ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Defensive programming: using an annotation toolkit to build DoS-resistant software
Source Operating Systems Design and Implementation archive
Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

 table of contents
Boston, Massachusetts
SESSION: Robustness table of contents
Pages: 45 - 60  
Year of Publication: 2002
ISSN:0163-5980
Authors
Xiaohu Qie  Princeton University
Ruoming Pang  Princeton University
Larry Peterson  Princeton University
Sponsor
SIGOPS: ACM Special Interest Group on Operating Systems
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): n/a,   Downloads (12 Months): n/a,   Citation Count: 6
Additional Information:

abstract   references   cited by   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1060289.1060295
What is a DOI?

ABSTRACT

This paper describes a toolkit to help improve the robustness of code against DoS attacks. We observe that when developing software, programmers primarily focus on functionality. Protecting code from attacks is often considered the responsibility of the OS, firewalls and intrusion detection systems. As a result, many DoS vulnerabilities are not discovered until the system is attacked and the damage is done. Instead of reacting to attacks after the fact, this paper argues that a better solution is to make software defensive by systematically injecting protection mechanisms into the code itself. Our toolkit provides an API that programmers use to annotate their code. At runtime, these annotations serve as both sensors and actuators: watching for resource abuse and taking the appropriate action should abuse be detected. This paper presents the design and implementation of the toolkit, as well as evaluation of its effectiveness with three widely-deployed network services.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
D. Andersen, D. Bansal, D. Curtis, S. Seshan, and H. Balakrishnan. System Support for Bandwidth Management and Content Adaptation in Internet Applications. In Proceedings of the Fourth USENIX Symposium on Operating System Design and Implementation (OSDI), Februray 2000.
 
2
Apache Software Foundation. Apache Web Server. http://www.apache.org/.
 
3
Gaurav Banga , Peter Druschel , Jeffrey C. Mogul, Resource containers: a new facility for resource management in server systems, Proceedings of the third symposium on Operating systems design and implementation, p.45-58, February 1999, New Orleans, Louisiana, United States
 
4
D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions. In Proceedings of the Fourth USENIX Symposium on Operating System Design and Implementation (OSDI), October 2000.
5
Dawson Engler , David Yu Chen , Seth Hallem , Andy Chou , Benjamin Chelf, Bugs as deviant behavior: a general approach to inferring errors in systems code, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada
 
6
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
7
K. Kendall. A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. Master Thesis, MIT, June 1999.
 
8
Linux NIS(YP) Server. http://www.linux-nis.org/nis/.
9
David Mosberger , Larry L. Peterson, Making paths explicit in the Scout operating system, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.153-167, October 29-November 01, 1996, Seattle, Washington, United States
 
10
V. Pai, P. Druschel, and W. Zwaenepoel. Flash: An Efficient and Portable Web Server. In Proceedings of the USENIX '99 Annual Technical Conference, June 1999.
11
Sharon E. Perl , William E. Weihl, Performance assertion checking, Proceedings of the fourteenth ACM symposium on Operating systems principles, p.134-145, December 05-08, 1993, Asheville, North Carolina, United States
12
Stefan Savage , Michael Burrows , Greg Nelson , Patrick Sobalvarro , Thomas Anderson, Eraser: a dynamic data race detector for multithreaded programs, ACM Transactions on Computer Systems (TOCS), v.15 n.4, p.391-411, Nov. 1997  [doi>10.1145/265924.265927]
 
13
Christoph L. Schuba , Ivan V. Krsul , Markus G. Kuhn , Eugene H. spafford , Aurobindo Sundaram , Diego Zamboni, Analysis of a Denial of Service Attack on TCP, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.208, May 04-07, 1997
 
14
A. Somayaji and S. Forrest. Automated Response Using System-Call Delays. In Proceedings of the 9th USENIX Security Symposium, August 2000.
 
15
Oliver Spatscheck , Larry L. Peterson, Defending against denial of service attacks in Scout, Proceedings of the third symposium on Operating systems design and implementation, p.59-72, February 1999, New Orleans, Louisiana, United States
 
16
R. Srinivasan. RPC: Remote Procedure Call Protocol Specification Version 2. Request for Comments (RFC) 1831, August 1995.
 
17
C. Villamizar, R. Chandra, and R. Govindan. BGP Route Flap Damping. Request for Comments (RFC) 2439, November 1998.
 
18
David Wagner , Drew Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.156, May 14-16, 2001
19
Matt Welsh , David Culler , Eric Brewer, SEDA: an architecture for well-conditioned, scalable internet services, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada

CITED BY  6
Cheng Jin , Haining Wang , Kang G. Shin, Hop-count filtering: an effective defense against spoofed DDoS traffic, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Mick Jordan , Grzegorz Czajkowski , Kirill Kouklinski , Glenn Skinner, Extending a J2EE™ server with dynamic and flexible resource management, Proceedings of the 5th ACM/IFIP/USENIX international conference on Middleware, October 18-22, 2004, Toronto, Canada
Haining Wang , Danlu Zhang , Kang G. Shin, Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.193-208, October 2004
Haining Wang , Abhijit Bose , Mohamed El-Gendy , Kang G. Shin, IP Easy-pass: a light-weight network-edge resource access control, IEEE/ACM Transactions on Networking (TON), v.13 n.6, p.1247-1260, December 2005
Lenin Singaravelu , Calton Pu , Hermann Härtig , Christian Helmuth, Reducing TCB complexity for security-sensitive applications: three case studies, ACM SIGOPS Operating Systems Review, v.40 n.4, October 2006
Haining Wang , Cheng Jin , Kang G. Shin, Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.40-53, February 2007
Collaborative Colleagues:
Xiaohu Qie: colleagues
Ruoming Pang: colleagues
Larry Peterson: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player