Generation of Application Level Audit Data via Library Interposition

One difficulty encountered by intrusion and misuse detection systems is a lack of application level audit data. Frequently, applications used are written by third parties and may be distributed only in a binary format. In this paper we present a technique to generate application level audit data using library interposition. Interposition allows the generation of audit data without needing to recompile either the system libraries or the application of interest. We created a library that detects some types of unsafe programming practices, and discovered two unreported race conditions in common applications. A prototype interposition library that dynamically detects and prevents some forms of buffer overflow attacks is also introduced. This second prototype library was able to successfully detect and prevent several buffer overflow attacks against privileged programs.