
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation



  1. Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Computer Science George Mason University NICIAR PI Meeting Chicago, IL April 7-10, 2008

  2. Process Coloring For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach (LSSD)
     APPROACH
     • Track OS-level information flows
     • Taint processes/data based on their influence on each other
     • Record color(s) in log entries
     NEW CAPABILITIES
     • Color-based malware alert
     • Color-based malware break-in point identification
     • Color-based log partitioning
     PLAN / PROGRESS
     • Model process color diffusion in a real OS (done)
     • Demonstrate process coloring prototype in a malware scenario
       • Includes both server-side (done) and client-side (Aug. 08) solutions
     • Mitigate color saturation effect in malware alert
       • Profiling and visualization (done)
       • Reducing false positives caused by legitimate color mixing (Jul. 08)
       • Tracking cross-border color mixing (Sept. 08)
     • Deploy in a real-world environment (Sept. 08 – Dec. 08)
     APPLICATIONS
     • System monitoring and malware (e.g. bots) detection
     • Malware forensics
     • Sensitive information protection

  3. HQ1: What are you trying to do? HQ2: How is it done now? Any limitations?
     • Key idea: propagating and logging malware break-in provenance information (“colors”) along OS-level information flows
     • Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information
     [Diagram: a virtual machine running a guest OS with Apache, MySQL, DNS and Sendmail; a logger in the Virtual Machine Monitor (VMM) writes the log, which is consumed by a log monitor outside the VM.]

  4. HQ3: What’s new? Why do you think it’ll succeed? HQ4: What difference will it make?
     • Capability 1: Color-based malware alert
     • Capability 2: Color-based identification of malware break-in point
     • Capability 3: Color-based log partition for contamination analysis
     [Diagram: initial coloring gives each service started by init/rc (s30sendmail, s45named, s55sshd, s80httpd) its own color; the colors then diffuse through the syscall log. The diffusion chain shown involves httpd, /bin/sh, wget and netcat, with local files, /etc/shadow, confidential info and a rootkit as the colored data.]
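As an added illustration (not the project's prototype), here is a small Python simulation of the color diffusion and the three capabilities named on this slide: services receive initial colors, colors follow fork/read/write syscalls, a read of a sensitive file by a colored process raises an alert whose colors identify the break-in service, and the colored log is partitioned by color. The service names, colors and the syscall log are constructed.

```python
from collections import defaultdict

# Constructed: initial colors assigned to services at boot (one color per service).
INITIAL_COLORS = {"httpd": {"red"}, "sshd": {"blue"},
                  "named": {"green"}, "sendmail": {"yellow"}}
SENSITIVE_FILES = {"/etc/shadow"}

# Constructed syscall log as (process, syscall, target). Processes are named
# rather than numbered for readability; exec keeps a process's colors, so
# only fork, read and write move color here.
SAMPLE_LOG = [
    ("httpd", "fork", "sh"),
    ("sh", "fork", "wget"),
    ("wget", "write", "/tmp/download"),
    ("sh", "fork", "netcat"),
    ("netcat", "read", "/etc/shadow"),
    ("sshd", "read", "/var/log/wtmp"),
]

def color_log(log, initial=INITIAL_COLORS, sensitive=SENSITIVE_FILES):
    """Diffuse colors along the log and attach each entry's colors to it.
    Returns (colored_log, alerts); an alert fires (Capability 1) when a
    colored process reads a sensitive file."""
    proc = {p: set(c) for p, c in initial.items()}
    files = defaultdict(set)
    colored, alerts = [], []
    for p, call, target in log:
        colors = proc.setdefault(p, set())
        if call == "fork":            # child inherits the parent's colors
            proc.setdefault(target, set()).update(colors)
        elif call == "write":         # data inherits the writer's colors
            files[target].update(colors)
        elif call == "read":          # reader inherits the data's colors
            colors.update(files[target])
            if target in sensitive and colors:
                alerts.append((p, target, frozenset(colors)))
        colored.append((p, call, target, frozenset(colors)))
    return colored, alerts

def partition(colored):
    """Capability 3: split the colored log into one partition per color."""
    parts = defaultdict(list)
    for entry in colored:
        for c in entry[3]:
            parts[c].append(entry)
    return dict(parts)

def break_in_points(alerts, initial=INITIAL_COLORS):
    """Capability 2: map alert colors back to the service(s) they started from."""
    origin = {c: p for p, cs in initial.items() for c in cs}
    return {origin[c] for _, _, cs in alerts for c in cs}
```

Uncolored processes (init, rc) never contribute color, so a partition only contains entries that descend from a colored service.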

  5. HQ5: What about its duration, cost, and milestones?
     • Released a PC prototype for server-side deployment (Dec. 07)
     • Investigated color saturation problem (i.e. “brown problem”) on client side (Feb. 08)
     • Implemented two techniques to mitigate the “brown problem” (Apr. 08)
     • In talks with UT/SwRI team on integrating program-level and OS-level information flows

  6. Current Work: Color Saturation Mitigation (Brown Problem)
     Policy: Data written by financial software should not be read by software that can transmit it outside of the system
     [Diagram: a Finance application, Finances.pdf, a Browser and the agobot3 bot.]

  7. Current Work: Color Saturation Mitigation (Brown Problem)
     Policy: Data written by financial software should not be read by software that can transmit it outside of the system
     [Diagram: Finance, Doc Edit and Browser applications sharing Finances.pdf, notes.txt and the .recently_used file.]

  8. Technique 1: Sink File Insulation

  9. Technique 1: Sink File Insulation
     [Diagram label: F1040.pdf]

  10. Technique 1: Sink File Insulation
     • Some files become color sinks
     • Color transfers unnecessarily
     • Simply “insulate” these sinks


  13. Technique 2: Contextual Insulation
     • Is that secure?
     • Depends on your goals
     • Certainly not ideal
     • Let’s give some brains to the insulation…
     • Look at application context
     • Call stacks


  16. Technique 2: Contextual Insulation
     [Figure: a captured call stack, e.g. 0xb72914eb 0xb77155cc 0x00000000 0xb7582c74 - - - 0xb56a5b0c - 0x00000044 ...]
     • Call stack tells us application context
     • Functions called, arguments used, etc.
     • Take a union of valid call stacks to find commonalities
     • Compare it to runtime stack
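The two mitigation techniques from slides 8 through 16, as an added Python example rather than the project's own code: sink file insulation suppresses color transfer on writes to a designated sink file, and contextual insulation only does so when the writer's runtime call stack is covered by the union of profiled valid stacks (that subset check is my reading of the slide's "union" step, an assumption). The scenario reproduces the brown problem from slide 7; the frame addresses are the ones shown on the slide, the process names and events are constructed.

```python
from collections import defaultdict

# Constructed sink file (from the slides) and profiled call stacks observed when
# the editor legitimately updates it; frame addresses are those on the slide.
SINK_FILES = {".recently_used"}
VALID_STACKS = {".recently_used": [
    [0xB72914EB, 0xB77155CC, 0xB7582C74],
    [0xB72914EB, 0xB77155CC, 0xB56A5B0C],
]}

def stack_union(stacks):
    """Union of all frames seen across the profiled valid stacks for one sink."""
    return {frame for stack in stacks for frame in stack}

def insulated(path, runtime_stack, contextual=True):
    """Technique 1 insulates every write to a sink file; Technique 2 (assumed
    reading of the slide) only insulates it when every runtime frame appears
    in the union of the profiled valid stacks."""
    if path not in SINK_FILES:
        return False
    if not contextual:
        return True
    return set(runtime_stack) <= stack_union(VALID_STACKS.get(path, []))

def run(events, initial, insulate=True, contextual=True):
    """Diffuse colors over (process, syscall, target, call_stack) events and
    report processes that transmit 'finance'-colored data outside the system."""
    proc = {p: set(c) for p, c in initial.items()}
    files = defaultdict(set)
    violations = []
    for p, call, target, stack in events:
        colors = proc.setdefault(p, set())
        if call == "write":
            if not (insulate and insulated(target, stack, contextual)):
                files[target].update(colors)   # normal color transfer to the file
        elif call == "read":
            colors.update(files[target])       # reader inherits the file's colors
        elif call == "send" and "finance" in colors:
            violations.append(p)               # the policy stated on slides 6 and 7
    return proc, violations

# Constructed brown-problem scenario: Doc Edit opens Finances.pdf, then records
# it in .recently_used, which the Browser also reads before sending data out.
INITIAL = {"finance": {"finance"}, "docedit": set(), "browser": set()}
SCENARIO = [
    ("finance", "write", "Finances.pdf", []),
    ("docedit", "read", "Finances.pdf", []),
    ("docedit", "write", ".recently_used", [0xB72914EB, 0xB77155CC, 0xB7582C74]),
    ("browser", "read", ".recently_used", []),
    ("browser", "send", "network", []),
]
FOREIGN_STACK = [0xDEADBEEF]   # constructed: a code path never seen in profiling
```

Without insulation the Browser ends up carrying the finance color through .recently_used and trips the policy; with contextual insulation the editor's profiled write is insulated, while a write from an unprofiled code path is not.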

  17. A Demo of Sink File Insulation: http://friends.cs.purdue.edu/projects/pc/

  18. Thank you! For more information about the Process Coloring project: http://friends.cs.purdue.edu/projects/pc PC@cs.purdue.edu
