Provenance-based Integrity Protection for Windows

Existing malware defenses are primarily reactive in nature, effective only against malware that has previously been observed. Unfortunately, we are witnessing a generation of stealthy, highly targeted exploits and malware that these defenses are unprepared for. Thwarting such malware requires new defenses that are, by design, secure against unknown malware. In this paper, we present Spif, an approach that defends against malware by tracking code and data origin and ensuring that any process influenced by code or data from untrusted sources is prevented from modifying important system resources and from interacting with benign processes. Spif is designed for Windows, the most widely deployed desktop OS and the primary platform targeted by malware. Spif is compatible with all recent Windows versions (Windows XP to Windows 10), and supports a wide range of feature-rich, unmodified applications, including all popular browsers, office software and media players. Spif imposes minimal performance overheads while being able to stop a variety of malware attacks, including Stuxnet and the recently reported Sandworm malware. An open-source implementation of our system is available.
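The abstract describes the policy only in outline: a process takes on the provenance of the code it runs and the data it reads, and a process tainted by untrusted provenance may neither modify important or benign resources nor interact with benign processes. The following is an added toy model of that policy written for this page; it is not Spif's implementation, and the class names, the two-label scheme (BENIGN/UNTRUSTED), the low-water-mark downgrade on read, and the constructed Windows paths in the scenario are all assumptions made for illustration.

```python
# Toy model of provenance-based integrity protection. Added illustration for
# this page; NOT Spif's code. All names and policy details are assumptions.
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Provenance label: a lower value means lower integrity."""
    UNTRUSTED = 0   # originates from an untrusted source (e.g. a download)
    BENIGN = 1      # originates from a trusted source (OS, installed software)


@dataclass
class Resource:
    """A file or other named object carrying a provenance label."""
    name: str
    label: Label
    important: bool = False  # "important system resource": never writable by untrusted code


@dataclass
class Process:
    pid: int
    label: Label


class Monitor:
    """Reference monitor that tracks process labels and enforces the policy."""

    def __init__(self):
        self.resources = {}   # name -> Resource
        self.processes = {}   # pid -> Process
        self.decisions = []   # (operation, "allow" | "deny"), in order

    def _record(self, op, verdict):
        self.decisions.append((op, verdict))
        return verdict == "allow"

    def add_resource(self, name, label, important=False):
        self.resources[name] = Resource(name, label, important)

    def execute(self, pid, image):
        # Code origin: a new process inherits the label of the image it runs.
        self.processes[pid] = Process(pid, self.resources[image].label)
        return self._record(f"exec {image} as pid {pid}", "allow")

    def read(self, pid, name):
        # Reads are allowed, but consuming lower-integrity data lowers the
        # process label (low water-mark): the process is now "influenced".
        proc, res = self.processes[pid], self.resources[name]
        if res.label < proc.label:
            proc.label = res.label
        return self._record(f"pid {pid} read {name}", "allow")

    def write(self, pid, name):
        proc = self.processes[pid]
        # A newly created file takes the writer's label.
        res = self.resources.setdefault(name, Resource(name, proc.label))
        if proc.label == Label.UNTRUSTED and (res.important or res.label > proc.label):
            # Untrusted processes may not modify important or benign resources.
            return self._record(f"pid {pid} write {name}", "deny")
        # Output of an untrusted process is itself untrusted from now on.
        res.label = min(res.label, proc.label)
        return self._record(f"pid {pid} write {name}", "allow")

    def interact(self, src, dst):
        # IPC, window messages or injection from a lower- to a higher-integrity
        # process is blocked; benign -> untrusted and same-label flows are allowed.
        if self.processes[src].label < self.processes[dst].label:
            return self._record(f"pid {src} -> pid {dst}", "deny")
        return self._record(f"pid {src} -> pid {dst}", "allow")


def scenario():
    """Constructed scenario: a benign viewer opens a downloaded document."""
    m = Monitor()
    viewer = r"C:\Program Files\Viewer\viewer.exe"            # constructed path
    driver = r"C:\Windows\System32\drivers\example.sys"       # constructed path
    download = r"C:\Users\alice\Downloads\invoice.doc"        # constructed path
    notes = r"C:\Users\alice\Documents\notes.txt"             # constructed path
    m.add_resource(viewer, Label.BENIGN)
    m.add_resource(driver, Label.BENIGN, important=True)
    m.add_resource(download, Label.UNTRUSTED)
    m.add_resource(notes, Label.BENIGN)

    m.execute(1, viewer)          # benign instance that will open the download
    m.execute(2, viewer)          # second benign instance, untouched
    m.read(1, download)           # pid 1 is downgraded to UNTRUSTED
    m.write(1, driver)            # deny: important system resource
    m.write(1, notes)             # deny: benign user document
    m.write(1, download)          # allow: untrusted file, same label
    m.interact(1, 2)              # deny: untrusted -> benign process
    m.write(2, notes)             # allow: pid 2 is still benign
    return m


if __name__ == "__main__":
    for op, verdict in scenario().decisions:
        print(f"{verdict:5} {op}")
```

The point the model makes concrete is that provenance is tracked, not trusted by declaration: pid 1 and pid 2 run the same benign image, but only the instance that consumed untrusted input loses its ability to write benign files and to reach the other instance, which keeps normal applications working while containing whatever the untrusted content does.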
