Page 1: Information Flow Control
Nick Feamster, CS 6262
Spring 2009

Page 2: Lattice-Based Models
• Denning's axioms
• Bell-LaPadula model (BLP)
• Biba model

Page 3: Denning's Lattice Model
A triple consisting of SC, a flow relation, and a class-combining operator:
• SC: the set of security classes
• flow relation on SC × SC (i.e., can-flow)
• class-combining operator: SC × SC → SC

Page 4: Denning's Axioms
For the triple of SC, the flow relation, and the class-combining operator:
1. SC is finite
2. The flow relation is a partial order on SC
3. SC has a lower bound L such that L can-flow A for all A in SC
4. The class-combining operator is a least upper bound (lub) operator on SC

Page 5: Implications
• SC is a universally bounded lattice
• There exists a greatest lower bound (glb) operator (also called meet)
• There exists a highest security class H

Page 6: Lattice Structures (Hierarchical Classes)
Unclassified
Confidential
Secret
Top Secret
The figure's can-flow edges run from each class to the next higher one; reflexive and transitive edges are implied but not shown.

Page 7: Lattice Structures (Hierarchical Classes)
Unclassified
Confidential
Secret
Top Secret
For hierarchical classes, can-flow is the dominance relation: information can flow from a class to every class that dominates it.

Page 8: Lattice Structures (Compartments and Categories)
Subsets of {ARMY, CRYPTO} ordered by inclusion, top to bottom:
{ARMY, CRYPTO}
{ARMY}   {CRYPTO}
{}

Page 9: Lattice Structures (Compartments and Categories)
Subsets of {ARMY, NUCLEAR, CRYPTO} ordered by inclusion, top to bottom:
{ARMY, NUCLEAR, CRYPTO}
{ARMY, NUCLEAR}   {ARMY, CRYPTO}   {NUCLEAR, CRYPTO}
{ARMY}   {NUCLEAR}   {CRYPTO}
{}

Page 10: Lattice Structures (Hierarchical Classes with Compartments)
Hierarchical classes: TS, S
Compartments: {A, B} above {A}, {B}, above {}
The product of 2 lattices is a lattice.
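As an added worked example (not from the slides), the product lattice of pages 6 to 10 in Python: a security class is a (level, compartment set) pair, can-flow is dominance, and the four axioms of page 4 are checked exhaustively over the finite SC. The names `LEVELS`, `COMPARTMENTS`, `RANK` and the function names are assumptions of this example.

```python
from itertools import combinations

# Denning's lattice built as the product of the hierarchical classes
# (page 6) and the compartment lattice (pages 8-9); page 10 notes that
# the product of two lattices is a lattice. A class is (level, compartments).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
COMPARTMENTS = ["ARMY", "NUCLEAR", "CRYPTO"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# SC: every (level, compartment-set) pair, a finite set (axiom 1).
SC = [(lvl, frozenset(c)) for lvl in LEVELS
      for r in range(len(COMPARTMENTS) + 1)
      for c in combinations(COMPARTMENTS, r)]
LOW = ("Unclassified", frozenset())              # lower bound L (axiom 3)
HIGH = ("Top Secret", frozenset(COMPARTMENTS))   # highest class H (page 5)

def can_flow(a, b):
    """Flow relation (dominance): a can-flow b iff b's level is at least
    a's and b's compartments include all of a's."""
    return RANK[a[0]] <= RANK[b[0]] and a[1] <= b[1]

def lub(a, b):
    """Class-combining operator: least upper bound (join)."""
    return (max(a[0], b[0], key=RANK.get), a[1] | b[1])

def glb(a, b):
    """Greatest lower bound (meet), whose existence page 5 derives."""
    return (min(a[0], b[0], key=RANK.get), a[1] & b[1])

def check_axioms(sc=SC):
    """Verify Denning's four axioms by exhaustive check over the finite SC."""
    finite = len(sc) == len(LEVELS) * 2 ** len(COMPARTMENTS)
    reflexive = all(can_flow(a, a) for a in sc)
    antisymmetric = all(a == b or not (can_flow(a, b) and can_flow(b, a))
                        for a in sc for b in sc)
    transitive = all(can_flow(a, c) or not (can_flow(a, b) and can_flow(b, c))
                     for a in sc for b in sc for c in sc)
    has_lower_bound = all(can_flow(LOW, a) for a in sc)
    # lub(a, b) is an upper bound of both and flows to every other upper bound
    lub_ok = all(can_flow(a, lub(a, b)) and can_flow(b, lub(a, b)) and
                 all(can_flow(lub(a, b), d) for d in sc
                     if can_flow(a, d) and can_flow(b, d))
                 for a in sc for b in sc)
    return {"1 finite": finite,
            "2 partial order": reflexive and antisymmetric and transitive,
            "3 lower bound": has_lower_bound,
            "4 lub operator": lub_ok}
```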

Page 11: Challenges
• Implicit information flow
  – Conditional statements can implicitly leak information
• Implementing a system that explicitly controls the flow of information

Page 12: Static Binding: Run-Time
• Objects are statically bound to classes
• Can operate either at runtime or at compile-time
• Run-time mechanisms
  – Each process p has a mechanism that specifies the highest class p can write from and the lowest class p can write to

Page 13: Static Binding: Compile-Time
• Certify program at compile-time
• Advantages
  – Security guarantees before execution
  – Does not affect the execution speed
• Disadvantages
  – Flows not specified by the program cannot be verified
  – Hardware could malfunction

Page 14: Static Binding, Run-Time

Page 15: Dynamic Binding
• Objects can dynamically change their classification
• One approach: update the class of an object whenever data flows into it
  – Nondecreasing class mechanisms
  – Main problem: requires explicit flow to update the class of an object
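Added example code, not from the slides, illustrating pages 11, 13 and 15 together: a dynamic nondecreasing-class store that tracks explicit flows but misses the implicit flow through a conditional, next to a compile-time certification that rejects the same program before it runs. The statement encoding and all names are assumptions of this example.

```python
# Hierarchical classes from page 6 and their class-combining operator.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def lub(a, b):
    return a if RANK[a] >= RANK[b] else b

class DynamicStore:
    """Dynamic binding (page 15): on every explicit assignment the target's
    class is raised to lub(old class, source class) and never lowered."""
    def __init__(self):
        self.val, self.cls = {}, {}
    def assign(self, dst, value, src_cls):
        self.val[dst] = value
        self.cls[dst] = lub(self.cls.get(dst, "Unclassified"), src_cls)

def run_dynamic(secret_bit):
    """Run `leak = 0; if secret == 1: leak = 1` under dynamic binding.
    Both assignments to `leak` carry public constants, so its class stays
    Unclassified although its value now equals `secret` (page 11)."""
    st = DynamicStore()
    st.assign("secret", secret_bit, "Secret")
    st.assign("leak", 0, "Unclassified")
    if st.val["secret"] == 1:          # implicit flow through the condition
        st.assign("leak", 1, "Unclassified")
    return st.val["leak"], st.cls["leak"]

# Compile-time certification (page 13) over a tiny statement encoding,
# assumed here: ("assign", dst, src) or ("if", cond_var, body). Any
# variable assigned inside an if must be able to receive the condition's
# class, so the implicit flow above is rejected before execution.
def certify(program, declared, pc="Unclassified"):
    """Return the statements whose flow violates the declared classes."""
    bad = []
    for stmt in program:
        if stmt[0] == "assign":
            _, dst, src = stmt
            src_cls = declared.get(src, "Unclassified")   # literals are public
            if RANK[lub(src_cls, pc)] > RANK[declared[dst]]:
                bad.append(stmt)
        else:
            _, cond, body = stmt
            bad += certify(body, declared, lub(pc, declared[cond]))
    return bad

PROGRAM = [("assign", "leak", "0"),
           ("if", "secret", [("assign", "leak", "1")])]
DECLARED = {"secret": "Secret", "leak": "Unclassified"}
```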

Page 16: Possible Applications
• Confinement
  – No leaking information about confidential processes
• Databases
  – Control information flow for different classes of information in the database
• Decoupling right of access from right of control

Page 17: Taint Tracking

Page 18: Motivation
• Malicious software sneaks onto computers
  – Collects users' private information
  – Causes havoc on the Internet
    • Slows performance
    • Costs to remove
  – Reputable vendors violate users' privacy
    • Google Desktop
    • Sony Media Player

Page 19: Traditional Malware Detection
• Signature-based
  – Cannot detect new malware or variants
• Heuristics
  – High false positives
  – High false negatives

Page 20: Panorama Approach
• Input
  – Suspicious behavior
    • Inappropriate data access, done stealthily
• Process
  – Whole-system, fine-grained taint tracking
    • Marking data
  – Operating-system-aware taint analysis
    • What touches the tainted data and how
• Output
  – Taint graphs
    • Tracked tainted data

Page 21: Taint Graph
• Information flow that shows the process that accessed the tainted data
• Make policies based on the taint graph
• Compare unknown samples against the taint graph
  – Automatic
  – Numerous categories

Page 22: Taint Graph Generation
• Similar to a mapped-out logic/process tree
  – Conceptually, horizontal branching
• 9 different types of root taint sources
  – Text, password, http, https, icmp, ftp, document, and directory
• Non-root entries can be
  – OS objects (processes, modules)
  – OS resources (such as a file)

Page 23: Conceptual Structure
• Works with closed code
  – Windows OS
  – Firefox
• Monitors the whole system in a processor emulator
• Shadow memory stores the taint status of
  – Each byte of physical memory
  – The CPU's general-purpose registers
  – Hard disk and network interface buffers

Page 24: Taint Sources
• Test information is input and marked as a taint source
• Input from hardware such as
  – Keyboard
  – Network interface
  – Hard disk
• Tainting at the hardware level
  – Malware could hook before input reaches the software

Page 25: Taint Propagation
• Monitors CPU instructions and DMA operations dealing with tainted data
• OS-aware taint tracking
  – Developed a kernel module
    • Authenticated communications to the taint engine

Page 26: OS-Aware Taint Tracking
• Resolving process and module information
  – Which process does an operation come from?
  – Module notifier
  – Tampering?
• Mapping file and network information to taints
  – File system forensics
  – Mapping connections back to processes

Page 27: Code Identification
• Identifying the code under analysis and its actions
  – The entire code segment is labeled
    • Dynamic or encrypted code is labeled too
    • A similar method labels trusted code
• What does the analysis do about various derivatives of the code?
  – Dynamic generation
  – Calling trusted code

Page 28: Three Categorized Behaviors
• Anomalous information access
  – MS Paint accessing passwords
• Anomalous information leakage
  – BHO reporting home about surfed websites
• Excessive information access
  – Repeatedly accessed directory to hide a rootkit
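An added example (not Panorama's code) of the mechanism on pages 23 to 28: shadow memory with one taint entry per byte, a hardware-level taint source, byte-for-byte propagation attributed to the acting process, and a policy check over the resulting taint graph. The process names other than MS Paint, the keystroke sample and all function names are constructed for this illustration.

```python
from collections import defaultdict

class TaintMachine:
    """Byte memory plus one shadow entry per byte (page 23) holding the set
    of taint-source labels that reached that byte."""
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.shadow = [frozenset() for _ in range(size)]
        self.graph = defaultdict(set)  # taint graph: source -> {(process, action)}

    def dma_in(self, addr, data, source):
        """Hardware-level taint source (page 24): input is marked on arrival."""
        for i, b in enumerate(data):
            self.mem[addr + i], self.shadow[addr + i] = b, frozenset({source})

    def mov(self, process, dst, src, n):
        """Copy n bytes on behalf of `process`; taint follows the data (page 25)."""
        for i in range(n):
            self.mem[dst + i], self.shadow[dst + i] = self.mem[src + i], self.shadow[src + i]
            self._record(process, self.shadow[src + i], "read")

    def send(self, process, addr, n):
        """Network write: tainted bytes leaving the host are recorded as a leak."""
        labels = frozenset().union(*self.shadow[addr:addr + n])
        self._record(process, labels, "send")
        return labels

    def _record(self, process, labels, action):
        for label in labels:  # OS-aware attribution to a process (page 26)
            self.graph[label].add((process, action))

def violations(graph, policy):
    """Policy check in the style of page 28: `policy` maps a taint source to
    the processes allowed to touch it; returns the (source, process, action)
    triples outside it, i.e. anomalous access or leakage."""
    return sorted((s, p, a) for s, edges in graph.items()
                  for p, a in edges if p not in policy.get(s, set()))

def demo():
    """Constructed scenario: typed password read by the login process
    (allowed), by a paint program (anomalous access) and by a browser helper
    that sends it out (anomalous leakage)."""
    m = TaintMachine()
    m.dma_in(0, b"hunter2", "password")   # constructed sample keystrokes
    m.mov("winlogon.exe", 16, 0, 7)
    m.mov("mspaint.exe", 32, 0, 7)
    m.mov("bho.dll", 48, 0, 7)
    m.send("bho.dll", 48, 7)
    return violations(m.graph, {"password": {"winlogon.exe"}})
```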

Page 29: Malware Detections
• 42 real-world malware samples
• 56 benign applications were tested
• Only 3 false positives, no false negatives
  – 2 from a personal firewall
  – 1 from a browser accelerator

Page 30: Summary
• A new system to detect malware
  – System-wide information flow
• Taint tracking
  – Data access and process tracking
  – Taint graphs
    • Policies

Page 31: Contributions
• Unified approach to detect and analyze diverse malware
• Designed and developed a functional prototype
• Detected all malware samples
  – Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware

Page 32: Weaknesses
• Performance overhead
  – Using Cygwin utilities
  – Prototype is not optimized
  – Average slowdown is 20 times
  – Intended as an offline tool
• Evasive malware
  – Time bombs
  – Selective keystroke loggers
  – Virtual environment detection

Page 33: How to Improve
• Optimize the code
• Automate taint graph analysis and policy implementation
• Virtual environment shielding
  – Or switch out of the emulated environment
• Implement mentioned improvements
  – Unicode conversion
  – switch-case issue