DOI: 10.1145/2818000.2818011
Research article (ACSAC conference proceedings), free access

Provenance-based Integrity Protection for Windows

Published: 07 December 2015 Publication History

Abstract

Existing malware defenses are primarily reactive in nature: they are effective only against malware that has previously been observed. Unfortunately, we are witnessing a generation of stealthy, highly targeted exploits and malware that these defenses are unprepared for. Thwarting such malware requires new defenses that are, by design, secure against unknown malware. In this paper, we present Spif, an approach that defends against malware by tracking the origin of code and data and ensuring that any process influenced by code or data from untrusted sources is prevented from modifying important system resources and from interacting with benign processes. Spif is designed for Windows, the most widely deployed desktop OS and the primary platform targeted by malware. Spif is compatible with all recent Windows versions (Windows XP to Windows 10) and supports a wide range of feature-rich, unmodified applications, including all popular browsers, office software and media players. Spif imposes minimal performance overheads while being able to stop a variety of malware attacks, including Stuxnet and the recently reported Sandworm malware. An open-source implementation of our system is available.
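The policy the abstract describes (a process that consumes untrusted code or data loses the right to modify important resources or to interact with benign processes) can be modelled as a Biba-style low-water-mark on integrity labels. The following is an added illustration written for this page, not Spif's own code or its Windows implementation; the process names, file paths and the two-level label set are constructed placeholders, and the simulation runs entirely in memory.

```python
"""Constructed model of provenance-based integrity protection.

This is an added illustration, not Spif's own code. It models the policy the
abstract describes with a Biba-style low-water-mark: every process and object
carries an integrity label; a process that reads or executes something of
untrusted origin is downgraded, and a downgraded process may neither modify
high-integrity resources nor send IPC to benign (high-integrity) processes.
Objects it creates inherit its label, so provenance follows derived data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Integrity(IntEnum):
    LOW = 0   # untrusted provenance: downloads, removable media, untrusted installers
    HIGH = 1  # benign provenance: system files, locally authored data


@dataclass
class Obj:
    """A file, registry key or other persistent resource with a provenance label."""
    name: str
    label: Integrity


@dataclass
class Process:
    name: str
    label: Integrity = Integrity.HIGH
    log: list = field(default_factory=list)

    def read(self, obj: Obj) -> None:
        """Reading (or loading code from) a lower-integrity object drags the process down."""
        if obj.label < self.label:
            self.log.append(f"{self.name}: downgraded to {obj.label.name} after reading {obj.name}")
            self.label = obj.label

    def write(self, obj: Obj) -> bool:
        """Writes are allowed only to objects at or below the process's own integrity."""
        allowed = self.label >= obj.label
        self.log.append(f"{self.name}: write {obj.name} -> {'allowed' if allowed else 'DENIED'}")
        return allowed

    def create(self, name: str) -> Obj:
        """Anything a process creates carries the creator's provenance."""
        obj = Obj(name, self.label)
        self.log.append(f"{self.name}: created {name} with label {obj.label.name}")
        return obj

    def send_ipc(self, peer: "Process") -> bool:
        """A downgraded process may not drive a higher-integrity process via IPC."""
        allowed = self.label >= peer.label
        self.log.append(f"{self.name}: IPC to {peer.name} -> {'allowed' if allowed else 'DENIED'}")
        return allowed


def run_scenario() -> dict:
    """Constructed scenario: a benign editor opens a downloaded document.

    Process names and file paths are illustrative placeholders, not real targets.
    """
    system_cfg = Obj(r"C:\Windows\System32\drivers\etc\hosts", Integrity.HIGH)
    download = Obj(r"C:\Users\alice\Downloads\invoice.doc", Integrity.LOW)

    editor = Process("editor.exe")      # starts benign
    explorer = Process("explorer.exe")  # stays benign throughout

    editor.read(download)               # influenced by untrusted data -> LOW
    scratch = editor.create(r"C:\Users\alice\AppData\Local\Temp\~invoice.tmp")

    return {
        "editor_label_after_read": editor.label,
        "untrusted_write_system": editor.write(system_cfg),    # blocked
        "untrusted_write_own": editor.write(scratch),          # allowed: same provenance
        "untrusted_ipc_to_benign": editor.send_ipc(explorer),  # blocked
        "benign_write_system": explorer.write(system_cfg),     # allowed: never touched untrusted input
        "derived_file_label": scratch.label,                   # LOW: provenance propagates
        "log": editor.log + explorer.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The point the simulation makes is that the decision never depends on recognising the malware: the editor is blocked from the system file and from explorer.exe solely because its provenance now includes an untrusted input, while an identical process that never read untrusted data keeps full access. A real deployment also has to decide which sources count as untrusted and how trusted applications are allowed to declassify (for example, a user explicitly saving a downloaded file as trusted), which this two-label model leaves out.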

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015, 489 pages
ISBN: 9781450336826
DOI: 10.1145/2818000

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
