Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu, Ryan RileyDepartment of Computer Science and

Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University

Xuxian JiangDepartment of Computer Science

George Mason University

NICIAR Site Visit, West Lafayette, IN, July 25, 2008

Outline

Project overview and Heilmeier Q&A Quarterly update and demo “PC+DDFA” integration Administrative issues

Key idea: propagating and logging application provenance information (“colors”) along OS-level information flows Existing tools only consider direct causality relations

without preserving and exploiting application provenance information

Tax Express

Web Browser

Text Editor

File Manager

Logger

Guest OS

Virtual Machine Monitor (VMM)

LogMonitor

Virtual Machine

Log

Process Coloring (PC) Overview

httpd

s80httpdrcinit

s45named

s30sendmail

s55sshd

s80httpd

s30sendmail

s45named

s55sshd

/bin/sh

wgetRootkitRootkit

Local filesLocal files

netcat • /etc/shadow• Confidential

Info

• /etc/shadow• Confidential

Info

Initial coloring

Coloring diffusion

SyscallLog

Capability 3: Color-based log

partition for contamination analysis

Capability 3: Color-based log

partition for contamination analysis

PC Usage Scenario: Server-Side Malware Attack

Capability 1: PC malware alert

“No shell process should have the color

of Apache”

Capability 1: PC malware alert

“No shell process should have the color

of Apache”

Capability 2: Color-based

identification of malware break-in point

Capability 2: Color-based

identification of malware break-in point

firefox

notepad

turbotax

warcraft

Web Browser

Tax

Editor

Games

AgobotAgobot

Tax filesTax files

PC Usage Scenario: Client-Side Malware Attack

Agobot

www.malicious.net

PC malware alert

“Web browser and tax colors should never

mix”

PC malware alert

“Web browser and tax colors should never

mix”

Tax filesTax filesDate filesDate files

outlook

notepad

turbotax

warcraft

Email

Tax

Editor

Games

PC Usage Scenario: Client-Side Sensitive Data Protection

PC data theft alert

“Tax file should never leave this computer”

PC data theft alert

“Tax file should never leave this computer”

Tax filesTax filesData filesData files

This is not as simple as it sounds!This is not as simple as it sounds!

Heilmeier Question 1:What are you trying to do?

Tracking and logging OS-level information flows Being extended to both OS and language levels

(“PC+DDFA”)

Tainting processes and data with application provenance information (“colors”) for Detecting and investigating malware activities Enforcing sensitive data protection policies

Using virtualization for stronger tamper-resistance Taking logging and real-time detection to outside

Heilmeier Question 2:How is it done now?

Information flow tracking at multiple levels OS level

Only considering direct causality in each system call

No provenance (“color”) tainting and propagation

Language level Only tracking information Flow within a program No information flow tracking across programs

Instruction level Difficult to understand attack semantics Significant runtime performance overhead

Heilmeier Question 3:What’s new and why will it succeed?

What’s new? Color-based malware alert and sensitive data protection Supporting both on-line detection and off-line forensics Stronger tamper-resistance and non-stop VM operation One of the first to combine OS and language-level

information flows

Why will it succeed? Practical, deployable system based on classic theory Running prototype showing effectiveness and practicality Technical challenges identified and addressed Attracting external interests (SWRI, Lockheed Martin)

Heilmeier Question 4:If successful, what difference will it make?

An extensible, system-level framework for attack/violation detection, investigation and recovery

Specification and enforcement of log and color-based policies for malware alert and data protection

Lower false positive and false negative rates; more timely detection; higher investigation efficiency

Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

Timeline

Cost: $xxx,xxx ($xxx,xxx subcontract) Success metrics

Accuracy, efficiency and timeliness (more later)

Heilmeier Question 5:Your timeline, cost and success metrics?

6/2007 12/07 6/08 12/08

- Basic PC prototype for server-side operation

- Basic PC prototype for server-side operation

- PC prototype for client-side operation (“brown problem” solution)

- Set up “living lab” VM for evaluation

- PC prototype for client-side operation (“brown problem” solution)

- Set up “living lab” VM for evaluation

- Extensive evaluation- Design, prototyping and

demonstration of “PC+DDFA” integration

- Extensive evaluation- Design, prototyping and

demonstration of “PC+DDFA” integration

- Recovery and replay- PC across machines- Data lifetime analysis

for data theft defense

- Recovery and replay- PC across machines- Data lifetime analysis

for data theft defense

Quarterly Update and Demo

Summary of Achievement

Improved sink insulation implementation Cleaned up log management and

visualization Set up “living lab” client VM for evaluation Preliminary design for “PC+DDFA”

Color Saturation Mitigation (Brown Problem)

Finance

Finances.pdf Doc Edit

Policy:“Data written by financial application should not be read by applications that can transmit it outside of the system.”

Policy:“Data written by financial application should not be read by applications that can transmit it outside of the system.”

.recently_used

notes.txtBrowser

Doc Edit

False Alarm

The Root Cause: Sink File

Zoom-in View of Sink File

F1040.pdf

Sink File Insulation

Some files become color sinks Examples:

.recently_used .gnome2/accels/evince .gnome2/accels/gedit

Color propagated unnecessarily Simply “insulate” these sinks

Result w/ Sink File Insulation

Zoom-in View

F1040.pdf

“Living Lab” VM for Evaluation

A Linux VM running on Xen System configuration:

256MB RAM 1.8GHz CPU Connected to the Internet

Applications: Firefox OpenOffice Standard GNOME applications

To be used daily by Ryan (more users in the Fall)

“Living Lab” VM: End User’s View

“Living Lab” VM: Administrator’s View

“Living Lab” VM: Demo

A live Demo

Evaluation Metrics – Accuracy of Alerts

False positive and false negative rates Living lab experiment

Specify malware detection and sensitive data protection policies

Analyze alerts raised (true or false) Attack injection experiments

Specify malware detection and sensitive data protection policies

Launch malware instances or sensitive data thefts

Count number of instances caught and missed

Evaluation Metrics - Efficiency

System runtime efficiency Performance of LMBench, UNIXBench and

ApacheBench w/ process coloring w/o process coloring

Malware investigation efficiency Number of colors in alert-raising log entry Total number of colors in system % of log entries w/ “problematic” color(s)

Evaluation Metrics – Timeliness of Alerts

Measure the interval between A malware attack or data protection breach Its detection

Duration of interval depending on malware behavior (in-action or dormant)

Technology Transfer

Within NICECAP Program (ongoing) “PC+DDFA” integration with SWRI/UTexas

team

To Lockheed Martin (ongoing) Target environment: Virtual honeynet

architecture with both server and client VMs PC a good fit for attack detection,

monitoring and investigation Effort starting this summer

“PC+DDFA” Integration

Summary of Integration Activities

Held multiple meetings with SWRI/UTexas team

Identified motivating usage scenarios Defined API between PC and DDFA Planned detailed design and

implementation

SensitiveSensitive

outlook

notepad

turbotax

warcraft

Email

Tax

Editor

Games

A Motivating Scenario

PC false alert

“Sensitive file should never leave this

computer”

Date filesDate filesTax filesTax filesMy photoMy photo

File Manager

Sink file insulation doesn’t help…Sink file insulation doesn’t help…

PC or DDFA Alone Cannot Solve It

PC Process-level information flow treating processes

as blackboxes Overly conservative color tainting Color tainting across processes

DDFA Language-level information flow confined within

one process Not aware of colors across the system Fine-grain data flow tracking within a process

Process

Example: Without “PC+DDFA” Integration

Process

File 2File 2

File 1File 1

New fileNew file

Process Coloring (Operating System level)

Example: With “PC+DDFA” Integration

File 1File 1

File 2File 2

Process (w/ DDFA) New fileNew file

fetch_color(file1)fetch_color(file2)push_color(new_file, )

New fileNew file

Prototyping Plan

SWRI+UTexas Making DDFA color-aware Instrumenting a real-world file manager

PCManFM with DDFA capability

Purdue Implementing fetch_color() and

push_color() in PC Testing instrumented PCManFM in living lab

VM

To show a joint demo before end of project

Administrative Issues

1. Moving the Subcontract

GMU Subcontract PI Xuxian Jiang will move to North Carolina State University in August

Remaining balance in subcontract $xx,xxx Seeking approval moving the subcontract to

NCSU

2. No-cost Extension

Purdue balance as of 7/22/2008: $xxx,xxx.xx

Not expected to run out by 12/06/2008 Inquiring about possibility of no-cost

extension

APPROACH• Track OS-level information flows•Taint processes/data based on their influence between each other• Record color(s) in log entries• Integrate with intra-process DDFA

PLAN / PROGRESS• Model process color diffusion in real OS (done)•Demonstrate PC prototype in a malware scenario

Includes both server (done) and client (done) side solutions

• Mitigate color saturation effect in malware alertProfiling and visualization (done)Reducing false positives caused by legitimate

color mixing (done)Proof-of-concept demo of “PC+DDFA” (Dec.08)

• Evaluate PC in “living lab” VMs (July.08 – Dec.08)

Process Coloring (PC) For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach

LSSD

NEW CAPABILITIES• Color-based malware alert•Color-based malware break-in point identification•Color-based log partitioning

APPLICATIONS•System monitoring and malware (e.g. bots) detection•Malware forensics•Sensitive data protection

Thank you!For more information about the Process Coloring project:

http://friends.cs.purdue.edu/projects/pcPC@cs.purdue.edu