3. 3
Denning’s Lattice Model
< SC, , >
SC: set of security classes
flow relation on SC X SC (i.e., can-flow)
class-combining operator: SC X SC -> SC
4. 4
Denning’s Axioms
< SC, , >
1 SC is finite
2 the flow relation (can-flow) is a partial order on SC
3 SC has a lower bound L such that L can flow to A for all A in SC
4 the class-combining operator is a least upper bound (lub) operator on SC
5. 5
Implications
• SC is a universally bounded lattice
• there exists a Greatest Lower Bound (glb) operator (also called meet)
• there exists a highest security class H
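As an added example (written for this page, not taken from the slides), here is a concrete instance of Denning's model in Python. The sample SC is the familiar product of a totally ordered sensitivity level with a set of compartments (the level names and categories are constructed); `can_flow` is the flow relation, `lub` the class-combining operator, and `check_axioms` verifies axioms 1 to 4 by exhaustive enumeration, also confirming the implications on this slide: a glb (meet) operator exists and there is a single highest class H.

```python
from itertools import product

# Constructed sample lattice (not from the slides): a security class is a pair
# (level, categories); levels are totally ordered, categories form a powerset.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
CATEGORIES = ("nuclear", "crypto")


def all_classes():
    """Enumerate SC, the finite set of security classes (axiom 1)."""
    subsets = [frozenset(c for c, keep in zip(CATEGORIES, bits) if keep)
               for bits in product([False, True], repeat=len(CATEGORIES))]
    return [(level, cats) for level in LEVELS for cats in subsets]


def can_flow(a, b):
    """Flow relation a -> b: information of class a may flow to class b iff
    b's level dominates a's and b's categories include a's."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] <= LEVELS[lb] and ca <= cb


def lub(a, b):
    """Class-combining operator: the least class that both a and b can flow to."""
    (la, ca), (lb, cb) = a, b
    return (max(la, lb, key=LEVELS.get), ca | cb)


def glb(a, b):
    """Greatest lower bound (meet): the highest class that can flow to both."""
    (la, ca), (lb, cb) = a, b
    return (min(la, lb, key=LEVELS.get), ca & cb)


def check_axioms(sc):
    """Verify Denning's axioms 2-4 by exhaustive enumeration and return the
    universal lower bound L and the highest class H implied by them."""
    # Axiom 2: can_flow is a partial order (reflexive, antisymmetric, transitive).
    assert all(can_flow(a, a) for a in sc)
    assert all(a == b for a, b in product(sc, sc)
               if can_flow(a, b) and can_flow(b, a))
    assert all(can_flow(a, c) for a, b, c in product(sc, sc, sc)
               if can_flow(a, b) and can_flow(b, c))
    # Axiom 3: exactly one lower bound L that can flow to every class.
    lows = [x for x in sc if all(can_flow(x, a) for a in sc)]
    assert len(lows) == 1
    # Axiom 4: lub(a, b) is an upper bound of a and b and lies below every other.
    for a, b in product(sc, sc):
        u = lub(a, b)
        assert can_flow(a, u) and can_flow(b, u)
        assert all(can_flow(u, c) for c in sc if can_flow(a, c) and can_flow(b, c))
        # Implication: the dual glb(a, b) is the greatest lower bound (the meet).
        m = glb(a, b)
        assert can_flow(m, a) and can_flow(m, b)
        assert all(can_flow(c, m) for c in sc if can_flow(c, a) and can_flow(c, b))
    # Implication: a finite lattice with a lub has a single highest class H.
    highs = [x for x in sc if all(can_flow(a, x) for a in sc)]
    assert len(highs) == 1
    return lows[0], highs[0]
```

With three levels and two categories SC has twelve classes, so the triple loop for transitivity is still small; for a real policy lattice one would check axioms once at policy-load time rather than on every flow decision.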
11. 11
Challenges
• Implicit information flow
– Conditional statements can implicitly leak information
• Implementing a system that explicitly controls the flow of information
12. 12
Static Binding: Run-Time
• Objects are statically bound to classes
• Can operate either at runtime, or at compile-time
• Run-time mechanisms
– Each process p has a mechanism that specifies the highest class p can read from and the lowest class p can write to
13. 13
Static Binding: Compile-Time
• Certify program at compile-time
• Advantages
– Security guarantees before execution
– Does not affect the execution speed
• Disadvantages
– Flows not specified by the program cannot be verified
– Hardware could malfunction
15. 15
Dynamic Binding
• Objects can dynamically change their classification
• One approach: Update the class of an object whenever data flows into it
– Nondecreasing class mechanisms
– Main problem: requires explicit flow to update the class of an object
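To make the implicit-flow challenge (slide 11), the static run-time and compile-time mechanisms (slides 12 and 13) and dynamic binding (slide 15) concrete, here is an added example of mine, not code from the slides. It is a tiny interpreter over a two-class lattice (public below secret, so lub is just the larger rank): `execute` implements dynamic binding with a nondecreasing class mechanism, optionally joining in the class of the enclosing branch condition; `certify` implements compile-time certification with every variable fixed to a class; `LEAK` is the conditional statement from slide 11 that copies a secret bit into a public variable without any explicit assignment. The program syntax and variable names are constructed for the example.

```python
# Two-point lattice, constructed for the example: public can flow to secret.
RANK = {"public": 0, "secret": 1}


def join(*labels):
    """Least upper bound (class-combining operator) on the two-point lattice."""
    return max(labels, key=RANK.get)


def flows_to(a, b):
    return RANK[a] <= RANK[b]


# Constructed program syntax:
#   ("set", dst, const)     assign a constant
#   ("copy", dst, src)      explicit flow src -> dst
#   ("if", cond, [ops])     run ops only if the variable cond is non-zero


def execute(ops, values, labels, pc="public", track_pc=False):
    """Dynamic binding: each assignment raises the target's class to the join of
    the classes that explicitly flowed into it (a nondecreasing mechanism).
    With track_pc=True the class of the enclosing branch condition is joined
    in too, but only along the branch that actually executes."""
    for op in ops:
        if op[0] == "set":
            _, dst, const = op
            values[dst] = const
            labels[dst] = join(labels.get(dst, "public"), pc)
        elif op[0] == "copy":
            _, dst, src = op
            values[dst] = values[src]
            labels[dst] = join(labels.get(dst, "public"), labels[src], pc)
        elif op[0] == "if":
            _, cond, body = op
            inner_pc = join(pc, labels[cond]) if track_pc else pc
            if values[cond]:
                execute(body, values, labels, inner_pc, track_pc)
    return values, labels


def certify(ops, fixed_labels, pc="public"):
    """Static binding, compile-time certification: every variable has a fixed
    class and an assignment is accepted only if join(sources, pc) can flow to
    the target's class. Both arms of a conditional are analysed whether or not
    they would run, so the implicit flow is caught before execution."""
    violations = []
    for op in ops:
        if op[0] == "set":
            _, dst, _ = op
            if not flows_to(pc, fixed_labels[dst]):
                violations.append(dst)
        elif op[0] == "copy":
            _, dst, src = op
            if not flows_to(join(fixed_labels[src], pc), fixed_labels[dst]):
                violations.append(dst)
        elif op[0] == "if":
            _, cond, body = op
            violations += certify(body, fixed_labels, join(pc, fixed_labels[cond]))
    return violations


# The implicit flow from slide 11: out ends up equal to secret, yet no
# instruction ever copies secret into out.
LEAK = [("set", "out", 0), ("if", "secret", [("set", "out", 1)])]


def run_leak(secret_value, track_pc):
    """Return (value, class) of out after running LEAK under dynamic binding."""
    values, labels = execute(LEAK, {"secret": secret_value},
                             {"secret": "secret"}, "public", track_pc)
    return values["out"], labels["out"]
```

Running `run_leak(1, False)` gives `(1, "public")`: the value of `out` now reveals `secret`, but with explicit-flow updates only, its class never rose. Tracking the branch condition fixes the taken branch (`run_leak(1, True)` is `(1, "secret")`), yet `run_leak(0, True)` is still `(0, "public")`, because no data flowed into `out` in that run; this is exactly the slide's "requires explicit flow" problem. `certify(LEAK, {"secret": "secret", "out": "public"})` rejects the program on every path, which is the compile-time guarantee slide 13 describes.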
16. 16
Possible Applications
• Confinement
– No leaking information about confidential processes
• Databases
– Control information flow for different classes of information in the database
• Decoupling right of access from right of control
18. 18
Motivation
• Malicious software sneaks onto computers
– Collects users’ private information
– Causes havoc on Internet
• Slows performance
• Costs to remove
– Reputable vendors violate users’ privacy
• Google Desktop
• Sony Media Player
19. 19
Traditional Malware detection
• Signature-based
– Cannot detect new malware or variants
• Heuristics
– High false positives
– High false negatives
20. 20
Panorama Approach
• Input
– Suspicious behavior
• Inappropriate data access, done stealthily
• Process
– Whole-system, fine-grained taint tracking
• Marking data
– Operating-system-aware taint analysis
• What touches the tainted data and how
• Output
– Taint Graphs
• Tracked tainted data
21. 21
Taint Graph
• Information flow that shows the process that accessed the tainted data
• Make policies based on Taint Graph
• Compare unknown samples against Taint Graph
– Automatic
– Numerous categories
22. 22
Taint Graph generation
• Similar to a mapped out logic/process tree
– Conceptually, horizontal branching
• 9 different types of Root taint sources
– Text, password, http, https, icmp, ftp, document, and directory
• Non-root entries can be
– OS objects (processes, modules)
– OS resource (such as a file)
23. 23
Conceptual Structure
• Works with closed code
– Windows OS
– Firefox
• Monitors the whole system in a processor emulator
• Shadow memory stores taint status of
– Each byte of physical memory
– CPU’s general purpose registers
– Hard disk and network interface buffer
24. 24
Taint Sources
• Test information is input and marked as a taint source
• Input from hardware such as
– Keyboard
– Network interface
– Hard disk
• Tainting at hardware level
– Malware could hook before input reaches the software
25. 25
Taint Propagation
• Monitors CPU instructions and DMA operations dealing with tainted data
• OS-Aware taint tracking
– Developed a kernel module
• Authenticated communications to taint engine
26. 26
OS-Aware Taint Tracking
• Resolving process and module information
– Which process does an operation come from?
– Module notifier
– Tampering?
• Mapping file and network information to taints
– File system forensics
– Mapping connections back to processes
27. 27
Code Identification
• Identifying the code under analysis and its actions
– Entire code segment is labeled
• Dynamic or Encrypted code is labeled too
• A similar method labels trusted code
• What does the analysis do about various derivatives of the code
– Dynamic generation
– Calling trusted code
28. 28
Three Categorized Behaviors
• Anomalous information access
– MS Paint accessing passwords
• Anomalous information leakage
– BHO reporting home about surfed websites
• Excessive information access
– Repeatedly accessed directory to hide rootkit
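The following is an added toy model of slides 23 to 28, written for this page and not Panorama's own code. It keeps a shadow taint set per byte of "physical memory", per register and per network-buffer byte; taint enters at the hardware level (`hardware_input`), propagates through loads, stores, an ALU operation and DMA, and every touch is attributed to the currently scheduled process, standing in for what the OS-aware kernel module reports. The taint graph is simply a map from taint source to the (process, action) pairs that touched it, and two policies are evaluated over it: anomalous information access (a process touching a source it is not entitled to) and information leakage (tainted bytes reaching the network buffer). Process names, addresses and the password bytes are constructed.

```python
from collections import defaultdict


class TaintMachine:
    """Constructed whole-system taint tracker: shadow memory per byte/register
    plus a taint graph of which process touched which taint source."""

    def __init__(self, mem_size=64):
        self.mem = bytearray(mem_size)
        self.shadow_mem = [frozenset()] * mem_size       # taint set per byte
        self.regs = {"eax": 0, "ebx": 0}
        self.shadow_regs = {r: frozenset() for r in self.regs}
        self.nic_out = bytearray()                       # network interface buffer
        self.shadow_nic = []
        self.graph = defaultdict(set)                    # source -> {(process, action)}
        self.process = "idle"   # current process, as an OS-aware kernel module would report

    def schedule(self, process):
        self.process = process

    def hardware_input(self, source, addr, data):
        """Taint source: a device writes bytes, tainted before software sees them."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.shadow_mem[addr + i] = frozenset({source})

    def _record(self, taint, action):
        for src in taint:
            self.graph[src].add((self.process, action))

    def load(self, reg, addr):
        self.regs[reg] = self.mem[addr]
        self.shadow_regs[reg] = self.shadow_mem[addr]
        self._record(self.shadow_regs[reg], "read")

    def store(self, addr, reg):
        self.mem[addr] = self.regs[reg]
        self.shadow_mem[addr] = self.shadow_regs[reg]
        self._record(self.shadow_mem[addr], "write")

    def add(self, dst, src):
        """ALU instruction: the result carries the union of the operand taints."""
        self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
        self.shadow_regs[dst] = self.shadow_regs[dst] | self.shadow_regs[src]
        self._record(self.shadow_regs[dst], "compute")

    def dma_copy(self, dst, src, n):
        """DMA transfer: shadow bytes move with the data, attributed to the process."""
        for i in range(n):
            self.mem[dst + i] = self.mem[src + i]
            self.shadow_mem[dst + i] = self.shadow_mem[src + i]
            self._record(self.shadow_mem[dst + i], "dma")

    def send(self, addr, n):
        """Write to the NIC buffer: tainted bytes here are information leaving the host."""
        for i in range(n):
            self.nic_out.append(self.mem[addr + i])
            self.shadow_nic.append(self.shadow_mem[addr + i])
            self._record(self.shadow_mem[addr + i], "send")


def processes_touching(graph, source):
    return {proc for proc, _ in graph.get(source, ())}


def anomalous_access(graph, allowed):
    """Policy 1: processes that touched a taint source they are not entitled to."""
    return sorted({(proc, src) for src, touches in graph.items()
                   for proc, _ in touches if proc not in allowed.get(src, set())})


def leakage(graph):
    """Policy 2: tainted data sent out on the network, and by whom."""
    return sorted({(proc, src) for src, touches in graph.items()
                   for proc, act in touches if act == "send"})


def scenario():
    """Constructed run: a typed password, a legitimate reader, and two others."""
    m = TaintMachine()
    m.hardware_input("password", 0, b"hunter2")          # keyboard, tainted at source
    m.schedule("browser"); m.load("eax", 0); m.store(16, "eax")   # entitled reader
    m.schedule("paint"); m.load("ebx", 16)                # touches a copy: anomalous access
    m.schedule("spyware"); m.dma_copy(32, 0, 7); m.send(32, 7)    # leaks it to the NIC
    allowed = {"password": {"browser"}}
    return m, anomalous_access(m.graph, allowed), leakage(m.graph)
```

The point of the shadow copy at address 16 is that propagation, not the original location, is what makes the paint process show up in the taint graph; byte-granular shadow memory is what lets the tracker follow the password through the browser's own copy and through the DMA transfer without knowing anything about either program's code.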
29. 29
Malware detection
• 42 real-world malware samples
• 56 benign applications were tested
• Only 3 false positives, no false negatives
– 2 from a personal firewall
– 1 from a browser accelerator
30. 30
Summary
• A new system to detect malware
– System-Wide Information Flow
• Taint tracking
– Data access and process tracking
– Taint graphs
• Policies
31. 31
Contributions
• Unified approach to detect and analyze diverse malware
• Designed and developed a functional prototype
• Detected all malware samples
– Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware
32. 32
Weaknesses
• Performance Overhead
– Using Cygwin utilities
– Prototype is not optimized
– Slowdown average is 20 times
– Intended as an offline tool
• Evasive malware
– Time bombs
– Selective keystroke loggers
– Virtual environment detection
33. 33
How to Improve
• Optimize the code
• Automate taint graph analysis and policy implementation
• Virtual environment shielding
– Or switch out of emulated environment
• Implement mentioned improvements
– Unicode conversion: switch case issue