Making Software Resistant to DoS Attacks Through Defensive Programming

We believe the lack of a general and effective defense against Denial-of-Service attacks is due to two reasons. First, DoS attacks do not attempt to intrude the target system by breaching security measures. Nor do they rely on software bugs. DoS attacks prevail by abusing legitimate system functionalities, to the extent that the server becomes irresponsive or the quality of its service is seriously damaged. Due to this unique nature, current techniques that offer protection by checking for security violations and buffer overflow bugs are not effective against DoS attacks. Second, many DoS vulnerabilities can be attributed to the separation of software functionality and protection. When developing software, programmers primarily focus on functionality. Protecting code from attacks is often considered the responsibility of the OS, firewalls and intrusion detection systems. As a result, many DoS vulnerabilities are not discovered until the system is attacked and the damage is done.

Instead of reacting to attacks after the fact, we are exploring a more active approach: making the software itself defensive, by which we mean the programmer embeds general protection mechanisms into the software. These mechanisms offer systematic and proactive protection against DoS attacks. In our ongoing work, we are studying common DoS attack characteristics, and have built a toolkit that provides an interface programmers use to annotate their code as a means of specifying a general resource management policy. With compiler assistance, these annotations are translated into runtime sensors and actuators that watch for resource abuse and take appropriate action should abuse be detected. Preliminary results with three widely-deployed network services are promising. We found that several DoS vulnerabilities exist in all test cases and software augmented with the annotation toolkit are more resilient under attacks.