Practical automatic determination of causal relationships in software execution traces

From the system investigator who needs to analyze an intrusion (“how did the intruder break in?”), to the forensic expert who needs to investigate digital crimes (“did the suspect commit the crime?”), security experts have to frequently answer questions about the cause-effect relationships between the various events that occur in a computer system. The implications of using causality determination techniques with a low accuracy vary from slowing down incident response to undermining the evidence unearthed by forensic experts. This dissertation presents research done along two areas: (1) We present an empirical study evaluating the accuracy and performance overhead of existing causality determination techniques. Our study shows that existing causality determination techniques are either accurate or efficient, but seldom both. (2) We propose a novel approach to causality determination based on coarse-grained observation of control-flow of program execution. Our evaluation shows that our approach is both practical in terms of low runtime overhead and accurate in terms of low false positives and false negatives.
