Post on 19-Dec-2015
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu (Presenter)
Department of Computer Science and
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University

Xuxian Jiang
Department of Information and Software Engineering
George Mason University

NICIAR PI Meeting, Boston, MA, September 19, 2007
The Challenge: Enabling Timely, Efficient Malware Investigation

- Raising timely alerts to trigger a malware investigation
- Identifying the break-in point of the malware
- Reconstructing all contaminations by the malware
[Figure: timeline from infection (the break-in point) to the external detection point; with state-of-the-art log-based intrusion investigation tools, both break-in point trace-back and contamination reconstruction are carried out over the log.]
Limitations of Today’s Tools

- Long “infection-to-detection” interval
- Entire log needed for both trace-back and reconstruction
- Questionable trustworthiness of log data
Technical Approach: Process Coloring

- Key idea: propagating and logging malware break-in provenance information (“colors”) along OS-level information flows
- Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information
- Runtime alert triggered by log color anomalies
[Figure: a virtual machine whose guest OS runs Apache (httpd), Sendmail, DNS and MySQL on top of a Virtual Machine Monitor (VMM); a logger below the guest records the colored syscall log, which a log monitor watches, while an attacker reaches the services from outside.]
New Capabilities Enabled by Process Coloring

[Figure: the services started by the rc/init scripts (S30sendmail, S45named, S55sshd, S80httpd) receive the initial coloring; the colors then diffuse along syscalls into /bin/sh, wget, a rootkit, netcat, local files and confidential information such as /etc/shadow, and are recorded in the syscall log. Capability 1: color-based malware warning. Capability 2: color-based identification of malware break-in point. Capability 3: color-based log partition for contamination analysis.]
Color-Based Malware Warning

Capability 1: Color-based malware warning: “unusual color inheritance”

...
BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
BLUE: 673["sendmail"]: 6_close(5) = 0
BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
...
RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
...
RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
RED: 2568["httpd"]: 63_dup2(5, 2) = 2
RED: 2568["httpd"]: 63_dup2(5, 1) = 1
RED: 2568["httpd"]: 63_dup2(5, 0) = 0
RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = -2
RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6
Color-Based Malware Warning

Another example: “color mixing”

RED: 1234 ["httpd"]: …
RED: 1234 ["httpd"]: …
RED: 1234 ["httpd"]: …
RED+BLUE: 1234 ["httpd"]: system call to read file index.html

[Figure: bind runs "cp defaced.html index.html"; when httpd later reads index.html, its log entries change from RED to RED+BLUE.]
Efficiency through Process Coloring

                             Lion                   Slapper                  SARS
Time period being analyzed   24 hours               24 hours                 24 hours
# worm-related entries       66,504                 195,884                  19,494
Exploited service            BIND (CVE-2001-0010)   Apache (CAN-2002-0656)   Samba (CAN-2003-0085)
% of log inspected           48.7%                  65.9%                    12.1%
Capability 2: Color-based break-in point identification

Capability 3: Color-based log partitioning
Impact of Success

How will it benefit the NIC?
- Accountability of NIC cyber infrastructure
- Readiness against current and emerging malware threats (e.g., botnets, rootkits, spyware) to NIC
- Protection of NIC critical data, information, and computation activities
- Reduction of NIC human labor in malware investigation
Evaluation Metrics

- Timeliness: malware infection-to-warning interval
- Efficiency: percentage of log reduction for malware contamination reconstruction
- Accuracy: false positive rate of malware warning, false negative rate of malware warning, correctness of malware action graphs
Work in Progress: Color Diffusion Modeling (Month 1-6)

Color Diffusion Model (s1, s2 are subjects, i.e. processes; o1 is an object, e.g. a file or socket)

Operation   Diffusion                                               Syscalls
CREATE      create <s1, o1>:  color(o1) = color(s1)                 create, mkdir, link
            create <s1, s2>:  color(s2) = color(s1)                 fork, vfork, clone
READ        read <s1, o1>:    color(s1) = color(s1) ∪ color(o1)     read, readv, recv
            read <s1, s2>:    color(s1) = color(s1) ∪ color(s2)     ptrace
WRITE       write <s1, o1>:   color(o1) = color(s1) ∪ color(o1)     write, writev, send
            write <s1, s2>:   color(s2) = color(s1) ∪ color(s2)     ptrace, wait, signal
DESTROY     destroy <s1, o1>                                        unlink, rmdir, close
            destroy <s1, s2>                                        exit, kill

Object and process relationships in Linux analyzed.
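As an added illustration (not the project's code), the following replays the diffusion rules above over a constructed syscall trace and raises the two Capability 1 warnings from the earlier slides (unusual color inheritance, color mixing), then partitions the colored log by color as in Capability 3. The pids, colors, trace and the "which program owns which color" table are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed trace: (pid, comm, op, target); target is a pid for a subject
# (fork/ptrace/kill style operations) or a path/socket name for an object.
TRACE: List[Tuple[int, str, str, object]] = [
    (673, "sendmail", "read", "/proc/loadavg"),
    (2568, "httpd", "create", 2569),                   # fork: worker inherits RED
    (2569, "httpd", "read", "socket:5"),               # request read from the client
    (2569, "sh", "read", "/etc/ld.so.cache"),          # same pid now running /bin/sh
    (1234, "named", "write", "/var/www/index.html"),   # GREEN process rewrites the page
    (2568, "httpd", "read", "/var/www/index.html"),    # httpd absorbs GREEN: color mixing
]
# Assumed initial coloring of the daemons and which program each color belongs to.
INITIAL = {673: {"BLUE"}, 2568: {"RED"}, 1234: {"GREEN"}}
EXPECTED = {"BLUE": {"sendmail"}, "RED": {"httpd"}, "GREEN": {"named"}}

def diffuse(colors: Dict[object, Set[str]], pid: int, op: str, target: object) -> None:
    """Apply one row of the diffusion table; pid is the calling subject s1."""
    src = colors.setdefault(pid, set())
    if op == "create":        # create, mkdir, link / fork, vfork, clone
        colors[target] = set(src)
    elif op == "read":        # read, readv, recv / ptrace
        src |= colors.get(target, set())
    elif op == "write":       # write, writev, send / ptrace, wait, signal
        colors.setdefault(target, set()).update(src)
    elif op == "destroy":     # unlink, rmdir, close / exit, kill
        colors.pop(target, None)

def run(trace, initial, expected) -> Tuple[List[str], List[str]]:
    """Replay the trace, producing the colored syscall log and Capability 1 warnings."""
    colors: Dict[object, Set[str]] = {pid: set(c) for pid, c in initial.items()}
    log, warnings = [], []
    for pid, comm, op, target in trace:
        diffuse(colors, pid, op, target)
        tag = "+".join(sorted(colors[pid])) or "NONE"
        log.append(f'{tag}: {pid}["{comm}"]: {op}({target!r})')
        for c in sorted(colors[pid]):      # a service color carried by a foreign program
            if comm not in expected.get(c, set()):
                warnings.append(f"unusual color inheritance: {c} in {pid}[{comm}]")
        if len(colors[pid]) > 1:           # one process carrying several colors
            warnings.append(f"color mixing: {tag} in {pid}[{comm}]")
    return log, warnings

def partition(log: List[str], color: str) -> List[str]:
    """Capability 3: keep only the log entries tagged with the given color."""
    return [entry for entry in log if color in entry.split(":", 1)[0].split("+")]

if __name__ == "__main__":
    print("\n".join(run(TRACE, INITIAL, EXPECTED)[1]))
```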
Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18)

Server-side malware investigation
- Consolidated server environment with independent server applications
- “Clustered” information flows partitioned by server applications
- Color mixing highly unlikely between applications

Client-side malware investigation
- Inter-dependent client applications (e.g., text editor → compiler; latex → dvips → ps2pdf)
- More inter-application information flows
- Legal color mixing exists

Color diffusion and logging implemented on Xen. A demo is on-line at: http://cairo.cs.purdue.edu/projects/pc/pc-demo.html
A motivating example of client-side process coloring

[Figure: timeline in which the colors of two client applications, FTP and Quick Tax, combine (FTP + Quick Tax).]

A number of client-side applications are being tested (e.g., Skype, Firefox).
Technology Transfer Plan

Potential adopters
- Computer forensics/malware investigators and researchers
- System administrators
- Anti-malware software companies
- Open source communities (e.g., XenSource)

- Software release and documentation
- Presentations and demos to potential NIC adopters
- Presentations and demos to anti-malware software companies (Symantec, Microsoft, VMware)
Thank you!

For more information about the Process Coloring project:
http://cairo.cs.purdue.edu/projects/
[email protected]