Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Information and Software Engineering George Mason University NICIAR PI Meeting, Boston, MA, September 19, 2007
Motivation Internet malware remains a top threat Malware: virus, worms, rootkits, spyware, bots…
Motivation
The Challenge: Enabling Timely, Efficient Malware Investigation Raising timely alerts to trigger a malware investigation Identifying the break-in point of the malware Reconstructing all contaminations by the malware Time External detection point Infection Break-in point trace-back Contamination reconstruction Break-in point Log Detection State-of-the-art log-based intrusion investigation tools Log
Limitations of Today’s Tools Long “infection-to-detection” interval Entire log needed for both trace-back and reconstruction Questionable trustworthiness of log data Time External detection point Infection Break-in point trace-back Contamination reconstruction Break-in point Log Detection State-of-the-art log-based intrusion investigation tools Log
Technical Approach: Process Coloring Key idea: propagating and logging malware break-in provenance information (“colors”) along OS-level information flows Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information Runtime alert triggered by log color anomalies Apache SendmailDNSMySQL Logger Guest OS Virtual Machine Monitor (VMM) Log Monitor Virtual Machine Attacker … Log
httpd New Capabilities Enabled by Process Coloring s80httpdrcinit s45named s30sendmail s55sshd s80httpd s30sendmail s45named s55sshd /bin/sh wget Rootkit Local files netcat /etc/shado w Confidential Info /etc/shado w Confidential Info Initial coloring Coloring diffusion Syscall Log Capability 3: Color-based log partition for contamination analysis Capability 2: Color-based identification of malware break-in point Capability 1: Color-based malware warning
... BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5 BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, , 0) = BLUE: 673["sendmail"]: 3_read(5, " ", 4096) = 25 BLUE: 673["sendmail"]: 6_close(5) = 0 BLUE: 673["sendmail"]: 91_munmap( , 4096) = 0... RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5 RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11 RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40 RED: 2568["httpd"]: 4_write(5, 1090) = 1090 … RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21 RED: 2568["httpd"]: 63_dup2(5, 2) = 2 RED: 2568["httpd"]: 63_dup2(5, 1) = 1 RED: 2568["httpd"]: 63_dup2(5, 0) = 0 RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, ) RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2 RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6 Color-Based Malware Warning Capability 1: Color-based malware warning: “unusual color inheritance”
Color-Based Malware Warning Another example: “ color mixing ” RED: 1234 ["httpd"]: … RED+BLUE: 1234 ["httpd"]: system call to read file index.html cp defaced.html index.html bind httpd index.html httpd
Efficiency through Process Coloring LionSlapperSARS Time period being analyzed 24 hours # worm- related entries 66,504195,88419,494 Exploited Service BIND (CVE ) Apache (CAN ) Samba (CAN ) % of Log Inspected 48.7%65.9%12.1% Capability 2: Color-based break-in point identification Capability 2: Color-based break-in point identification Capability 3: Color-based log partitioning Capability 3: Color-based log partitioning
Impact of Success How will it benefit the NIC? Accountability of NIC cyber infrastructure Readiness against current and emerging malware threats (e.g., botnets, rootkits, spyware) to NIC Protection of NIC critical data, information, and computation activities Reduction of NIC human labor in malware investigation
Evaluation Metrics Timeliness Malware infection-to-warning interval Efficiency Percentage of log reduction for malware contamination reconstruction Accuracy False positive rate of malware warning False negative rate of malware warning Correctness of malware action graphs
Work in Progress: Color Diffusion Modeling (Month 1-6) Color Diffusion Model OperationDiffusion syscalls CREATE create color(o 1 ) = color(s 1 ) color(s 2 ) = color(s 1 ) create, mkdir, link fork, vfork, clone READ read color(s 1 ) = color(s 1 ) υ color(o 1 ) color(s 1 ) = color(s 1 ) υ color(s 2 ) read, readv, recv ptrace WRITE write color(o 1 ) = color(s 1 ) υ color(o 1 ) color(s 2 ) = color(s 1 ) υ color(s 2 ) write, writev, send Ptrace, wait, signal DESTROY destroy unlink, rmdir, close exit, kill Object and process relationships in Linux analyzed.
Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18) Server-side malware investigation Consolidated server environment with independent server applications “Clustered” information flows partitioned by server applications Color mixing highly unlikely between applications Client-side malware investigation Inter-dependent client applications (e.g., text editor compiler; latex dvips ps2pdf) More inter-application information flows Legal color mixing exists Color diffusion and logging implemented on Xen. A demo is on-line at:
A motivating example of client-side process coloring Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18) FTP Quick Tax Time Quick Tax FTP + A number of client-side applications are being tested (e.g., Skype, Firefox).
Technology Transfer Plan Potential adopters Computer forensics/malware investigators and researchers System administrators Anti-malware software companies Open source communities (e.g., XenSource) Software release and documentation Presentations and demos to potential NIC adopters Presentations and demos to anti-malware software companies (Symantec, Microsoft, VMware)
Thank you! For more information about the Process Coloring project: