Title: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Slide 1: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu, Ryan Riley
- Department of Computer Science and
- Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang
- Department of Computer Science, North Carolina State University
NICIAR PI Meeting, Washington, DC, September 24, 2008
Slide 2: Process Coloring (PC) Overview
- One-sentence summary: propagating and logging provenance information (colors) along OS-level information flows for malware detection and sensitive data protection
Slide 3: PC Usage Scenario: Server-Side Malware Attack
[Figure: initial coloring of daemons (s30sendmail, s45named, s55sshd, s80httpd) started from init/rc; coloring diffusion from httpd to netcat, wget, /bin/sh, a rootkit and local files, including /etc/shadow (confidential info); every step recorded in the syscall log]
- Capability 1: PC malware alert. No shell process should have the color of Apache.
- Capability 2: Color-based identification of the malware break-in point.
- Capability 3: Color-based log partition for contamination analysis.
Demo at http://friends.cs.purdue.edu/projects/pc/pc-demo.html
Slide 4: PC Usage Scenario: Client-Side Malware Attack
[Figure: client processes and their colors (turbotax: Tax, warcraft: Games, notepad: Editor, firefox: Web Browser); Agobot arriving from www.malicious.net and reaching the tax files]
- PC malware alert: Web browser and tax colors should never mix.
Demo at http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
Slide 5: Heilmeier Question 1: What are you trying to do?
- Tracking and logging OS-level information flows
  - Being extended to both OS and language levels (PC+DDFA)
- Tainting processes and data with provenance information (colors) for
  - Detecting and investigating malware activities
  - Enforcing sensitive data protection policies
- Using virtualization for stronger tamper-resistance
Slide 6: Heilmeier Question 2: How is it done now?
- Information flow tracking at multiple levels
  - OS level
    - Only considering direct causality in each system call
    - No provenance (color) tainting and propagation
  - Language level
    - Only tracking information flow within a program
    - No information flow tracking across programs
  - Instruction level
    - Difficult to understand attack semantics
    - Significant runtime performance overhead
Slide 7: Heilmeier Question 3: What's new and why will it succeed?
- What's new?
  - Color-based malware alert and sensitive data protection
  - Supporting on-line detection and off-line forensics
  - One of the first to combine OS-level and language-level information flows
- Why will it succeed?
  - Practical, deployable system based on classic theory
  - Running prototype showing effectiveness and practicality
  - Attracting external interest (SwRI, Lockheed Martin)
Slide 8: Heilmeier Question 4: If successful, what difference will it make?
- A system-level framework for attack/violation detection, investigation and recovery
- Specification and enforcement of color-based policies for malware alert and data protection
- Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)
Slide 9: Heilmeier Question 5: Your timeline, cost and success metrics?
Timeline: 6/2007, 12/07, 6/08, 12/08
- Basic PC prototype for server-side operation
- PC prototype for client-side operation (brown problem solution)
- Set up living lab VM for evaluation
- Extensive evaluation
- Design, prototyping and demonstration of PC+DDFA integration
  - Recovery and replay
  - PC across machines
  - Data lifetime analysis for data theft defense
Slide 10: Summary of Achievement (Since April)
- Improved sink insulation implementation
- Cleaned up log management and visualization
- Set up living lab client VM for evaluation
- Performed benchmark evaluation of PC
- Started technology transfer activities
- Completed preliminary design and prototype for PC+DDFA
  - Joint presentation in a moment
Slide 11: Living Lab VM: End User's View
Slide 12: Living Lab VM: Administrator's View
Slide 13: Evaluation Metrics: Efficiency
Slide 14: Evaluation with Malware (Agobot, PUD bot)
Slide 15: Process Coloring (PC) for Malware Alert and Investigation: An OS-level Information Flow-Preserving Approach
LSSD
- APPROACH
  - Track OS-level information flows
  - Taint processes/data based on their influence on each other
  - Record color(s) in log entries
  - Integrate with intra-process DDFA
- NEW CAPABILITIES
  - Color-based malware alert
  - Color-based malware break-in point identification
  - Color-based log partitioning
- PLAN / PROGRESS
  - Model process color diffusion in a real OS (done)
  - Demonstrate PC prototype in a malware scenario
    - Includes both server-side (done) and client-side (done) solutions
  - Mitigate color saturation effect in malware alert
    - Profiling and visualization (done)
    - Reducing false positives caused by legitimate color mixing (done)
  - Proof-of-concept demo of PC+DDFA (Dec. 08)
  - Evaluate PC in living lab VMs (July 08 to Dec. 08)
- APPLICATIONS
  - System monitoring and malware (e.g. bots) detection
  - Malware forensics
  - Sensitive data protection
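The color diffusion, alert and log-partition mechanics sketched in slides 3, 4 and 15, as an added Python simulation written for this page (it is not the project's prototype, which works at the OS level inside a VM). The syscall trace, the daemon and file colors, and the two policy rules are constructed; the break-in-point heuristic is a simplification assumed here.

```python
from collections import defaultdict
# Constructed syscall trace (not real PC output): a compromised httpd spawns
# a shell that drops a rootkit and reads /etc/shadow; sshd spawns a legit shell.
SYSCALL_LOG = [
    ("exec", 100, "/usr/sbin/httpd"),
    ("exec", 101, "/usr/sbin/sshd"),
    ("fork", 100, 200),
    ("exec", 200, "/bin/sh"),        # httpd-colored shell: break-in point
    ("write", 200, "/tmp/rootkit"),  # file takes on the httpd color
    ("read", 200, "/etc/shadow"),    # shell also picks up "confidential"
    ("fork", 101, 300),
    ("exec", 300, "/bin/sh"),        # sshd-colored shell: legitimate
]
INITIAL_PROC_COLORS = {"/usr/sbin/httpd": {"httpd"}, "/usr/sbin/sshd": {"sshd"}}
INITIAL_FILE_COLORS = {"/etc/shadow": {"confidential"}}
FORBIDDEN_PROGRAMS = {"/bin/sh": {"httpd"}}               # slide 3 rule
FORBIDDEN_MIXES = [frozenset({"httpd", "confidential"})]  # slide 4 style rule

def diffuse(log):
    """Propagate colors along the log; return (colored_log, alerts)."""
    proc = defaultdict(set)                            # pid -> colors
    files = defaultdict(set, {p: set(c) for p, c in INITIAL_FILE_COLORS.items()})
    exe, colored_log, alerts, seen = {}, [], [], set()
    for kind, pid, arg in log:
        if kind == "fork":                             # child inherits colors
            proc[arg] |= proc[pid]
            exe[arg] = exe.get(pid)
        elif kind == "exec":                           # initial daemon coloring
            exe[pid] = arg
            proc[pid] |= INITIAL_PROC_COLORS.get(arg, set())
        elif kind == "write":                          # process colors -> file
            files[arg] |= proc[pid]
        elif kind == "read":                           # file colors -> process
            proc[pid] |= files[arg]
        colors = frozenset(proc[pid])
        colored_log.append((colors, kind, pid, arg))   # color kept per entry
        bad = FORBIDDEN_PROGRAMS.get(exe.get(pid), set()) & colors
        bad |= {c for mix in FORBIDDEN_MIXES if mix <= colors for c in mix}
        if bad and (pid, frozenset(bad)) not in seen:  # capability 1: alert once
            seen.add((pid, frozenset(bad)))
            alerts.append((pid, exe[pid], sorted(bad)))
    return colored_log, alerts

def partition(colored_log, color):  # capability 3: log slice of one color
    return [e for e in colored_log if color in e[0]]

def break_in_point(colored_log, color):  # capability 2 (simplified heuristic)
    return next(((pid, arg) for colors, kind, pid, arg in colored_log
                 if kind == "exec" and color in colors
                 and arg not in INITIAL_PROC_COLORS), None)
```

Run `diffuse(SYSCALL_LOG)` and the httpd-colored shell raises an alert while the sshd-colored shell stays silent; `partition` then yields only the entries contaminated by the alerting color.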
Slide 16: Thank you! For more information about the Process Coloring project: http://friends.cs.purdue.edu/projects/pc, PC_at_cs.purdue.edu