
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. Authors: Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Publication: ACM Conference on Computer and Communications Security, 2007. Presenter: Brad Mundt for CAP6133 Spring '08.


Presentation Transcript


  1. Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Publication: ACM Conference on Computer and Communications Security, 2007 Presenter: Brad Mundt for CAP6133 Spring '08

  2. Motivation • Malicious software sneaks onto computers • Collects users' private information • Causes havoc on the Internet • Slows performance • Costs money to remove • Even reputable vendors violate users' privacy • Google Desktop • Sony Media Player

  3. Traditional Malware detection • Signature-based • Cannot detect new malware or variants • Heuristics • High false positives • High false negatives

  4. The Panorama way • Input • Suspicious behavior: inappropriate, stealthy access to sensitive data • Process • Whole-system, fine-grained taint tracking • Mark sensitive input data as taint sources • Operating-system-aware taint analysis • What touches the tainted data, and how • Output • Taint graphs • Tracked tainted data

  5. Taint Graph • Information-flow graph showing which processes and OS objects accessed the tainted data • Policies are defined over the taint graph • Unknown samples are compared against the policies • Automatic • Numerous categories of malware covered

  6. Taint Graph example

  7. Taint Graph generation • Similar to a mapped-out logic/process tree • Conceptually, horizontal branching • Nine types of root taint sources, including text, password, HTTP, HTTPS, ICMP, FTP, document, and directory • Non-root entries can be • OS objects (processes, modules) • OS resources (such as a file)

  8. System Overview

  9. Conceptual Structure • Works on closed-source code (no source needed) • Windows OS • Firefox • Monitors the whole system from inside a processor emulator • Shadow memory stores the taint status of • Each byte of physical memory • CPU's general-purpose registers • Hard disk and network interface buffers

  10. Taint Sources • Test input is entered and marked as a taint source • Input arrives from hardware such as • Keyboard • Network interface • Hard disk • Tainting happens at the hardware level • Otherwise malware could hook the input before it reaches the software layer where it would be marked

  11. Taint propagation • Monitors CPU instructions and DMA operations that handle tainted data • OS-aware taint tracking • A kernel module in the guest reports OS-level information (processes, modules, files) • Authenticated communication from the module to the taint engine

  12. Code identification • Identifying the code under analysis and its actions • Entire code segment is labeled • Dynamically generated or decrypted code is labeled too • A similar method labels trusted code

  13. Three categorized behaviors • Anomalous information access • e.g., MS Paint accessing passwords • Anomalous information leakage • e.g., a BHO (browser helper object) reporting surfed websites back home • Excessive information access • e.g., a rootkit repeatedly accessing a directory to hide itself
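The pipeline of slides 9 through 13 (shadow memory holding a taint label per byte and register, propagation through loads, stores and table lookups, OS-aware attribution of each access to a process, taint-graph edges, and the three behaviour categories as policies) as an added toy model in Python. This is example code written for this page, not Panorama's implementation, which instruments a processor emulator running a real Windows guest. The process names, addresses, the ALLOWED table, the leakage exemption and the threshold are constructed assumptions. The `load_indexed` method also carries taint from a tainted index register through a lookup table, the case the "How to Improve" slide flags under Unicode conversion.

```python
from collections import defaultdict

# Constructed policy, not Panorama's: which process may read each root taint source.
# Labels absent from ALLOWED (e.g. "directory") are not treated as secrets.
ALLOWED = {
    "password": {"winlogon"},   # only the logon process may read typed passwords
    "http": {"firefox"},        # only the browser may read received HTTP data
}
LEAK_EXEMPT = {"firefox"}       # processes expected to put tainted data on the wire
EXCESSIVE_THRESHOLD = 10        # assumed limit for "excessive information access"


class Machine:
    """Toy emulator state: every memory byte and register has a shadow taint label."""

    def __init__(self):
        self.mem = defaultdict(int)    # address -> byte value
        self.shadow = {}               # address -> root source label (shadow memory)
        self.regs = defaultdict(int)   # register -> value
        self.rshadow = {}              # register -> root source label
        self.graph = defaultdict(list) # taint graph: label -> [(process, action, object)]

    def _edge(self, label, proc, action, obj):
        """Record that `proc` did `action` on tainted data with root source `label`."""
        if label is not None:
            self.graph[label].append((proc, action, obj))

    # Taint source: bytes are labelled as they arrive from hardware, before any
    # software (and therefore any hook installed by malware) can see them.
    def hw_input(self, label, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.shadow[addr + i] = label

    # mov reg, [addr]: the process owning the instruction is supplied by the
    # OS-aware layer (the guest kernel module in Panorama).
    def load(self, proc, reg, addr):
        self.regs[reg] = self.mem[addr]
        self.rshadow[reg] = self.shadow.get(addr)
        self._edge(self.rshadow[reg], proc, "read", "memory")

    # mov reg, [base + idx]: a table lookup. The result inherits the taint of the
    # index register, otherwise a tainted byte run through a conversion table
    # (e.g. to Unicode) would come out clean and the flow would be lost.
    def load_indexed(self, proc, reg, base, idx_reg):
        addr = base + self.regs[idx_reg]
        self.regs[reg] = self.mem[addr]
        self.rshadow[reg] = self.shadow.get(addr) or self.rshadow.get(idx_reg)
        self._edge(self.rshadow[reg], proc, "read", "table")

    # mov [addr], reg: taint follows the value into memory.
    def store(self, proc, addr, reg):
        self.mem[addr] = self.regs[reg]
        self.shadow[addr] = self.rshadow.get(reg)

    # Network sink: each tainted byte sent becomes a "send" edge for that process.
    def net_send(self, proc, addr, n):
        for a in range(addr, addr + n):
            self._edge(self.shadow.get(a), proc, "send", "network")

    # OS-resource sink reported by the kernel module (e.g. a directory listing).
    def file_read(self, proc, label, name):
        self._edge(label, proc, "read", name)


def check_policies(graph):
    """Apply the three behaviour categories to a taint graph; return sorted alerts."""
    alerts = set()
    counts = defaultdict(int)
    for label, edges in graph.items():
        for proc, action, obj in edges:
            if action == "read" and label in ALLOWED and proc not in ALLOWED[label]:
                alerts.add(f"anomalous access: {proc} read {label}")
            if action == "send" and proc not in LEAK_EXEMPT:
                alerts.add(f"anomalous leakage: {proc} sent {label} to {obj}")
            counts[(proc, label, obj)] += 1
    for (proc, label, obj), n in counts.items():
        if n > EXCESSIVE_THRESHOLD:
            alerts.add(f"excessive access: {proc} touched {label} {obj} {n} times")
    return sorted(alerts)


def demo():
    """Constructed scenario exercising all three categories; returns (machine, alerts)."""
    m = Machine()
    m.hw_input("password", 0x1000, b"hunter2")   # keystrokes from the keyboard
    m.hw_input("http", 0x2000, b"GET /")         # bytes from the network interface
    for i in range(256):                         # identity table standing in for a
        m.mem[0x3000 + i] = i                    # character-conversion table
    m.load("winlogon", "eax", 0x1000)            # legitimate read of the password
    m.load("mspaint", "ebx", 0x1000)             # anomalous information access
    m.load_indexed("mspaint", "ecx", 0x3000, "ebx")  # laundering via table lookup
    m.store("mspaint", 0x4000, "ecx")            # result is still labelled "password"
    m.load("firefox", "edx", 0x2000)             # browser reading its own traffic
    m.net_send("bho", 0x2000, 5)                 # BHO reporting home: leakage
    for _ in range(12):                          # rootkit re-reading a directory
        m.file_read("rootkit", "directory", r"C:\hidden")
    return m, check_policies(m.graph)
```

Run `demo()` and inspect `m.graph` to see the taint graph the policies were evaluated over: each root label maps to the ordered list of process/action/object edges, which is the structure the slides' taint graph depicts. Note that `m.shadow[0x4000]` stays `"password"` only because `load_indexed` propagates the index register's label; drop that `or` clause and the copy written by mspaint becomes invisible to every policy.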

  14. Malware detection results • 42 real-world malware samples • 56 benign applications were tested • Only 3 false positives, no false negatives • 2 from a personal firewall • 1 from a browser accelerator

  15. Summary • A new system to detect malware • System-Wide Information Flow • Taint tracking • Data access and process tracking • Taint graphs • Policies

  16. Contributions • Unified approach to detect and analyze diverse malware • Designed and developed a functional prototype • Detected all malware samples • Keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware

  17. Weaknesses • Performance overhead • Measured with Cygwin utilities • Prototype is not optimized • Average slowdown is 20 times • Intended as an offline tool • Evasive malware • Time bombs • Selective keystroke loggers • Virtual environment detection

  18. How to Improve • Optimize the code • Automate taint graph analysis and policy implementation • Virtual environment shielding • Or switch out of the emulated environment • Implement the improvements mentioned in the paper • Unicode conversion / switch-case table-lookup issue

  19. The End Thank you…
