Information Flow Control


1 Information Flow Control
Nick Feamster, CS 6262, Spring 2009

2 Lattice-Based Models
Denning's axioms
Bell-LaPadula model (BLP)
Biba model

3 Denning's Lattice Model
<SC, →, ⊕>
SC: set of security classes
→ ⊆ SC × SC: flow relation (i.e., can-flow)
⊕: SC × SC → SC: class-combining operator

4 Denning's Axioms
<SC, →, ⊕>
SC is finite
→ is a partial order on SC
SC has a lower bound L such that L → A for all A ∈ SC
⊕ is a least upper bound (lub) operator on SC

5 Implications
SC is a universally bounded lattice
There exists a greatest lower bound (glb) operator ⊗ (also called meet)
There exists a highest security class H

6 Lattice Structures: Hierarchical Classes
[Figure: can-flow relation over the hierarchical classes Top Secret, Secret, Confidential, Unclassified; reflexive and transitive edges are implied but not shown]

7 Lattice Structures
[Figure: the hierarchical classes Top Secret, Secret, Confidential, Unclassified, showing both the dominance relation and the can-flow relation]

8 Lattice Structures: Compartments and Categories
[Figure: lattice of compartment sets, showing {ARMY, CRYPTO}, {ARMY}, {}]

9 Lattice Structures: Compartments and Categories
[Figure: lattice of all subsets of {ARMY, NUCLEAR, CRYPTO}: {ARMY, NUCLEAR, CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; {ARMY}, {NUCLEAR}, {CRYPTO}; {}]

10 Lattice Structures: Hierarchical Classes with Compartments
[Figure: product of the hierarchical lattice (TS, S) and the compartment lattice ({A,B}, {A}, {B}, {})]
The product of two lattices is a lattice

11 Challenges
Implicit information flow: conditional statements can implicitly leak information
Implementing a system that explicitly controls the flow of information

12 Static Binding: Run-Time
Objects are statically bound to classes
Can operate either at run time or at compile time
Run-time mechanisms: each process p has a mechanism that specifies the highest class p can write from and the lowest class p can write to

13 Static Binding: Compile-Time
Certify the program at compile time
Advantages: security guarantees before execution; does not affect execution speed
Disadvantages: flows not specified by the program cannot be verified; hardware could malfunction

14 Static Binding: Run-Time

15 Dynamic Binding
Objects can dynamically change their classification
One approach: update the class of an object whenever data flows into it (nondecreasing class mechanisms)
Main problem: requires an explicit flow to update the class of an object
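A worked example of the product lattice from slides 3-10 and the nondecreasing class update of slide 15, added here and not part of the original slides; the level names and compartments are the ones on the slides, while the function names and the brute-force axiom check are my own:

```python
from itertools import combinations, product
# Constructed example: hierarchical levels (low to high) and compartments from the slides.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
CATEGORIES = ("ARMY", "NUCLEAR", "CRYPTO")

def sc(level, comps=()):
    """A security class in the product lattice: (level, frozenset of compartments)."""
    assert level in RANK and set(comps) <= set(CATEGORIES)
    return (level, frozenset(comps))

def can_flow(a, b):
    """Denning's flow relation a -> b (b dominates a): the level does not
    drop and no compartment is lost. This is the partial order on SC."""
    return RANK[a[0]] <= RANK[b[0]] and a[1] <= b[1]

def join(a, b):
    """Class-combining operator (lub): the lowest class both a and b flow to."""
    return sc(LEVELS[max(RANK[a[0]], RANK[b[0]])], a[1] | b[1])

def meet(a, b):
    """Greatest lower bound (glb): the highest class that flows to both a and b."""
    return sc(LEVELS[min(RANK[a[0]], RANK[b[0]])], a[1] & b[1])

LOW = sc("Unclassified")              # L: flows to every class
HIGH = sc("Top Secret", CATEGORIES)   # H: every class flows to it

def all_classes():
    return [sc(lvl, c) for lvl in LEVELS
            for r in range(len(CATEGORIES) + 1) for c in combinations(CATEGORIES, r)]

def axioms_hold():
    """Brute-force check of Denning's axioms on the finite product lattice
    (transitivity of -> follows from <= on ranks and on subsets)."""
    cs = all_classes()
    if not all(can_flow(LOW, a) and can_flow(a, HIGH) for a in cs):
        return False
    for a, b in product(cs, repeat=2):
        if can_flow(a, b) and can_flow(b, a) and a != b:   # antisymmetry
            return False
        j = join(a, b)
        if not (can_flow(a, j) and can_flow(b, j)):         # j is an upper bound
            return False
        if any(not can_flow(j, u) for u in cs               # ... and the least one
               if can_flow(a, u) and can_flow(b, u)):
            return False
    return True

def dynamic_write(obj_class, src_class):
    """Dynamic binding (slide 15): when data of class src flows into an object,
    the object's class is raised to the lub, so it never decreases."""
    return join(obj_class, src_class)
```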

16 Possible Applications
Confinement: no leaking of information about confidential processes
Databases: control information flow for different classes of information in the database; decoupling the right of access from the right of control

17 Taint Tracking

18 Motivation
Malicious software sneaks onto computers: collects users' private information, causes havoc on the Internet, slows performance, costs money to remove
Reputable vendors violate users' privacy: Google Desktop, Sony Media Player

19 Traditional Malware Detection
Signature-based: cannot detect new malware or variants
Heuristics: high false positives, high false negatives

20 Panorama Approach
Input: suspicious behavior, i.e., inappropriate data access done stealthily
Process: whole-system, fine-grained taint tracking; marking data; operating-system-aware taint analysis (what touches the tainted data and how)
Output: taint graphs; tracked tainted data

21 Taint Graph
Information flow graph that shows the processes that accessed the tainted data
Make policies based on the taint graph
Compare unknown samples against the taint graph: automatic, numerous categories

22 Taint Graph Generation
Similar to a mapped-out logic/process tree; conceptually, horizontal branching
9 different types of root taint sources: text, password, http, https, icmp, ftp, document, and directory
Non-root entries can be OS objects (processes, modules) or OS resources (such as a file)

23 Conceptual Structure
Works with closed code: Windows OS, Firefox
Monitors the whole system in a processor emulator
Shadow memory stores the taint status of each byte of physical memory, the CPU's general-purpose registers, and the hard disk and network interface buffers

24 Taint Sources
Test information is input and marked as a taint source
Input from hardware such as the keyboard, network interface, and hard disk
Tainting at the hardware level, since malware could hook before input reaches the software

25 Taint Propagation
Monitors CPU instructions and DMA operations dealing with tainted data
OS-aware taint tracking: developed a kernel module with authenticated communications to the taint engine

26 OS-Aware Taint Tracking
Resolving process and module information: which process does an operation come from? Module notifier; tampering?
Mapping file and network information to taints: file system forensics; mapping connections back to processes

27 Code Identification
Identifying the code under analysis and its actions: the entire code segment is labeled; dynamic or encrypted code is labeled too
A similar method labels trusted code
What does the analysis do about various derivatives of the code? Dynamic generation; calling trusted code

28 Three Categorized Behaviors
Anomalous information access: MS Paint accessing passwords
Anomalous information leakage: a BHO reporting home about surfed websites
Excessive information access: repeatedly accessed directory to hide a rootkit
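An added toy taint engine illustrating slides 23-28: per-byte shadow memory, hardware-level taint sources, propagation through CPU instructions, a taint graph of which process touched tainted data and how, and one "anomalous information access" policy over that graph. This is not Panorama's code; the instruction set, the process names and the trace are constructed for illustration.

```python
from collections import namedtuple
Edge = namedtuple("Edge", "process op sources")  # taint-graph edge: who, how, which sources

class TaintEngine:
    def __init__(self):
        self.mem = {}    # addr -> frozenset of source labels (absent == clean)
        self.reg = {}    # register -> frozenset of source labels
        self.graph = []  # Edge records in execution order
    def mark_input(self, addr, nbytes, source):
        """Taint source: bytes arriving from hardware get a per-byte label."""
        for a in range(addr, addr + nbytes):
            self.mem[a] = frozenset({source})
    def execute(self, process, instr):
        """Propagate taint through one (op, dst, *srcs) instruction; record an
        edge whenever the process produces or transmits tainted data."""
        op, *args = instr
        clean = frozenset()
        if op == "load":                           # reg <- mem[addr]
            out = self.reg[args[0]] = self.mem.get(args[1], clean)
        elif op == "store":                        # mem[addr] <- reg
            out = self.mem[args[0]] = self.reg.get(args[1], clean)
        elif op == "xor" and args[1] == args[2]:   # xor r,r is a constant zero
            out = self.reg[args[0]] = clean
        elif op in ("add", "xor"):                 # dst <- a op b: union of inputs
            out = self.reg[args[0]] = self.reg.get(args[1], clean) | self.reg.get(args[2], clean)
        elif op == "send":                         # network sink: what leaves the host
            out = self.reg.get(args[0], clean)
        else:
            raise ValueError(f"unknown op {op}")
        if out:
            self.graph.append(Edge(process, op, out))
        return out

def flag_anomalous_access(graph, allowed):
    """Processes that handled taint from a source outside their allowed set
    (the slides' 'MS Paint accessing passwords' category)."""
    return sorted({e.process for e in graph
                   if not e.sources <= allowed.get(e.process, frozenset())})

def keylogger_trace():
    """Constructed trace: keystrokes in a keyboard buffer are copied, encoded
    and sent by one process; another zeroes its register before sending."""
    t = TaintEngine()
    t.mark_input(0x1000, 4, "keyboard")
    for ins in [("load", "eax", 0x1000), ("add", "eax", "eax", "ebx"),
                ("store", 0x2000, "eax"), ("load", "ecx", 0x2000), ("send", "ecx")]:
        t.execute("sample.exe", ins)
    t.execute("mspaint.exe", ("xor", "edx", "edx", "edx"))
    t.execute("mspaint.exe", ("send", "edx"))   # clean register: no edge recorded
    return t
```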

29 Malware Detections
42 real-world malware samples
56 benign applications were tested
Only 3 false positives, no false negatives: 2 from a personal firewall, 1 from a browser accelerator

30 Summary
A new system to detect malware
System-wide information flow: taint tracking; data access and process tracking; taint graphs; policies

31 Contributions
Unified approach to detect and analyze diverse malware
Designed and developed a functional prototype
Detected all malware samples: keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware

32 Weaknesses
Performance overhead: prototype is not optimized; average slowdown is 20 times; intended as an offline tool
Evasive malware: time bombs, selective keystroke loggers, virtual environment detection
Using Cygwin utilities

33 How to Improve
Optimize the code
Automate taint graph analysis and policy implementation
Virtual environment shielding, or switch out of the emulated environment
Implement the mentioned improvements
Unicode conversion: switch-case issue
