
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu (Presenter)
Department of Computer Science and
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University

Xuxian Jiang
Department of Information and Software Engineering
George Mason University

NICIAR PI Meeting, Boston, MA, September 19, 2007

Motivation

Internet malware remains a top threat.
Malware: viruses, worms, rootkits, spyware, bots…

Motivation

The Challenge: Enabling Timely, Efficient Malware Investigation

Raising timely alerts to trigger a malware investigation
Identifying the break-in point of the malware
Reconstructing all contaminations by the malware

[Figure: timeline of an incident. Between the infection and the external detection point, the investigator uses the log to trace back to the break-in point and to reconstruct the contamination. This is how state-of-the-art log-based intrusion investigation tools work.]

Limitations of Today’s Tools

Long “infection-to-detection” interval
Entire log needed for both trace-back and reconstruction
Questionable trustworthiness of log data


Technical Approach: Process Coloring

Key idea: propagating and logging malware break-in provenance information (“colors”) along OS-level information flows.
Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information.
Runtime alert triggered by log color anomalies.

[Figure: architecture. Server processes (Apache httpd, Sendmail, DNS, MySQL) run in a guest OS on top of a Virtual Machine Monitor (VMM); a logger records their system calls into a log, which a log monitor inspects for color anomalies, while an attacker targets httpd.]

New Capabilities Enabled by Process Coloring

[Figure: initial coloring and coloring diffusion. The rc init scripts start s30sendmail, s45named, s55sshd and s80httpd, each receiving its own color. In the attack scenario httpd spawns /bin/sh, followed by wget, a rootkit and netcat, which touch local files including /etc/shadow and confidential info; the colors diffuse along these flows into the syscall log. Three capabilities are built on the colored log:
Capability 1: Color-based malware warning
Capability 2: Color-based identification of malware break-in point
Capability 3: Color-based log partition for contamination analysis]

...
BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
BLUE: 673["sendmail"]: 6_close(5) = 0
BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
...
RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
…
RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
RED: 2568["httpd"]: 63_dup2(5, 2) = 2
RED: 2568["httpd"]: 63_dup2(5, 1) = 1
RED: 2568["httpd"]: 63_dup2(5, 0) = 0
RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2
RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6

Color-Based Malware Warning

Capability 1: Color-based malware warning: “unusual color inheritance”

Color-Based Malware Warning

Another example: “color mixing”

RED: 1234 ["httpd"]: …
RED: 1234 ["httpd"]: …
RED: 1234 ["httpd"]: …
RED+BLUE: 1234 ["httpd"]: system call to read file index.html

[Figure: cp defaced.html index.html is executed under bind's color; when the RED-colored httpd then reads index.html, the read entry carries both colors (RED+BLUE).]

Efficiency through Process Coloring

                            Lion                  Slapper                  SARS
Time period being analyzed  24 hours              24 hours                 24 hours
# worm-related entries      66,504                195,884                  19,494
Exploited service           BIND (CVE-2001-0010)  Apache (CAN-2002-0656)   Samba (CAN-2003-0085)
% of log inspected          48.7%                 65.9%                    12.1%

Capability 2: Color-based break-in point identification

Capability 3: Color-based log partitioning

Impact of Success

How will it benefit the NIC?
Accountability of NIC cyber infrastructure
Readiness against current and emerging malware threats (e.g., botnets, rootkits, spyware) to NIC
Protection of NIC critical data, information, and computation activities
Reduction of NIC human labor in malware investigation

Evaluation Metrics

Timeliness: malware infection-to-warning interval
Efficiency: percentage of log reduction for malware contamination reconstruction
Accuracy: false positive rate of malware warning; false negative rate of malware warning; correctness of malware action graphs

Work in Progress: Color Diffusion Modeling (Month 1-6)

Color Diffusion Model

Operation   Diffusion                                           Syscalls
CREATE      create <s1, o1>:  color(o1) = color(s1)             create, mkdir, link
            create <s1, s2>:  color(s2) = color(s1)             fork, vfork, clone
READ        read <s1, o1>:    color(s1) = color(s1) ∪ color(o1) read, readv, recv
            read <s1, s2>:    color(s1) = color(s1) ∪ color(s2) ptrace
WRITE       write <s1, o1>:   color(o1) = color(s1) ∪ color(o1) write, writev, send
            write <s1, s2>:   color(s2) = color(s1) ∪ color(s2) ptrace, wait, signal
DESTROY     destroy <s1, o1>                                    unlink, rmdir, close
            destroy <s1, s2>                                    exit, kill
(s1, s2: processes acting as subjects; o1: an object such as a file or socket)

Object and process relationships in Linux analyzed.
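The diffusion rules in the table above, together with the three capabilities from the earlier slides (color-based warning, break-in point identification and log partitioning), as an added example that is not the project's Xen implementation: a toy in-memory monitor applies the CREATE/READ/WRITE/DESTROY rules to a constructed syscall trace modelled on the deck's httpd log excerpt (with a second, GREEN-colored named process added for a color-mixing case) and then runs the three checks over the colored log. The image-per-color policy, the choice of accept/recv as the entry syscalls, the split of ptrace into a read and a write direction, and treating execve as keeping the process's color are assumptions of this example, not statements from the deck.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Color = FrozenSet[str]
# Syscall classes from the deck's diffusion table; ptrace sits in both the READ
# and WRITE rows, so it is split by direction here (assumption).
CREATE = {"create", "mkdir", "link", "fork", "vfork", "clone"}
READ = {"read", "readv", "recv", "ptrace_peek"}
WRITE = {"write", "writev", "send", "ptrace_poke", "wait", "signal"}
DESTROY = {"unlink", "rmdir", "close", "exit", "kill"}
# Assumed detection policy (not from the deck): syscalls through which external
# input enters a service, and the program images each color is expected to run.
NETWORK_ENTRY = {"accept", "recv"}
EXPECTED_IMAGE = {"RED": {"httpd"}, "BLUE": {"sendmail"}, "GREEN": {"named"}}

@dataclass
class Event:
    syscall: str
    subj: str         # acting process (pid)
    target: str = ""  # object (path, socket) or target process (pid)
    args: str = ""    # printable argument summary for the log line

@dataclass
class Entry:
    color: Color
    pid: str
    image: str
    syscall: str
    text: str

class ColorMonitor:
    def __init__(self, initial: Dict[str, Tuple[str, str]]):
        # Initial coloring: pid -> (image, color) for each server daemon.
        self.image = {pid: img for pid, (img, _) in initial.items()}
        self.color: Dict[str, Color] = {pid: frozenset({c}) for pid, (_, c) in initial.items()}
        self.log: List[Entry] = []

    def _c(self, name: str) -> Color:
        return self.color.get(name, frozenset())  # uncolored names carry no color

    def apply(self, ev: Event) -> Entry:
        s, t = ev.subj, ev.target
        if ev.syscall in CREATE:                   # color(o1) = color(s1)
            self.color[t] = self._c(s)
            if ev.syscall in {"fork", "vfork", "clone"}:
                self.image[t] = self.image[s]
        elif ev.syscall in READ:                   # color(s1) = color(s1) ∪ color(o1)
            self.color[s] = self._c(s) | self._c(t)
        elif ev.syscall in WRITE:                  # color(o1) = color(s1) ∪ color(o1)
            self.color[t] = self._c(s) | self._c(t)
        elif ev.syscall == "execve":               # pid keeps its color, as pid 2568
            self.image[s] = t.rsplit("/", 1)[-1]   # does in the deck's log excerpt
        # Other syscalls (open, dup2, accept, ...) are logged but do not diffuse.
        c = self._c(s)
        label = "+".join(sorted(c)) or "NONE"
        entry = Entry(c, s, self.image[s], ev.syscall, f'{label}: {s}["{self.image[s]}"]: {ev.syscall}({ev.args})')
        self.log.append(entry)
        if ev.syscall in DESTROY:                  # the object or process is gone
            self.color.pop(t, None)
        return entry

def warnings(mon: ColorMonitor) -> List[str]:
    """Capability 1: warn once per (pid, image, color) on unusual inheritance or mixing."""
    out, seen = [], set()
    for e in mon.log:
        key = (e.pid, e.image, e.color)
        if key in seen or not e.color:
            continue
        seen.add(key)
        if len(e.color) > 1:
            out.append(f"color mixing: {e.text}")
        elif e.image not in EXPECTED_IMAGE.get(next(iter(e.color)), set()):
            out.append(f"unusual color inheritance: {e.text}")
    return out

def break_in_point(mon: ColorMonitor, color: str) -> Optional[Entry]:
    """Capability 2: first external input into the colored service (assumption)."""
    return next((e for e in mon.log if color in e.color and e.syscall in NETWORK_ENTRY), None)

def partition(mon: ColorMonitor, color: str) -> List[Entry]:
    """Capability 3: only this slice of the log needs inspecting for the color."""
    return [e for e in mon.log if color in e.color]

def run_scenario() -> ColorMonitor:
    """Constructed trace modelled on the deck's httpd excerpt plus a defacement."""
    mon = ColorMonitor({"673": ("sendmail", "BLUE"), "2568": ("httpd", "RED"), "801": ("named", "GREEN")})
    for ev in [
        Event("read", "673", "/proc/loadavg", '5, "0.26 0.10 0.03 2...", 4096'),
        Event("clone", "2568", "2569"),                                   # httpd worker
        Event("accept", "2568", "sock:5", "16, sockaddr{...}, ..."),
        Event("read", "2568", "sock:5", '5, "\\128...", 11'),
        Event("write", "2568", "sock:5", '5, "...", 1090'),
        Event("execve", "2568", "/bin//sh", '"/bin//sh", ...'),          # shell inherits RED
        Event("read", "2568", "/etc/shadow", '6, "...", 4096'),
        Event("create", "2568", "/tmp/rk", '"/tmp/rk"'),                 # RED contamination
        Event("write", "801", "/var/www/index.html", '7, "...", 512'),   # defacement under GREEN
        Event("read", "2569", "/var/www/index.html", '8, "...", 4096'),  # RED reads a GREEN file
    ]:
        mon.apply(ev)
    return mon
```

Running `run_scenario()` and passing the monitor to `warnings`, `break_in_point(mon, "RED")` and `partition(mon, "RED")` reproduces the three slides: the execve of sh under RED is flagged as unusual inheritance, the worker's read of the defaced index.html is flagged as GREEN+RED mixing, the break-in point resolves to httpd's accept, and the RED partition is 8 of the 10 log entries, which is the log reduction the efficiency slide measures.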

Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18)

Server-side malware investigation
Consolidated server environment with independent server applications
“Clustered” information flows partitioned by server applications
Color mixing highly unlikely between applications

Client-side malware investigation
Inter-dependent client applications (e.g., text editor → compiler; latex → dvips → ps2pdf)
More inter-application information flows
Legal color mixing exists

Color diffusion and logging implemented on Xen. A demo is on-line at: http://cairo.cs.purdue.edu/projects/pc/pc-demo.html

A motivating example of client-side process coloring

Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18)

[Figure: client-side motivating example. Along a time axis, the Quick Tax and FTP client applications run on the same host and their colors combine (FTP + Quick Tax) as information flows between them.]

A number of client-side applications are being tested (e.g., Skype, Firefox).

Technology Transfer Plan

Potential adopters
Computer forensics/malware investigators and researchers
System administrators
Anti-malware software companies
Open source communities (e.g., XenSource)

Software release and documentation
Presentations and demos to potential NIC adopters
Presentations and demos to anti-malware software companies (Symantec, Microsoft, VMware)

Thank you!
For more information about the Process Coloring project:
http://cairo.cs.purdue.edu/projects/
[email protected]