PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE...
Transcript of PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE...
![Page 1: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/1.jpg)
PROVENANCE-BASED INTEGRITY PROTECTION FOR WINDOWSWai Kit Sze and R. SekarStony Brook University
This work was supported in part by NSF (grants CNS-0831298 and CNS-1319137) and DARPA (contract FA8650-15-C-7561).
![Page 2: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/2.jpg)
2
Total number of unique malwareincreases exponentially
![Page 3: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/3.jpg)
Existing defenses• Antivirus• Not effective against novel malware
• Behavior monitoring• Malware can often “fly under the radar”
• Sandboxing/protected view/broker architecture• Sandbox escape attacks
• Result: Sophisticated malware can chain exploits to escape all deployed defenses
Demo• Chaining Adobe Reader exploit + Stuxnet to bypass existing defenses
3
![Page 4: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/4.jpg)
Adobe + Stuxnet
4
Unknown Sources
abc.lnk
Unknown Sources
BehaviorMonitoring
Arbitrary Code
Execution
Antivirus
Sandboxing
![Page 5: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/5.jpg)
Our Approach: Provenance Tracking
• Key idea for breaking such attacks• Track malware effects, prevent benign code from being tricked by them
5
Unknown Sources
abc.lnk
Unknown Sources
No Arbitrary Code
Execution ✗
![Page 6: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/6.jpg)
How to realize?• Design brand new OS (HiStar, Asbestos)?• New abstractions for capturing provenance and fully customizable policy enforcement
• No adoption and hard to evaluate technique effectiveness with real malware
• Build mechanisms in today’s OSes (Flume, PPI, UMIP, IFEDAC)?• Work with open-source OSes• Questionable completeness: Are all resources tracked? Are all hooks implemented properly?
• Reuse existing mechanisms for both tracking and policy enforcement?• Portable, support contemporary OSes where source code is not available• Lack of flexibility => poor usability?
6
![Page 7: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/7.jpg)
SPIFAvoid changes• Same OSes• Implemented on Windows XP, 7, 8, and 10
• Same COTS applications• Support Microsoft Office, Adobe Reader, Google Chrome, Photoshop CC, …
• Same policy for all applications• Simple, effortless policy development
• Same user experience• Minimize changes to user interactions
7
![Page 8: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/8.jpg)
Tracking Provenance with userid• Every resource in OSes is already labeled using userid
8
Benign UserBenign User
System
Untrusted User
Untrusted User
System
✗
![Page 9: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/9.jpg)
Dual-sandbox architecture
Untrusted SandboxConfine untrusted processes from attacking benign processes directly• No signaling/IPC with benign processes
• Cannot modify benign files
9
Benign SandboxConfine benign processes from consuming untrusted resources accidentally• No IPC with untrusted processes• Read/access no untrusted files
✗✗✔• Create files in user directory
• Open user files for reading• … ✔
![Page 10: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/10.jpg)
Properties of Dual-sandbox architecture• Simple generic policy• Each sandbox blocks impermissible flows from its own perspective: No guessing
• Usable yet secure policy• Policies are enforced at two stages (avoid being overly conservative)• Permit untrusted operations that do not directly compromise benign processes
• Example: Create new files in user directories
• Preserve normal user experience• Data from benign and untrusted can be saved in user directories, just as they are on today’s OSes
10
![Page 11: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/11.jpg)
Dual-sandbox architecture
• Run untrusted processes as a different user
• Non-bypassable & robust policy enforcement mechanism
11
Processes can be malicious and be actively seeking ways to compromise benign processes
Processes have no intention to circumvent the protection
mechanism
• Wrap calls to protect benign processes
• Circumventable, but no reason or incentive for benign processes to do so
![Page 12: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/12.jpg)
Implementation• 4000 lines of C++, 1500 lines of header• Initially developed on Windows XP, then on Windows 8.1. Also tested on Windows 7 specifically for the high profile Sandworm malware
• Handled both files and registry entries• Instead of modifying libraries, relies on Detours to hook on Windows APIs dynamically• Bootstrap using App_Init (Requires loading of User32.dll)• Propagate via library injection
12
[Sandworm] Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks, 14 Oct 2014, http://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks[Detours] http://research.microsoft.com/en-us/projects/detours/
![Page 13: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/13.jpg)
Compatible with all ofthe applications tested!
13
![Page 14: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/14.jpg)
Micro-benchmarks• Postmark (File I/O):
14
File Size Benign Untrusted
Small (500B-5KB) 6.53% 12.38%
Medium (5KB-300KB) 3.05% 4.58%
Large (300KB-3MB) 1.27% -0.62%
![Page 15: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/15.jpg)
Micro-benchmarks• SPEC2006 (CPU):
15
Unprotected Time (s)
Benign Overhead
Untrusted Overhead
401.bzip2 1785.9 -0.33% 0.26%429.mcf 716.4 -1.69% -0.96%433.milc 3314.1 1.15% -0.53%445.gobmk 1094.9 0.26% -0.08%450.soplex 1108.0 0.58% 2.34%456.hmmer 2386.2 0.02% 0.13%458.sjeng 1442.5 -0.25% 0.20%470.lbm 1203.0 -1.51% -0.32%471.omnetpp 750.9 0.96% 1.83%482.sphinx3 2653.6 -2.55% -3.45%Overall -0.336% -0.059%
![Page 16: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/16.jpg)
Firefox Loading Top 1000 Alexa Pages
16
Benign Overhead: 3.32% Untrusted Overhead: 3.62%
0 2000 6000 10000
020
0060
0010
000 Benign Firefox
Unprotected (ms)
Beni
gn (m
s)
0 2000 6000 10000
020
0060
0010
000 Untrusted Firefox
Unprotected (ms)
Unt
rust
ed (m
s)
![Page 17: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/17.jpg)
Protection against malware• Samples from Metasploit published in 2014 that can be exploited in our testbed
17
CVE/OSVDB-ID Application Attack
2013-4696 WinAmp Preference file (ini)
2013-3934 Kingsoft Office Data (wps)
2010-2568 Windows Explorer Data (lnk) <-Stuxnet104141 Calavera Uploader Preference file (dat)
2014-2013 MuPDF Data (xps)
102205 CCProxy Preference file (ini)
100619 Total Video Player Preference file (ini)
2013-6874 Light Alloy Data (m4u)
2014-0568 Adobe Reader Code
2014-4114 Microsoft Windows Data (ppsx) <-Sandworm
![Page 18: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/18.jpg)
Conclusion• We proposed SPIF, an integrity protection system to protect against malware on Windows.• SPIF requires no modification to OS, applications, and user experience.• SPIF defends against high-profile malware such as Stuxnet and Sandworm.
• Installation package & source code are available for downloading at http://seclab.cs.sunysb.edu/seclab/download.html. Comment and feedback welcome!
18
![Page 19: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/19.jpg)
QUESTIONS
19
![Page 20: PROVENANCE )BASED-INTEGRITY- PROTECTION-FOR-WINDOWS … · PROVENANCE )BASED-INTEGRITY-PROTECTION-FOR-WINDOWS Wai Kit-Sze-and-R.-Sekar StonyBrookUniversity This work was supported](https://reader031.fdocuments.net/reader031/viewer/2022022702/5bc4c34009d3f264788ba72a/html5/thumbnails/20.jpg)
THANK YOU
20