CERIAS - Center for Education and Research in Information Assurance and Security


OS-Level Taint Analysis for Malware Investigation and Defense

Dongyan Xu - Purdue University

Nov 29, 2006

Size: 219.5MB

Download: MP4 Video. Also available to watch in your browser or on YouTube.

Abstract

The Internet is facing threats from increasingly stealthy and
sophisticated malware. Recent reports have suggested that new
computer worms and malware deliberately avoid fast massive
propagation. Instead, they lurk in infected machines and inflict
contaminations over time, such as rootkit and backdoor
installation, botnet creation, and data/identity theft. In defense
against Internet malware, the following tasks are critical: (1)
raising timely alerts to trigger a malware investigation, (2)
determining the break-in point of malware, i.e. the vulnerable
software via which the malware initially infiltrates the victim,
and (3) identifying all contaminations inflicted by the malware
during its residence in the victim. In this talk, I will present
Process Coloring, an information flow-preserving, provenance-aware
approach to malware investigation. In particular, I will
demonstrate that through the preservation and tainting of malware
break-in provenance along OS-level information flows, malware
investigators will be able to improve the efficiency and
effectiveness of existing log-based intrusion investigation tools.
Furthermore, process coloring brings the new capability of runtime
malware alert, which cannot be achieved by existing log-based
tools. I will also present results of our experiments with a
number of real-world Internet worms as well as a highly
tamper-resistant implementation of process coloring using
virtualization-based techniques.
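A toy simulation of the coloring idea described above, added here as an illustration and not code from the talk or from the Process Coloring system: each network-facing service receives a distinct color at startup, colors propagate along a constructed event log of fork/read/write operations, a write by a colored process into a protected path raises a runtime alert, and the alert's color names the break-in service and every process and file carrying the same color. Service names, PIDs, paths and the protected-path policy are all constructed.

```python
"""Toy OS-level process coloring: provenance tainting along information flows."""
from collections import defaultdict

# Constructed: each network-facing service is colored when it starts.
SERVICE_COLORS = {"httpd": "red", "sshd": "blue"}
PROTECTED_PREFIXES = ("/bin/", "/etc/")   # constructed runtime-alert policy

def color_trace(events):
    """Propagate colors over an event log of tuples:
    ("start", pid, name), ("fork", parent, child),
    ("write", pid, path), ("read", pid, path).
    Returns (process colors, file colors, alerts)."""
    proc = defaultdict(set)    # pid  -> colors the process carries
    files = defaultdict(set)   # path -> colors written into the file
    alerts = []
    for ev in events:
        op = ev[0]
        if op == "start":
            _, pid, name = ev
            if name in SERVICE_COLORS:
                proc[pid].add(SERVICE_COLORS[name])
        elif op == "fork":
            _, parent, child = ev
            proc[child] |= proc[parent]          # child inherits parent's colors
        elif op == "write":
            _, pid, path = ev
            files[path] |= proc[pid]             # file records the writer's colors
            if proc[pid] and path.startswith(PROTECTED_PREFIXES):
                alerts.append((pid, path, frozenset(proc[pid])))
        elif op == "read":
            _, pid, path = ev
            proc[pid] |= files[path]             # reader inherits the file's colors
    return proc, files, alerts

def investigate(color, proc, files):
    """Map an alert color back to its break-in service and list every contamination."""
    service = next(n for n, c in SERVICE_COLORS.items() if c == color)
    tainted_procs = sorted(p for p, cs in proc.items() if color in cs)
    tainted_files = sorted(p for p, cs in files.items() if color in cs)
    return service, tainted_procs, tainted_files

# Constructed log: a worm enters via httpd, drops a payload, an unrelated
# process reads it and then overwrites a system binary.
EVENTS = [
    ("start", 100, "httpd"), ("start", 200, "sshd"),
    ("fork", 100, 101), ("write", 101, "/tmp/payload"),
    ("start", 300, "cron"), ("read", 300, "/tmp/payload"), ("write", 300, "/bin/ls"),
    ("fork", 200, 201), ("write", 201, "/home/u/notes"),
]
```

Running `color_trace(EVENTS)` flags the write to `/bin/ls` by PID 300, and `investigate("red", ...)` traces it back to httpd along with PIDs 100, 101, 300 and both tainted files, while sshd's blue activity is left out of the picture.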

About the Speaker

Dongyan Xu is an assistant professor of computer science at Purdue
University. He received his Ph.D. in computer science from the
University of Illinois at Urbana-Champaign in 2001. His current
research focuses on virtualization technologies and their
applications to malware defense on the Internet and virtual
distributed computing in the cyberinfrastructure.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.