160 likes | 168 Views
This research paper presents a method called Process Coloring (PC) that propagates and logs provenance information ("colors") along OS-level information flows for effective malware detection and sensitive data protection. PC can track and log OS-level information flows, detect malware activities, and enforce sensitive data protection policies. It combines OS and language-level information flows, making it a practical and deployable system with potential applications in virtualization-based infrastructures.
E N D
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Computer Science North Carolina State University NICIAR PI Meeting, Washington, DC, September 24, 2008
Process Coloring (PC) Overview • One-sentence summary: • Propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection
PC Usage Scenario: Server-Side Malware Attack Capability 1: PC malware alert “No shell process should have the color of Apache” Initial coloring s30sendmail s30sendmail s55sshd s55sshd Syscall Log s45named s45named init rc s80httpd s80httpd • /etc/shadow • Confidential Info httpd netcat Capability 3: Color-based log partition for contamination analysis Local files /bin/sh Capability 2: Color-based identification of malware break-in point Coloring diffusion wget Rootkit Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html
PC Usage Scenario: Client-Side Malware Attack www.malicious.net turbotax Tax warcraft Games notepad Editor firefox Web Browser PC malware alert “Web browser and tax colors should never mix” Agobot Tax files Agobot Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
Heilmeier Question 1:What are you trying to do? • Tracking and logging OS-level information flows • Being extended to both OS and language levels (“PC+DDFA”) • Tainting processes and data with provenance information (“colors”) for • Detecting and investigating malware activities • Enforcing sensitive data protection policies • Using virtualization for stronger tamper-resistance
Heilmeier Question 2:How is it done now? • Information flow tracking at multiple levels • OS level • Only considering direct causality in each system call • No provenance (“color”) tainting and propagation • Language level • Only tracking information Flow within a program • No information flow tracking across programs • Instruction level • Difficult to understand attack semantics • Significant runtime performance overhead
Heilmeier Question 3:What’s new and why will it succeed? • What’s new? • Color-based malware alert and sensitive data protection • Supporting on-line detection and off-line forensics • One of the first to combine OS and language-level information flows • Why will it succeed? • Practical, deployable system based on classic theory • Running prototype showing effectiveness and practicality • Attracting external interests (SwRI, Lockheed Martin)
Heilmeier Question 4:If successful, what difference will it make? • A system-level framework for attack/violation detection, investigation and recovery • Specification and enforcement of color-based policies for malware alert and data protection • Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)
Heilmeier Question 5:Your timeline, cost and success metrics? • Timeline 6/2007 12/07 6/08 12/08 - Basic PC prototype for server-side operation - PC prototype for client-side operation (“brown problem” solution) - Set up “living lab” VM for evaluation - Extensive evaluation - Design, prototyping and demonstration of “PC+DDFA” integration • - Recovery and replay • - PC across machines • - Data lifetime analysis for data theft defense
Summary of Achievement (Since April) • Improved sink insulation implementation • Cleaned up log management and visualization • Set up “living lab” client VM for evaluation • Performed benchmark evaluation of PC • Started technology transfer activities • Completed preliminary design and prototype for “PC+DDFA” • Joint presentation in a moment
LSSD Process Coloring (PC) For Malware Alert and Investigation- An OS-level Information Flow Preserving Approach • APPROACH • Track OS-level information flows • Taint processes/data based on their influence between each other • Record color(s) in log entries • Integrate with intra-process DDFA • NEW CAPABILITIES • Color-based malware alert • Color-based malware break-in point identification • Color-based log partitioning • PLAN / PROGRESS • Model process color diffusion in real OS (done) • Demonstrate PC prototype in a malware scenario • Includes both server (done) and client (done) side solutions • Mitigate color saturation effect in malware alert • Profiling and visualization (done) • Reducing false positives caused by legitimate color mixing (done) • Proof-of-concept demo of “PC+DDFA” (Dec.08) • Evaluate PC in “living lab” VMs (July.08 – Dec.08) • APPLICATIONS • System monitoring and malware (e.g. bots) detection • Malware forensics • Sensitive data protection
Thank you! For more information about the ProcessColoring project: http://friends.cs.purdue.edu/projects/pc PC@cs.purdue.edu