Information Flow Control


Information Flow Control (Nick Feamster, CS 6262, Spring 2009)

Lattice-Based Models
- Denning's axioms
- Bell-LaPadula model (BLP)
- Biba model

Denning's Lattice Model
- The model is a triple <SC, →, ⊕>
- SC: the set of security classes
- → ⊆ SC × SC: the flow relation (can-flow)
- ⊕: SC × SC → SC: the class-combining operator

Denning's Axioms (on <SC, →, ⊕>)
- SC is finite
- → is a partial order on SC
- SC has a lower bound L such that L → A for all A ∈ SC
- ⊕ is a least upper bound (lub) operator on SC

Implications
- SC is a universally bounded lattice
- There exists a greatest lower bound (glb) operator, also called meet
- There exists a highest security class H

Lattice Structures: Hierarchical Classes
Figure: a linear can-flow chain Unclassified → Confidential → Secret → Top Secret; reflexive and transitive edges are implied but not shown.

Lattice Structures: Hierarchical Classes (dominance view)
Figure: the same chain Top Secret, Secret, Confidential, Unclassified drawn with the dominance relation, which points opposite to can-flow (A dominates B exactly when B can flow to A).

Lattice Structures: Compartments and Categories
Figure: subset lattice over the categories ARMY and CRYPTO, with nodes {ARMY, CRYPTO}, {ARMY}, {}; can-flow follows subset inclusion.

Lattice Structures: Compartments and Categories
Figure: the power-set lattice over {ARMY, NUCLEAR, CRYPTO}: top {ARMY, NUCLEAR, CRYPTO}; then {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; then {ARMY}, {NUCLEAR}, {CRYPTO}; bottom {}.

Lattice Structures: Hierarchical Classes with Compartments
Figure: the product of the level lattice {S, TS} and the compartment lattice over {A, B} ({}, {A}, {B}, {A,B}); the product of 2 lattices is a lattice.

Challenges
- Implicit information flow: conditional statements can implicitly leak information
- Implementing a system that explicitly controls the flow of information

Static Binding: Run-Time
- Objects are statically bound to classes
- Enforcement can operate either at run time or at compile time
- Run-time mechanisms: each process p has a mechanism that specifies the highest class p can read from and the lowest class p can write to

Static Binding: Compile-Time
- Certify the program at compile time
- Advantages: security guarantees before execution; does not affect execution speed
- Disadvantages: flows not specified by the program cannot be verified; hardware could malfunction
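The lattice slides above (product of a hierarchical level lattice and a compartment lattice, with can-flow and the ⊕ operator) and the compile-time certification slide, worked as one added example; this is not code from the slides or from Denning, and the variable names, classes and the two tiny programs are constructed:

```python
# Added example (not from the slides): Denning's model as the product of a level
# lattice and a compartment lattice, plus a compile-time flow certifier.
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # Unclassified < Confidential < Secret < Top Secret

@dataclass(frozen=True)
class SC:
    """Security class: hierarchical level paired with a set of categories."""
    level: str
    cats: frozenset

def can_flow(a: SC, b: SC) -> bool:
    """a -> b holds iff b dominates a in both component lattices."""
    return LEVELS[a.level] <= LEVELS[b.level] and a.cats <= b.cats

def join(a: SC, b: SC) -> SC:
    """Class-combining operator (lub): higher level, union of categories."""
    return SC(max(a.level, b.level, key=LEVELS.get), a.cats | b.cats)

def meet(a: SC, b: SC) -> SC:
    """Greatest lower bound (glb): lower level, intersection of categories."""
    return SC(min(a.level, b.level, key=LEVELS.get), a.cats & b.cats)

LOW = SC("U", frozenset())  # the lattice's lower bound L

def certify(stmts, cls, pc=LOW):
    """Compile-time check. stmts are ("assign", y, [x1..xn]) for y := f(x1..xn)
    or ("if", c, body); pc carries the class of enclosing branch conditions so
    implicit flows through conditionals are checked, not only explicit ones."""
    for s in stmts:
        if s[0] == "assign":
            _, y, xs = s
            src = pc
            for x in xs:
                src = join(src, cls[x])  # lub of pc and every source
            if not can_flow(src, cls[y]):
                return False
        else:  # ("if", c, body): the condition's class joins pc for the body
            _, c, body = s
            if not certify(body, cls, join(pc, cls[c])):
                return False
    return True

# Constructed variable classes and two hypothetical programs.
CLASSES = {"key": SC("S", frozenset({"CRYPTO"})), "pub": LOW,
           "log": SC("TS", frozenset({"CRYPTO", "ARMY"}))}
LEAKY = [("if", "key", [("assign", "pub", [])])]      # pub := 1 under `if key`: implicit leak
SAFE = [("if", "key", [("assign", "log", ["key"])])]  # flows only into a dominating class
```

`certify(LEAKY, CLASSES)` is rejected even though no secret value is ever copied, because the assignment to `pub` is control-dependent on `key`; `certify(SAFE, CLASSES)` passes because `log` dominates both `key` and the branch context.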

Static Binding, Run-Time

Dynamic Binding
- Objects can dynamically change their classification
- One approach: update the class of an object whenever data flows into it (nondecreasing class mechanisms)
- Main problem: requires an explicit flow to update the class of an object

Possible Applications
- Confinement: no leaking of information about confidential processes
- Databases: control information flow for different classes of information in the database
- Decoupling the right of access from the right of control

Taint Tracking

Motivation
- Malicious software sneaks onto computers: collects users' private information; causes havoc on the Internet; slows performance; costs to remove
- Reputable vendors violate users' privacy: Google Desktop, Sony Media Player

Traditional Malware Detection
- Signature-based: cannot detect new malware or variants
- Heuristics: high false positives, high false negatives

Panorama Approach
- Input: suspicious behavior, i.e. inappropriate data access done stealthily
- Process: whole-system, fine-grained taint tracking; marking data; operating-system-aware taint analysis (what touches the tainted data and how)
- Output: taint graphs; tracked tainted data

Taint Graph
- An information flow graph that shows which processes accessed the tainted data
- Make policies based on the taint graph
- Compare unknown samples against the taint graph: automatic; numerous categories

Taint Graph Generation
- Similar to a mapped-out logic/process tree; conceptually, horizontal branching
- 9 different types of root taint sources: text, password, HTTP, HTTPS, ICMP, FTP, document, and directory
- Non-root entries can be OS objects (processes, modules) or OS resources (such as a file)

Conceptual Structure
- Works with closed code: Windows OS, Firefox
- Monitors the whole system in a processor emulator
- Shadow memory stores the taint status of each byte of physical memory, the CPU's general-purpose registers, and the hard disk and network interface buffers

Taint Sources
- Test information is input and marked as a taint source
- Input comes from hardware such as the keyboard, network interface, and hard disk
- Tainting at the hardware level: malware could hook before the input reaches the software

Taint Propagation
- Monitors CPU instructions and DMA operations dealing with tainted data
- OS-aware taint tracking: developed a kernel module; authenticated communications to the taint engine

OS-Aware Taint Tracking
- Resolving process and module information: which process does an operation come from? module notifier; tampering?
- Mapping file and network information to taints: file system forensics; mapping connections back to processes

Code Identification
- Identifying the code under analysis and its actions: the entire code segment is labeled; dynamic or encrypted code is labeled too
- A similar method labels trusted code
- What does the analysis do about various derivatives of the code? dynamic generation; calling trusted code

Three Categorized Behaviors
- Anomalous information access: e.g. MS Paint accessing passwords
- Anomalous information leakage: e.g. a BHO reporting home about surfed websites
- Excessive information access: e.g. a repeatedly accessed directory to hide a rootkit
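The propagation, OS-aware attribution and anomalous-leakage policy from the slides above, worked as one added example; this is not Panorama's code, and the process names, addresses and keystrokes are constructed:

```python
# Added example (not Panorama's code): a toy whole-system taint tracker with
# per-byte shadow memory, propagation through a few instructions, and a taint
# graph attributing each sink access to the process that performed it.
from collections import defaultdict

class TaintTracker:
    def __init__(self):
        self.mem, self.shadow = {}, {}        # addr -> byte, addr -> {source labels}
        self.regs, self.reg_shadow = {}, {}   # reg -> value, reg -> {source labels}
        self.graph = defaultdict(set)         # (process, sink) -> {source labels}

    def taint_source(self, addr, data, label):
        """Hardware-level root source: bytes arriving from e.g. the keyboard buffer."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.shadow[addr + i] = {label}

    def execute(self, process, op, dst, src):
        """Propagate taint for one instruction issued by `process` (OS-aware view)."""
        if op == "load":                       # dst <- mem[src]
            self.regs[dst] = self.mem.get(src, 0)
            self.reg_shadow[dst] = set(self.shadow.get(src, ()))
        elif op == "xor" and dst == src:       # x ^= x yields a constant: clear taint
            self.regs[dst], self.reg_shadow[dst] = 0, set()
        elif op in ("add", "xor"):             # data dependency: union of input taints
            a, b = self.regs.get(dst, 0), self.regs.get(src, 0)
            self.regs[dst] = (a + b) & 0xFF if op == "add" else a ^ b
            self.reg_shadow[dst] = self.reg_shadow.get(dst, set()) | self.reg_shadow.get(src, set())
        elif op == "send":                     # register src written to sink dst (file/network)
            labels = self.reg_shadow.get(src, set())
            if labels:                         # untainted output is not recorded
                self.graph[(process, dst)] |= labels

    def accessors(self, label, sink):
        """Processes whose taint-graph edge carries `label` into `sink`."""
        return sorted(p for (p, s), ls in self.graph.items() if s == sink and label in ls)

def demo():
    """Constructed scenario: a browser stores typed text; a second (hypothetical)
    process copies the same keystrokes and writes them to the network."""
    t = TaintTracker()
    t.taint_source(0x1000, b"hunter2", "keyboard")        # constructed keystrokes
    t.execute("browser.exe", "load", "eax", 0x1000)
    t.execute("browser.exe", "send", "file:form_cache", "eax")
    t.execute("keylog.exe", "load", "ebx", 0x1000)
    t.execute("keylog.exe", "xor", "ebx", "ebx")          # taint cleared, ebx == 0
    t.execute("keylog.exe", "load", "ecx", 0x1001)
    t.execute("keylog.exe", "add", "ebx", "ecx")          # taint reintroduced from ecx
    t.execute("keylog.exe", "send", "network", "ebx")     # anomalous information leakage
    return t
```

A policy in the style of the slides then reads the graph: keyboard-tainted bytes reaching a file written by the application that received them is expected access, while the same bytes reaching the network from an unrelated process is anomalous leakage.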

Malware Detections
- 42 real-world malware samples and 56 benign applications were tested
- Only 3 false positives, no false negatives: 2 from a personal firewall, 1 from a browser accelerator

Summary
- A new system to detect malware
- System-wide information flow: taint tracking; data access and process tracking
- Taint graphs; policies

Contributions
- Unified approach to detect and analyze diverse malware
- Designed and developed a functional prototype
- Detected all malware samples: keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware

Weaknesses
- Performance overhead: using Cygwin utilities, the prototype is not optimized and the average slowdown is 20 times; intended as an offline tool
- Evasive malware: time bombs; selective keystroke loggers; virtual environment detection

How to Improve
- Optimize the code
- Automate taint graph analysis and policy implementation
- Virtual environment shielding, or switch out of the emulated environment
- Implement the mentioned improvements
- Unicode conversion / switch-case issue