Dongyan Xu - Purdue University

Nov 29, 2006

"OS-Level Taint Analysis for Malware Investigation and Defense"


The Internet is facing threats from increasingly stealthy and
sophisticated malware. Recent reports have suggested that new
computer worms and malware deliberately avoid fast massive
propagation. Instead, they lurk in infected machines and inflict
contaminations over time, such as rootkit and backdoor
installation, botnet creation, and data/identity theft. In defense
against Internet malware, the following tasks are critical: (1)
raising timely alerts to trigger a malware investigation, (2)
determining the break-in point of malware, i.e. the vulnerable
software via which the malware initially infiltrates the victim,
and (3) identifying all contaminations inflicted by the malware
during its residence in the victim. In this talk, I will present
Process Coloring, an information flow-preserving, provenance-aware
approach to malware investigation. In particular, I will
demonstrate that through the preservation and tainting of malware
break-in provenance along OS-level information flows, malware
investigators will be able to improve the efficiency and
effectiveness of existing log-based intrusion investigation tools.
Furthermore, process coloring brings the new capability of runtime
malware alert, which cannot be achieved by existing log-based
tools. I will also present results of our experiments with a
number of real-world Internet worms as well as a highly
tamper-resistant implementation of process coloring using
virtualization-based techniques.
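The mechanism described in the abstract, as an added example that is not code from the talk or from the Process Coloring project: each remotely reachable service process is given a distinct color at start-up, the color is inherited across process creation, written into files the process modifies, and picked up again by any process that later reads those files. With provenance preserved this way, task (2) becomes a lookup of the colors on a contaminated file, task (3) a sweep for everything carrying a given color, and a log-based tool can filter its event log to the entries that carry that color. The alert policy (a colored process modifying a path from a constructed "sensitive" set) is an assumption made for the example, not the rule the talk describes; pids, colors and paths are constructed.

```python
"""Toy simulation of OS-level taint propagation in the style of process coloring.

Constructed example: colors are assigned to network-facing services at
start-up, inherited across fork, carried by files on write, and picked up
again on read. Not the project's implementation; the alert rule is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ColorSystem:
    # pid -> colors carried by the process (its break-in provenance)
    proc_colors: dict = field(default_factory=lambda: defaultdict(set))
    # path -> colors carried by the file
    file_colors: dict = field(default_factory=lambda: defaultdict(set))
    # assumed alert policy: a colored write to one of these paths is suspicious
    sensitive_paths: frozenset = frozenset()
    alerts: list = field(default_factory=list)
    log: list = field(default_factory=list)  # (event, subject, object, colors)

    def start_service(self, pid, color):
        """Give a remotely reachable service its own color: a potential break-in point."""
        self.proc_colors[pid].add(color)

    def fork(self, parent, child):
        """Process creation: the child inherits every color of its parent."""
        self.proc_colors[child] |= self.proc_colors[parent]
        self.log.append(("fork", parent, child, frozenset(self.proc_colors[child])))

    def write(self, pid, path):
        """File write: the file takes on the writer's colors; colored writes to sensitive paths alert."""
        colors = self.proc_colors[pid]
        self.file_colors[path] |= colors
        self.log.append(("write", pid, path, frozenset(colors)))
        if colors and path in self.sensitive_paths:
            self.alerts.append((pid, path, frozenset(colors)))

    def read(self, pid, path):
        """File read: the reader takes on the file's colors."""
        self.proc_colors[pid] |= self.file_colors[path]
        self.log.append(("read", pid, path, frozenset(self.proc_colors[pid])))

    def break_in_points(self, path):
        """Task (2): the services whose colors reached this contaminated file."""
        return set(self.file_colors.get(path, set()))

    def contaminations(self, color):
        """Task (3): every process and file carrying the given color."""
        procs = {p for p, c in self.proc_colors.items() if color in c}
        files = {f for f, c in self.file_colors.items() if color in c}
        return procs, files

    def colored_log(self, color):
        """Log entries that carry the color: the slice a log-based investigation tool needs."""
        return [e for e in self.log if color in e[3]]


def run_scenario():
    """Constructed timeline: a web service is compromised, a local job touches its output."""
    cs = ColorSystem(sensitive_paths=frozenset({"/etc/passwd", "/etc/rc.local"}))
    cs.start_service(100, "httpd")
    cs.start_service(200, "sshd")
    cs.fork(100, 101)                  # httpd worker inherits color "httpd"
    cs.write(101, "/tmp/payload")      # worker drops a file: file colored "httpd"
    cs.fork(101, 102)                  # worker spawns a child: still "httpd"
    cs.write(102, "/etc/rc.local")     # colored write to a sensitive path -> alert
    cs.read(102, "/tmp/payload")
    cs.write(200, "/var/log/auth.log") # sshd activity stays under its own color
    cs.write(300, "/tmp/cron.out")     # uncolored local job: no provenance, no alert
    cs.read(300, "/tmp/payload")       # local job now carries "httpd" too
    return cs


if __name__ == "__main__":
    cs = run_scenario()
    print("break-in point for /etc/rc.local:", cs.break_in_points("/etc/rc.local"))
    print("httpd contaminations:", cs.contaminations("httpd"))
    print("alerts:", cs.alerts)
```

Running the scenario reports `httpd` as the break-in point for `/etc/rc.local`, lists pids 100, 101, 102 and 300 plus the two written files as the `httpd` contaminations, leaves `sshd` activity untouched, and raises exactly one alert at the moment of the sensitive write rather than after the fact.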

About the Speaker

Dongyan Xu is an assistant professor of computer science at Purdue
University. He received his Ph.D. in computer science from the
University of Illinois at Urbana-Champaign in 2001. His current
research focuses on virtualization technologies and their
applications to malware defense on the Internet and virtual
distributed computing in the cyberinfrastructure.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52 (Suite 050B), West Lafayette Campus. More information...