Publication


Featured research published by Ravi Sahita.


Availability, Reliability and Security | 2009

Capturing Information Flow with Concatenated Dynamic Taint Analysis

Hyung Chan Kim; Angelos D. Keromytis; Michael J. Covington; Ravi Sahita

Dynamic taint analysis (DTA) is a technique used for tracking information flow by propagating taint across memory locations during program execution. Most implementations of DTA are based on dynamic binary instrumentation (DBI) frameworks or whole-system emulators/virtual machine monitors. The boundary of information tracking with DBI frameworks is a single process, while system emulators can cover a host, including the OS. Using system emulators, it may be possible to consider taint propagation across multiple processes executing locally, within the emulator. However, there is an increasing need for tracking information flow across single-system boundaries and across the whole enterprise. We describe a proof-of-concept architecture for tracking multiple mixed-information flows among several processes across a distributed enterprise. Our DTA tool is based on PIN, a DBI framework by Intel, and the concatenated DTA processing is realized with per-host flow managers. We have tested our prototype with typical enterprise applications. As a motivating example, we track information leakage due to a SQL injection attack from a web-based database server query. Our work is of an exploratory nature, aiming to expose our early findings and identify areas where additional research is needed in improving usability and performance.


Distributed Systems: Operations and Management | 2007

Mitigating the lying-endpoint problem in virtualized network access frameworks

Ravi Sahita; Uday Savagaonkar; Prashant Dewan; David Durham

Malicious root-kits modify the in-memory state of programs executing on an endpoint to hide themselves from security software. Such attacks negatively affect network-based security frameworks that depend on the trustworthiness of endpoint software. In network access control frameworks this issue is called the lying-endpoint problem, where a compromised endpoint spoofs software integrity reports to render the framework untrustworthy. We present a novel architecture called Virtualization-enabled Integrity Services (VIS) to protect the run-time integrity of network-access software in an untrusted environment. We describe the design of a VIS-protected network access stack, and characterize its performance. We show that a network access stack running on an existing operating system can be protected using VIS with less than 5% overhead, even when each network packet causes protection enforcement.


Insider Attack and Cyber Security | 2008

Towards a Virtualization-enabled Framework for Information Traceability (VFIT)

Ravi Sahita; Uday Savagaonkar

Automated and targeted attacks to steal sensitive information from computers are increasing in frequency along with the stealthiness of these attacks. Tools for generating attacks on existing Information Technology infrastructure are readily available. These attacks can easily evade detection by today's countermeasures. Information theft is thus an important threat vector for networked communities where sensitive information is exchanged with partners in different administrative domains, with dissimilar security policies and configurations. The combination of disparately managed networks, the ability to store information offline, and remote access functionality complicates the enforcement of information security policies. We tackle the issue of protecting sensitive information by applying a system-integrity and information-auditing perspective. We believe this is the first step towards mitigating insider abuse of data-use privileges. We present a Virtualization-enabled Framework for Information Traceability (VFIT) to prevent unauthorized handling of sensitive information. We show that the hardware platform on which information is created, transformed and stored is a key enforcement point to provide accountable information flow. We describe the application of our previous work on Virtualization-enabled Integrity Services (VIS) to implement VFIT. Our approach is data-centric and provides a mechanism that can deterministically audit use of information while it is in use in volatile or non-volatile memory. Using this mechanism, we describe how existing network security mechanisms and our proposed framework can be applied to applications to provide traceability for sensitive information in a distributed system.


IEEE International Workshop on Policies for Distributed Systems and Networks | 2004

Protocol decode based stateful firewall policy definition language

Pankaj N. Parmar; Priya Rajagopal; Ravi Sahita

The policies for thwarting attacks on systems vary greatly in complexity, ranging from simple static firewall rules to complex stateful protocol state machine analysis. As intrusion detection systems are being integrated into firewall solutions, there is a need for a language that can define both firewall policies and system intrusion behavior and exhibit inter-operable traits. This paper presents an XML-based, self-documenting State-Aware Firewall Language (SAFire) that is designed to express the various kinds of firewall and intrusion behavior.


Computer and Communications Security | 2017

POSTER: Semi-supervised Classification for Dynamic Android Malware Detection

Li Chen; Mingwei Zhang; Chih-Yuan Yang; Ravi Sahita

Manually labeling the large number of Android APK samples as benign or as belonging to different malicious families requires tremendous human effort, while it is comparably easy and cheap to obtain a large amount of unlabeled APKs from various sources. Moreover, the fast-paced evolution of Android malware continuously generates derivative and new malware families. These families often contain new signatures, which can escape detection that relies on static analysis. These practical challenges can also cause classical supervised machine learning algorithms to degrade in performance. We propose a framework that uses a model-based semi-supervised (MBSS) classification scheme built on dynamic Android API call logs. The semi-supervised approach efficiently uses the labeled and unlabeled APKs to estimate a finite mixture model of Gaussian distributions via conditional expectation-maximization and efficiently detects malware during out-of-sample testing. We compare MBSS with popular malware detection classifiers such as support vector machine (SVM), k-nearest neighbor (kNN) and linear discriminant analysis (LDA). Under the ideal classification setting, MBSS has competitive performance with 98% accuracy and a very low false positive rate for in-sample classification. For out-of-sample testing, the out-of-sample test data exhibit similar behavior of retrieving phone information and sending it to the network, compared with the in-sample training set. When this similarity is strong, MBSS and SVM with a linear kernel maintain a 90% detection rate while kNN and LDA suffer great performance degradation. When this similarity is slightly weaker, all classifiers degrade in performance, but MBSS still performs significantly better than the other classifiers.


Archive | 2004

Techniques for self-isolation of networked devices

David Durham; Ravi Sahita; Priya Rajagopal; James P. Kardach; Scott Hahn; Raj Yavatkar


Archive | 2003

Methods and systems for managing security policies

Hong C. Li; Ravi Sahita; Satyendra Yadav


RFC | 2003

Differentiated Services Quality of Service Policy Information Base

Kwok-Ho Chan; Ravi Sahita; Scott Hahn; Keith McCloghrie


Archive | 2007

Providing protected access to critical memory regions

Uday Savagaonkar; Priya Rajagopal; Ravi Sahita; Hormuzd M. Khosravi


Archive | 2003

State-transition based network intrusion detection

Ravi Sahita
