Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis

Authors: Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda
Publication: ACM Conference on Computer and Communications Security (CCS), 2007
Presenter: Brad Mundt for CAP6133, Spring '08


Page 2

Motivation

Malicious software sneaks onto computers, collects users' private information, and causes havoc on the Internet.
It slows performance and costs money to remove.

Even reputable vendors violate users' privacy (Google Desktop, the Sony media player).

Page 3

Traditional malware detection

Signature-based: cannot detect new malware or variants of known malware.

Heuristics: high false-positive and high false-negative rates.

Page 4

The Panorama way

Input: suspicious behavior, i.e. inappropriate access to data, done stealthily.

Process: whole-system, fine-grained taint tracking. Data of interest is marked (tainted) and an operating-system-aware taint analysis records what touches the tainted data and how.

Output: taint graphs of the tracked tainted data.

Page 5

Taint graph

An information-flow graph showing which processes accessed the tainted data.

Detection policies are written against the taint graph; unknown samples are compared against it automatically, across numerous categories of taint source and behavior.

Page 6

Taint graph example (figure)

Page 7

Taint graph generation

Similar to a mapped-out logic/process tree; conceptually, it branches horizontally.

Root taint sources are typed (the slide counts nine types and names eight): text, password, HTTP, HTTPS, ICMP, FTP, document, and directory.

Non-root entries are OS objects (processes, modules) or OS resources (such as a file).

Page 8

System overview (figure)

Page 9

Conceptual structure

Works with closed-source code, e.g. the Windows OS and Firefox.

Monitors the whole system from inside a processor emulator.

Shadow memory stores the taint status of each byte of physical memory, the CPU's general-purpose registers, and the hard disk and network interface buffers.

Page 10

Taint sources

Test information is fed into the system and marked as a taint source.

Input arrives through hardware: keyboard, network interface, hard disk.

Tainting happens at the hardware level because malware could hook the input before it reaches the software layers.

Page 11

Taint propagation

Monitors CPU instructions and DMA operations that handle tainted data.

OS-aware taint tracking: a kernel module was developed for the guest, and its communications to the taint engine are authenticated.
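The propagation rules above can be shown on a toy shadow memory. The following is an added example written for this page, not Panorama's code: the tiny instruction form, the register names, the addresses and the trace are all constructed, and the emulator is assumed to have already resolved each instruction's effective address (as a real emulator has when the instruction executes). It propagates one taint label per byte of memory and per register, treats `xor r,r` as a constant-zero idiom, and applies the table-lookup rule (a loaded value inherits the taint of the index register) that the Unicode-conversion problem on the later "How to Improve" slide is about; running the same trace with that rule switched off shows the leak being missed.

```python
"""Byte-granular shadow-memory taint propagation of the kind Panorama performs
inside the processor emulator.  Added illustration, not Panorama's code: the
mini instruction form, addresses and trace are constructed assumptions."""
from typing import Dict, FrozenSet, List, Tuple, Union

Label = FrozenSet[str]          # which root taint sources a byte derives from
CLEAN: Label = frozenset()

# Operand forms used by the constructed trace:
#   "eax"                          a register
#   ("mem", addr, size)            memory bytes at an already-resolved address
#   ("mem", addr, size, "eax")     memory bytes reached through an index register
Operand = Union[str, Tuple]


class ShadowState:
    """Shadow copies of memory and registers that hold taint labels, not data."""

    def __init__(self) -> None:
        self.mem: Dict[int, Label] = {}    # address -> label; absent means clean
        self.reg: Dict[str, Label] = {}

    def mem_label(self, addr: int, size: int) -> Label:
        out = CLEAN
        for a in range(addr, addr + size):
            out |= self.mem.get(a, CLEAN)
        return out

    def set_mem(self, addr: int, size: int, label: Label) -> None:
        for a in range(addr, addr + size):
            if label:
                self.mem[a] = label
            else:
                self.mem.pop(a, None)

    def read(self, op: Operand, index_rule: bool) -> Label:
        if isinstance(op, str):
            return self.reg.get(op, CLEAN)
        label = self.mem_label(op[1], op[2])
        if index_rule and len(op) == 4:
            # Table lookup: the loaded value is a function of the index, so it
            # inherits the index register's taint even though the table is clean.
            label |= self.reg.get(op[3], CLEAN)
        return label

    def write(self, op: Operand, label: Label) -> None:
        if isinstance(op, str):
            if label:
                self.reg[op] = label
            else:
                self.reg.pop(op, None)
        else:
            self.set_mem(op[1], op[2], label)


def run(trace: List[Tuple], index_rule: bool = True) -> Tuple[ShadowState, List[Tuple[str, Label]]]:
    """Replay a trace; return the final shadow state and the labels reaching each sink."""
    st = ShadowState()
    sinks: List[Tuple[str, Label]] = []
    for insn in trace:
        op = insn[0]
        if op == "source":                  # hardware delivered bytes (keyboard, NIC, disk)
            _, addr, size, name = insn
            st.set_mem(addr, size, st.mem_label(addr, size) | {name})
        elif op == "mov":
            _, dst, src = insn
            st.write(dst, st.read(src, index_rule))
        elif op in ("add", "sub", "or", "and"):
            _, dst, src = insn
            st.write(dst, st.read(dst, index_rule) | st.read(src, index_rule))
        elif op == "xor":
            _, dst, src = insn
            if dst == src:                  # xor r,r always yields 0: result is clean
                st.write(dst, CLEAN)
            else:
                st.write(dst, st.read(dst, index_rule) | st.read(src, index_rule))
        elif op == "sink":                  # DMA out of memory (NIC send buffer, disk)
            _, addr, size, name = insn
            sinks.append((name, st.mem_label(addr, size)))
        else:
            raise ValueError(f"unknown op {op!r}")
    return st, sinks


# Constructed trace: one keystroke of a password is fetched, converted to UTF-16
# through a lookup table, and copied into the NIC send buffer.
KBD, TABLE, UNI, NIC = 0x1000, 0x2000, 0x3000, 0x4000
TRACE = [
    ("source", KBD, 1, "password"),                        # keyboard delivers 'h' (0x68)
    ("mov", "eax", ("mem", KBD, 1)),                        # eax = keystroke
    ("mov", "ebx", ("mem", TABLE + 2 * 0x68, 2, "eax")),    # ebx = table[eax], index-tainted load
    ("mov", ("mem", UNI, 2), "ebx"),                        # store the UTF-16 code unit
    ("xor", "ecx", "ecx"),                                  # compiler zeroing idiom
    ("mov", ("mem", NIC, 2), ("mem", UNI, 2)),              # memcpy into the send buffer
    ("sink", NIC, 2, "nic"),
]


def leaked_labels(index_rule: bool = True) -> Label:
    """Labels that reach the NIC sink for the constructed trace."""
    _, sinks = run(TRACE, index_rule)
    return sinks[0][1]


if __name__ == "__main__":
    print("with index rule:   ", set(leaked_labels(True)))    # {'password'}
    print("without index rule:", set(leaked_labels(False)))   # set()
```

With the index rule the password taint survives the table lookup and is reported at the NIC sink; without it the UTF-16 buffer is clean and the exfiltration is invisible, which is exactly the kind of taint loss a keystroke logger running through Windows' Unicode conversion would exploit.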

Page 12

Code identification

Identifying the code under analysis and its actions: the entire code segment of the sample is labeled.

Dynamically generated or decrypted (unpacked) code is labeled too. A similar method labels trusted code.

Page 13

Three categorized behaviors

Anomalous information access: e.g. MS Paint accessing passwords.

Anomalous information leakage: e.g. a browser helper object (BHO) reporting the websites the user visited back to its home server.

Excessive information access: e.g. a rootkit repeatedly accessing a directory in order to hide itself.
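The three policies can be expressed as checks over a taint graph built from OS-aware taint events. The block below is an added example for this page, not Panorama's code or policy language: the event record layout, the process and module names, the allowed-reader and allowed-sender tables and the "excessive" threshold are all constructed assumptions, as is the trace, which mirrors the slide's three cases (MS Paint reading a password, a BHO sending typed text to its own server, a rootkit reading a directory many times).

```python
"""Taint-graph construction and the three behaviour policies from the slides.
Added illustration, not Panorama's code: the event records, process and module
names, policy tables and the "excessive" threshold are constructed assumptions."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# One OS-aware taint event: (process, code module, op, taint type, resource).
# Process/module attribution is what the kernel module and code identification
# supply; the taint type is the root source the bytes derive from.
Event = Tuple[str, str, str, str, str]

# Constructed policy tables (assumptions for the example).
ALLOWED_READERS: Dict[str, Set[str]] = {
    "password": {"firefox.exe", "lsass.exe"},
    "text": {"firefox.exe", "notepad.exe"},
    "directory": {"explorer.exe", "cmd.exe", "System"},
}
ALLOWED_SENDERS: Set[str] = {"firefox.exe!firefox.exe"}   # may put tainted bytes on the wire
EXCESSIVE_READS = 50                                        # directory reads before the alert


class TaintGraph:
    """Root taint source -> process!module -> resource, plus a per-node read counter."""

    def __init__(self) -> None:
        self.edges: List[Tuple[str, str, str]] = []   # (src node, dst node, taint type)
        self.reads: Counter = Counter()               # (node, taint type) -> count

    def add(self, ev: Event) -> None:
        proc, module, op, ttype, res = ev
        node = f"{proc}!{module}"
        if op == "read":                  # tainted bytes flowed into this code
            self.edges.append((f"source:{ttype}", node, ttype))
            self.reads[(node, ttype)] += 1
        elif op == "write":               # tainted bytes flowed out to a resource
            self.edges.append((node, f"resource:{res}", ttype))
        else:
            raise ValueError(f"unknown op {op!r}")


def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """Build the graph and return the alerts each of the three policies raises."""
    g = TaintGraph()
    for ev in events:
        g.add(ev)
    found: Dict[str, Set[str]] = {
        "anomalous_access": set(), "anomalous_leakage": set(), "excessive_access": set()}
    for src, dst, ttype in g.edges:
        if src.startswith("source:"):
            # Anomalous access: a process outside the allowed set read this taint type.
            proc = dst.split("!", 1)[0]
            if proc not in ALLOWED_READERS.get(ttype, set()):
                found["anomalous_access"].add(f"{dst} read {ttype}")
        elif dst.startswith("resource:net:") and src not in ALLOWED_SENDERS:
            # Anomalous leakage: tainted bytes reached the network from an unexpected module.
            found["anomalous_leakage"].add(f"{src} sent {ttype} to {dst[len('resource:'):]}")
    for (node, ttype), n in g.reads.items():
        # Excessive access: one node keeps touching directory taint (rootkit hiding files).
        if ttype == "directory" and n >= EXCESSIVE_READS:
            found["excessive_access"].add(f"{node} read {ttype} {n} times")
    return {k: sorted(v) for k, v in found.items()}


# Constructed trace mirroring the slide's three examples.
EVENTS: List[Event] = (
    [("mspaint.exe", "mspaint.exe", "read", "password", "-")]                  # MS Paint reads a password
    + [("firefox.exe", "firefox.exe", "read", "text", "-"),
       ("firefox.exe", "firefox.exe", "write", "text", "net:198.51.100.10:443")]   # normal browsing
    + [("firefox.exe", "bho.dll", "read", "text", "-"),
       ("firefox.exe", "bho.dll", "write", "text", "net:203.0.113.7:80")]      # BHO phones home
    + [("System", "rootkit.sys", "read", "directory", "C:\\Windows\\system32")] * 60  # rootkit hides files
)

if __name__ == "__main__":
    for policy, hits in evaluate(EVENTS).items():
        print(policy, hits)
```

Note that the leakage check keys on the module, not just the process: the BHO runs inside firefox.exe, which is allowed to read typed text and send it, so only the code-identification label (`bho.dll`) separates the plug-in's traffic from the browser's own.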

Page 14

Malware detections

42 real-world malware samples and 56 benign applications were tested.

Only 3 false positives and no false negatives: 2 from a personal firewall, 1 from a browser accelerator.

Page 15

Summary

A new system to detect malware via system-wide information flow.

Taint tracking: data access and process tracking.

Taint graphs and policies.

Page 16

Contributions

Unified approach to detect and analyze diverse malware.

Designed and developed a functional prototype.

Detected all malware samples: keystroke loggers, password sniffers, packet sniffers, stealth backdoors, rootkits, and spyware.

Page 17

Weaknesses

Performance overhead: measured with Cygwin utilities; the prototype is not optimized; the average slowdown is 20 times; intended as an offline tool.

Evasive malware: time bombs, selective keystroke loggers, virtual environment detection.

Page 18

How to improve

Optimize the code.

Automate taint graph analysis and policy implementation.

Virtual environment shielding, or switch out of the emulated environment.

Implement the improvements mentioned in the paper, e.g. the Unicode-conversion case, where a switch/case on a tainted value can drop the taint.

Page 19

The End

Thank you…