Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
1 / 39

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation - PowerPoint PPT Presentation

  • Uploaded on

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Process Coloring: An Information Flow-Preserving Approach to Malware Investigation' - sabine

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Eugene Spafford, Dongyan Xu, Ryan Riley

Department of Computer Science and

Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University

Xuxian Jiang

Department of Computer Science

George Mason University

NICIAR Site Visit, West Lafayette, IN, July 25, 2008

Outline Malware Investigation

  • Project overview and Heilmeier Q&A

  • Quarterly update and demo

  • “PC+DDFA” integration

  • Administrative issues

Process coloring pc overview

Log Malware Investigation

Process Coloring (PC) Overview

  • Key idea: propagating and logging application provenance information (“colors”) along OS-level information flows

    • Existing tools only consider direct causality relations without preserving and exploiting application provenance information

Virtual Machine



Text Editor

File Manager

Web Browser

Tax Express


Guest OS

Virtual Machine Monitor (VMM)

Pc usage scenario server side malware attack
PC Usage Scenario: Malware InvestigationServer-Side Malware Attack

Capability 1:

PC malware alert

“No shell process should have the color of Apache”

Initial coloring













  • /etc/shadow

  • Confidential Info



Capability 3:

Color-based log partition for contamination analysis

Local files


Capability 2:

Color-based identification of malware break-in point

Coloring diffusion



Pc usage scenario client side malware attack
PC Usage Scenario: Malware InvestigationClient-Side Malware Attack








Web Browser

PC malware alert

“Web browser and tax colors should never mix”


Tax files


Pc usage scenario client side sensitive data protection
PC Usage Scenario: Malware InvestigationClient-Side Sensitive Data Protection







PC data theft alert

“Tax file should never leave this computer”



Tax files

Date files

Tax files

Data files

This is not as simple as it sounds!

Heilmeier question 1 what are you trying to do
Heilmeier Question 1: Malware InvestigationWhat are you trying to do?

  • Tracking and logging OS-level information flows

    • Being extended to both OS and language levels (“PC+DDFA”)

  • Tainting processes and data with application provenance information (“colors”) for

    • Detecting and investigating malware activities

    • Enforcing sensitive data protection policies

  • Using virtualization for stronger tamper-resistance

    • Taking logging and real-time detection to outside

Heilmeier question 2 how is it done now
Heilmeier Question 2: Malware InvestigationHow is it done now?

  • Information flow tracking at multiple levels

    • OS level

      • Only considering direct causality in each system call

      • No provenance (“color”) tainting and propagation

    • Language level

      • Only tracking information Flow within a program

      • No information flow tracking across programs

    • Instruction level

      • Difficult to understand attack semantics

      • Significant runtime performance overhead

Heilmeier question 3 what s new and why will it succeed
Heilmeier Question 3: Malware InvestigationWhat’s new and why will it succeed?

  • What’s new?

    • Color-based malware alert and sensitive data protection

    • Supporting both on-line detection and off-line forensics

    • Stronger tamper-resistance and non-stop VM operation

    • One of the first to combine OS and language-level information flows

  • Why will it succeed?

    • Practical, deployable system based on classic theory

    • Running prototype showing effectiveness and practicality

    • Technical challenges identified and addressed

    • Attracting external interests (SWRI, Lockheed Martin)

Heilmeier question 4 if successful what difference will it make
Heilmeier Question 4: Malware InvestigationIf successful, what difference will it make?

  • An extensible, system-level framework for attack/violation detection, investigation and recovery

  • Specification and enforcement of log and color-based policies for malware alert and data protection

  • Lower false positive and false negative rates; more timely detection; higher investigation efficiency

  • Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

Heilmeier question 5 your timeline cost and success metrics
Heilmeier Question 5: Malware InvestigationYour timeline, cost and success metrics?

  • Timeline

  • Cost: $xxx,xxx ($xxx,xxx subcontract)

  • Success metrics

    • Accuracy, efficiency and timeliness (more later)





- Basic PC prototype for server-side operation

- PC prototype for client-side operation (“brown problem” solution)

- Set up “living lab” VM for evaluation

- Extensive evaluation

- Design, prototyping and demonstration of “PC+DDFA” integration

  • - Recovery and replay

  • - PC across machines

  • - Data lifetime analysis for data theft defense

Quarterly Update and Demo Malware Investigation

Summary of achievement
Summary of Achievement Malware Investigation

  • Improved sink insulation implementation

  • Cleaned up log management and visualization

  • Set up “living lab” client VM for evaluation

  • Preliminary design for “PC+DDFA”

Color saturation mitigation brown problem

Browser Malware Investigation


Doc Edit


Doc Edit

Color Saturation Mitigation (Brown Problem)

Policy:“Data written by financial application should not be read by applications that can transmit it outside of the system.”

False Alarm




The root cause sink file
The Root Cause: Sink File Malware Investigation

Zoom in view of sink file
Zoom-in View of Sink File Malware Investigation


Sink file insulation
Sink File Insulation Malware Investigation

  • Some files become color sinks

    • Examples:

      • .recently_used

      • .gnome2/accels/evince

      • .gnome2/accels/gedit

  • Color propagated unnecessarily

  • Simply “insulate” these sinks

Result w sink file insulation
Result w/ Sink File Insulation Malware Investigation

Zoom in view
Zoom-in View Malware Investigation


Living lab vm for evaluation
“Living Lab” VM for Evaluation Malware Investigation

  • A Linux VM running on Xen

  • System configuration:

    • 256MB RAM

    • 1.8GHz CPU

    • Connected to the Internet

  • Applications:

    • Firefox

    • OpenOffice

    • Standard GNOME applications

  • To be used daily by Ryan (more users in the Fall)

Living lab vm demo
“Living Lab” VM: Demo Malware Investigation

A live Demo

Evaluation metrics accuracy of alerts
Evaluation Metrics – Accuracy of Alerts Malware Investigation

  • False positive and false negative rates

    • Living lab experiment

      • Specify malware detection and sensitive data protection policies

      • Analyze alerts raised (true or false)

    • Attack injection experiments

      • Specify malware detection and sensitive data protection policies

      • Launch malware instances or sensitive data thefts

      • Count number of instances caught and missed

Evaluation metrics efficiency
Evaluation Metrics - Efficiency Malware Investigation

  • System runtime efficiency

    • Performance of LMBench, UNIXBench and ApacheBench

      • w/ process coloring

      • w/o process coloring

  • Malware investigation efficiency

    • Number of colors in alert-raising log entry

    • Total number of colors in system

    • % of log entries w/ “problematic” color(s)

Evaluation metrics timeliness of alerts
Evaluation Metrics – Timeliness of Alerts Malware Investigation

  • Measure the interval between

    • A malware attack or data protection breach

    • Its detection

  • Duration of interval depending on malware behavior (in-action or dormant)

Technology transfer
Technology Transfer Malware Investigation

  • Within NICECAP Program (ongoing)

    • “PC+DDFA” integration with SWRI/UTexas team

  • To Lockheed Martin (ongoing)

    • Target environment: Virtual honeynet architecture with both server and client VMs

    • PC a good fit for attack detection, monitoring and investigation

    • Effort starting this summer

“PC+DDFA” Integration Malware Investigation

Summary of integration activities
Summary of Integration Activities Malware Investigation

  • Held multiple meetings with SWRI/UTexas team

  • Identified motivating usage scenarios

  • Defined API between PC and DDFA

  • Planned detailed design and implementation

A motivating scenario
A Motivating Scenario Malware Investigation





PCfalse alert

“Sensitive file should never leave this computer”






Date files

Tax files

My photo

File Manager

Sink file insulation doesn’t help…

Pc or ddfa alone cannot solve it
PC or DDFA Alone Cannot Solve It Malware Investigation


 Process-level information flow treating processes as blackboxes

 Overly conservative color tainting

 Color tainting across processes


 Language-level information flow confined within one process

 Not aware of colors across the system

 Fine-grain data flow tracking within a process

Example without pc ddfa integration
Example: Malware InvestigationWithout “PC+DDFA” Integration



File 1

New file

File 2

Example with pc ddfa integration
Example: Malware InvestigationWith “PC+DDFA” Integration

push_color(new_file, )

File 1

New file

Process (w/ DDFA)

New file

File 2



Process Coloring (Operating System level)

Prototyping plan
Prototyping Plan Malware Investigation

  • SWRI+UTexas

    • Making DDFA color-aware

    • Instrumenting a real-world file manager PCManFM with DDFA capability

  • Purdue

    • Implementing fetch_color()and push_color()in PC

    • Testing instrumented PCManFMin living lab VM

  • To show a joint demo before end of project

Administrative Issues Malware Investigation

1 moving the subcontract
1. Moving the Subcontract Malware Investigation

  • GMU Subcontract PI Xuxian Jiang will move to North Carolina State University in August

  • Remaining balance in subcontract $xx,xxx

  • Seeking approval moving the subcontract to NCSU

2 no cost extension
2. No-cost Extension Malware Investigation

  • Purdue balance as of 7/22/2008: $xxx,xxx.xx

  • Not expected to run out by 12/06/2008

  • Inquiring about possibility of no-cost extension

LSSD Malware Investigation

Process Coloring (PC) For Malware Alert and Investigation- An OS-level Information Flow Preserving Approach


  • Track OS-level information flows

  • Taint processes/data based on their influence between each other

  • Record color(s) in log entries

  • Integrate with intra-process DDFA


  • Color-based malware alert

  • Color-based malware break-in point identification

  • Color-based log partitioning


  • Model process color diffusion in real OS (done)

  • Demonstrate PC prototype in a malware scenario

    • Includes both server (done) and client (done) side solutions

  • Mitigate color saturation effect in malware alert

    • Profiling and visualization (done)

    • Reducing false positives caused by legitimate color mixing (done)

    • Proof-of-concept demo of “PC+DDFA” (Dec.08)

  • Evaluate PC in “living lab” VMs (July.08 – Dec.08)


  • System monitoring and malware (e.g. bots) detection

  • Malware forensics

  • Sensitive data protection

Thank you! Malware Investigation

For more information about the ProcessColoring project: