Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis

1
Panorama: Capturing System-wide Information Flow
for Malware Detection and Analysis
  • Authors: Heng Yin, Dawn Song, Manuel Egele,
    Christopher Kruegel, and Engin Kirda
  • Publication: ACM Conference on Computer and
    Communications Security, 2007
  • Presenter: Brad Mundt for CAP6133, Spring 08

2
Motivation
  • Malicious software sneaks onto computers
    • Collects users' private information
    • Causes havoc on the Internet
    • Slows performance
    • Costs money to remove
  • Reputable vendors also violate users' privacy
    • Google Desktop
    • Sony Media Player

3
Traditional malware detection
  • Signature-based
    • Cannot detect new malware or variants
  • Heuristics
    • High false positives
    • High false negatives

4
The Panorama way
  • Input
    • Suspicious behavior
    • Inappropriate, stealthy data access
  • Process
    • Whole-system, fine-grained taint tracking
      • Marking data
    • Operating-system-aware taint analysis
      • What touches the tainted data, and how
  • Output
    • Taint graphs
    • Tracked tainted data

5
Taint Graph
  • Information flow that shows the processes that
    accessed the tainted data
  • Make policies based on the taint graph
  • Compare unknown samples against the taint graph
    • Automatic
    • Numerous categories

6
Taint Graph example
7
Taint Graph generation
  • Similar to a mapped-out logic/process tree
  • Conceptually, horizontal branching
  • 9 different types of root taint sources
    • Text, password, http, https, icmp, ftp, document,
      and directory
  • Non-root entries can be
    • OS objects (processes, modules)
    • OS resources (such as a file)

8
System Overview
9
Conceptual Structure
  • Works with closed-source code
    • Windows OS
    • Firefox
  • Monitors the whole system in a processor emulator
  • Shadow memory stores the taint status of
    • Each byte of physical memory
    • The CPU's general-purpose registers
    • The hard disk and network interface buffer

10
Taint Sources
  • Test data is input and marked as a taint
    source
  • Input comes from hardware such as
    • Keyboard
    • Network interface
    • Hard disk
  • Tainting is done at the hardware level
    • Malware could hook the input before it reaches the
      software

11
Taint propagation
  • Monitors CPU instructions and DMA operations
    dealing with tainted data
  • OS-aware taint tracking
    • Developed a kernel module
    • Authenticated communications to the taint engine

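The three slides above (shadow memory, hardware-level taint sources, instruction- and DMA-level propagation) are easiest to see in a toy model. The following is an added example written for this transcript, not code from the Panorama paper or its prototype: a byte-granular shadow memory over a tiny machine with four registers, a keyboard port, a disk and a NIC buffer. The label names ("password", "keyboard"), the register set and the keylogger scenario are all constructed assumptions.

```python
"""Byte-granular shadow memory for whole-system taint tracking.

Added illustration, not code from the Panorama paper or its prototype.
Assumptions: a toy machine with a flat physical memory, four general-purpose
registers, a keyboard port, a disk buffer and a NIC buffer. Each shadow cell
holds a set of taint labels (e.g. {"password"}); an empty set means clean.
"""
from __future__ import annotations

MEM_SIZE = 64


class TaintMachine:
    def __init__(self) -> None:
        self.mem = bytearray(MEM_SIZE)
        self.shadow_mem = [set() for _ in range(MEM_SIZE)]   # one label set per byte
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx")}
        self.shadow_regs = {r: set() for r in self.regs}
        # Bytes that left through the NIC, with the labels they carried.
        self.nic_out: list[tuple[int, set]] = []

    # --- taint sources: labels attached at the hardware boundary -------------
    def keyboard_input(self, text: bytes, dest: int, label: str) -> None:
        """Keystrokes arrive via the emulated keyboard controller and land in the
        OS keyboard buffer at `dest` already labelled, so a hook installed in
        software cannot see them before they are tainted."""
        for i, b in enumerate(text):
            self.mem[dest + i] = b
            self.shadow_mem[dest + i] = {label}

    def dma_from_disk(self, data: bytes, dest: int, label: str) -> None:
        """Disk-to-memory DMA: the emulator observes the transfer and copies the
        label of the (pre-labelled) sectors along with the bytes."""
        for i, b in enumerate(data):
            self.mem[dest + i] = b
            self.shadow_mem[dest + i] = {label}

    # --- instruction-level propagation ----------------------------------------
    def load(self, reg: str, addr: int) -> None:
        """mov reg, [addr]: the register inherits the byte's labels."""
        self.regs[reg] = self.mem[addr]
        self.shadow_regs[reg] = set(self.shadow_mem[addr])

    def store(self, addr: int, reg: str) -> None:
        """mov [addr], reg: the memory byte inherits the register's labels."""
        self.mem[addr] = self.regs[reg] & 0xFF
        self.shadow_mem[addr] = set(self.shadow_regs[reg])

    def mov_imm(self, reg: str, value: int) -> None:
        """mov reg, imm: an immediate constant is always clean."""
        self.regs[reg] = value & 0xFF
        self.shadow_regs[reg] = set()

    def add(self, dst: str, src: str) -> None:
        """add dst, src: the result depends on both operands, so labels are unioned."""
        self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
        self.shadow_regs[dst] = self.shadow_regs[dst] | self.shadow_regs[src]

    def xor(self, dst: str, src: str) -> None:
        """xor dst, src. The idiom `xor eax, eax` produces a constant zero, so the
        result is clean whatever the input taint was; otherwise labels are unioned."""
        if dst == src:
            self.regs[dst] = 0
            self.shadow_regs[dst] = set()
            return
        self.regs[dst] ^= self.regs[src]
        self.shadow_regs[dst] = self.shadow_regs[dst] | self.shadow_regs[src]

    # --- taint sink: the network interface buffer ------------------------------
    def dma_to_nic(self, src: int, length: int) -> list[tuple[int, set]]:
        """Memory-to-NIC DMA: whatever labels the bytes carry leave with them.
        Returns (byte, labels) pairs so a monitor can ask what was sent."""
        out = [(self.mem[src + i], set(self.shadow_mem[src + i])) for i in range(length)]
        self.nic_out.extend(out)
        return out


def keylogger_demo() -> dict:
    """Constructed scenario: a keylogger copies keystrokes byte by byte into a send
    buffer, 'encodes' them by adding a constant, and flushes the buffer over the NIC."""
    m = TaintMachine()
    m.keyboard_input(b"hunter2", dest=0, label="password")   # constructed sample input
    m.mov_imm("ebx", 1)                  # clean constant used as the 'encoder'
    for i in range(7):
        m.load("eax", i)                 # eax <- tainted keystroke
        m.add("eax", "ebx")              # still tainted: {"password"} | {} == {"password"}
        m.store(16 + i, "eax")           # send buffer inherits the label
    sent = m.dma_to_nic(16, 7)           # labels travel with the bytes to the NIC
    m.xor("eax", "eax")                  # clears the register's taint
    return {
        "sent_labels": [labels for _, labels in sent],
        "eax_after_xor": m.shadow_regs["eax"],
        "untouched_byte_clean": m.shadow_mem[40] == set(),
    }
```

The point the model makes is the one the slides make: because the label is attached when the bytes enter through the keyboard controller and is carried by every move, arithmetic and DMA that depends on them, the bytes reaching the NIC still say "password" even after the malware transformed them, while constants and self-xor results stay clean.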
12
Code identification
  • Identifying the code under analysis and its
    actions
    • The entire code segment is labeled
    • Dynamic or encrypted code is labeled too
    • A similar method labels trusted code

13
Three categorized behaviors
  • Anomalous information access
    • MS Paint accessing passwords
  • Anomalous information leakage
    • A BHO reporting home about surfed websites
  • Excessive information access
    • Repeatedly accessing a directory to hide a rootkit

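The taint graph slides and the three behavior categories above fit together as one detection step: build the graph from OS-aware observations (source, then the process/module that touched the data, then the OS resource it was written to) and evaluate policies over it. The code below is an added example for this transcript, not the Panorama prototype's code; the event format, the allow-lists, the threshold of 20 directory accesses and every process, module, path and address name are constructed sample data.

```python
"""Taint graph built from OS-aware taint events, with the three behavior checks
the deck lists. Added illustration, not the Panorama prototype's code; all process,
module, file and network names below are constructed sample data."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One OS-aware observation: code in `module`, running inside `process`, touched
    data carrying `label` and, if `sink` is set, wrote it to that OS resource."""
    label: str            # root taint source: text, password, http, directory, ...
    process: str
    module: str
    sink: str | None = None   # "file:...", "dir:...", "net:..." or None


class TaintGraph:
    """Root nodes are taint sources ("src:<label>"); their children are OS objects
    ("<process>:<module>") that touched the data; leaves are OS resources ("res:...")."""

    def __init__(self) -> None:
        self.children: dict[str, set[str]] = defaultdict(set)
        self.access_count: dict[tuple[str, str], int] = defaultdict(int)

    def add(self, ev: Event) -> None:
        node = f"{ev.process}:{ev.module}"
        self.children[f"src:{ev.label}"].add(node)
        self.children[node]                    # make sure the node exists even without a sink
        if ev.sink:
            self.children[node].add(f"res:{ev.sink}")
            self.access_count[(node, ev.sink)] += 1

    def touched_by(self, label: str) -> set[str]:
        """Processes (not modules) that touched data from `label`."""
        return {n.split(":", 1)[0] for n in self.children.get(f"src:{label}", ())}


# Constructed policy knobs (assumptions, not values from the paper).
ALLOWED_READERS = {"password": {"firefox.exe", "iexplore.exe", "lsass.exe"}}
BROWSING_LABELS = {"text", "http", "https"}
TRUSTED_NET_MODULES = {"firefox.exe", "iexplore.exe"}   # the browsers' own executables
DIR_ACCESS_THRESHOLD = 20


def check_policies(events: list[Event]) -> list[tuple[str, str, str]]:
    """Build the taint graph and return sorted (category, who, what) alerts."""
    g = TaintGraph()
    for ev in events:
        g.add(ev)
    alerts: set[tuple[str, str, str]] = set()

    # 1. Anomalous information access: a process that has no business with a label.
    for label, allowed in ALLOWED_READERS.items():
        for proc in g.touched_by(label) - allowed:
            alerts.add(("anomalous_access", proc, label))

    # 2. Anomalous information leakage: browsing data reaches a network resource
    #    through a module other than the browser itself (e.g. a BHO inside iexplore.exe).
    for label in BROWSING_LABELS:
        for node in g.children.get(f"src:{label}", ()):
            module = node.split(":", 1)[1]
            if module in TRUSTED_NET_MODULES:
                continue
            for res in g.children[node]:
                if res.startswith("res:net:"):
                    alerts.add(("anomalous_leakage", node, res[len("res:"):]))

    # 3. Excessive information access: the same code hammering one directory.
    for (node, sink), count in g.access_count.items():
        if sink.startswith("dir:") and count > DIR_ACCESS_THRESHOLD:
            alerts.add(("excessive_access", node, sink))

    return sorted(alerts)


# Constructed sample events: two benign flows followed by one instance of each category.
SAMPLE_EVENTS = [
    Event("http", "firefox.exe", "firefox.exe", "file:cache/0001.html"),   # benign browser cache write
    Event("password", "firefox.exe", "nss3.dll"),                           # benign: browser handles its own logins
    Event("password", "mspaint.exe", "mspaint.exe"),                        # anomalous access
    Event("text", "iexplore.exe", "iexplore.exe"),                          # benign: browser reads the typed URL
    Event("text", "iexplore.exe", "evilbho.dll", "net:203.0.113.5:80"),     # leakage via a BHO (TEST-NET address)
] + [Event("directory", "rootkit.exe", "rootkit.exe", "dir:C:\\Windows\\System32")] * 50


def demo() -> list[tuple[str, str, str]]:
    return check_policies(SAMPLE_EVENTS)
```

Each alert names the graph node that caused it, which is exactly the edge an analyst would look at next: the source-to-process edge for anomalous access, the process-to-network-resource edge for leakage, and the edge multiplicity for excessive access.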
14
Malware detection results
  • 42 real-world malware samples
  • 56 benign applications were tested
  • Only 3 false positives, no false negatives
    • 2 from a personal firewall
    • 1 from a browser accelerator

15
Summary
  • A new system to detect malware
    • System-wide information flow
    • Taint tracking
    • Data access and process tracking
    • Taint graphs
    • Policies

16
Contributions
  • Unified approach to detect and analyze diverse
    malware
  • Designed and developed a functional prototype
  • Detected all malware samples
    • Keystroke loggers, password sniffers, packet
      sniffers, stealth backdoors, rootkits, and spyware

17
Weaknesses
  • Performance overhead
    • Measured using Cygwin utilities
    • Prototype is not optimized
    • Average slowdown is 20 times
    • Intended as an offline tool
  • Evasive malware
    • Time bombs
    • Selective keystroke loggers
    • Virtual environment detection

18
How to Improve
  • Optimize the code
  • Automate taint graph analysis and policy
    implementation
  • Virtual environment shielding
    • Or switch out of the emulated environment
  • Implement the improvements mentioned
    • Unicode conversion and switch-case issue

19
The End
  • Thank you