Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.

Published byEdward Hines Modified over 9 years ago

Similar presentations

Presentation on theme: "Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N."— Presentation transcript:

1 Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.

2 INDEX  INTRODUCTION  CONTRIBUTION  OVERVIEW OF APPROACH  DESIGN & IMPLEMENTATION  TAINT-GRAPH-BASED MALWARE DETECTION AND ANALYSIS  EVALUATION  CONCLUSION

3 INTRODUCTION Malicious software provided by reputable vendors perform undesirable actions violating users privacy. Eg: Google Desktop, Sony media player. Traditional Malware Detection:  Signature-based  Cannot detect new malware or variants  Heuristics- based  High false positives  High false negatives End-to-end approach to automatically identify the fundamental trait of malicious information access and processing behavior of a given program. Monitor and record the information access and processing behavior of the sample in the test cases: use whole-system, fine-grained taint tracking. (operating-system-aware taint analysis)

4 CONTRIBUTION Observed the fundamental trait of privacy-breaching malware lies in their information access and processing behavior to sensitive information, and proposed an end-to-end automatic approach to classify and detect malware using their information access and processing behaviors. Designed and developed a critical component of Panorama, a whole system, fine-grained, operating-system-aware, dynamic taint tracking system to monitor and investigate the unknown sample. In their extensive experiments, their system detected all the malware samples(keyloggers, password sniffers, stealth backdoors, rootkits and spyware) and had very few false positives.

5 OVERVIEW OF APPROACH Figure 1: System Overview

6 DESIGN AND IMPLEMENTATION Hardware-level Dynamic Taint Tracking OS-Aware Taint Tracking Automated Testing and Taint Graph Generation

7 1)Hardware-level Dynamic Taint Tracking They monitor the whole system execution in a processor emulator and dynamically instrument code to keep track of how tainted data propagates during program execution. Implemented Panorama on QEMU. Our approach can deal with multiple processes, memory swapping and disks.  Shadow Memory: To store taint status, for efficient memory usage.  Taint Sources: All sensitive information that is introduced into the system in the automated tests is marked as taint source.  Taint Propagation: Monitor CPU instructions and DMA operations.

8 Taint Propagation For arithmetic instructions, the result will be tainted if and only if any byte of the operands is tainted. For data movement instructions and DMA operations, destination will be tainted if and only if bytes of operands is tainted. Special cases:  Constant function: Eg: “xor eax, eax” - Untaint the result.  Table lookup: Updated rule: If any byte used to calculate the address of a memory locations is tainted, then, the result of a memory read using this address is tainted as well.  Control flow evasion: Taint tracking stops at a keystroke Unicode conversion routine called _xxxInternalToUnicode while examining Windows kernel code. Solved by instrumenting an instruction within the function. This instrumentation checks the taint status of the input parameter of the function, and appropriately propagates the taint status to its output parameter.

9 2) OS-Aware Taint Tracking Resolving process and module information. Resolving filesystem and network information. Identifying the code under analysis and its actions.

10 Resolving process and module information Developed a kernel module called module notifier. Load this module into the guest operating system to collect the updated memory map information. All the information is passed on to Panorama through a predefined I/O port. To ensure the authenticity of the messages that Panorama receives from the module notifier, we check the program counter of the instruction that is responsible for sending this message.

11 Resolving filesystem and network information Filesystem: Integrated a disk forensic tool called “The Sleuth Kit” (TSK) into Panorama for gathering filesystem information. Network: When tainted data is sent out, check the packet header to find out which connection it belongs to.

12 Identifying the code under analysis and its actions Two Cases: The sample under analysis dynamically generates new code : Taint the complete code segment of the sample under analysis, using a special label. The given code calls a piece of trusted code in order to perform tainted operations on its behalf: We record the current value of the stack pointer, together with the current thread identifier..

13 3) Automated Testing and Taint Graph Generation Automated Testing Taint Graph Generation

14 Automated Testing The system defines nine different types of taint sources: text, password, HTTP, HTTPS, ICMP, FTP, document, and directory. The communication between the test engine and the taint engine is via an intercepted registry writing API.

15 Taint Graph Generation Generate one graph for each taint source with different label. For each taint source, the taint propagation originating from this source forms a directed graph (taint graph). Taint graph can be represented as g = (V,E), where V is set of vertices and E is a set of directed edges connection vertices. Each vertex is labeled with a (type, value) pair, where value is the unique name that identifies the vertex.

16 Taint Graph Generation Type of a vertex defined in a hierarchical form: type ::= taint_source | os_object taint_source ::= text | password | HTTP | HTTPS| FTP | ICMP | document | directory os_object ::= process | module | network | file

17 Taint Graph Generation Figure 2: An example of taint graph. This graph reflects the procedure for Windows user authentication. While a password thief is running in the background, it catches the password and saves them to its log file “c:\ginalog.log”.

18 TAINT-GRAPH-BASED MALWARE DETECTION AND ANALYSIS Taint-Graph-Based Malware Detection Taint-Graph-Based Malware Analysis

19 Taint-Graph-Based Malware Detection Anomalous information access behavior Anomalous information leakage behavior Excessive information access behavior Policies enforced on the taint graphs:

20 Taint-Graph-Based Malware Analysis Given a taint graph, the first step is to check this graph for the presence of a node that corresponds to the sample under analysis. If such a node is present, we obtain the information that the sample has accessed certain tainted input data because the test cases are designed such that input data is sent to trusted applications, but never to the sample under analysis.

21 EVALUATION Two of these false positives were personal firewall programs. The third false positive was a browser accelerator. Malware Detection

22 Case Study Here, %INST DIR% represents “c:\Program Files\Google\Google Desktop Search”, and %TEMP% is “c:\Documents and Settings\user\Local Settings\ Temporary Internet Files”. Malware Analysis

23 Conclusion Whole system fine grained taint analysis to discern fine- grained information access and processing behaviour of unknown code. Panorama yields zero false negative and very few false positives.

24 Thank you !

Download ppt "Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
System Integration and Performance

System Integration and Performance
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Computer Organization. This module surveys the physical resources of a computer system. –Basic components CPUMemoryBus I/O devices –CPU structure Registers.

Computer Organization. This module surveys the physical resources of a computer system. –Basic components CPUMemoryBus I/O devices –CPU structure Registers.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
File Management Systems

File Management Systems
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
CS 550 Amoeba-A Distributed Operation System by Saie M Mulay.

CS 550 Amoeba-A Distributed Operation System by Saie M Mulay.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Interpret Application Specifications

Interpret Application Specifications
Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.
16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.

16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.
OS Spring’04 Introduction Operating Systems Spring 2004.

OS Spring’04 Introduction Operating Systems Spring 2004.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Similar presentations

Ads by Google