Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie 13517398.ppt
Ähnlich wie 13517398.ppt (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
13517398.ppt
- 1. 1 Information Flow Control Nick Feamster CS 6262 Spring 2009
- 2. 2 • Denning's axioms • Bell-LaPadula model (BLP) • Biba model Lattice-Based Models
- 3. 3 Denning’s Lattice Model < SC, , > SC set of security classes SC X SC flow relation (i.e., can- flow) SC X SC -> SC class-combining operator
- 4. 4 Denning’s Axioms < SC, , > 1 SC is finite 2 is a partial order on SC 3 SC has a lower bound L such that L A for all A SC 4 is a least upper bound (lub) operator on SC
- 5. 5 Implications • SC is a universally bounded lattice • there exists a Greatest Lower Bound (glb) operator (also called meet) • there exists a highest security class H
- 6. 6 Lattice Structures Unclassified Confidential Secret Top Secret Hierarchical Classes can-flow reflexive and transitive edges are implied but not shown
- 8. 8 Lattice Structures {ARMY, CRYPTO} Compartments and Categories {ARMY } {CRYPTO} {}
- 9. 9 Lattices Structures {ARMY, NUCLEAR, CRYPTO} Compartments and Categories {ARMY, NUCLEAR} {ARMY, CRYPTO} {NUCLEAR, CRYPTO} {ARMY} {NUCLEAR} {CRYPTO} {}
- 10. 10 Lattice Structures Hierarchical Classes with Compartments TS S {A,B} {} {A} {B} product of 2 lattices is a lattice
- 11. 11 Challenges • Implicit information flow – Conditional statements can implicitly leak information • Implementing a system that explicitly controls the flow of information
- 12. 12 Static Binding: Run-Time • Objects are statically bound to classes • Can operate either at runtime, or at compile-time • Run-time mechanisms – Each process has a mechanism that specifies the highest class p can write from and the lowest class p can write to
- 13. 13 Static Binding: Compile-Time • Certify program at compile-time • Advantages – Security guarantees before execution – Does not affect the execution speed • Disadvantages – Flows not specified by the program cannot be verified – Hardware could malfunction
- 15. 15 Dynamic Binding • Objects can dynamically change their classification • One approach: Update the class of an object whenever data flows into it – Nondecreasing class mechanisms – Main problem: requires explicit flow to update the class of an object
- 16. 16 Possible Applications • Confinement – No leaking information about confidential processes • Databases – Control information flow for different classes of information in the database • Decoupling right of access from right of control
- 18. 18 Motivation • Malicious software sneaks onto computers – Collects users’ private information – Causes havoc on Internet • Slows performance • Costs to remove – Reputable vendors violate users’ privacy • Google Desktop • Sony Media Player
- 19. 19 Traditional Malware detection • Signature-based – Cannot detect new malware or variants • Heuristics – High false positives – High false negatives
- 20. 20 Panorama Approach • Input – Suspicious behavior • Inappropriate data access, stealthfully • Process – Whole-system, fine-grained taint tracking • Marking data – Operating-system-aware taint analysis • What touches the tainted data and how • Output – Taint Graphs • Tracked tainted data
- 21. 21 Taint Graph • Information flow that shows the process that accessed the tainted data • Make policies based on Taint Graph • Compare unknown samples against Taint Graph – Automatic – Numerous categories
- 22. 22 Taint Graph generation • Similar to a mapped out logic/process tree – Conceptually, horizontal branching • 9 different types of Root taint sources – Text, password, http, https, icmp, ftp, document, and directory • Non-root entries can be – OS objects (processes, modules) – OS resource (such as a file)
- 23. 23 Conceptual Structure • Works with closed code – Windows OS – FireFox • Monitors the whole system in a processor emulator • Shadow memory stores taint status of – Each byte of physical memory – CPU’s general purpose registers – Hard disk and network interface buffer
- 24. 24 Taint Sources • Test information is inputted and marked as taint source • Inputted from hardware such as – Keyboard – Network interface – Hard disk • Tainting at hardware level – Malware could hook before input reaches the software
- 25. 25 Taint Propagation • Monitors CPU instructions and DMA operations dealing with tainted data • OS-Aware taint tracking – Developed a kernel module • Authenticated communications to taint engine
- 26. 26 OS-Aware Taint Tracking • Resolving process and module information – Which process does an operation come from? – Module notifier – Tampering? • Mapping file and network information to taints – File system forensics – Mapping connections back to processes
- 27. 27 Code Identification • Identifying the code under analysis and its actions – Entire code segment is labeled • Dynamic or Encrypted code is labeled too • A similar method labels trusted code • What does the analysis do about various derivatives of the code – Dynamic generation – Calling trusted code
- 28. 28 Three Categorized Behaviors • Anomalous information access – MS Paint accessing passwords • Anomalous information leakage – BHO reporting home about surfed websites • Excessive information access – Repeatedly accessed directory to hide rootkit
- 29. 29 Malware detections • 42 real-world malware samples • 56 benign applications were tested • Only 3 false positives, no false negatives – 2 from a personal firewall – 1 from a browser accelerator
- 30. 30 Summary • A new system to detect malware – System-Wide Information Flow • Taint tracking – Data access and process tracking – Taint graphs • Policies
- 31. 31 Contributions • Unified approach to detect and analyze diverse malware • Designed and developed a functional prototype • Detected all malware samples – Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware
- 32. 32 Weaknesses • Performance Overhead – Using Cygwin utilities – Prototype is not optimized – Slowdown average is 20 times – Intended as a offline tool • Evasive malware – Time bombs – Selective keystroke loggers – Virtual environment detection
- 33. 33 How to Improve • Optimize the code • Automate taint graph analysis and policy implementation • Virtual environment shielding – Or switch out of emulated environment • Implement mentioned improvements – Unicode conversion- switch case issue