Issue No.02 - March/April (2012 vol.9)
Kui Xu , Virginia Tech, Blacksburg
Huijun Xiong , Virginia Tech, Blacksburg
Chehai Wu , AppFolio.com
Deian Stefan , Stanford University, Stanford
Danfeng Yao , Virginia Tech, Blacksburg
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.50
Malicious software typically resides stealthily on a user's computer and interacts with the user's computing resources. Our goal in this work is to improve the trustworthiness of a host and its system data. Specifically, we provide a new mechanism that ensures the correct origin or provenance of critical system information and prevents adversaries from utilizing host resources. We define data-provenance integrity as the security property stating that the source where a piece of data is generated cannot be spoofed or tampered with. We describe a cryptographic provenance verification approach for ensuring system properties and system-data integrity at kernel-level. Its two concrete applications are demonstrated in the keystroke integrity verification and malicious traffic detection. Specifically, we first design and implement an efficient cryptographic protocol that enforces keystroke integrity by utilizing on-chip Trusted Computing Platform (TPM). The protocol prevents the forgery of fake key events by malware under reasonable assumptions. Then, we demonstrate our provenance verification approach by realizing a lightweight framework for restricting outbound malware traffic. This traffic-monitoring framework helps identify network activities of stealthy malware, and lends itself to a powerful personal firewall for examining all outbound traffic of a host that cannot be bypassed.
Authentication, malware, cryptography, provenance, networking.
Kui Xu, Huijun Xiong, Chehai Wu, Deian Stefan, Danfeng Yao, "Data-Provenance Verification For Secure Hosts", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 2, pp. 173-183, March/April 2012, doi:10.1109/TDSC.2011.50