Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach

To investigate the exploitation and contamination by self-propagating Internet worms, a provenance-aware tracing mechanism is highly desirable. Provenance unawareness makes fast, accurate identification of a worm’s break-in point difficult and incurs significant log inspection overhead. This paper presents the design, implementation, and evaluation of process coloring, an efficient provenance-aware approach to worm break-in and contamination tracing. More specifically, process coloring assigns a "color", a unique system-wide identifier, to each remotely-accessible server or process. The color is then either inherited by spawned child processes or diffused indirectly through process actions (e.g., read/write operations). Process coloring brings two major advantages: (1) it enables fast color-based identification of a worm’s break-in point even before detailed log analysis; (2) it naturally partitions log data by color, effectively reducing the volume of log data that must be examined for worm investigation. A tamper-resistant log collection method is developed based on the virtual machine introspection technique. Our experiments with a number of real-world worms demonstrate the advantages of process coloring.
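The following is an added illustration of the two mechanisms the abstract describes (color inheritance across fork and color diffusion through file read/write) together with the color-based log partitioning; it is example code written for this page, not the paper's implementation. The system-call log, the pids, the file names and the "serve" event that marks a remotely-accessible server coming up are all constructed here; the choice to let one process carry a set of colors (rather than exactly one) is an assumption made for the example.

```python
from collections import defaultdict

# Constructed sample log (hypothetical, not from the paper). Each record is
# (seq, syscall, pid, arg). "serve" marks a remotely-accessible server coming
# up and is where a fresh color (here, simply the server's name) is assigned.
SAMPLE_LOG = [
    (1, "serve", 100, "httpd"),
    (2, "serve", 200, "sshd"),
    (3, "fork", 100, 101),                 # httpd spawns worker 101
    (4, "fork", 200, 201),                 # sshd spawns session 201
    (5, "write", 201, "/home/u/.bashrc"),  # benign sshd-colored activity
    (6, "write", 101, "/tmp/.x"),          # exploited httpd worker drops a file
    (7, "fork", 101, 102),
    (8, "exec", 102, "/bin/sh"),           # colors survive exec
    (9, "fork", 300, 301),                 # uncolored local daemon (e.g. cron)
    (10, "read", 301, "/tmp/.x"),          # reading the dropped file diffuses the color
    (11, "connect", 102, "10.0.0.7:80"),   # outbound scanning
    (12, "connect", 301, "10.0.0.8:80"),
]


def color_log(log):
    """Replay the log once and return (process_colors, file_colors, colored_log).

    Rules, following the abstract: a server gets a unique color; a forked child
    inherits its parent's colors; a write tags the file with the writer's
    colors; a read adds the file's colors to the reader. Colors are kept as
    sets (an assumption for this example) so a process touched by two servers'
    output carries both. Each output record is the input record plus a
    frozenset of the acting process's colors after the event.
    """
    proc = defaultdict(set)
    files = defaultdict(set)
    colored = []
    for seq, call, pid, arg in log:
        if call == "serve":
            proc[pid].add(arg)
        elif call == "fork":
            proc[arg] |= proc[pid]      # inheritance by the child
        elif call == "write":
            files[arg] |= proc[pid]     # diffusion onto the file object
        elif call == "read":
            proc[pid] |= files[arg]     # diffusion from the file to the reader
        # exec, connect, ...: no color change, but the record is still tagged
        colored.append((seq, call, pid, arg, frozenset(proc[pid])))
    return dict(proc), dict(files), colored


def partition_by_color(colored):
    """Split the colored log into one list per color; None holds uncolored records."""
    parts = defaultdict(list)
    for rec in colored:
        colors = rec[4]
        if not colors:
            parts[None].append(rec)
        for c in colors:
            parts[c].append(rec)
    return dict(parts)


def break_in_point(log, alert_pid):
    """Given an alert on a pid, return (suspect servers, records sharing a color).

    The colors carried by the alerted process name the server(s) through which
    the worm entered, before any detailed log analysis. The returned slice is
    the only part of the log an investigator then has to examine.
    """
    proc, _, colored = color_log(log)
    suspects = set(proc.get(alert_pid, set()))
    parts = partition_by_color(colored)
    relevant = sorted({rec for c in suspects for rec in parts.get(c, [])})
    return suspects, relevant


if __name__ == "__main__":
    # An alert fires on pid 301 (the cron child that started scanning).
    servers, slice_ = break_in_point(SAMPLE_LOG, 301)
    print("break-in point:", servers)
    for rec in slice_:
        print(rec)
```

Note that pid 301 was never a child of httpd; it picked up the httpd color only by reading `/tmp/.x`, which is exactly the indirect diffusion case the abstract calls out. The sshd-colored and uncolored records (three and one of the twelve) never enter the investigator's slice.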
