
Putting Trojans on the Horns of a Dilemma: Redundancy for Information Theft Detection

  • Jedidiah R. Crandall
  • John Brevik
  • Shaozhi Ye
  • Gary Wassermann
  • Daniela A. S. de Oliveira
  • Zhendong Su
  • S. Felix Wu
  • Frederic T. Chong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5430)

Abstract

Conventional approaches to either information flow security or intrusion detection are not suited to detecting Trojans that steal information such as credit card numbers using advanced cryptovirological and inference channel techniques. We propose a technique based on repeated deterministic replays in a virtual machine to detect the theft of private information. We prove upper bounds on the average amount of information an attacker can steal without being detected, even if they are allowed an arbitrary distribution of visible output states. Our intrusion detection approach is more practical than traditional approaches to information flow security.

We show that it is possible to, for example, bound the average amount of information an attacker can steal from a 53-bit credit card number to less than a bit by sampling only 11 of the 2^53 possible outputs visible to the attacker, using a two-pronged approach of hypothesis testing and information theory.

Keywords

Intrusion detection; information theft detection; malware analysis; information theory



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jedidiah R. Crandall (1)
  • John Brevik (2)
  • Shaozhi Ye (3)
  • Gary Wassermann (3)
  • Daniela A. S. de Oliveira (3)
  • Zhendong Su (3)
  • S. Felix Wu (3)
  • Frederic T. Chong (4)

  1. Dept. of Computer Science, University of New Mexico, USA
  2. Dept. of Mathematics and Statistics, California State University, Long Beach, USA
  3. Dept. of Computer Science, University of California at Davis, USA
  4. Dept. of Computer Science, University of California at Santa Barbara, USA
