39
Process Coloring: An Information Flow- Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Computer Science George Mason University NICIAR Site Visit, West Lafayette, IN, July 25, 2008

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

  • Upload
    sabine

  • View
    28

  • Download
    0

Embed Size (px)

DESCRIPTION

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang - PowerPoint PPT Presentation

Citation preview

Page 1: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu, Ryan RileyDepartment of Computer Science and

Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University

Xuxian JiangDepartment of Computer Science

George Mason University

NICIAR Site Visit, West Lafayette, IN, July 25, 2008

Page 2: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Outline

Project overview and Heilmeier Q&A Quarterly update and demo “PC+DDFA” integration Administrative issues

Page 3: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Key idea: propagating and logging application provenance information (“colors”) along OS-level information flows Existing tools only consider direct causality relations

without preserving and exploiting application provenance information

Tax Express

Web Browser

Text Editor

File Manager

Logger

Guest OS

Virtual Machine Monitor (VMM)

LogMonitor

Virtual Machine

Log

Process Coloring (PC) Overview

Page 4: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

httpd

s80httpdrcinit

s45named

s30sendmail

s55sshd

s80httpd

s30sendmail

s45named

s55sshd

/bin/sh

wgetRootkitRootkit

Local filesLocal files

netcat • /etc/shadow• Confidential

Info

• /etc/shadow• Confidential

Info

Initial coloring

Coloring diffusion

SyscallLog

Capability 3: Color-based log

partition for contamination analysis

Capability 3: Color-based log

partition for contamination analysis

PC Usage Scenario: Server-Side Malware Attack

Capability 1: PC malware alert

“No shell process should have the color

of Apache”

Capability 1: PC malware alert

“No shell process should have the color

of Apache”

Capability 2: Color-based

identification of malware break-in point

Capability 2: Color-based

identification of malware break-in point

Page 5: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

firefox

notepad

turbotax

warcraft

Web Browser

Tax

Editor

Games

AgobotAgobot

Tax filesTax files

PC Usage Scenario: Client-Side Malware Attack

Agobot

www.malicious.net

PC malware alert

“Web browser and tax colors should never

mix”

PC malware alert

“Web browser and tax colors should never

mix”

Page 6: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Tax filesTax filesDate filesDate files

outlook

notepad

turbotax

warcraft

Email

Tax

Editor

Games

PC Usage Scenario: Client-Side Sensitive Data Protection

PC data theft alert

“Tax file should never leave this computer”

PC data theft alert

“Tax file should never leave this computer”

Tax filesTax filesData filesData files

This is not as simple as it sounds!This is not as simple as it sounds!

Page 7: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Heilmeier Question 1:What are you trying to do?

Tracking and logging OS-level information flows Being extended to both OS and language levels

(“PC+DDFA”)

Tainting processes and data with application provenance information (“colors”) for Detecting and investigating malware activities Enforcing sensitive data protection policies

Using virtualization for stronger tamper-resistance Taking logging and real-time detection to outside

Page 8: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Heilmeier Question 2:How is it done now?

Information flow tracking at multiple levels OS level

Only considering direct causality in each system call

No provenance (“color”) tainting and propagation

Language level Only tracking information Flow within a program No information flow tracking across programs

Instruction level Difficult to understand attack semantics Significant runtime performance overhead

Page 9: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Heilmeier Question 3:What’s new and why will it succeed?

What’s new? Color-based malware alert and sensitive data protection Supporting both on-line detection and off-line forensics Stronger tamper-resistance and non-stop VM operation One of the first to combine OS and language-level

information flows

Why will it succeed? Practical, deployable system based on classic theory Running prototype showing effectiveness and practicality Technical challenges identified and addressed Attracting external interests (SWRI, Lockheed Martin)

Page 10: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Heilmeier Question 4:If successful, what difference will it make?

An extensible, system-level framework for attack/violation detection, investigation and recovery

Specification and enforcement of log and color-based policies for malware alert and data protection

Lower false positive and false negative rates; more timely detection; higher investigation efficiency

Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

Page 11: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Timeline

Cost: $xxx,xxx ($xxx,xxx subcontract) Success metrics

Accuracy, efficiency and timeliness (more later)

Heilmeier Question 5:Your timeline, cost and success metrics?

6/2007 12/07 6/08 12/08

- Basic PC prototype for server-side operation

- Basic PC prototype for server-side operation

- PC prototype for client-side operation (“brown problem” solution)

- Set up “living lab” VM for evaluation

- PC prototype for client-side operation (“brown problem” solution)

- Set up “living lab” VM for evaluation

- Extensive evaluation- Design, prototyping and

demonstration of “PC+DDFA” integration

- Extensive evaluation- Design, prototyping and

demonstration of “PC+DDFA” integration

- Recovery and replay- PC across machines- Data lifetime analysis

for data theft defense

- Recovery and replay- PC across machines- Data lifetime analysis

for data theft defense

Page 12: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Quarterly Update and Demo

Page 13: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Summary of Achievement

Improved sink insulation implementation Cleaned up log management and

visualization Set up “living lab” client VM for evaluation Preliminary design for “PC+DDFA”

Page 14: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Color Saturation Mitigation (Brown Problem)

Finance

Finances.pdf Doc Edit

Policy:“Data written by financial application should not be read by applications that can transmit it outside of the system.”

Policy:“Data written by financial application should not be read by applications that can transmit it outside of the system.”

.recently_used

notes.txtBrowser

Doc Edit

False Alarm

Page 15: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

The Root Cause: Sink File

Page 16: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Zoom-in View of Sink File

F1040.pdf

Page 17: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Sink File Insulation

Some files become color sinks Examples:

.recently_used .gnome2/accels/evince .gnome2/accels/gedit

Color propagated unnecessarily Simply “insulate” these sinks

Page 18: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Result w/ Sink File Insulation

Page 19: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Zoom-in View

F1040.pdf

Page 20: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

“Living Lab” VM for Evaluation

A Linux VM running on Xen System configuration:

256MB RAM 1.8GHz CPU Connected to the Internet

Applications: Firefox OpenOffice Standard GNOME applications

To be used daily by Ryan (more users in the Fall)

Page 21: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

“Living Lab” VM: End User’s View

Page 22: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

“Living Lab” VM: Administrator’s View

Page 23: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

“Living Lab” VM: Demo

A live Demo

Page 24: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Evaluation Metrics – Accuracy of Alerts

False positive and false negative rates Living lab experiment

Specify malware detection and sensitive data protection policies

Analyze alerts raised (true or false) Attack injection experiments

Specify malware detection and sensitive data protection policies

Launch malware instances or sensitive data thefts

Count number of instances caught and missed

Page 25: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Evaluation Metrics - Efficiency

System runtime efficiency Performance of LMBench, UNIXBench and

ApacheBench w/ process coloring w/o process coloring

Malware investigation efficiency Number of colors in alert-raising log entry Total number of colors in system % of log entries w/ “problematic” color(s)

Page 26: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Evaluation Metrics – Timeliness of Alerts

Measure the interval between A malware attack or data protection breach Its detection

Duration of interval depending on malware behavior (in-action or dormant)

Page 27: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Technology Transfer

Within NICECAP Program (ongoing) “PC+DDFA” integration with SWRI/UTexas

team

To Lockheed Martin (ongoing) Target environment: Virtual honeynet

architecture with both server and client VMs PC a good fit for attack detection,

monitoring and investigation Effort starting this summer

Page 28: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

“PC+DDFA” Integration

Page 29: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Summary of Integration Activities

Held multiple meetings with SWRI/UTexas team

Identified motivating usage scenarios Defined API between PC and DDFA Planned detailed design and

implementation

Page 30: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

SensitiveSensitive

outlook

notepad

turbotax

warcraft

Email

Tax

Editor

Games

A Motivating Scenario

PC false alert

“Sensitive file should never leave this

computer”

Date filesDate filesTax filesTax filesMy photoMy photo

File Manager

Sink file insulation doesn’t help…Sink file insulation doesn’t help…

Page 31: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

PC or DDFA Alone Cannot Solve It

PC Process-level information flow treating processes

as blackboxes Overly conservative color tainting Color tainting across processes

DDFA Language-level information flow confined within

one process Not aware of colors across the system Fine-grain data flow tracking within a process

Page 32: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Process

Example: Without “PC+DDFA” Integration

Process

File 2File 2

File 1File 1

New fileNew file

Page 33: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Process Coloring (Operating System level)

Example: With “PC+DDFA” Integration

File 1File 1

File 2File 2

Process (w/ DDFA) New fileNew file

fetch_color(file1)fetch_color(file2)push_color(new_file, )

New fileNew file

Page 34: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Prototyping Plan

SWRI+UTexas Making DDFA color-aware Instrumenting a real-world file manager

PCManFM with DDFA capability

Purdue Implementing fetch_color() and

push_color() in PC Testing instrumented PCManFM in living lab

VM

To show a joint demo before end of project

Page 35: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Administrative Issues

Page 36: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

1. Moving the Subcontract

GMU Subcontract PI Xuxian Jiang will move to North Carolina State University in August

Remaining balance in subcontract $xx,xxx Seeking approval moving the subcontract to

NCSU

Page 37: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

2. No-cost Extension

Purdue balance as of 7/22/2008: $xxx,xxx.xx

Not expected to run out by 12/06/2008 Inquiring about possibility of no-cost

extension

Page 38: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

APPROACH• Track OS-level information flows•Taint processes/data based on their influence between each other• Record color(s) in log entries• Integrate with intra-process DDFA

PLAN / PROGRESS• Model process color diffusion in real OS (done)•Demonstrate PC prototype in a malware scenario

Includes both server (done) and client (done) side solutions

• Mitigate color saturation effect in malware alertProfiling and visualization (done)Reducing false positives caused by legitimate

color mixing (done)Proof-of-concept demo of “PC+DDFA” (Dec.08)

• Evaluate PC in “living lab” VMs (July.08 – Dec.08)

Process Coloring (PC) For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach

LSSD

NEW CAPABILITIES• Color-based malware alert•Color-based malware break-in point identification•Color-based log partitioning

APPLICATIONS•System monitoring and malware (e.g. bots) detection•Malware forensics•Sensitive data protection

Page 39: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Thank you!For more information about the Process Coloring project:

http://friends.cs.purdue.edu/projects/[email protected]