NFP (No False Positives)

Mocana NFP

“The team was very impressed by the effectiveness of Mocana NFP to protect against real-world exploits”

- Danny Quist,
CEO, Offensive Computing

Mocana NFP is a unique, embedded security solution that approaches intrusion detection in a completely different way. Instead of relying on an attack database for defense, Mocana NFP tracks the function flow within an application.

Mocana NFP is advanced malware protection without the possibility of false positives. With Mocana NFP, each function or system call within the application is checked against a known “good behavior” model. If the function call doesn’t match the known “good behavior” model, the application is terminated and the security breach is logged. Any exploit that manages to take over is shut down as soon as it attempts any sort of access outside the application scope. Mocana NFP is simply validating under normal use scenario that the code is behaving as expected with very little impact on the system overall.

In the past, in order to prevent this type of breach, several manual options were used to:

analyze a static snapshot of the code and try to visually detect coding errors that allow execution of shell code or
replace unsafe functions with safe versions or
modify the compiler to detect runtime stack compromises or
modify the OS to prevent execution of code on the stack or
modify the OS to randomize address space and make attacks more difficult or
place limits on the number of system calls that can be made

There are inherent weaknesses with all of these approaches. They

rely on internal, IT resources and man hours
require security expertise in order to be handled properly
require physical assets (mobile, edge devices) be on hand
must be ongoing and continually managed
target only specific types of attacks leaving systems open to other vulnerabilities
must be employed simultaneously to achieve minimum levels of security

Mocana NFP provides an entirely new software solution to this existing problem. Mocana NFP automates the process: it monitors calls, detects if arbitrary code has been input, and places preventive measures necessary to ensure that no arbitrary code can be executed.

Attack protection
Mocana NFP is designed to prevent malicious code execution in the context of an existing application or process. Any exploit that is able to change the function flow within running code can be shut down by Mocana NFP before it has the chance to do any damage. Some of the attacks Mocana NFP protects against include the following:

Remote and local stack based overflow
Format string attacks/string exploits
Heap overflows
Return-to-libc Integer overflows

NFP Overview
For the past few years, corporate IT and security staffs have been monitoring the rising tide of malware that threatens to invade and take over business systems - stealing, corrupting and destroying sensitive and critical data. Significant portions of IT budgets today are dedicated to security and companies have aggressively deployed firewalls, anti-virus and anti-spam software, VPNs, and ID and access management systems to protect themselves. The most recent addition to the arsenal of enterprise data protection is Intrusion Detection and Prevention Systems (IDS/IPS).

While there are several tools and methods for operating systems like Windows and network based IDS/IPS solutions, they often provide minimal protection from new and highly sophisticated malware. Some solutions are based on the anti-viral signature or pattern matching approach on the host network or use behavioral based detection. Both of these approaches leave devices open to attack - zero day, polymorphism, metamorphosing, encrypted, alternating rate attacks and more. The use of embedded devices is increasing every day and these devices are gaining access to networks and becoming the targets of attack themselves along with the host systems.

An intrusion detection system (IDS) is typically used to detect malicious behavior that can compromise the security and trust of a computer system. An IDS can range from a network/protocol analysis package to file system activity monitors. The computer systems being protected can include clusters to local LANs to small embedded devices. While not quite as specialized as anti-virus security software, most existing IDSes remain limited in scope.

Anti-virus software is not the answer - it is only part of a complete, security solution and it has its own limitations. For example anti-virus software for the mail server can often contribute to excess message traffic and CPU utilization through their “alerts and notifications”. The very thing you want to protect you, can clog up your network by sending your notices for each and every message that it has blocked.

Mobile, wireless, and edge device manufacturers, handheld computing devices, gateways, routers, modems, and printers are at the front line of attack as they reside outside of the corporate network yet continuously gain remote entry into it. These devices, that run network dependent applications like email, web browsers and instant messaging, can be prime targets for malware intent on finding an entry point into a corporate network and are ideally suited for Mocana NFP.

Free Source Code Evaluation

Download Product PDF

Download White Paper

Contact Mocana

Free Source Code Evaluation

Download Product PDF

Download White Paper

Contact Mocana

Key Benefits
	Runtime intrusion detection
	Protects common code libraries
	Prevents system takeover
	Minimal CPU usage
	Protects against zero-day attacks
	No false positives
	Easily integrated into applications - no code changes are required
	Supports common platforms such as Linux or BSD
	Suppports real-time operating systems such as VxWorks