240 likes | 447 Views
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and Engin Kirda Publication: ACM Conference on Computer and Communications Security, 2007 Presenter: Brad Mundt for CAP6133 Spring ‘08.
E N D
Panorama:Capturing System-wide Information Flow for Malware Detection and Analysis Authors:Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and Engin Kirda Publication:ACM Conference on Computer and Communications Security, 2007 Presenter:Brad Mundt for CAP6133 Spring ‘08
Motivation • Malicious software sneaks onto computers • Collects users’ private information • Causes havoc on Internet • Slows performance • Costs to remove • Reputable vendors violate users’ privacy • Google Desktop • Sony Media Player
Traditional Malware detection • Signature-based • Cannot detect new malware or variants • Heuristics • High false positives • High false negatives
The Panorama way • Input • Suspicious behavior • Inappropriate data access, stealthfully • Process • Whole-system, fine-grained taint tracking • Marking data • Operating-system-aware taint analysis • What touches the tainted data and how • Output • Taint Graphs • Tracked tainted data
Taint Graph • Information flow that shows the process that accessed the tainted data • Make policies based on Taint Graph • Compare unknown samples against Taint Graph • Automatic • Numerous categories
Taint Graph generation • Similar to a mapped out logic/process tree • Conceptually, horizontal branching • 9 different types of Root taint sources • Text, password, http, https, icmp, ftp, document, and directory • Non-root entries can be • OS objects (processes, modules) • OS resource (such as a file)
Conceptual Structure • Works with closed code • Windows OS • FireFox • Monitors the whole system in a processor emulator • Shadow memory stores taint status of • Each byte of physical memory • CPU’s general purpose registers • Hard disk and network interface buffer
Taint Sources • Test information is inputted and marked as taint source • Inputted from hardware such as • Keyboard • Network interface • Hard disk • Tainting at hardware level • Malware could hook before input reaches the software
Taint propagation • Monitors CPU instructions and DMA operations dealing with tainted data • OS-Aware taint tracking • Developed a kernel module • Authenticated communications to taint engine
Code identification • Identifying the code under analysis and it’s actions • Entire code segment is labeled • Dynamic or Encrypted code is labeled too • A similar method labels trusted code
Three categorized behaviors • Anomalous information access • MS Paint accessing passwords • Anomalous information leakage • BHO reporting home about surfed websites • Excessive information access • Repeatedly accessed directory to hide rootkit
Malware detections • 42 real-world malware samples • 56 benign applications were tested • Only 3 false positives, no false negatives • 2 from a personal firewall • 1 from a browser accelerator
Summary • A new system to detect malware • System-Wide Information Flow • Taint tracking • Data access and process tracking • Taint graphs • Policies
Contributions • Unified approach to detect and analyze diverse malware • Designed and developed a functional prototype • Detected all malware samples • Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware
Weaknesses • Performance Overhead • Using Cygwin utilities • Prototype is not optimized • Slowdown average is 20 times • Intended as a offline tool • Evasive malware • Time bombs • Selective keystroke loggers • Virtual environment detection
How to Improve • Optimize the code • Automate taint graph analysis and policy implementation • Virtual environment shielding • Or switch out of emulated environment • Implement mentioned improvements • Unicode conversion- switch case issue
The End Thank you…