High Accuracy Attack Provenance via Binary-based Execution Partition

An important aspect of cyber attack forensics is to understand the provenance of suspicious events, as it discloses the root cause and ramifications of cyber attacks. Traditionally, this is done by analyzing audit logs. However, the presence of long running programs means that a live process receives a large volume of inputs and produces many outputs, and each output may be causally related to all the preceding inputs, leading to dependence explosion and making attack investigations almost infeasible. We observe that a long running execution can be partitioned into individual units by monitoring the execution of the program's event-handling loops, with each iteration corresponding to the processing of an independent input/request. We reverse engineer such loops from application binaries. We also reverse engineer instructions that could cause workflows between units. Detecting such a workflow is critical to disclosing causality between units. We then perform selective logging for unit boundaries and unit dependences. Our experiments show that our technique, called BEEP, has negligible runtime overhead (< 1.4%) and low space overhead (12.28% on average). It is effective in capturing the minimal causal graph for every attack case we have studied, without any dependence explosion.
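To make the dependence-explosion argument concrete, the following added example (illustration code, not the BEEP implementation) contrasts whole-process backtracking with unit-based backtracking over a small constructed audit log. The log format, the `unit_begin`/`unit_end`/`dep` event kinds and the file names are all assumptions made for this example; in the paper these boundaries and dependence edges come from instrumented event-handling loops and reverse-engineered inter-unit workflow instructions.

```python
"""Toy model of unit-based provenance versus whole-process provenance.
Added illustration, not the paper's code; the log format and event names
below are constructed for this example."""
from collections import defaultdict

# Constructed audit log for one long-running server process (pid 100).
# Each event: (seq, pid, kind, arg). Unit boundaries stand in for the
# iterations of the instrumented event-handling loop; "dep" marks a
# workflow edge between units (here unit 3 consuming something unit 1
# produced).
LOG = [
    (1, 100, "unit_begin", 1),
    (2, 100, "read", "req_a.txt"),
    (3, 100, "write", "out_a.txt"),
    (4, 100, "unit_end", 1),
    (5, 100, "unit_begin", 2),
    (6, 100, "read", "req_b.txt"),
    (7, 100, "write", "out_b.txt"),
    (8, 100, "unit_end", 2),
    (9, 100, "unit_begin", 3),
    (10, 100, "dep", 1),           # unit 3 depends on unit 1
    (11, 100, "read", "req_c.txt"),
    (12, 100, "write", "out_c.txt"),
    (13, 100, "unit_end", 3),
]


def backtrack_process(log, target):
    """Whole-process provenance: every read by the writing process that
    precedes the write is treated as a possible cause (dependence explosion)."""
    write_seq, pid = next((s, p) for s, p, k, a in log
                          if k == "write" and a == target)
    return {a for s, p, k, a in log
            if p == pid and k == "read" and s < write_seq}


def backtrack_units(log, target):
    """Unit-based provenance: only reads inside the writing unit and the
    units it transitively depends on count as causes."""
    reads = defaultdict(set)        # (pid, unit) -> files read in that unit
    deps = defaultdict(set)         # (pid, unit) -> units it depends on
    writer_unit = {}                # file -> (pid, unit) that wrote it
    current = {}                    # pid -> currently open unit id
    for s, p, k, a in log:
        if k == "unit_begin":
            current[p] = a
        elif k == "unit_end":
            current.pop(p, None)
        elif k == "read":
            reads[(p, current.get(p))].add(a)
        elif k == "dep":
            deps[(p, current.get(p))].add((p, a))
        elif k == "write":
            writer_unit[a] = (p, current.get(p))
    # Walk the dependence edges backwards from the writing unit.
    seen, stack = set(), [writer_unit[target]]
    while stack:
        unit = stack.pop()
        if unit in seen:
            continue
        seen.add(unit)
        stack.extend(deps[unit])
    return set().union(*(reads[u] for u in seen))


if __name__ == "__main__":
    print("process-level causes of out_c.txt:", sorted(backtrack_process(LOG, "out_c.txt")))
    print("unit-level causes of out_c.txt:   ", sorted(backtrack_units(LOG, "out_c.txt")))
```

Without unit boundaries, `out_c.txt` appears to depend on every request the process ever read; with boundaries plus the single recorded inter-unit edge, the causal set shrinks to the request handled in unit 3 and the one in unit 1 that it actually consumed, which is the minimal graph the abstract refers to.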
