(Kids Coloring) Dancers Coloring Book-costumes for Coloring-By Pddef
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
description
Transcript of Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu, Ryan RileyDepartment of Computer Science and
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
Xuxian JiangDepartment of Computer ScienceNorth Carolina State University
NICIAR PI Meeting, Washington, DC, September 24, 2008
One-sentence summary: Propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection
Process Coloring (PC) Overview
httpd
s80httpdrcinit
s45named
s30sendmail
s55sshd
s80httpd
s30sendmail
s45named
s55sshd
/bin/sh
wgetRootkitRootkit
Local filesLocal files
netcat • /etc/shadow• Confidential
Info
• /etc/shadow• Confidential
Info
Initial coloring
Coloring diffusion
SyscallLog
Capability 3: Color-based log
partition for contamination analysis
Capability 3: Color-based log
partition for contamination analysis
PC Usage Scenario: Server-Side Malware Attack
Capability 1: PC malware alert
“No shell process should have the color
of Apache”
Capability 1: PC malware alert
“No shell process should have the color
of Apache”
Capability 2: Color-based
identification of malware break-in point
Capability 2: Color-based
identification of malware break-in point
Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.htmlDemo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html
firefox
notepad
turbotax
warcraft
Web Browser
Tax
Editor
Games
AgobotAgobot
Tax filesTax files
PC Usage Scenario: Client-Side Malware Attack
Agobot
www.malicious.net
PC malware alert
“Web browser and tax colors should never
mix”
PC malware alert
“Web browser and tax colors should never
mix”
Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.aviDemo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
Heilmeier Question 1:What are you trying to do?
Tracking and logging OS-level information flows Being extended to both OS and language
levels (“PC+DDFA”)
Tainting processes and data with provenance information (“colors”) for Detecting and investigating malware activities Enforcing sensitive data protection policies
Using virtualization for stronger tamper-resistance
Heilmeier Question 2:How is it done now?
Information flow tracking at multiple levels OS level
Only considering direct causality in each system call
No provenance (“color”) tainting and propagation
Language level Only tracking information Flow within a program No information flow tracking across programs
Instruction level Difficult to understand attack semantics Significant runtime performance overhead
Heilmeier Question 3:What’s new and why will it succeed?
What’s new? Color-based malware alert and sensitive data
protection Supporting on-line detection and off-line forensics One of the first to combine OS and language-level
information flows
Why will it succeed? Practical, deployable system based on classic theory Running prototype showing effectiveness and
practicality Attracting external interests (SwRI, Lockheed Martin)
Heilmeier Question 4:If successful, what difference will it make?
A system-level framework for attack/violation detection, investigation and recovery
Specification and enforcement of color-based policies for malware alert and data protection
Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)
Timeline
Heilmeier Question 5:Your timeline, cost and success metrics?
6/2007 12/07 6/08 12/08
- Basic PC prototype for server-side operation
- Basic PC prototype for server-side operation
- PC prototype for client-side operation (“brown problem” solution)
- Set up “living lab” VM for evaluation
- PC prototype for client-side operation (“brown problem” solution)
- Set up “living lab” VM for evaluation
- Extensive evaluation- Design, prototyping and
demonstration of “PC+DDFA” integration
- Extensive evaluation- Design, prototyping and
demonstration of “PC+DDFA” integration
- Recovery and replay- PC across machines- Data lifetime analysis
for data theft defense
- Recovery and replay- PC across machines- Data lifetime analysis
for data theft defense
Summary of Achievement (Since April)
Improved sink insulation implementation Cleaned up log management and
visualization Set up “living lab” client VM for evaluation Performed benchmark evaluation of PC Started technology transfer activities Completed preliminary design and
prototype for “PC+DDFA” Joint presentation in a moment
“Living Lab” VM: End User’s View
“Living Lab” VM: Administrator’s View
Evaluation Metrics – Efficiency
Evaluation with Malware (Agobot, PUD bot…)
APPROACH• Track OS-level information flows•Taint processes/data based on their influence between each other• Record color(s) in log entries• Integrate with intra-process DDFA
PLAN / PROGRESS• Model process color diffusion in real OS (done)•Demonstrate PC prototype in a malware scenario
Includes both server (done) and client (done) side solutions
• Mitigate color saturation effect in malware alertProfiling and visualization (done)Reducing false positives caused by legitimate
color mixing (done)Proof-of-concept demo of “PC+DDFA” (Dec.08)
• Evaluate PC in “living lab” VMs (July.08 – Dec.08)
Process Coloring (PC) For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach
LSSD
NEW CAPABILITIES• Color-based malware alert•Color-based malware break-in point identification•Color-based log partitioning
APPLICATIONS•System monitoring and malware (e.g. bots) detection•Malware forensics•Sensitive data protection
Thank you!For more information about the Process Coloring project:
http://friends.cs.purdue.edu/projects/[email protected]