Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Transcript of a PowerPoint presentation


1
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
  • Eugene Spafford, Dongyan Xu, Ryan Riley
    Department of Computer Science and Center for Education and Research in
    Information Assurance and Security (CERIAS), Purdue University
  • Xuxian Jiang
    Department of Computer Science, North Carolina State University

NICIAR PI Meeting, Washington, DC, September 24, 2008
2
Process Coloring (PC) Overview
  • One-sentence summary: propagating and logging provenance information
    (colors) along OS-level information flows for malware detection and
    sensitive data protection

3
PC Usage Scenario: Server-Side Malware Attack
[Figure: init runs rc, which starts s30sendmail, s45named, s55sshd and
s80httpd; each daemon receives its own initial color. The syscall log shows
coloring diffusion from a compromised httpd to /bin/sh, wget, netcat and a
rootkit, which touch local files and the confidential /etc/shadow.]
  • Capability 1: PC malware alert. No shell process should have the color
    of Apache.
  • Capability 2: Color-based identification of the malware break-in point.
  • Capability 3: Color-based log partition for contamination analysis.
Demo at http://friends.cs.purdue.edu/projects/pc/pc-demo.html
4
PC Usage Scenario: Client-Side Malware Attack
[Figure: firefox (Web Browser), turbotax (Tax), warcraft (Games) and notepad
(Editor) each carry their own color. Agobot arrives from www.malicious.net
through the web browser and reaches the tax files.]
  • PC malware alert: web browser and tax colors should never mix.
Demo at http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
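The two usage scenarios above can be replayed on a toy model of process coloring. The following block is an added example written for this transcript; it is not the Purdue prototype's code, and the PIDs, program names, file paths, syscall log and policy names are all constructed. It diffuses colors along fork/exec/read/write flows and then exercises the three capabilities from slide 3 (alert, break-in point, log partition) and the color-mixing alert from slide 4.

```python
"""Toy model of Process Coloring (added example for this page, not the Purdue
prototype).  Colors are diffused along fork/exec/read/write flows replayed from
a constructed syscall log; the colored log then serves the three capabilities
on slides 3 and 4.  Process/file names, PIDs and the log are constructed."""
from collections import defaultdict

SHELLS = {"/bin/sh", "/bin/bash"}

# Server side (slide 3): daemons started from rc, one initial color each.
SERVER_BOOT = {100: "sendmail", 101: "named", 102: "sshd", 103: "httpd"}
SERVER_COLORS = {"sendmail": "SENDMAIL", "named": "NAMED",
                 "sshd": "SSHD", "httpd": "HTTPD"}
# Constructed log: an httpd worker is turned into a shell that fetches a rootkit
# and reads /etc/shadow; the admin shell under sshd at the end is legitimate.
SERVER_LOG = [
    ("fork", 103, 200), ("exec", 200, "/bin/sh"),
    ("fork", 200, 201), ("exec", 201, "wget"), ("write", 201, "/tmp/rootkit.tgz"),
    ("fork", 200, 202), ("exec", 202, "netcat"), ("read", 202, "/etc/shadow"),
    ("fork", 102, 300), ("exec", 300, "/bin/sh"),
]

# Client side (slide 4): each application carries its own color.
CLIENT_BOOT = {400: "firefox", 401: "turbotax", 402: "warcraft", 403: "notepad"}
CLIENT_COLORS = {"firefox": "WEB", "turbotax": "TAX",
                 "warcraft": "GAMES", "notepad": "EDITOR"}
CLIENT_LOG = [
    ("write", 401, "/home/alice/2008.tax"),  # turbotax saves a return: file gets TAX
    ("write", 400, "/tmp/agobot"),           # drive-by download: file gets WEB
    ("fork", 400, 500), ("exec", 500, "/tmp/agobot"),
    ("read", 500, "/home/alice/2008.tax"),   # Agobot (WEB) reads the tax file (TAX)
    ("read", 403, "/home/alice/notes.txt"),  # unrelated editor activity
]


def forbid(color, images):
    """Policy: a process running one of `images` must never carry `color`."""
    return lambda image, colors: image in images and color in colors


def never_mix(a, b):
    """Policy: colors `a` and `b` must never meet in one process."""
    return lambda image, colors: a in colors and b in colors


class ColorTracker:
    """Replays a syscall log, diffusing colors along OS-level flows, and keeps
    a copy of the log in which every entry records its caller's colors."""

    def __init__(self, boot, initial_colors):
        self.image = dict(boot)                 # pid -> program image
        self.initial = dict(initial_colors)     # image -> its own color
        self.pcolor = defaultdict(set)          # pid -> colors carried
        self.fcolor = defaultdict(set)          # path -> colors written into it
        for pid, img in boot.items():
            if img in initial_colors:
                self.pcolor[pid].add(initial_colors[img])
        self.log = []                           # (seq, pid, image, call, arg, colors)

    def replay(self, events):
        for seq, (call, pid, arg) in enumerate(events, 1):
            if call == "fork":                  # child inherits the parent's colors
                self.pcolor[arg] |= self.pcolor[pid]
                self.image[arg] = self.image.get(pid, "?")
            elif call == "exec":                # plus whatever colored the binary
                self.image[pid] = arg
                self.pcolor[pid] |= self.fcolor[arg]
            elif call == "write":               # colors diffuse into the file...
                self.fcolor[arg] |= self.pcolor[pid]
            elif call == "read":                # ...and back into any later reader
                self.pcolor[pid] |= self.fcolor[arg]
            else:
                raise ValueError(f"unsupported call {call!r}")
            self.log.append((seq, pid, self.image.get(pid, "?"), call, arg,
                             frozenset(self.pcolor[pid])))
        return self

    def colors_of(self, pid):
        return frozenset(self.pcolor[pid])

    def alerts(self, policies):
        """Capability 1: first log entry at which each process breaks each policy."""
        seen, out = set(), []
        for seq, pid, image, _call, _arg, colors in self.log:
            for name, violated in policies:
                if (pid, name) not in seen and violated(image, colors):
                    seen.add((pid, name))
                    out.append((seq, pid, image, name))
        return out

    def break_in_points(self, pid):
        """Capability 2: initially colored programs whose color `pid` carries,
        i.e. the services through which the malware could have entered."""
        return sorted(img for img, c in self.initial.items() if c in self.pcolor[pid])

    def partition(self, color):
        """Capability 3: only the log entries of processes carrying `color`."""
        return [e for e in self.log if color in e[5]]


SERVER_POLICIES = [("shell-with-httpd-color", forbid("HTTPD", SHELLS))]
CLIENT_POLICIES = [("web-tax-mix", never_mix("WEB", "TAX"))]

if __name__ == "__main__":
    srv = ColorTracker(SERVER_BOOT, SERVER_COLORS).replay(SERVER_LOG)
    print("server alerts:", srv.alerts(SERVER_POLICIES))
    print("break-in point for netcat (pid 202):", srv.break_in_points(202))
    print("HTTPD-colored log entries:", [e[0] for e in srv.partition("HTTPD")])
    cli = ColorTracker(CLIENT_BOOT, CLIENT_COLORS).replay(CLIENT_LOG)
    print("client alerts:", cli.alerts(CLIENT_POLICIES))
```

Two points worth noticing when running it. The alert is color-based rather than name-based: the admin shell forked by sshd at the end of the server log runs the same /bin/sh image but carries only the SSHD color, so it is not flagged, while the shell under httpd is flagged at the exec that turns the worker into a shell. And the HTTPD partition contains every entry of every descendant of httpd, since colors are never removed once acquired; on a long-running system that is the color saturation effect slide 15 lists as something the prototype has to mitigate.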
5
Heilmeier Question 1: What are you trying to do?
  • Tracking and logging OS-level information flows
    - Being extended to both OS and language levels (PC+DDFA)
  • Tainting processes and data with provenance information (colors) for
    - Detecting and investigating malware activities
    - Enforcing sensitive data protection policies
  • Using virtualization for stronger tamper-resistance

6
Heilmeier Question 2: How is it done now?
  • Information flow tracking at multiple levels
    - OS level: only considers direct causality within each system call;
      no provenance (color) tainting and propagation
    - Language level: only tracks information flow within a program;
      no information flow tracking across programs
    - Instruction level: difficult to understand attack semantics;
      significant runtime performance overhead

7
Heilmeier Question 3: What's new and why will it succeed?
  • What's new?
    - Color-based malware alert and sensitive data protection
    - Supporting on-line detection and off-line forensics
    - One of the first to combine OS- and language-level information flows
  • Why will it succeed?
    - Practical, deployable system based on classic theory
    - Running prototype showing effectiveness and practicality
    - Attracting external interest (SwRI, Lockheed Martin)

8
Heilmeier Question 4: If successful, what difference will it make?
  • A system-level framework for attack/violation detection, investigation
    and recovery
  • Specification and enforcement of color-based policies for malware alert
    and data protection
  • Ready for virtualization-based infrastructures (e.g. honeynets,
    enterprises and data centers)

9
Heilmeier Question 5: Your timeline, cost and success metrics?
  • Timeline (milestones from 6/2007 through 12/2007, 6/2008 and 12/2008,
    in order)
    - Basic PC prototype for server-side operation
    - PC prototype for client-side operation (brown problem solution);
      set up living lab VM for evaluation
    - Extensive evaluation; design, prototyping and demonstration of
      PC+DDFA integration
    - Recovery and replay; PC across machines; data lifetime analysis for
      data theft defense

10
Summary of Achievement (Since April)
  • Improved sink insulation implementation
  • Cleaned up log management and visualization
  • Set up living lab client VM for evaluation
  • Performed benchmark evaluation of PC
  • Started technology transfer activities
  • Completed preliminary design and prototype for PC+DDFA
  • Joint presentation in a moment

11
Living Lab VM: End User's View
12
Living Lab VM: Administrator's View
13
Evaluation Metrics: Efficiency
14
Evaluation with Malware (Agobot, PUD bot)
15
Process Coloring (PC) for Malware Alert and Investigation: An OS-level
Information Flow-Preserving Approach
LSSD
  • APPROACH
    - Track OS-level information flows
    - Taint processes/data based on their influence on each other
    - Record color(s) in log entries
    - Integrate with intra-process DDFA
  • NEW CAPABILITIES
    - Color-based malware alert
    - Color-based malware break-in point identification
    - Color-based log partitioning
  • PLAN / PROGRESS
    - Model process color diffusion in a real OS (done)
    - Demonstrate PC prototype in a malware scenario; includes both
      server-side (done) and client-side (done) solutions
    - Mitigate color saturation effect in malware alert: profiling and
      visualization (done); reducing false positives caused by legitimate
      color mixing (done)
    - Proof-of-concept demo of PC+DDFA (Dec 2008)
    - Evaluate PC in living lab VMs (July 2008 to Dec 2008)
  • APPLICATIONS
    - System monitoring and malware (e.g. bots) detection
    - Malware forensics
    - Sensitive data protection

16
Thank you! For more information about the Process Coloring project:
http://friends.cs.purdue.edu/projects/pc
PC@cs.purdue.edu