Ce diaporama a bien été signalé.
Le téléchargement de votre SlideShare est en cours. ×

13517398.ppt

Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Prochain SlideShare
ids.ppt
ids.ppt
Chargement dans…3
×

Consultez-les par la suite

1 sur 33 Publicité
Publicité

Plus De Contenu Connexe

Publicité

13517398.ppt

  1. 1. 1 Information Flow Control Nick Feamster CS 6262 Spring 2009
  2. 2. 2 • Denning's axioms • Bell-LaPadula model (BLP) • Biba model Lattice-Based Models
  3. 3. 3 Denning’s Lattice Model < SC, ,  > SC set of security classes SC X SC flow relation (i.e., can- flow)  SC X SC -> SC class-combining operator
  4. 4. 4 Denning’s Axioms < SC, ,  > 1 SC is finite 2  is a partial order on SC 3 SC has a lower bound L such that L  A for all A  SC 4  is a least upper bound (lub) operator on SC
  5. 5. 5 Implications • SC is a universally bounded lattice • there exists a Greatest Lower Bound (glb) operator  (also called meet) • there exists a highest security class H
  6. 6. 6 Lattice Structures Unclassified Confidential Secret Top Secret Hierarchical Classes can-flow reflexive and transitive edges are implied but not shown
  7. 7. 7 Lattice Structures Unclassified Confidential Secret Top Secret can-flow dominance 
  8. 8. 8 Lattice Structures {ARMY, CRYPTO} Compartments and Categories {ARMY } {CRYPTO} {}
  9. 9. 9 Lattices Structures {ARMY, NUCLEAR, CRYPTO} Compartments and Categories {ARMY, NUCLEAR} {ARMY, CRYPTO} {NUCLEAR, CRYPTO} {ARMY} {NUCLEAR} {CRYPTO} {}
  10. 10. 10 Lattice Structures Hierarchical Classes with Compartments TS S {A,B} {} {A} {B} product of 2 lattices is a lattice
  11. 11. 11 Challenges • Implicit information flow – Conditional statements can implicitly leak information • Implementing a system that explicitly controls the flow of information
  12. 12. 12 Static Binding: Run-Time • Objects are statically bound to classes • Can operate either at runtime, or at compile-time • Run-time mechanisms – Each process has a mechanism that specifies the highest class p can write from and the lowest class p can write to
  13. 13. 13 Static Binding: Compile-Time • Certify program at compile-time • Advantages – Security guarantees before execution – Does not affect the execution speed • Disadvantages – Flows not specified by the program cannot be verified – Hardware could malfunction
  14. 14. 14 Static Binding, Run-Time
  15. 15. 15 Dynamic Binding • Objects can dynamically change their classification • One approach: Update the class of an object whenever data flows into it – Nondecreasing class mechanisms – Main problem: requires explicit flow to update the class of an object
  16. 16. 16 Possible Applications • Confinement – No leaking information about confidential processes • Databases – Control information flow for different classes of information in the database • Decoupling right of access from right of control
  17. 17. 17 Taint Tracking
  18. 18. 18 Motivation • Malicious software sneaks onto computers – Collects users’ private information – Causes havoc on Internet • Slows performance • Costs to remove – Reputable vendors violate users’ privacy • Google Desktop • Sony Media Player
  19. 19. 19 Traditional Malware detection • Signature-based – Cannot detect new malware or variants • Heuristics – High false positives – High false negatives
  20. 20. 20 Panorama Approach • Input – Suspicious behavior • Inappropriate data access, stealthfully • Process – Whole-system, fine-grained taint tracking • Marking data – Operating-system-aware taint analysis • What touches the tainted data and how • Output – Taint Graphs • Tracked tainted data
  21. 21. 21 Taint Graph • Information flow that shows the process that accessed the tainted data • Make policies based on Taint Graph • Compare unknown samples against Taint Graph – Automatic – Numerous categories
  22. 22. 22 Taint Graph generation • Similar to a mapped out logic/process tree – Conceptually, horizontal branching • 9 different types of Root taint sources – Text, password, http, https, icmp, ftp, document, and directory • Non-root entries can be – OS objects (processes, modules) – OS resource (such as a file)
  23. 23. 23 Conceptual Structure • Works with closed code – Windows OS – FireFox • Monitors the whole system in a processor emulator • Shadow memory stores taint status of – Each byte of physical memory – CPU’s general purpose registers – Hard disk and network interface buffer
  24. 24. 24 Taint Sources • Test information is inputted and marked as taint source • Inputted from hardware such as – Keyboard – Network interface – Hard disk • Tainting at hardware level – Malware could hook before input reaches the software
  25. 25. 25 Taint Propagation • Monitors CPU instructions and DMA operations dealing with tainted data • OS-Aware taint tracking – Developed a kernel module • Authenticated communications to taint engine
  26. 26. 26 OS-Aware Taint Tracking • Resolving process and module information – Which process does an operation come from? – Module notifier – Tampering? • Mapping file and network information to taints – File system forensics – Mapping connections back to processes
  27. 27. 27 Code Identification • Identifying the code under analysis and its actions – Entire code segment is labeled • Dynamic or Encrypted code is labeled too • A similar method labels trusted code • What does the analysis do about various derivatives of the code – Dynamic generation – Calling trusted code
  28. 28. 28 Three Categorized Behaviors • Anomalous information access – MS Paint accessing passwords • Anomalous information leakage – BHO reporting home about surfed websites • Excessive information access – Repeatedly accessed directory to hide rootkit
  29. 29. 29 Malware detections • 42 real-world malware samples • 56 benign applications were tested • Only 3 false positives, no false negatives – 2 from a personal firewall – 1 from a browser accelerator
  30. 30. 30 Summary • A new system to detect malware – System-Wide Information Flow • Taint tracking – Data access and process tracking – Taint graphs • Policies
  31. 31. 31 Contributions • Unified approach to detect and analyze diverse malware • Designed and developed a functional prototype • Detected all malware samples – Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware
  32. 32. 32 Weaknesses • Performance Overhead – Using Cygwin utilities – Prototype is not optimized – Slowdown average is 20 times – Intended as a offline tool • Evasive malware – Time bombs – Selective keystroke loggers – Virtual environment detection
  33. 33. 33 How to Improve • Optimize the code • Automate taint graph analysis and policy implementation • Virtual environment shielding – Or switch out of emulated environment • Implement mentioned improvements – Unicode conversion- switch case issue

×