Intrusion detection in open source software via dynamic aspects

Aspect-Oriented Programming (AOP) is an emerging software engineering methodology, which has been used to assist in the removal of crosscutting concerns from traditional methods of software development. As an example, software used to determine whether a user has appropriate security clearance might be scattered throughout the many modules, which require this check. Utilising AOP, "aspects" are "woven" into the software either in a "static" method, during compilation, or a "dynamic" method while the program is executing. The "join points" in a program are the points where these aspects are applied. The "aspect" code is written once and "woven" in to the modules at join points. Typical aspects involve logging changes to a database and monitoring memory usage. Our focus is on aspects related to security and intrusion incident detection. Dynamic weaving allows aspects to be woven in and out as the program is executing. However the base code often must be compiled with additional "syntactic sugar"-additions that are required for the later connection of dynamic aspects. This paper presents a new technique to enable dynamically loaded security modules to be added into existing C/C++ code on the fly while the program is executing. Our tool is a Run-Time Event Monitoring System called "dynamicHook", implemented on a standard Linux platform using existing Linux tools, which tests each potential join point for the required activation of advice. Our system does not need to modify the executable files, but instead we compile in special "linkage" between the base code and potential aspects which are then called as dynamically linked routines located in shared libraries. Our scheme does not require any new syntax or language extensions or rely on code transformations; we thus use it for adding intrusion detection methodologies to pre-existing off-the-shelf open source software.