Page 1: Information Flow Control

Nick Feamster
CS 6262
Spring 2009

Page 2: Lattice-Based Models

• Denning's axioms
• Bell-LaPadula model (BLP)
• Biba model

Page 3: Denning's Lattice Model

<SC, →, ⊕>

• SC: the set of security classes
• → ⊆ SC × SC: the flow relation (read A → B as "information in class A can flow to class B")
• ⊕: SC × SC → SC: the class-combining operator (data derived from classes A and B belongs to class A ⊕ B)

Page 4: Denning's Axioms

<SC, →, ⊕>

1. SC is finite
2. → is a partial order on SC
3. SC has a lower bound L such that L → A for all A ∈ SC
4. ⊕ is a least upper bound (lub) operator on SC

Page 5: Implications

• SC is a universally bounded lattice
• There exists a greatest lower bound (glb) operator ⊗ (also called meet)
• There exists a highest security class H (the lub of all classes, which exists because SC is finite)

Page 6: Lattice Structures

Hierarchical classes:

  Unclassified → Confidential → Secret → Top Secret

Arrows are can-flow; reflexive and transitive edges are implied but not shown.

Page 7: Lattice Structures

Hierarchical classes, read either way:

  Unclassified → Confidential → Secret → Top Secret   (can-flow)
  Top Secret ≥ Secret ≥ Confidential ≥ Unclassified   (dominance)

Dominance is can-flow in the opposite direction: B dominates A exactly when A → B.

Page 8: Lattice Structures

Compartments and categories: the subsets of {ARMY, CRYPTO} ordered by inclusion

        {ARMY, CRYPTO}
        /            \
   {ARMY}          {CRYPTO}
        \            /
             {}

Can-flow runs upward, from a set to its supersets; {ARMY} and {CRYPTO} are incomparable.

Page 9: Lattice Structures

Compartments and categories: the subsets of {ARMY, NUCLEAR, CRYPTO} ordered by inclusion

                 {ARMY, NUCLEAR, CRYPTO}
  {ARMY, NUCLEAR}     {ARMY, CRYPTO}     {NUCLEAR, CRYPTO}
      {ARMY}             {NUCLEAR}            {CRYPTO}
                            {}

Each set flows to every superset in the row above it (edges omitted); the lub of two sets is their union and the glb is their intersection.

Page 10: Lattice Structures

Hierarchical classes with compartments:

  levels:        S → TS
  compartments:  {} → {A}, {B} → {A, B}

The product of two lattices is a lattice: a class is a (level, compartment set) pair, and (l1, c1) → (l2, c2) iff l1 → l2 and c1 ⊆ c2.
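A working model of the lattice machinery on pages 3 to 10, written for this page and not taken from the slides: classes are (level, compartment set) pairs, can_flow is the → relation, lub is ⊕ and glb is ⊗. The level names come from the slides; the compartment names ARMY, NUCLEAR and CRYPTO, the tuple encoding and the helper names are assumptions made for the illustration. check_axioms evaluates all four of Denning's axioms over the whole product lattice and reports the implied glb and highest class H.

```python
"""Denning's lattice <SC, ->, (+)> for hierarchical levels with compartments.

Added example, not code from the slides. The level names are from the
slides; the compartment names, the (level, compartments) tuple encoding and
the helper names are assumptions made for this illustration.
"""
from itertools import product

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
COMPARTMENTS = ["ARMY", "NUCLEAR", "CRYPTO"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def security_classes(levels=LEVELS, compartments=COMPARTMENTS):
    """SC: the product of the level chain and the powerset of the
    compartments (the product of two lattices is a lattice)."""
    subsets = [frozenset(c for c, keep in zip(compartments, bits) if keep)
               for bits in product([0, 1], repeat=len(compartments))]
    return {(lvl, s) for lvl in levels for s in subsets}


def can_flow(a, b):
    """a -> b: b dominates a, i.e. b's level is at least a's and b's
    compartments include a's. Dominance is can-flow read backwards."""
    return RANK[a[0]] <= RANK[b[0]] and a[1] <= b[1]


def lub(a, b):
    """a (+) b, the class-combining operator: least upper bound."""
    return (LEVELS[max(RANK[a[0]], RANK[b[0]])], a[1] | b[1])


def glb(a, b):
    """a (x) b, the meet: greatest lower bound (implied by the axioms)."""
    return (LEVELS[min(RANK[a[0]], RANK[b[0]])], a[1] & b[1])


def is_lub(u, a, b, sc):
    """u is an upper bound of a and b that flows to every other upper bound."""
    return (can_flow(a, u) and can_flow(b, u)
            and all(can_flow(u, c) for c in sc if can_flow(a, c) and can_flow(b, c)))


def is_glb(g, a, b, sc):
    """Dual of is_lub: g is a lower bound that every lower bound flows to."""
    return (can_flow(g, a) and can_flow(g, b)
            and all(can_flow(c, g) for c in sc if can_flow(c, a) and can_flow(c, b)))


def check_axioms(sc):
    """Evaluate Denning's four axioms on sc plus the two implied properties
    (existence of glb and of a highest class H). Returns a dict of results."""
    sc = list(sc)
    pairs = [(a, b) for a in sc for b in sc]
    partial_order = (
        all(can_flow(a, a) for a in sc)                                          # reflexive
        and all(a == b for a, b in pairs if can_flow(a, b) and can_flow(b, a))   # antisymmetric
        and all(can_flow(a, c) for a, b in pairs if can_flow(a, b)
                for c in sc if can_flow(b, c)))                                  # transitive
    lower = [l for l in sc if all(can_flow(l, a) for a in sc)]
    highest = [h for h in sc if all(can_flow(a, h) for a in sc)]
    return {
        "size": len(sc),                                             # axiom 1: SC is finite
        "partial_order": partial_order,                              # axiom 2
        "lower_bound": lower[0] if lower else None,                  # axiom 3: L -> A for all A
        "lub": all(is_lub(lub(a, b), a, b, sc) for a, b in pairs),   # axiom 4
        "glb": all(is_glb(glb(a, b), a, b, sc) for a, b in pairs),   # implied: meet exists
        "highest": highest[0] if highest else None,                  # implied: H exists
    }


if __name__ == "__main__":
    sc = security_classes()
    print(check_axioms(sc))
    a = ("Secret", frozenset({"ARMY"}))
    b = ("Confidential", frozenset({"CRYPTO"}))
    # Incomparable classes: neither flows to the other, but both flow to a (+) b.
    print(can_flow(a, b), can_flow(b, a), lub(a, b), glb(a, b))
```

The brute-force check is deliberate: with 4 levels and 3 compartments SC has 32 classes, small enough to verify every axiom by enumeration, which is the easiest way to convince yourself that a hand-built label lattice in a real system (levels times categories) really is a lattice before writing policy on top of it.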

Page 11: Challenges

• Implicit information flow
  – Conditional statements can implicitly leak information: a branch on a secret value followed by an assignment to a public variable reveals the secret without ever copying it explicitly
• Implementing a system that explicitly controls the flow of information

Page 12: Static Binding: Run-Time

• Objects are statically bound to classes
• Enforcement can operate either at run time or at compile time
• Run-time mechanisms
  – Each process p carries two classes: the highest class p can read from and the lowest class p can write to

Page 13: Static Binding: Compile-Time

• Certify the program at compile time
• Advantages
  – Security guarantees before execution
  – Does not affect execution speed
• Disadvantages
  – Flows not specified by the program cannot be verified
  – Hardware could malfunction at run time, producing flows the certification never saw

Page 14: Static Binding, Run-Time

Page 15: Dynamic Binding

• Objects can dynamically change their classification
• One approach: update the class of an object whenever data flows into it
  – Nondecreasing class mechanism: the class only ever rises, to the lub of the old class and the class of the incoming data
  – Main problem: the update is triggered only by explicit flows, so implicit flows through conditionals are missed
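The implicit-flow problem of page 11 and the "explicit flow only" limitation of dynamic binding on this page, shown side by side on a toy program. This is an added example written for this page, not code from the slides: the mini-language (assign and if over a two-point lattice L → H), the certify and run helpers, and the program l := 0; if h == 1 then l := 1 are constructed for the illustration. certify is a compile-time check in the spirit of page 13 that folds the labels of the enclosing conditions into a pc label; run is a run-time, nondecreasing-class mechanism as described on this page, optionally extended with the same pc label.

```python
"""Explicit and implicit flows under compile-time certification and under
run-time (dynamic-binding) tracking.

Added example written for this page, not code from the slides. The
mini-language, the two-point lattice L -> H, the certify/run helpers and the
program text are constructed for illustration.
"""
ORDER = {"L": 0, "H": 1}


def lub(*labels):
    """Class-combining operator (+) on the two-point lattice L -> H."""
    return max(labels, key=ORDER.__getitem__)


def can_flow(a, b):
    return ORDER[a] <= ORDER[b]


def expr_label(expr, labels):
    """Label of an expression: the lub of the labels of the variables it
    reads. Literals carry no information and are L."""
    if isinstance(expr, str):
        return labels[expr]
    if isinstance(expr, int):
        return "L"
    _, left, right = expr
    return lub(expr_label(left, labels), expr_label(right, labels))


def certify(stmts, labels, pc="L"):
    """Compile-time certification with static binding: each x := e must
    satisfy label(e) (+) pc -> label(x), where pc is the lub of the labels of
    every enclosing condition. Returns the list of violating assignments."""
    bad = []
    for st in stmts:
        if st[0] == "assign":
            _, x, e = st
            if not can_flow(lub(expr_label(e, labels), pc), labels[x]):
                bad.append(st)
        else:  # ("if", cond, then_branch, else_branch)
            _, cond, then_b, else_b = st
            pc2 = lub(pc, expr_label(cond, labels))
            bad += certify(then_b, labels, pc2) + certify(else_b, labels, pc2)
    return bad


def evaluate(expr, env):
    if isinstance(expr, str):
        return env[expr]
    if isinstance(expr, int):
        return expr
    op, left, right = expr
    a, b = evaluate(left, env), evaluate(right, env)
    return {"+": a + b, "==": int(a == b)}[op]


def run(stmts, env, labels, track_pc=False, pc="L"):
    """Run-time tracking with dynamic binding: the class of x is raised to the
    lub of its old class and label(e) whenever data flows into it (classes
    never decrease). Only the branch actually taken is seen. With track_pc the
    label of the enclosing condition is folded in as well."""
    for st in stmts:
        if st[0] == "assign":
            _, x, e = st
            env[x] = evaluate(e, env)
            labels[x] = lub(labels[x], expr_label(e, labels),
                            pc if track_pc else "L")
        else:
            _, cond, then_b, else_b = st
            pc2 = lub(pc, expr_label(cond, labels))
            branch = then_b if evaluate(cond, env) else else_b
            run(branch, env, labels, track_pc, pc2)
    return env, labels


# Constructed program: l := 0; if h == 1 then l := 1
# After it runs l == h, yet h is never assigned to l explicitly.
PROGRAM = [
    ("assign", "l", 0),
    ("if", ("==", "h", 1), [("assign", "l", 1)], []),
]
STATIC_LABELS = {"h": "H", "l": "L"}


def demo(h):
    """Run PROGRAM on secret input h with both run-time variants and report
    the final value of l and the label each variant leaves on it."""
    env, explicit = run(PROGRAM, {"h": h}, dict(STATIC_LABELS))
    _, with_pc = run(PROGRAM, {"h": h}, dict(STATIC_LABELS), track_pc=True)
    return {"value_of_l": env["l"], "explicit_only": explicit["l"],
            "with_pc": with_pc["l"]}


if __name__ == "__main__":
    print("rejected at compile time:", certify(PROGRAM, STATIC_LABELS))
    print("h = 1:", demo(1))
    print("h = 0:", demo(0))
```

Compile-time certification rejects the program at the assignment inside the branch, because that assignment runs under pc = H and l is L. The explicit-flow-only run-time mechanism leaves l labelled L after either run, even though l now equals h. Folding in the pc label repairs the run where the branch is taken (l becomes H) but not the run where it is not: nothing flows into l, so its class is never updated, yet its value still reveals h. That untaken branch is why a purely dynamic, explicit-flow-driven mechanism cannot close implicit channels by itself.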

Page 16: Possible Applications

• Confinement
  – No leaking of information about confidential processes
• Databases
  – Control information flow between the different classes of information in the database
• Decoupling the right of access from the right of control

Page 17: Taint Tracking

Page 18: Motivation

• Malicious software sneaks onto computers
  – Collects users' private information
  – Causes havoc on the Internet
    • Slows performance
    • Costs to remove
  – Reputable vendors violate users' privacy
    • Google Desktop
    • Sony Media Player

Page 19: Traditional Malware Detection

• Signature-based
  – Cannot detect new malware or variants
• Heuristics
  – High false positives
  – High false negatives

Page 20: Panorama Approach

• Input: suspicious behavior
  – Inappropriate, stealthy access to data
• Process: whole-system, fine-grained taint tracking
  – Marking data
  – Operating-system-aware taint analysis: what touches the tainted data, and how
• Output: taint graphs
  – Tracked tainted data

Page 21: Taint Graph

• An information-flow graph showing which processes accessed the tainted data
• Policies are written against the taint graph
• Unknown samples are compared against the taint graph
  – Automatically
  – Across numerous categories of malware

Page 22: Taint Graph Generation

• Similar to a mapped-out logic/process tree
  – Conceptually, horizontal branching
• 9 different types of root taint sources
  – Text, password, http, https, icmp, ftp, document, and directory
• Non-root entries can be
  – OS objects (processes, modules)
  – OS resources (such as a file)

Page 23: Conceptual Structure

• Works with closed-source code
  – Windows OS
  – Firefox
• Monitors the whole system inside a processor emulator
• Shadow memory stores the taint status of
  – Each byte of physical memory
  – The CPU's general-purpose registers
  – The hard disk and network interface buffers

Page 24: Taint Sources

• Test data is entered and marked as a taint source
• It enters from hardware such as
  – Keyboard
  – Network interface
  – Hard disk
• Tainting happens at the hardware level
  – Otherwise malware could hook the input before it reaches the software that would mark it

Page 25: Taint Propagation

• Monitors CPU instructions and DMA operations that handle tainted data
• OS-aware taint tracking
  – Developed a kernel module
    • Authenticated communication to the taint engine
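How pages 23 to 25 fit together, as an added example that is not Panorama's code: a toy machine with byte-granular shadow memory and shadow registers, hardware-level taint sources (a keystroke arriving through an in instruction, network data arriving by DMA), propagation through loads, stores and arithmetic, a sink check on writes to the NIC or disk buffer, and OS-aware context from ctx instructions standing in for the kernel module's process notifications. The instruction set, the device and process names and the trace are all constructed for the illustration.

```python
"""Whole-system, byte-granular taint tracking that produces a taint graph.

Added example written for this page; it is not Panorama's code. The
instruction set, the device and process names and the trace below are all
constructed for illustration.
"""
from collections import defaultdict

MEM_SIZE = 64


class TaintMachine:
    """A toy CPU in which every byte of memory and every register has a
    shadow taint set, in the spirit of the emulator-based design on the slides."""

    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.shadow_mem = [frozenset() for _ in range(MEM_SIZE)]  # taint per byte
        self.regs = {"r0": 0, "r1": 0, "r2": 0}
        self.shadow_regs = {r: frozenset() for r in self.regs}
        self.process = "<kernel>"        # OS-aware part: who is running now
        self.touched = defaultdict(set)  # process -> taint sources it read
        self.graph = defaultdict(set)    # (process, sink) -> sources it sent there

    def _note(self, taints):
        """Record that the current process handled tainted data."""
        if taints:
            self.touched[self.process] |= taints

    def step(self, ins):
        op, *args = ins
        if op == "ctx":                  # process switch, reported by the kernel module
            self.process = args[0]
        elif op == "in":                 # keyboard -> register; data is a taint source
            reg, source, value = args
            self.regs[reg] = value
            self.shadow_regs[reg] = frozenset({source})
        elif op == "dma":                # NIC/disk DMA straight into physical memory
            addr, source, data = args
            self.mem[addr:addr + len(data)] = data
            for i in range(len(data)):
                self.shadow_mem[addr + i] = frozenset({source})
        elif op == "load":               # taint travels with the byte
            reg, addr = args
            self.regs[reg] = self.mem[addr]
            self.shadow_regs[reg] = self.shadow_mem[addr]
            self._note(self.shadow_regs[reg])
        elif op == "store":
            addr, reg = args
            self.mem[addr] = self.regs[reg] & 0xFF
            self.shadow_mem[addr] = self.shadow_regs[reg]
        elif op == "add":                # result is tainted by both operands
            rd, rs = args
            self.regs[rd] = (self.regs[rd] + self.regs[rs]) & 0xFF
            self.shadow_regs[rd] = self.shadow_regs[rd] | self.shadow_regs[rs]
            self._note(self.shadow_regs[rd])
        elif op == "movi":               # constant: clears the taint
            rd, imm = args
            self.regs[rd] = imm
            self.shadow_regs[rd] = frozenset()
        elif op == "out":                # write to NIC/disk buffer: a sink
            sink, addr, length = args
            taints = frozenset().union(*self.shadow_mem[addr:addr + length])
            if taints:
                self.graph[(self.process, sink)] |= taints
        else:
            raise ValueError("unknown instruction %r" % (op,))


# Constructed trace: the browser stores a typed password character and reads
# a network packet, a keylogger reads the keystroke, transforms it and sends
# it out, and Paint writes a constant to disk.
TRACE = [
    ("ctx", "iexplore.exe"),
    ("in", "r0", "keyboard:password", 0x41),
    ("store", 16, "r0"),
    ("dma", 48, "net:http", b"GET "),
    ("load", "r2", 48),
    ("ctx", "keylogger.exe"),
    ("load", "r1", 16),
    ("movi", "r2", 1),
    ("add", "r1", "r2"),              # arithmetic does not launder the taint
    ("store", 32, "r1"),
    ("out", "nic", 32, 1),
    ("ctx", "mspaint.exe"),
    ("movi", "r0", 7),
    ("store", 40, "r0"),
    ("out", "disk", 40, 1),           # untainted bytes: no graph edge
]


def run_trace(trace):
    m = TaintMachine()
    for ins in trace:
        m.step(ins)
    return m


if __name__ == "__main__":
    m = run_trace(TRACE)
    print(dict(m.touched))
    print(dict(m.graph))
```

Two things the trace makes visible: the keystroke stays tainted across the store, the load by another process and the add, so the NIC write by keylogger.exe produces the edge (keylogger.exe, nic) carrying keyboard:password; and the process attribution comes entirely from the ctx notifications, which is exactly the channel the slides say must be authenticated, since a kernel-level malware that could forge them would get its flows charged to a benign process.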

Page 26: OS-Aware Taint Tracking

• Resolving process and module information
  – Which process does an operation come from?
  – Module notifier
  – Tampering?
• Mapping file and network information to taints
  – File system forensics
  – Mapping connections back to processes

Page 27: Code Identification

• Identifying the code under analysis and its actions
  – The entire code segment is labeled
  – Dynamically generated or encrypted code is labeled too
  – A similar method labels trusted code
• What does the analysis do about the various derivatives of the code?
  – Dynamic generation
  – Calling trusted code

Page 28: Three Categorized Behaviors

• Anomalous information access
  – MS Paint accessing passwords
• Anomalous information leakage
  – A browser helper object (BHO) reporting home about surfed websites
• Excessive information access
  – Repeatedly accessing a directory to hide a rootkit
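The three behaviour categories expressed as policy checks over a taint graph, as an added example that is not Panorama's policy code. The graph edges, the process names, the allow-lists and the threshold are constructed for the illustration; each function answers one category and classify combines them.

```python
"""Policy checks over a taint graph for the three behaviour categories.

Added example, not Panorama's policies: the graph edges, process names,
allow-lists and threshold below are constructed for illustration.
"""
from collections import Counter

# Constructed taint graph: one edge per observed flow,
# (process, operation, object, taint sources carried by the data).
GRAPH = [
    ("iexplore.exe", "read", "keyboard", {"password"}),
    ("iexplore.exe", "send", "net:bank.example", {"password"}),
    ("mspaint.exe", "read", "keyboard", {"password"}),         # anomalous access
    ("iexplore.exe", "read", "net:http", {"url"}),
    ("bho.dll", "read", "net:http", {"url"}),
    ("bho.dll", "send", "net:tracker.example", {"url"}),       # anomalous leakage
] + [("rootkit.sys", "read", "dir:C:\\Windows\\System32", {"directory"})] * 50

# Assumed allow-lists: which processes may handle a kind of tainted data at
# all, and which may send it off the machine.
ALLOWED_ACCESS = {"password": {"iexplore.exe", "winlogon.exe"},
                  "url": {"iexplore.exe", "bho.dll"}}
ALLOWED_SEND = {"password": {"iexplore.exe"}, "url": {"iexplore.exe"}}
EXCESSIVE_THRESHOLD = 20  # reads of the same object by one process


def anomalous_access(graph, allowed=ALLOWED_ACCESS):
    """A process touches a kind of tainted data it has no business with."""
    return sorted({(p, s) for p, _, _, srcs in graph
                   for s in srcs if s in allowed and p not in allowed[s]})


def anomalous_leakage(graph, allowed=ALLOWED_SEND):
    """Tainted data leaves the machine via a process not allowed to send it."""
    return sorted({(p, obj, s) for p, op, obj, srcs in graph if op == "send"
                   for s in srcs if s in allowed and p not in allowed[s]})


def excessive_access(graph, threshold=EXCESSIVE_THRESHOLD):
    """One process reads the same tainted object far more often than normal."""
    counts = Counter((p, obj) for p, op, obj, _ in graph if op == "read")
    return sorted((p, obj, n) for (p, obj), n in counts.items() if n > threshold)


def classify(graph):
    """Map each flagged process to the sorted list of policies it violated."""
    hits = {}
    for p, _ in anomalous_access(graph):
        hits.setdefault(p, set()).add("anomalous access")
    for p, _, _ in anomalous_leakage(graph):
        hits.setdefault(p, set()).add("anomalous leakage")
    for p, _, _ in excessive_access(graph):
        hits.setdefault(p, set()).add("excessive access")
    return {p: sorted(v) for p, v in hits.items()}


if __name__ == "__main__":
    for proc, reasons in classify(GRAPH).items():
        print(proc, reasons)
```

The allow-lists are where the false positives on page 29 come from in practice: a personal firewall legitimately inspects every process's network traffic, so it trips the leakage rule unless it is listed, and a browser accelerator reads URLs for a benign reason.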

Page 29: Malware Detection

• 42 real-world malware samples
• 56 benign applications were tested
• Only 3 false positives, no false negatives
  – 2 from a personal firewall
  – 1 from a browser accelerator

Page 30: Summary

• A new system to detect malware
  – System-wide information flow
• Taint tracking
  – Data access and process tracking
  – Taint graphs
    • Policies

Page 31: Contributions

• Unified approach to detect and analyze diverse malware
• Designed and developed a functional prototype
• Detected all malware samples
  – Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware

Page 32: Weaknesses

• Performance overhead
  – Using Cygwin utilities
  – Prototype is not optimized
  – Average slowdown is 20 times
  – Intended as an offline tool
• Evasive malware
  – Time bombs
  – Selective keystroke loggers
  – Virtual environment detection

Page 33: How to Improve

• Optimize the code
• Automate taint graph analysis and policy implementation
• Virtual environment shielding
  – Or switch out of the emulated environment
• Implement the mentioned improvements
  – Unicode conversion, switch-case issue