
Eugene Spafford, Dongyan Xu, Ryan Riley


Slide 1: Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu, Ryan Riley
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University

Xuxian Jiang
Department of Computer Science, George Mason University

NICIAR PI Meeting, Chicago, IL, April 7-10, 2008

Slide 2: LSSD Process Coloring for Malware Alert and Investigation: An OS-level Information Flow Preserving Approach

APPROACH
- Track OS-level information flows
- Taint processes/data based on their influence on each other
- Record color(s) in log entries

NEW CAPABILITIES
- Color-based malware alert
- Color-based malware break-in point identification
- Color-based log partitioning

PLAN / PROGRESS
- Model process color diffusion in a real OS (done)
- Demonstrate the process coloring prototype in a malware scenario; includes both server-side (done) and client-side (Aug. 08) solutions
- Mitigate the color saturation effect in malware alert: profiling and visualization (done); reducing false positives caused by legitimate color mixing (Jul. 08); tracking cross-border color mixing (Sept. 08)
- Deploy in a real-world environment (Sept. 08 - Dec. 08)

APPLICATIONS
- System monitoring and malware (e.g. bots) detection
- Malware forensics
- Sensitive information protection

Slide 3: Heilmeier questions 1 and 2

HQ1: What are you trying to do?
Key idea: propagating and logging malware break-in provenance information ("colors") along OS-level information flows.

HQ2: How is it done now? Any limitations?
Existing tools only consider direct causality relations, without preserving and exploiting break-in provenance information.

[Architecture diagram; labels: Virtual Machine, Log Monitor, Log, MySQL, DNS, Sendmail, Apache, Logger, Guest OS, Virtual Machine Monitor (VMM)]

Slide 4: Heilmeier questions 3 and 4

HQ3: What's new? Why do you think it'll succeed?
HQ4: What difference will it make?

Capability 1: Color-based malware alert
Capability 2: Color-based identification of malware break-in point
Capability 3: Color-based log partition for contamination analysis

[Diagram; labels: Initial coloring of the init/rc services s30sendmail, s45named, s55sshd, s80httpd; Syscall Log; Coloring diffusion: httpd, /bin/sh, wget, netcat, Rootkit; Local files; /etc/shadow (Confidential Info)]
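To make the three capabilities concrete, here is an added toy replay of color diffusion over a constructed syscall log. It is not the prototype described on the slides: the log format (seq, pid, comm, syscall, target), the process names, the pids and the policy table are assumptions chosen to mirror the diagram on this slide (httpd spawning /bin/sh, wget and netcat, with sshd and named as other colored services and /etc/shadow as the confidential object).

```python
"""Toy process-coloring replay over a constructed syscall log.

Added example, not the prototype described on the slides: the log format
(seq, pid, comm, syscall, target), the process names and the policy table
are constructed to mirror the slide's diagram (httpd -> /bin/sh -> wget ->
netcat -> /etc/shadow, with sshd and named as other colored services).
"""
from collections import defaultdict

# Initial coloring: each long-running service started from rc gets its own color.
INITIAL_COLORS = {100: {"sshd"}, 200: {"httpd"}, 300: {"named"}}

# Constructed policy: which colors may legitimately read a confidential object.
CONFIDENTIAL = {"/etc/shadow": {"sshd"}}

# Constructed syscall log. "fork" targets are the child pid; the comm column is
# the name the process had when the call was made.
SYSCALL_LOG = [
    (1, 100, "sshd",   "read",  "/etc/shadow"),          # legitimate
    (2, 200, "httpd",  "read",  "/var/www/index.html"),
    (3, 200, "httpd",  "fork",  201),
    (4, 201, "httpd",  "exec",  "/bin/sh"),              # web server spawns a shell
    (5, 201, "sh",     "fork",  202),
    (6, 202, "sh",     "exec",  "/usr/bin/wget"),
    (7, 202, "wget",   "write", "/tmp/rootkit"),
    (8, 300, "named",  "read",  "/etc/named.conf"),
    (9, 201, "sh",     "fork",  203),
    (10, 203, "sh",    "exec",  "/bin/netcat"),
    (11, 203, "netcat", "read", "/etc/shadow"),          # httpd color reaches the secret
]


def diffuse(log, initial):
    """Replay the log, diffusing colors along fork/read/write flows.

    Returns (colored_log, alerts): each entry extended with the colors the
    acting process held when the call was logged, plus Capability 1 alerts
    (a process whose colors are not all permitted reads a confidential object).
    """
    proc = defaultdict(set, {pid: set(c) for pid, c in initial.items()})
    files = defaultdict(set)
    colored, alerts = [], []
    for seq, pid, comm, call, target in log:
        if call == "fork":            # child inherits the parent's colors
            proc[target] |= proc[pid]
        elif call == "read":          # process absorbs the object's colors
            proc[pid] |= files[target]
            allowed = CONFIDENTIAL.get(target)
            if allowed is not None and not proc[pid] <= allowed:
                alerts.append((seq, comm, sorted(proc[pid] - allowed), target))
        elif call == "write":         # object absorbs the process's colors
            files[target] |= proc[pid]
        colored.append((seq, pid, comm, call, target, frozenset(proc[pid])))
    return colored, alerts


def partition(colored_log, color):
    """Capability 3: the slice of the log made by processes carrying `color`."""
    return [e for e in colored_log if color in e[5]]


def break_in_point(colored_log, color):
    """Capability 2 (simplified): the first exec inside a color's partition is
    where that service's color was first carried into a new program."""
    for entry in partition(colored_log, color):
        if entry[3] == "exec":
            return entry
    return None


if __name__ == "__main__":
    colored, alerts = diffuse(SYSCALL_LOG, INITIAL_COLORS)
    for seq, comm, bad, target in alerts:
        print(f"ALERT seq={seq} {comm} read {target} carrying {bad}")
    print("break-in point:", break_in_point(colored, "httpd"))
    for entry in partition(colored, "httpd"):
        print("  httpd partition:", entry[:5])
```

The alert fires on entry 11 because netcat still carries the httpd color it inherited through two forks, and the httpd partition (entries 2 to 11, minus named's entry 8) is the slice an investigator would read first; the first exec in that partition, the shell spawned at entry 4, is reported as the break-in point.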

Slide 5: HQ5: What about its duration, cost, and milestones?
- Released a PC prototype for server-side deployment (Dec. 07)
- Investigated the color saturation problem (i.e. the "brown problem") on the client side (Feb. 08)
- Implemented two techniques to mitigate the "brown problem" (Apr. 08)
- In talks with the UT/SwRI team on integrating program-level and OS-level information flows

Slide 6: Current Work: Color Saturation Mitigation (Brown Problem)
Policy: data written by financial software should not be read by software that can transmit it outside of the system.
[Diagram; labels: Finance, Browser, Finances.pdf, agobot3]

Slide 7: Current Work: Color Saturation Mitigation (Brown Problem)
Policy: data written by financial software should not be read by software that can transmit it outside of the system.
[Diagram; labels: Finance, Browser, Doc Edit, notes.txt, Finances.pdf, .recently_used]

Slides 8-12: Technique 1: Sink File Insulation
- Some files become color sinks
- Color transfers unnecessarily
- Simply "insulate" these sinks
[Diagrams across slides 8-12; label: F1040.pdf]

Slides 13-16: Technique 2: Contextual Insulation
Is that secure? Depends on your goals. Certainly not ideal.
Let's give some brains to the insulation: look at application context, i.e. call stacks.
- The call stack tells us the application context: functions called, arguments used, etc.
- Take a union of valid call stacks to find commonalities
- Compare it to the runtime stack
[Diagram; runtime stack addresses as extracted: 0xb72914eb 0xb77155cc 0x 0xb7582c74 - 0xb56a5b0c 0x ...]

Slide 17: A Demo of Sink File Insulation
http://friends. cs. purdue

Slide 18: Thank you!
For more information about the Process Coloring project:

