
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

This research paper presents a method called Process Coloring (PC) that propagates and logs provenance information ("colors") along OS-level information flows for effective malware detection and sensitive data protection. PC can track and log OS-level information flows, detect malware activities, and enforce sensitive data protection policies. It combines OS and language-level information flows, making it a practical and deployable system with potential applications in virtualization-based infrastructures.


Presentation Transcript


  1. Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
     Eugene Spafford, Dongyan Xu, Ryan Riley (Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University); Xuxian Jiang (Department of Computer Science, North Carolina State University)
     NICIAR PI Meeting, Washington, DC, September 24, 2008

  2. Process Coloring (PC) Overview
     • One-sentence summary: propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection

  3. PC Usage Scenario: Server-Side Malware Attack
     [Diagram: init/rc scripts apply the initial coloring to the daemons they start (s30sendmail, s45named, s55sshd, s80httpd); every system call is recorded in the syscall log; a compromised httpd leads to /bin/sh, wget, netcat, local files and a rootkit as the coloring diffuses; /etc/shadow and confidential info are shown as the protected targets.]
     • Capability 1: PC malware alert, “No shell process should have the color of Apache”
     • Capability 2: Color-based identification of malware break-in point
     • Capability 3: Color-based log partition for contamination analysis
     Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html

  4. PC Usage Scenario: Client-Side Malware Attack
     [Diagram: each client application carries its own color: turbotax (Tax), warcraft (Games), notepad (Editor), firefox (Web Browser); Agobot arrives from www.malicious.net through the web browser and reaches the tax files.]
     • PC malware alert: “Web browser and tax colors should never mix”
     Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
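The two scenarios above rest on the same mechanism: colors diffuse along fork/exec and file reads/writes, and policies are checked against the colors a process carries. The following is an added simulation of that mechanism with the three capabilities from the server-side slide (example code, not the project's kernel implementation); the syscall trace, pids, file names and log tuple layout are all constructed for illustration.

```python
from collections import defaultdict

# Constructed syscall trace (not the project's log format): (seq, syscall, actor_pid, target).
TRACE = [
    (1, "fork", 400, 401),             # httpd spawns a worker
    (2, "exec", 401, "/bin/sh"),       # worker turned into a shell
    (3, "fork", 401, 402),
    (4, "exec", 402, "wget"),
    (5, "write", 402, "/tmp/rk"),      # downloaded file now carries the httpd color
    (6, "read", 200, "/etc/ssh/cfg"),  # unrelated sshd activity
    (7, "exec", 402, "netcat"),
]
# Initial coloring: each daemon started by init/rc gets a color named after it.
INITIAL = {100: "sendmail", 200: "sshd", 300: "named", 400: "httpd"}

def diffuse(trace=TRACE, initial=INITIAL):
    """Propagate colors along fork/exec and file I/O; return entries
    (seq, syscall, pid, program, target, colors) with colors as of that call."""
    colors = defaultdict(set, {pid: {c} for pid, c in initial.items()})
    name, log = dict(initial), []
    for seq, call, actor, target in trace:
        if call == "fork":        # child inherits parent's colors and name
            colors[target] |= colors[actor]
            name[target] = name[actor]
        elif call == "exec":      # same process, new program
            name[actor] = target
        elif call == "write":     # file inherits writer's colors
            colors[target] |= colors[actor]
        elif call == "read":      # reader inherits file's colors
            colors[actor] |= colors[target]
        log.append((seq, call, actor, name[actor], target, frozenset(colors[actor])))
    return log

def partition(log, color):
    """Capability 3: the slice of the log touched by one color."""
    return [e for e in log if color in e[5]]

def alerts(log, forbidden):
    """Capability 1: (program, color) pairs that must not coexist, e.g.
    ("/bin/sh", "httpd") for 'no shell process with the color of Apache'."""
    return [(e[0], e[3], c) for e in log for p, c in forbidden if e[3] == p and c in e[5]]

def break_in_point(log, color, expected):
    """Capability 2: first exec within the color's partition of a program
    the colored service is not expected to run."""
    for e in partition(log, color):
        if e[1] == "exec" and e[4] not in expected:
            return e[0]
    return None
```

The client-side rule (“web browser and tax colors should never mix”) is the same check on a process whose color set contains both colors at once.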

  5. Heilmeier Question 1: What are you trying to do?
     • Tracking and logging OS-level information flows
       • Being extended to both OS and language levels (“PC+DDFA”)
     • Tainting processes and data with provenance information (“colors”) for
       • Detecting and investigating malware activities
       • Enforcing sensitive data protection policies
     • Using virtualization for stronger tamper-resistance

  6. Heilmeier Question 2: How is it done now?
     • Information flow tracking at multiple levels
       • OS level
         • Only considering direct causality in each system call
         • No provenance (“color”) tainting and propagation
       • Language level
         • Only tracking information flow within a program
         • No information flow tracking across programs
       • Instruction level
         • Difficult to understand attack semantics
         • Significant runtime performance overhead

  7. Heilmeier Question 3: What’s new and why will it succeed?
     • What’s new?
       • Color-based malware alert and sensitive data protection
       • Supporting on-line detection and off-line forensics
       • One of the first to combine OS and language-level information flows
     • Why will it succeed?
       • Practical, deployable system based on classic theory
       • Running prototype showing effectiveness and practicality
       • Attracting external interests (SwRI, Lockheed Martin)

  8. Heilmeier Question 4: If successful, what difference will it make?
     • A system-level framework for attack/violation detection, investigation and recovery
     • Specification and enforcement of color-based policies for malware alert and data protection
     • Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

  9. Heilmeier Question 5: Your timeline, cost and success metrics?
     • Timeline (6/2007, 12/07, 6/08, 12/08):
       - Basic PC prototype for server-side operation
       - PC prototype for client-side operation (“brown problem” solution)
       - Set up “living lab” VM for evaluation
       - Extensive evaluation
       - Design, prototyping and demonstration of “PC+DDFA” integration
       - Recovery and replay
       - PC across machines
       - Data lifetime analysis for data theft defense

  10. Summary of Achievement (Since April)
      • Improved sink insulation implementation
      • Cleaned up log management and visualization
      • Set up “living lab” client VM for evaluation
      • Performed benchmark evaluation of PC
      • Started technology transfer activities
      • Completed preliminary design and prototype for “PC+DDFA”
        • Joint presentation in a moment

  11. “Living Lab” VM: End User’s View

  12. “Living Lab” VM: Administrator’s View

  13. Evaluation Metrics – Efficiency

  14. Evaluation with Malware (Agobot, PUD bot…)

  15. LSSD Process Coloring (PC) for Malware Alert and Investigation: An OS-level Information Flow Preserving Approach
      • APPROACH
        • Track OS-level information flows
        • Taint processes/data based on their influence between each other
        • Record color(s) in log entries
        • Integrate with intra-process DDFA
      • NEW CAPABILITIES
        • Color-based malware alert
        • Color-based malware break-in point identification
        • Color-based log partitioning
      • PLAN / PROGRESS
        • Model process color diffusion in real OS (done)
        • Demonstrate PC prototype in a malware scenario
          • Includes both server (done) and client (done) side solutions
        • Mitigate color saturation effect in malware alert
          • Profiling and visualization (done)
          • Reducing false positives caused by legitimate color mixing (done)
        • Proof-of-concept demo of “PC+DDFA” (Dec. 08)
        • Evaluate PC in “living lab” VMs (July 08 – Dec. 08)
      • APPLICATIONS
        • System monitoring and malware (e.g. bots) detection
        • Malware forensics
        • Sensitive data protection

  16. Thank you! For more information about the Process Coloring project: http://friends.cs.purdue.edu/projects/pc, PC@cs.purdue.edu
