to access “credit_cards.mdb,” the system call to open the file is intercepted. McAfee Entercept then determines the following:
• Process making the call: inetinfo.exe
• User authority: IUSR_<machine>
• Resource accessed: credit_cards.mdb
Since “credit_cards.mdb” is not a Web file, this violates Rule 1. McAfee Entercept blocks the call to open the file, and the exploit is prevented.

Another McAfee Entercept behavioral rule, the converse of Rule 1, is:

Rule 2—Only the Web server can access Web files and Web-server resources. Any other process or user that attempts to access Web files and/or resources will be blocked.

The following example illustrates how McAfee Entercept enforces this behavioral rule:

Case 3—An attacker obtains the administrator’s account password to the Web server using social engineering. He or she then logs in to the server as the administrator, opens the company’s homepage in Notepad and attempts to modify it. McAfee Entercept intercepts the call to modify the file “company_homepage.html” and determines the following:
• Process making the call: notepad.exe
• User authority: Administrator
• Resource accessed: company_homepage.html
Since “company_homepage.html” is a Web file, but the process and user accessing it are not the Web-server process and user, McAfee Entercept blocks the call to open the file, and the defacement is prevented.

What Is the Performance Impact Associated with System Call Interception?
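The three questions and the two rules, written out as a decision function and run over the three cases above plus two the text does not cover (a non-Web file opened by Notepad, and the Web-server process running under the wrong account). This is an added example, not McAfee Entercept's rule engine; the definitions of "Web file" (a .html or .htm name) and "Web server" (inetinfo.exe under an IUSR_ account), and the machine name WEB01, are assumptions made for the demonstration.

```c
#include <string.h>

/* Added example of the decision the paper describes; not Entercept's rule
 * engine. The three questions become the three fields of a call record. */
struct call_info { const char *process; const char *user; const char *resource; };
enum verdict { ALLOW = 0, BLOCK_RULE1 = 1, BLOCK_RULE2 = 2 };

static int ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Assumption: a "Web file" is anything ending in .html or .htm. */
static int is_web_resource(const char *path) {
    return ends_with(path, ".html") || ends_with(path, ".htm");
}

/* "The Web server running under the proper user authority": the inetinfo.exe
 * process under the anonymous IUSR_<machine> account. Both must match. */
static int is_web_server(const struct call_info *c) {
    return strcmp(c->process, "inetinfo.exe") == 0 && strncmp(c->user, "IUSR_", 5) == 0;
}

static enum verdict decide(const struct call_info *c) {
    int web = is_web_server(c), res = is_web_resource(c->resource);
    if (web && !res) return BLOCK_RULE1;   /* Rule 1: the Web server touches only Web files */
    if (res && !web) return BLOCK_RULE2;   /* Rule 2: only the Web server touches Web files */
    return ALLOW;                          /* neither rule applies */
}

/* Cases 1-3 from the text, plus a call the rules do not cover and the
 * Web-server process running under the wrong account (constructed data). */
static const struct call_info cases[] = {
    { "inetinfo.exe", "IUSR_WEB01",    "index.html" },             /* Case 1 */
    { "inetinfo.exe", "IUSR_WEB01",    "credit_cards.mdb" },       /* Case 2 */
    { "notepad.exe",  "Administrator", "company_homepage.html" },  /* Case 3 */
    { "notepad.exe",  "Administrator", "notes.txt" },
    { "inetinfo.exe", "SYSTEM",        "index.html" },
};

static enum verdict decide_case(int i) { return decide(&cases[i]); }
```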

System administrators are rightly concerned about any performance impact introduced by security software loaded on their servers. McAfee Entercept has minimal impact on CPU utilization, and its impact on disk utilization and overall latency is negligible.

As illustrated in the examples, the amount of information needed by McAfee Entercept to decide whether to allow or disallow a system call is small; consequently, the number of CPU cycles consumed is also small. In these days of gigahertz processors, most servers are I/O bound, meaning they spend most of their time waiting on disk and network I/O and have CPU cycles to spare. Web servers, for example, do little processing on the data they serve, spending most of their time accessing disk and network resources. During performance testing with customers who have the heaviest-use profiles, the percentage of CPU utilized by McAfee Entercept has typically been 1 to 5 percent.

McAfee Entercept runs entirely in memory, occupying less than 10MB of RAM, and generally does not access the disk once it has been loaded. Since McAfee Entercept does not usually access the disk, it can make system call decisions quickly, without accessing the disk, and, as a result, the overall system latency and response time is unaffected.

Other host-security products use much more of the system resources. A traditional host-based IDS can easily use 50 percent of the CPU if all its functionality is enabled. File-integrity monitors, such as Tripwire, can use large amounts of CPU and are constantly accessing the disk and transferring data, causing poor disk-throughput response latency. The value of preventing known and unknown attacks far outweighs the minimal impact of McAfee Entercept.

Conclusion

McAfee Entercept uses system-call interception and behavioral rules to protect servers from both known and unknown attacks. Because all programs running on servers must use system calls to access system resources, system-call interception is an excellent way to protect system resources. System-call interception allows McAfee Entercept to intercept and, if necessary, block accesses to any system resources by any program, and does so without modification to the kernel, which allows for maximum security with minimal performance impact. McAfee Entercept blocks attempted attacks before they can compromise the system. Additionally, the performance impact of McAfee Entercept versus traditional IDS systems is minimal.
