Modern operating systems provide a number of different mechanisms that allow processes to interact. These interactions can generally be divided into two classes: inter-process communication techniques, which a process supports in order to provide services to its clients, and injection methods, which allow a process to inject code or data directly into another process's address space. Operating systems support these mechanisms to enable better performance and to provide simple and elegant software development APIs that promote cooperation between processes. Unfortunately, process interaction channels introduce problems at the end host that are related to malware containment and the attribution of malicious actions. In particular, host-based security systems rely on process isolation to detect and contain malware. However, interaction mechanisms allow malware to manipulate a trusted process into carrying out malicious actions on its behalf. In this case, existing security products will typically either ignore the actions or mistakenly attribute them to the trusted process. For example, a host-based security tool might be configured to prevent untrusted processes from accessing the network, but malware could circumvent this policy by abusing a (trusted) web browser to gain access to the Internet. In short, an effective host-based security solution must monitor and take into account interactions between processes. In this paper, we present Prison, a system that tracks process interactions and prevents malware from leveraging benign programs to fulfill its malicious intent. To this end, an operating system kernel extension monitors the various system services that enable processes to interact, and the system analyzes the calls to determine whether or not the interaction should be allowed. Prison can be deployed as an online system for tracking and containing malicious process interactions to effectively mitigate the threat of malware. The system can also be used as a dynamic analysis tool to aid an analyst in understanding a malware sample's effect on its environment.
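The attribution problem described above can be made concrete with a small reference-monitor model. This is an added example, not code from the paper or from the Prison system: it shows why a per-process network policy misattributes an action that a trusted process performs after an untrusted process has interacted with it, and how recording interactions changes the decision. The program names, PIDs, policy table and event log are constructed, and the model goes slightly beyond the abstract's single browser example by propagating influence transitively through chains of interactions.

```python
"""
Toy model of interaction-aware policy enforcement on a host.

Added example, not code from the Prison paper. All process names, PIDs,
the policy table and the event log below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: only these program names may use the network.
NETWORK_ALLOWED = {"browser.exe"}


@dataclass
class ProcessState:
    name: str
    # PIDs of processes whose influence reached this one through an
    # interaction channel (injection, IPC). Empty for an untouched process.
    influenced_by: set = field(default_factory=set)


class HostMonitor:
    """Reference monitor for a small set of event types.

    interaction_aware=False reproduces the usual behaviour of a per-process
    policy tool: an action is attributed only to the process that performs it.
    interaction_aware=True records interactions and attributes later actions
    to every process that influenced the actor, then applies the policy to
    all of them.
    """

    def __init__(self, interaction_aware):
        self.interaction_aware = interaction_aware
        self.procs = {}
        self.decisions = []

    def _may_use_network(self, pid):
        return self.procs[pid].name in NETWORK_ALLOWED

    def attribute(self, pid):
        """Return the set of PIDs held responsible for an action by pid."""
        responsible = {pid}
        if self.interaction_aware:
            responsible |= self.procs[pid].influenced_by
        return responsible

    def handle(self, event):
        kind = event[0]
        if kind == "spawn":
            _, pid, name = event
            self.procs[pid] = ProcessState(name)
            return None
        if kind == "interact":
            # src wrote code or data into dst (injection or IPC); the channel
            # label is kept only for the record. Influence is transitive:
            # whoever influenced src now also influences dst.
            _, src, dst, channel = event
            if self.interaction_aware:
                dst_state = self.procs[dst]
                dst_state.influenced_by.add(src)
                dst_state.influenced_by |= self.procs[src].influenced_by
            decision = ("interact", src, dst, channel, True)
        elif kind == "connect":
            _, pid, endpoint = event
            responsible = self.attribute(pid)
            allowed = all(self._may_use_network(r) for r in responsible)
            decision = ("connect", pid, endpoint, frozenset(responsible), allowed)
        else:
            raise ValueError(f"unknown event {kind}")
        self.decisions.append(decision)
        return decision


def run(events, interaction_aware):
    """Replay an event log and return the list of decisions taken."""
    mon = HostMonitor(interaction_aware)
    for ev in events:
        mon.handle(ev)
    return mon.decisions


# Constructed event log: an untrusted program interacts with the browser,
# after which the browser opens a network connection.
SAMPLE_EVENTS = [
    ("spawn", 100, "browser.exe"),
    ("spawn", 200, "sample.exe"),
    ("connect", 200, "203.0.113.5:443"),        # direct attempt by sample.exe
    ("interact", 200, 100, "code-injection"),   # sample.exe -> browser.exe
    ("connect", 100, "203.0.113.5:443"),        # browser acts afterwards
]

if __name__ == "__main__":
    for aware in (False, True):
        print(f"interaction_aware={aware}")
        for d in run(SAMPLE_EVENTS, aware):
            print("  ", d)
```

Replaying the same log twice shows the difference: the naive monitor attributes the browser's connection to PID 100 alone and allows it, while the interaction-aware monitor attributes it to {100, 200}, applies the policy to both and denies it. The interaction events themselves are always recorded as allowed here; a prevention mode would evaluate a policy at the "interact" step as well.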