OS-Level Taint Analysis for Malware Investigation and Defense

Dongyan Xu - Purdue University

Nov 29, 2006

Abstract

The Internet is facing threats from increasingly stealthy and
sophisticated malware. Recent reports have suggested that new
computer worms and malware deliberately avoid fast massive
propagation. Instead, they lurk in infected machines and inflict
contaminations over time, such as rootkit and backdoor
installation, botnet creation, and data/identity theft. In defense
against Internet malware, the following tasks are critical: (1)
raising timely alerts to trigger a malware investigation, (2)
determining the break-in point of malware, i.e. the vulnerable
software via which the malware initially infiltrates the victim,
and (3) identifying all contaminations inflicted by the malware
during its residence in the victim. In this talk, I will present
Process Coloring, an information flow-preserving, provenance-aware
approach to malware investigation. In particular, I will
demonstrate that through the preservation and tainting of malware
break-in provenance along OS-level information flows, malware
investigators will be able to improve the efficiency and
effectiveness of existing log-based intrusion investigation tools.
Furthermore, process coloring brings the new capability of runtime
malware alert, which cannot be achieved by existing log-based
tools. I will also present results of our experiments with a
number of real-world Internet worms as well as a highly
tamper-resistant implementation of process coloring using
virtualization-based techniques.
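As an added illustration (not code from the talk or from the Process Coloring project), the toy below propagates per-service "colours" along a constructed trace of OS-level events (process start, fork/exec, file write, file read), so that a contaminated file can be traced back to the service through which it was produced and a write to a sensitive path by a coloured process raises a runtime alert. The event vocabulary, the trace, the sensitive-path list and the alert rule are all assumptions made here, not the talk's actual mechanism.

```python
"""Toy process-colouring simulation over a constructed OS event trace.
Hypothetical: event names, colours, paths and the alert rule are made up here."""
from collections import defaultdict

# Constructed trace of (event, subject, object); not taken from the talk.
# "start" assigns a colour to a network-facing service when it is launched.
TRACE = [
    ("start", "httpd", "web"),                   # web server coloured 'web'
    ("start", "sshd", "ssh"),                    # ssh daemon coloured 'ssh'
    ("fork", "httpd", "sh"),                     # child inherits parent's colours
    ("write", "sh", "/tmp/x"),                   # file absorbs writer's colours
    ("fork", "sshd", "bash"),                    # unrelated admin session
    ("read", "bash", "/tmp/x"),                  # reader absorbs file's colours
    ("exec", "sh", "payload"),                   # exec keeps the colours
    ("write", "payload", "/etc/ld.so.preload"),  # sensitive system path
]

# Assumed list of paths whose modification by a coloured process is alarming.
SENSITIVE = {"/etc/ld.so.preload", "/etc/passwd"}


def propagate(trace, sensitive=SENSITIVE):
    """Return (process colours, file colours, contaminations per colour, alerts)."""
    proc = defaultdict(set)            # process name -> set of colours
    files = defaultdict(set)           # path -> set of colours
    contaminations = defaultdict(list)  # colour -> paths written under it
    alerts = []                        # (process, path, colours) raised at runtime
    for ev, subj, obj in trace:
        if ev == "start":
            proc[subj].add(obj)
        elif ev in ("fork", "exec"):
            proc[obj] |= proc[subj]    # information flow parent -> child
        elif ev == "write":
            files[obj] |= proc[subj]   # information flow process -> file
            for colour in proc[subj]:
                contaminations[colour].append(obj)
            if obj in sensitive and proc[subj]:
                alerts.append((subj, obj, frozenset(proc[subj])))
        elif ev == "read":
            proc[subj] |= files[obj]   # information flow file -> process
    return dict(proc), dict(files), dict(contaminations), alerts


def break_in_point(files, path):
    """Colours on a contaminated file name the service the malware came in through."""
    return set(files.get(path, set()))
```

Running `propagate(TRACE)` attributes both `/tmp/x` and `/etc/ld.so.preload` to the `web` colour, shows `bash` picking up `web` by reading the dropped file, and raises a single alert for the sensitive write.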

About the Speaker

Dongyan Xu is an assistant professor of computer science at Purdue
University. He received his Ph.D. in computer science from the
University of Illinois at Urbana-Champaign in 2001. His current
research focuses on virtualization technologies and their
applications to malware defense on the Internet and virtual
distributed computing in the cyberinfrastructure.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

© 1999-2013 Purdue University. All rights reserved.

Use/Reuse Guidelines

CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.