This document discusses information flow control and taint tracking as techniques for detecting malware. It describes Denning's lattice model for mandatory access control and how taint tracking works by marking and propagating tainted data through a system. Taint graphs are generated to show information flows, which can then be used to detect anomalous behavior and categorize unknown programs as malicious or benign. The approach was able to detect all tested malware samples with few false positives. Performance overhead and evasive malware are identified as weaknesses.

1. 1
Information Flow Control
Nick Feamster
CS 6262
Spring 2009

2. 2
• Denning's axioms
• Bell-LaPadula model (BLP)
• Biba model
Lattice-Based Models

3. 3
Denning’s Lattice Model
< SC, ,  >
SC set of security classes
SC X SC flow relation (i.e., can-
flow)
 SC X SC -> SC class-combining
operator

4. 4
Denning’s Axioms
< SC, ,  >
1 SC is finite
2  is a partial order on SC
3 SC has a lower bound L such that L  A for all A
 SC
4  is a least upper bound (lub) operator on SC

5. 5
Implications
• SC is a universally bounded lattice
• there exists a Greatest Lower
Bound (glb) operator  (also
called meet)
• there exists a highest security
class H

6. 6
Lattice Structures
Unclassified
Confidential
Secret
Top Secret
Hierarchical
Classes
can-flow
reflexive and
transitive
edges are
implied but not
shown

7. 7
Lattice Structures
Unclassified
Confidential
Secret
Top Secret
can-flow
dominance


8. 8
Lattice Structures
{ARMY, CRYPTO}
Compartments
and Categories
{ARMY } {CRYPTO}
{}

9. 9
Lattices Structures
{ARMY, NUCLEAR, CRYPTO}
Compartments
and Categories
{ARMY, NUCLEAR} {ARMY, CRYPTO} {NUCLEAR, CRYPTO}
{ARMY} {NUCLEAR} {CRYPTO}
{}

10. 10
Lattice Structures
Hierarchical
Classes with
Compartments
TS
S
{A,B}
{}
{A} {B}
product of 2 lattices is a lattice

11. 11
Challenges
• Implicit information flow
– Conditional statements can implicitly leak information
• Implementing a system that explicitly controls
the flow of information

12. 12
Static Binding: Run-Time
• Objects are statically bound to classes
• Can operate either at runtime, or at compile-time
• Run-time mechanisms
– Each process has a mechanism that specifies the
highest class p can write from and the lowest class p
can write to

13. 13
Static Binding: Compile-Time
• Certify program at compile-time
• Advantages
– Security guarantees before execution
– Does not affect the execution speed
• Disadvantages
– Flows not specified by the program cannot be verified
– Hardware could malfunction

14. 14
Static Binding, Run-Time

15. 15
Dynamic Binding
• Objects can dynamically change their
classification
• One approach: Update the class of an object
whenever data flows into it
– Nondecreasing class mechanisms
– Main problem: requires explicit flow to update the
class of an object

16. 16
Possible Applications
• Confinement
– No leaking information about confidential processes
• Databases
– Control information flow for different classes of
information in the database
• Decoupling right of access from right of control

17. 17
Taint Tracking

18. 18
Motivation
• Malicious software sneaks onto computers
– Collects users’ private information
– Causes havoc on Internet
• Slows performance
• Costs to remove
– Reputable vendors violate users’ privacy
• Google Desktop
• Sony Media Player

19. 19
Traditional Malware detection
• Signature-based
– Cannot detect new malware or variants
• Heuristics
– High false positives
– High false negatives

20. 20
Panorama Approach
• Input
– Suspicious behavior
• Inappropriate data access, stealthfully
• Process
– Whole-system, fine-grained taint tracking
• Marking data
– Operating-system-aware taint analysis
• What touches the tainted data and how
• Output
– Taint Graphs
• Tracked tainted data

21. 21
Taint Graph
• Information flow that shows the process that
accessed the tainted data
• Make policies based on Taint Graph
• Compare unknown samples against Taint Graph
– Automatic
– Numerous categories

22. 22
Taint Graph generation
• Similar to a mapped out logic/process tree
– Conceptually, horizontal branching
• 9 different types of Root taint sources
– Text, password, http, https, icmp, ftp, document, and directory
• Non-root entries can be
– OS objects (processes, modules)
– OS resource (such as a file)

23. 23
Conceptual Structure
• Works with closed code
– Windows OS
– FireFox
• Monitors the whole system in a processor emulator
• Shadow memory stores taint status of
– Each byte of physical memory
– CPU’s general purpose registers
– Hard disk and network interface buffer

24. 24
Taint Sources
• Test information is inputted and marked as taint
source
• Inputted from hardware such as
– Keyboard
– Network interface
– Hard disk
• Tainting at hardware level
– Malware could hook before input reaches the
software

25. 25
Taint Propagation
• Monitors CPU instructions and DMA operations
dealing with tainted data
• OS-Aware taint tracking
– Developed a kernel module
• Authenticated communications to taint engine

26. 26
OS-Aware Taint Tracking
• Resolving process and module information
– Which process does an operation come from?
– Module notifier
– Tampering?
• Mapping file and network information to taints
– File system forensics
– Mapping connections back to processes

27. 27
Code Identification
• Identifying the code under analysis and its
actions
– Entire code segment is labeled
• Dynamic or Encrypted code is labeled too
• A similar method labels trusted code
• What does the analysis do about various
derivatives of the code
– Dynamic generation
– Calling trusted code

28. 28
Three Categorized Behaviors
• Anomalous information access
– MS Paint accessing passwords
• Anomalous information leakage
– BHO reporting home about surfed websites
• Excessive information access
– Repeatedly accessed directory to hide rootkit

29. 29
Malware detections
• 42 real-world malware samples
• 56 benign applications were tested
• Only 3 false positives, no false negatives
– 2 from a personal firewall
– 1 from a browser accelerator

30. 30
Summary
• A new system to detect malware
– System-Wide Information Flow
• Taint tracking
– Data access and process tracking
– Taint graphs
• Policies

31. 31
Contributions
• Unified approach to detect and analyze diverse
malware
• Designed and developed a functional prototype
• Detected all malware samples
– Keystroke loggers, password sniffers, packet sniffers,
stealth backdoors, rootkits, and spyware

32. 32
Weaknesses
• Performance Overhead
– Using Cygwin utilities
– Prototype is not optimized
– Slowdown average is 20 times
– Intended as a offline tool
• Evasive malware
– Time bombs
– Selective keystroke loggers
– Virtual environment detection

33. 33
How to Improve
• Optimize the code
• Automate taint graph analysis and policy implementation
• Virtual environment shielding
– Or switch out of emulated environment
• Implement mentioned improvements
– Unicode conversion- switch case issue