Title: Enhancing Operating Systems with Network Provenance Based Policies for Systematic Malware Defense
Authors: Sekar, R
Sze, Wai Kit
Porter, Donald
Lu, Long
Jaeger, Trent
Department: Computer Science
Issue Date: 1-Dec-2016
Publisher: The Graduate School, Stony Brook University: Stony Brook, NY.
Abstract: Today's OSes adopt users as the basic unit of trust: every file and process owned by a user carries that user's userid. This design stems from the very first multi-user OSes, built at a time when computers were self-contained and file contents were under the control of their users. Today, users frequently download data and code from the Internet without fully understanding their content or consequences, yet existing desktop OSes reuse the same old trust model and treat downloaded files as if users were fully responsible for them. This misplaced trust is exploited by today's malware. In this dissertation, we generalize the existing OS trust hierarchy with remote provenance information. Instead of having only mutually untrusted users, we extend the model to principals that encode both the local user and the remote provenance, and we allow principals to have arbitrary trust relationships. With just two provenances and a single unidirectional trust relationship between them, we can already build a usable integrity protection that systematically defends against unknown malware. In addition, we show how our framework substantially generalizes previous ones such as web browsers' same-origin policy and the policies governing inter-app interactions on mobile OSes. Trust hierarchies and access controls are enforced deep inside OSes, so generalizing the trust model can affect every application and every OS component. Instead of building a new OS from scratch or instrumenting existing OSes to enforce the new trust model directly, we re-purpose security mechanisms already common in contemporary OSes to achieve this generalization. This re-purposing mediates every access automatically, incurs low performance overhead, and is agnostic to both the OS and the applications. Our system has been implemented on Linux, BSD, and Windows, and supports large applications such as Firefox, Microsoft Office, Adobe Reader, and Photoshop. This dissertation is organized into three parts.
The first part is concerned with provenance tracking and enforcement mechanisms. Our main contributions in this part are (a) a novel dual-sandbox architecture that provides strong security against untrusted (potentially malicious) code while preserving compatibility with the vast base of existing applications, and (b) an approach for encoding provenance using the userids supported on contemporary operating systems, which allows the enforcement framework to be implemented easily on Linux, BSD, and Windows. The second part of the dissertation studies provenance-based security policies. Our key contributions in this context include: (a) a formal treatment of the usability versus functionality trade-off made by various integrity-preservation policies, (b) the development of a new integrity policy that, in a formal sense, provides an optimal trade-off, (c) a formalization of what it means for a policy to preserve integrity and availability, together with a proof that our policies achieve these goals, (d) inference techniques that automate several components of policy development, and (e) a general provenance-based security policy framework that is shown to subsume existing models such as those arising in the context of web mashups and smartphone apps. The third part of this dissertation implements the mechanisms and policies developed in the previous parts in several prototype systems and evaluates their effectiveness, performance, and usability. The first system, Spif, is an integrity protection system for commodity OSes, including Linux, BSD, and Windows. Spif can run large, unmodified applications such as Firefox, Google Chrome, Microsoft Office, Adobe Reader, and Photoshop without any impact on user experience, while warding off sophisticated and stealthy malware. The second system, SRFD, addresses a long-standing problem in information flow tracking, called self-revocation.
The last system, SwInst, is a system to secure the software installation process. We use SwInst to demonstrate the need for rollback and commit capabilities in an enforcement mechanism, and how these can be utilized to realize highly expressive security policies that cannot be supported otherwise. This system has been successfully evaluated on over 20,000 software packages available on Ubuntu Linux.
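The abstract's central idea, principals that pair a local user with a remote provenance and an arbitrary trust relation between those principals, can be made concrete with a small model. The following is an added illustration written for this page; it is not code from the dissertation or from Spif, and the mediation rule it applies (a subject may read an object if the subject's principal trusts the object's, and may write it if the object's principal trusts the subject's) is an assumption chosen to reproduce the two cases the abstract mentions: a two-provenance integrity policy with one unidirectional trust edge, and the same-origin policy as the special case with no trust edges at all. The userid numbering in `principal_uids` is likewise assumed.

```python
"""Toy model of provenance-aware principals (added illustration, not the
dissertation's or Spif's code). Assumptions are marked in the comments."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """A principal couples a local user with the remote provenance of the
    code or data it labels, e.g. ("alice", "benign") or ("alice", "untrusted")."""
    user: str
    prov: str  # "benign", "untrusted", or a web origin such as "https://a.example"


class TrustModel:
    """Trust is an arbitrary relation over principals, assumed reflexive.

    Mediation rule (an assumption for this example, not the thesis's own):
      read : subject may read  obj iff subject trusts obj's principal
      write: subject may write obj iff obj's principal trusts subject
    Users are mutually untrusted, so no edge ever crosses users unless added.
    """

    def __init__(self, trust: Iterable[Tuple[Principal, Principal]] = ()):
        # (truster, trustee) pairs
        self.trust: Set[Tuple[Principal, Principal]] = set(trust)

    def trusts(self, a: Principal, b: Principal) -> bool:
        return a == b or (a, b) in self.trust

    def may_read(self, subject: Principal, obj: Principal) -> bool:
        return self.trusts(subject, obj)

    def may_write(self, subject: Principal, obj: Principal) -> bool:
        return self.trusts(obj, subject)


def integrity_model(user: str) -> TrustModel:
    """Two provenances, one unidirectional edge: untrusted trusts benign.
    Result: benign never reads untrusted input, untrusted never writes benign
    files, while untrusted code may still read the user's benign files."""
    benign = Principal(user, "benign")
    untrusted = Principal(user, "untrusted")
    return TrustModel({(untrusted, benign)})


def same_origin_model() -> TrustModel:
    """No edges at all: each (user, origin) principal trusts only itself,
    which is the browser same-origin policy expressed in this framework."""
    return TrustModel()


def principal_uids(principals: Iterable[Principal],
                   base_uid: int = 100000) -> Dict[Principal, int]:
    """Encode each principal as a distinct userid, the trick the abstract
    uses to reuse existing OS access control. Numbering is assumed."""
    ordered = sorted(principals, key=lambda p: (p.user, p.prov))
    return {p: base_uid + i for i, p in enumerate(ordered)}


def mediate(model: TrustModel,
            requests: Iterable[Tuple[Principal, str, Principal]]
            ) -> List[Tuple[str, str, str, bool]]:
    """Decide a batch of (subject, "read"|"write", object) requests and
    return (subject.prov, op, object.prov, allowed) tuples."""
    out = []
    for subj, op, obj in requests:
        if op == "read":
            ok = model.may_read(subj, obj)
        elif op == "write":
            ok = model.may_write(subj, obj)
        else:
            raise ValueError(f"unknown operation {op!r}")
        out.append((subj.prov, op, obj.prov, ok))
    return out


if __name__ == "__main__":
    # Constructed sample: a benign editor, an untrusted downloaded binary.
    b, u = Principal("alice", "benign"), Principal("alice", "untrusted")
    for line in mediate(integrity_model("alice"),
                        [(u, "read", b), (u, "write", b),
                         (b, "read", u), (b, "write", u)]):
        print(line)
    print(principal_uids([b, u]))
```

Under the integrity model the only denied directions are untrusted writing benign and benign reading untrusted, which is exactly the pair of edges that keeps downloaded content from contaminating the user's trusted state; swapping the model for `same_origin_model()` denies every cross-origin access without changing the mediation code, which is the sense in which the abstract says the framework subsumes the same-origin policy.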
Description: 218 pg.
Appears in Collections:Stony Brook Theses and Dissertations Collection

Files in This Item:
File: Sze_grad.sunysb_0771E_12836.pdf (1.16 MB, Adobe PDF)
