SecureCore shields server memory

Holes left by perimeter security and conventional anti-virus solutions are being filled by host-based IPS solutions, many of which mirror their network-based kin by inserting themselves between the wild outside network and the vulnerable destination.

Determina’s SecureCore and its Memory Firewall technology, however, abandon signature- and behavior-based detection. Instead, the memory firewall protects the server memory that runs the applications, shielding vulnerable servers and hosts inside the enterprise.

SecureCore jump-starts protection by requiring neither attack signatures nor the time needed to baseline behavior. Determina hypothesizes that the hijacking process always consists of activity that is contrary to appropriate software procedural execution, so SecureCore detects the steps associated with the hijacking of a process running on a server or host and stops the action.

For example, McAfee Entercept stopped an exploit attempt with BOPT (buffer overflow protection technology) that was monitoring for a specific type of unconventional activity -- code executing from writeable memory.

But SecureCode picks up where BOPT leaves off: It stops code from executing from writeable memory, and it monitors for other activities that do not fit within the scope of convention, including buffer overflows, heap overflows, and format strings.

Nearly silent security

SecureCore works by creating a VM environment for each process you want to protect. It monitors each call made in or out of the VM, covering all paths, versus other BOPTs that monitor only calls to and from the kernel or API.

SecureCode’s installation process is painless. On Windows platforms, a Microsoft Installer package (.msi) can be pushed through domain policy. The installation package can also be downloaded directly from the management server Web interface. After installing SecureCore, we found that the test server had to be rebooted -- but we weren’t overtly notified that the server had to be rebooted to add the Determina protection. This was a definite no-no in our book.

The management interface, a Web-based UI running on a Tomcat engine, is intuitive and easy to use. Events can be queried by multiple dimensions, and assets -- servers and hosts -- can be grouped by administration. Protection profiles for remote hosts, aka configuration sets, are configured through the centralized management interface.

Determina’s management front end is a clean, simple interface that allows protection profiles to be changed on individual hosts or administrative groups. Because SecureCore does not require updates, it is fortunate that the management engine can send you an e-mail when the attacks begin. Otherwise, it would be easy to forget you had installed it.

SecureCore does not require tweaking or monitoring to ensure protection. The only configuration necessary is determining which processes should be protected by SecureCore. For that, Determina’s management engine provides several preconfigured templates. The templates are geared toward protecting OS and enterprise-critical services such as Microsoft’s IIS and SQL. Although SecureCore does not currently have the flexibility to protect additional services, Determina plans to add this capability in a future release.

We liked the protection afforded by the Memory Firewall technology but found it a bit unnerving that SecureCore didn’t protect its own management server. The lack of protection for internal applications was curious and somewhat disconcerting. (Determina says it will add this protection to the next version of SecureCore, too.)

Exploit explosion

To test SecureCore’s expertise, we launched exploits of vulnerabilities on the SANS Institute/FBI Top 20 Internet Security Vulnerabilities list using our standard Core Impact penetration tool. On a Windows 2000 Advanced Server with SP0 (Service Pack 0), we were able to exploit six exposed vulnerabilities. After installing SecureCore, all six exploit attempts failed; it also stopped the Sasser and Welchia worms.

We did run into some problems. During the first round of testing, our Windows 2000 SP0 Server had significant stability problems; most notably, we frequently received kernel dumps -- “blue screen of death.” It’s possible that our previously moderately compromised server may have contributed to its own demise; a second and third test run yielded no problems after we cleaned off our testing server. (Determina recommends all OS Service Packs be applied when installing agents on Windows 2000.) Determina is researching potential causes of our problem. 

When things were rolling, we received no notification of attack during testing, but notifications were stored on the local machine’s event log. Hijack attempts were logged at the management interface, and sparked SecureCore’s forensic logging capability. These more detailed forensic logs contain memory dumps of the service running and other useful information such as related registry strings and associated files.

SecureCore runs a separate VM environment for each process. To find out how much overhead this added to the system, we ran a remote script that downloaded a variety of pages from an IIS server. Prior to SecureCore installation, the script execution took an average of 68.82 seconds; after installing the memory engine, the script ran in 68.91 seconds -- very little difference, and with no change in system responsiveness.

We found SecureCore extremely effective against current memory attacks, but we did have some stability and security concerns. Determina’s unique approach may protect your company from the next generation of worms, but comprehensive stability testing is needed before SecureCore becomes your host- and server-based memory firewall.