Xuxian Jiang, Florian Buchholz, Aaron Walters, Dongyan Xu, Yi-Min Wang, Eugene H. Spafford, "Tracing Worm Break-In and Contaminations via Process Coloring: A Provenance-Preserving Approach," IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 7, pp. 890-902, July 2008. DOI: 10.1109/TPDS.2007.70765

BibTeX:

@article{10.1109/TPDS.2007.70765,
  author    = {Xuxian Jiang and Florian Buchholz and Aaron Walters and Dongyan Xu and Yi-Min Wang and Eugene H. Spafford},
  title     = {Tracing Worm Break-In and Contaminations via Process Coloring: A Provenance-Preserving Approach},
  journal   = {IEEE Transactions on Parallel and Distributed Systems},
  volume    = {19},
  number    = {7},
  issn      = {1045-9219},
  year      = {2008},
  pages     = {890-902},
  doi       = {10.1109/TPDS.2007.70765},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA}
}