The Center for Education and Research in Information Assurance and Security (CERIAS)

Dongyan Xu - Purdue University

OS-Level Taint Analysis for Malware Investigation and Defense

Nov 29, 2006

Download: MP4 Video (Size: 219.5MB)
Watch on YouTube

Abstract

The Internet is facing threats from increasingly stealthy and
sophisticated malware. Recent reports have suggested that new
computer worms and malware deliberately avoid fast massive
propagation. Instead, they lurk in infected machines and inflict
contaminations over time, such as rootkit and backdoor
installation, botnet creation, and data/identity theft. In defense
against Internet malware, the following tasks are critical: (1)
raising timely alerts to trigger a malware investigation, (2)
determining the break-in point of malware, i.e. the vulnerable
software via which the malware initially infiltrates the victim,
and (3) identifying all contaminations inflicted by the malware
during its residence in the victim. In this talk, I will present
Process Coloring, an information flow-preserving, provenance-aware
approach to malware investigation. In particular, I will
demonstrate that through the preservation and tainting of malware
break-in provenance along OS-level information flows, malware
investigators will be able to improve the efficiency and
effectiveness of existing log-based intrusion investigation tools.
Furthermore, process coloring brings the new capability of runtime
malware alert, which cannot be achieved by existing log-based
tools. I will also present results of our experiments with a
number of real-world Internet worms as well as a highly
tamper-resistant implementation of process coloring using
virtualization-based techniques.
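As an added illustration (not code from the talk or from the Process Coloring project), the following toy simulation shows the three tasks the abstract lists: seeding each network-facing service with a color, propagating colors along OS-level flow events (fork, file write, file read), raising a runtime alert when a color reaches a sensitive file it should not, and then reading the break-in point and the contamination set off the colors. The event trace, process ids, service colors and the alert policy are all constructed assumptions.

```python
from collections import defaultdict

# Constructed OS-level event trace (not from the talk), in kernel order.
# ("spawn", parent, child) / ("write", pid, path) / ("read", pid, path)
EVENTS = [
    ("spawn", 100, 101),            # httpd forks a worker
    ("spawn", 200, 201),            # sshd forks a login session
    ("spawn", 101, 300),            # worker spawns a shell: the break-in
    ("write", 300, "/tmp/dropper"), # shell drops a payload
    ("spawn", 300, 301),
    ("read", 301, "/tmp/dropper"),
    ("write", 301, "/etc/passwd"),  # contamination of a sensitive file
    ("read", 201, "/etc/passwd"),   # unrelated session now carries the taint
]

# Each network-facing service is seeded with its own color (its provenance).
SERVICE_COLORS = {100: "web", 200: "ssh"}
# Hypothetical runtime-alert policy: which colors may legitimately write
# a sensitive path. Any other color reaching it raises an alert.
POLICY = {"/etc/passwd": {"ssh"}}


def color_trace(events, service_colors, policy):
    """Propagate colors along the flow events; return (colors, alerts)."""
    colors = defaultdict(set)  # pid or path -> set of colors it carries
    for pid, c in service_colors.items():
        colors[pid].add(c)
    alerts = []
    for op, src, dst in events:
        if op in ("spawn", "write"):     # parent -> child, process -> file
            colors[dst] |= colors[src]
            if op == "write" and dst in policy:
                bad = colors[src] - policy[dst]
                if bad:
                    alerts.append((src, dst, sorted(bad)))
        elif op == "read":               # file -> process
            colors[src] |= colors[dst]
    return dict(colors), alerts


def break_in_points(colors, obj):
    """Colors on a contaminated object name the service(s) it came through."""
    return sorted(colors.get(obj, set()))


def contaminations(colors, color, service_colors):
    """Every process and file the color reached, except the seed service."""
    return sorted((k for k, cs in colors.items()
                   if color in cs and k not in service_colors), key=str)
```

Note that the color alone cannot separate the legitimate httpd worker (pid 101) from the malicious shell it spawned; the color narrows the log an investigator must read, it does not replace it.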

About the Speaker

Dongyan Xu is an assistant professor of computer science at Purdue
University. He received his Ph.D. in computer science from the
University of Illinois at Urbana-Champaign in 2001. His current
research focuses on virtualization technologies and their
applications to malware defense on the Internet and virtual
distributed computing in the cyberinfrastructure.
