The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.02 - March/April (2012 vol.9)
pp: 173-183
Kui Xu , Virginia Tech, Blacksburg
Huijun Xiong , Virginia Tech, Blacksburg
Chehai Wu , AppFolio.com
Deian Stefan , Stanford University, Stanford
Danfeng Yao , Virginia Tech, Blacksburg
ABSTRACT
Malicious software typically resides stealthily on a user's computer and interacts with the user's computing resources. Our goal in this work is to improve the trustworthiness of a host and its system data. Specifically, we provide a new mechanism that ensures the correct origin or provenance of critical system information and prevents adversaries from utilizing host resources. We define data-provenance integrity as the security property stating that the source where a piece of data is generated cannot be spoofed or tampered with. We describe a cryptographic provenance verification approach for ensuring system properties and system-data integrity at kernel-level. Its two concrete applications are demonstrated in the keystroke integrity verification and malicious traffic detection. Specifically, we first design and implement an efficient cryptographic protocol that enforces keystroke integrity by utilizing on-chip Trusted Computing Platform (TPM). The protocol prevents the forgery of fake key events by malware under reasonable assumptions. Then, we demonstrate our provenance verification approach by realizing a lightweight framework for restricting outbound malware traffic. This traffic-monitoring framework helps identify network activities of stealthy malware, and lends itself to a powerful personal firewall for examining all outbound traffic of a host that cannot be bypassed.
INDEX TERMS
Authentication, malware, cryptography, provenance, networking.
CITATION
Kui Xu, Huijun Xiong, Chehai Wu, Deian Stefan, Danfeng Yao, "Data-Provenance Verification For Secure Hosts", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 2, pp. 173-183, March/April 2012, doi:10.1109/TDSC.2011.50
REFERENCES
[1] A. Baliga, V. Ganapathy, and L. Iftode, “Automatic Inference and Enforcement of Kernel Data Structure Invariants,” Proc. 24th Ann. Computer Security Applications Conf. (ACSAC '08), 2008.
[2] A. Baliga, P. Kamat, and L. Iftode, “Lurking in the Shadows: Identifying Systemic Threats to Kernel Data,” Proc. IEEE Symp. Security and Privacy, pp. 246-251, 2007.
[3] B. Blackburn and R. Ranger, Barbara Blackburn, the World's Fastest Typist. 1999.
[4] M. Christodorescu, S. Jha, and C. Kruegel, “Mining Specifications of Malicious Behavior,” Proc. Sixth Joint Meeting of the European Software Eng. Conf. and the ACM SIGSOFT Symp. the Foundations of Software Eng. (ESEC-FSE '07), pp. 5-14, 2007.
[5] W. Cui, R.H. Katz, and W. tian Tan, “Design and Implementation of an Extrusion-Based Break-in Detector for Personal Computers,” Proc. 21st Ann. IEEE Computer Security Applications Conf. (ACSAC '05), pp. 361-370, 2005.
[6] D.E. Denning, “A Lattice Model of Secure Information Flow,” Comm. ACM, vol. 19, pp. 236-243, May 1976.
[7] D.E. Denning and P.J. Denning, “Certification of Programs for Secure Information Flow,” Comm. ACM, vol. 20, pp. 504-513, July 1977.
[8] M. Dhawan and V. Ganapathy, “Analyzing Information Flow in Javascript-Based Browser Extensions,” Proc. Ann. IEEE Computer Security Applications Conf. (ACSAC '09), pp. 382-391, 2009.
[9] A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: Malware Analysis via Hardware Virtualization Extensions,” Proc. 15th ACM Conf. Computer and Comm. Security (CCS '08), pp. 51-62, 2008.
[10] S. Garriss, R. Cáceres, S. Berger, R. Sailer, L. van Doorn, and X. Zhang, “Trustworthy and Personalized Computing on Public Kiosks,” Proc. Sixth Int'l Conf. Mobile Systems, Applications, and Services, pp. 199-210, 2008.
[11] J. Goebel and T. Holz, “Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation,” Proc. First USENIX Workshop Hot Topics in Understanding Botnets, Apr. 2007.
[12] J.B. Grizzard, V. Sharma, C. Nunnery, B.B. Kang, and D. Dagon, “Peer-to-Peer Botnets: Overview and Case Study,” Proc. First USENIX Workshop Hot Topics in Understanding Botnets, Apr. 2007.
[13] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection,” Proc. 17th USENIX Security Symp., 2008.
[14] R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy, “Not-a-Bot: Improving Service Availability in the Face of Botnet Attacks,” Proc. Sixth USENIX Symp. Networked Systems Design and Implementation (NDSI '09), 2009.
[15] M.G. Jaatun, J. Jensen, H. Vegge, F.M. Halvorsen, and R.W. Nergârd, “Fools Download where Angels Fear to Tread,” IEEE Security & Privacy, vol. 7, no. 2, pp. 83-86, 2009.
[16] H.C. Kim, A.D. Keromytis, M. Covington, and R. Sahita, “Capturing Information Flow with Concatenated Dynamic Taint Analysis,” Proc. Int'l Conf. Availability, Reliability, and Security (ARES '09), pp. 355-362, 2009.
[17] T. Krovetz, “UMAC: Fast and Provably Secure Message Authentication,” http://fastcrypto.orgumac, 2011.
[18] L. Lu, V. Yegneswaran, P. Porras, and W. Lee, “BLADE: An Attack-agnostic Approach for Preventing Drive-By Malware Infections,” Proc. 17th ACM Conf. Computer and Comm. Security, 2010.
[19] J.M. McCune, B.J. Parno, A. Perrig, M.K. Reiter, and H. Isozaki, “Flicker: An Execution Infrastructure for TCB Minimization,” Proc. Third ACM SIGOPS/EuroSys European Conf. Computer Systems, pp. 315-328, 2008.
[20] J.M. McCune, A. Perrig, and M.K. Reiter, “Bump in the Ether: A Framework for Securing Sensitive User Input,” Proc. USENIX Ann. Technical Conf., General Track, pp. 185-198, 2006.
[21] J.M. McCune, A. Perrig, and M.K. Reiter, “Safe Passage for Passwords and Other Sensitive Data,” Proc. Annual Network and Distributed System Security Symp. (NDSS '09), 2009.
[22] B.D. Payne and W. Lee, “Secure and Flexible Monitoring of Virtual Machines,” Proc. 23rd Ann. Computer Security Applications Conf. (ACSAC '07), pp. 385-397, 2007.
[23] M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, “My Botnet Is Bigger Than Yours (Maybe, Better Than Yours),” Proc. First USENIX Workshop Hot Topics in Understanding Botnets, Apr. 2007.
[24] R. Riley, X. Jiang, and D. Xu, “Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing,” R. Lippmann, E. Kirda, and A. Trachtenberg, eds., pp. 1-20, Springer, 2008.
[25] B. Schneier and N. Ferguson, Practical Cryptography, John Wiley and Sons, 2003.
[26] R. Sekar, “An Efficient Black-Box Technique for Defeating Web Application Attacks,” Proc. ISOC Network and Distributed Systems Symp. (NDSS '09), Feb. 2009.
[27] C. Shannon, “Prediction and Entropy of Printed English,” Bell System Technical J., vol. 30, no. 1, pp. 50-64, 1951.
[28] S.W. Smith, Trusted Computing Platforms: Design and Applications, Springer-Verlag, 2005.
[29] E. Sparks, “A Security Assessment of Trusted Platform Modules,” senior hons. thesis, Dept. of Computer Science, Dartmouth College, 2007.
[30] A. Srivastava and J. Giffin, “Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections,” Proc. 11th Int'l Symp. Recent Advances in Intrusion Detection, pp. 39-58, Springer-Verlag, 2008.
[31] D. Stefan and D. Yao, “Keystroke-Dynamics Authentication against Synthetic Forgeries,” Proc. Int'l Conf. Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom '10), Nov. 2010.
[32] Z. Wang, X. Jiang, W. Cui, and X. Wang, “Countering Persistent Kernel Rootkits through Systematic Hook Discovery,” Proc. 11th Int'l Symp. Recent Advances in Intrusion Detection, pp. 21-38, Springer-Verlag, 2008.
[33] J. Wei, B.D. Payne, J. Giffin, and C. Pu, “Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense,” Proc. Ann. Computer Security Applications Conf., pp. 97-107, 2008.
[34] H. Xiong, P. Malhotra, D. Stefan, C. Wu, and D. Yao, “User-Assisted Host-Based Detection of Outbound Malware Traffic,” Proc. Int'l Conf. Information and Comm. Security (ICICS '09), Dec. 2009.
[35] G. Xu, C. Borcea, and L. Iftode, “Satem: Trusted Service Code Execution Across Transactions,” Proc. 25th IEEE Symp. Reliable Distributed Systems (SRDS '06), pp. 321-336, 2006.
[36] K. Xu, D. Yao, Q. Ma, and A. Crowell, “Detecting Infection Onset with Behavior-Based Policies,” Proc. Fifth Int'l Conf. Network and System Security (NSS '11), Sept. 2011.
[37] H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda, “Panorama: Capturing Systemwide Information Flow for Malware Detection and Analysis,” Proc. 14th ACM Conf. Computer and Communication Security (CCS '07), 2007.
21 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool