Expanding Malware Defense by Securing Software Installations

Software installation provides an attractive entry vector for malware: since installations are performed with administrator privileges, malware can easily get the enhanced level of access needed to install backdoors, spyware, rootkits, or "bot" software, and to hide these installations from users. Previous research has been focused mainly on securing the execution phase of untrusted software, while largely ignoring the safety of installations. Even security-enhanced operating systems such as SELinux and Vista don't usually impose restrictions during software installs, expecting the system administrator to "know what she is doing." This paper addresses this "gap in armor" by securing software installations. Our technique can support a diversity of package managers and software installers. It is based on a framework that simplifies the development and enforcement of policies that govern safety of installations. We present a simple policy that can be used to prevent untrusted software from modifying any of the files used by benign software packages, thus blocking the most common mechanism used by malware to ensure that it is run automatically after each system reboot. While the scope of our technique is limited to the installation phase, it can be easily combined with approaches for secure execution, e.g., by ensuring that all future runs of an untrusted package will take place within an administrator-specified sandbox. Our experimental evaluation has considered over one hundred benign and untrusted software packages. Our technique was able to block malicious packages among these without breaking non-malicious ones.
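The installation policy described above, as an added illustration that is not the paper's own implementation: an untrusted package's install manifest is checked against the file inventory of already-installed benign packages, and every write to a benign-owned file is refused. The inventory contents, the treatment of directory entries (keys ending in "/") as protected trees, and the executable-directory heuristic used to tag allowed binaries for later sandboxed execution are all assumptions of this example.

```python
# Added illustrative example; not the paper's code.
import posixpath
from dataclasses import dataclass, field

# Constructed sample of the benign-package file inventory a package manager
# keeps. Keys ending in "/" are directories a benign package reads at boot;
# treating new files dropped there as modifications is an assumption here.
BENIGN_INVENTORY = {
    "/etc/rc.d/rc.local": "initscripts",
    "/etc/ld.so.preload": "glibc",
    "/usr/bin/ls": "coreutils",
    "/etc/init.d/": "sysvinit",
    "/etc/cron.d/": "cron",
}

@dataclass
class Decision:
    allowed: list = field(default_factory=list)    # writes the installer may perform
    blocked: dict = field(default_factory=dict)    # path -> benign owner protecting it
    sandboxed: list = field(default_factory=list)  # allowed executables to confine later

def owner_of(path, inventory):
    """Benign package owning `path`, or owning a directory it would be added to."""
    if path in inventory:
        return inventory[path]
    for key, pkg in inventory.items():
        if key.endswith("/") and path.startswith(key):
            return pkg
    return None

def check_install(manifest, inventory=BENIGN_INVENTORY,
                  exec_dirs=("/bin/", "/usr/bin/", "/opt/")):
    """Decide, file by file, what an untrusted installer may write."""
    d = Decision()
    for raw in manifest:
        if not raw.startswith("/"):
            d.blocked[raw] = "<relative path rejected>"
            continue
        # Collapse "." and ".." so an aliased path cannot dodge the inventory check.
        path = posixpath.normpath(raw)
        pkg = owner_of(path, inventory)
        if pkg:
            d.blocked[path] = pkg
            continue
        d.allowed.append(path)
        if any(path.startswith(e) for e in exec_dirs):
            d.sandboxed.append(path)  # heuristic: confine future runs of this binary
    return d
```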
