engineering challenges in immunizing systems against
play

Engineering Challenges in Immunizing Systems Against Malicious Code - PowerPoint PPT Presentation

May 21, 2023 •300 likes •581 views

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal Technical Consultant Verdasys, Inc. Background Organizations are confronted with troubling developments the malware problem phenomenon

  1. Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal Technical Consultant Verdasys, Inc.

  2. Background Organizations are confronted with troubling developments the malware problem phenomenon •Proliferation of malware of increasing volume and quality •Targeted attacks •Professional developers taking the place of amateurs •Various organizations developing capabilities to produce malware on an industrial basis .

  3. Background A novel malware approach is presented that was developed and implemented as a feature extension to a commercial tool for the Windows platform: Digital Guardian - Verdasys, Inc. http://www.verdasys.com

  4. Requirements 1. Prevent de novo infection by malicious programs including viruses, worms and Trojan horse programs. 2. ...without first obtaining new code, virus definitions, signature files, or data. 3. ...consistent with intermittent connectivity including no facility to download data files. 4. Maximally generic and thus independent of specific pattern matching or algorithmic methods of code examination and classification. 5. Be configurable for mandatory enforcement, i.e., disallowance of override once installed. 6. Be nevertheless manageable at enterprise scale and with a constant flux of changes and adds to people and facilities. 7. Fail closed.

  5. The Malicious Code Problem Cohen (1987) proved that no single algorithm can detect all virus programs which might exist, and separately (1994) showed that access control is ineffective against malicious code.

  6. The Malicious Code Problem Szor (2005) and Chess & White (2000) both point out that there is a threshold of code mutation beyond which viruses can exist which no algorithm can detect.

  7. The Malicious Code Problem Grayaznov (1999) notes that integrity checking tools are themselves targeted by slow infector viruses, which wait for files to be modified and then piggyback their infection onto the legitimate modification thus to escape notice.

  8. The Malicious Code Problem As described by Szor (2005) , first- and second-generation virus detectors used a variety of code and pattern matching techniques and, later, algorithmic detection in a custom language.

  9. The Malicious Code Problem Next came CPU emulation techniques to detect polymorphic viruses (which partially mutate their own code in order to frustrate pattern matching scanners). Szor (2005) notes the significant challenge posed by polymorphic viruses that use entry point obscuring techniques (effectively randomizing their location within the infected host file in order to make detection more difficult).

  10. The Malicious Code Problem Szor also notes that some metamorphic viruses, which produce true mutations that do not resemble the parent, would require a pattern matching against an infeasible number of patterns. Christodrescu, et. al, (2003) found that even simple code obfuscation techniques, such as inserting NOP instructions defeated commercial virus scanners.

  11. The Malicious Code Problem Szor describes geometric detection (examining changes to file structures), heuristic analysis and behavior blocking tend (which generate false positive and false negatives). Neural networks can produce acceptable rates of false positives, but require considerable training, are subject to overtraining, and tend toward unacceptable false positive ratios when malicious code closely resembles non- malicious code.

  12. Intrusion Prevention Like intrusion detection, intrusion prevention technologies require significant training and administration and face technical challenges in achieving acceptable rates of false positives and false negatives using behavioral and statistical anomaly detection techniques.

  13. Misuse Detection e.g. Code Signature Matching • Signature matching is inherently reactive and cannot offer detection or prevention of newly emerged or “zero-day” malicious programs. • Signature matching is ineffective against unique programs that never see widespread distribution and are consequently never classified by a signature producer. • Signature matching is ineffective against programs for which source code is available, facilitating the compilation of binaries which are sufficiently different that they match no available code signatures. • Signature matching will generally ignore dual-use applications. • Signature matching cannot scale indefinitely in the face of industrial malware production.

  14. The Immunity Problem In the absence of a strong generalized defense, biologic hosts must experience an infection to develop antibodies to it. Inherently reactive, this offers little or no resistance to a previously unknown pathogen..

  15. The Immunity Problem For that, the organism cannot rely on time- lapsed development of pathogen-specific antibodies, but must instead be able to immediately disambiguate "self" and "not- self," which Forrest, et. al, (1996) were perhaps the first to attempt adapting to the digital world.

  16. The Immunity Problem Our challenge, as engineers, is to make such determinations on the fly in a way that is both effective, prompt, and non- interfering with needed work output of people and/or machines

  17. Defining “not self” Option one: programs which are attempting to enter the file system from a foreign (e.g. network) location are “not self” Option two: programs which are sourcing from anywhere except a trusted process and / or user account such a software distribution tool are “not self”

  18. Specification Based Object Level Security • Specification based detection / policy enforcement is highly effective • Without limitations of misuse or anomaly detection • Requires defining a policy and the ability to enumerate all behaviors which do not violate policy

  19. Impelmentation Using kernel level I/O system call interception, I/O system calls are subjected to security policy. Fine-grained rules can be enforced against a rich set of event attributes including process names or cryptographic hashes, user accounts, file types or paths, network sockets, and regular expressions.

  20. Rule Rule File System Shim File System Shim Execution Execution Network Shim Network Shim Network Network Kernel Mode Kernel Mode Figure 1. The Digital Guardian Agent Functional Components Stealth Stealth Windows Kernel Windows Kernel Architecture Printing Shim Printing Shim Stealth Stealth Tamper Tamper Clipboard Shim Clipboard Shim Resistance Resistance Audit Audit Process Watcher Process Watcher API Monitor API Monitor Agent Process Agent Process User Mode User Mode User Interaction User Interaction Configuration Manager Configuration Manager Server Communication Server Communication

  21. Example: A Browser Helper Object (BHO) Detect 8/25/2004 5:03:36 PM iexplore.exe File Write Fixed incfindbho.dll 8/25/2004 5:02:43 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:43 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:41 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:40 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:36 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:36 PM iexplore.exe File Read Fixed s.dat 8/25/2004 5:02:36 PM iexplore.exe File Read Fixed s.dat 8/25/2004 5:02:05 PM iexplore.exe File Write Fixed incfindbho.dll 8/25/2004 4:56:07 PM iexplore.exe File Write Fixed incfindbho.dll 8/25/2004 4:52:27 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 4:50:39 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80

  22. Solution: Prevent Event One 8/25/2004 5:03:36 PM iexplore.exe File Write Fixed incfindbho.dll 8/25/2004 5:02:43 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80 8/25/2004 5:02:43 PM iexplore.exe Connect Outbound TCP IP ADDRESS REDACTED 80

  23. Malware Mitigation Policy Logic • Block untrusted processes from writing to system paths. • Block Internet facing applications from writing or renaming executable files. • Block winzip and other file compression utilities from writing or renaming files with executable extensions. • Block web browsers from writing or renaming files with executable extensions. • Block newsreaders from writing or renaming files with executable extensions. • Block messaging applications from writing or renaming files with executable extensions. • Block P2P applications from executing, from making network connections or from writing or renaming files with executable extensions. • Block email applications from writing or renaming files with executable extensions. • Block reading and / or writing of executable file types on network drives. • Block reading and / or writing of executable file types on removable media.

  24. Malware Immunization Policy Logic • If the program binary's hash does not match the hash of a trusted program such as a software distribution tool, don’t permit it to write executable files to the file system or create / modify files within system paths. • If the program is not running within a trusted user context, do not permit it to write executable files to the file system or create / modify files within system paths.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CHALLENGES CHALLENGES C. G . G. Cassand . Cassandras as Division of Systems Engineering

CHALLENGES CHALLENGES C. G . G. Cassand . Cassandras as Division of Systems Engineering

CYBER-PHY CYBER PHYSICAL SY SICAL SYSTEMS: STEMS: MOTIV MO TIVATION TION AND AND CHALLENGES CHALLENGES C. G . G. Cassand . Cassandras as Division of Systems Engineering Center for Information and Systems Engineering Boston

571 views • 41 slides
Preparing Students for Systems Engineering Challenges of the Future Chris Paredis Program

Preparing Students for Systems Engineering Challenges of the Future Chris Paredis Program

Preparing Students for Systems Engineering Challenges of the Future Chris Paredis Program Director NSF ENG/CMMI Engineering & Systems Design, Systems Science cparedis@nsf.gov (703) 292-2241 1 Disclaimer & Acknowledgment

562 views • 23 slides
Research Challenges in Process Systems Engineering and Overview of Mathematical Programming

Research Challenges in Process Systems Engineering and Overview of Mathematical Programming

Research Challenges in Process Systems Engineering and Overview of Mathematical Programming Ignacio E. Grossmann Center for Advanced Process Decision-making (CAPD) Department of Chemical Engineering Carnegie Mellon University Pittsburgh, PA

1.21k views • 69 slides
EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in

EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in

EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems Integration Integration J. A. G. Jess NSF EDA Workshop July 8 and 9 2009 July 8 and 9, 2009 Why should IC- Why should IC -EDA and

247 views • 10 slides
Software Engineering Challenges for Parallel Processing Systems Lt Col Marcus W Hervey, USAF

Software Engineering Challenges for Parallel Processing Systems Lt Col Marcus W Hervey, USAF

Software Engineering Challenges for Parallel Processing Systems Lt Col Marcus W Hervey, USAF AFIT/CIP marcus.hervey@us.af.mil Disclaimer "The views expressed in this presentation are those of the author and do not reflect the official

504 views • 36 slides
Regional Operations Forum Systems Engineering What Is Systems Engineering? From MIT Open Course:

Regional Operations Forum Systems Engineering What Is Systems Engineering? From MIT Open Course:

Accelerating solutions for highway safety, renewal, reliability, and capacity Regional Operations Forum Systems Engineering What Is Systems Engineering? From MIT Open Course: Systems Engineering is an interdisciplinary approach and means to

379 views • 26 slides
Meeting the Challenges of Ultra- -Large Large- - Meeting the Challenges of Ultra Scale Systems

Meeting the Challenges of Ultra- -Large Large- - Meeting the Challenges of Ultra Scale Systems

Meeting the Challenges of Ultra- -Large Large- - Meeting the Challenges of Ultra Scale Systems via Model- -Driven Driven Scale Systems via Model Engineering Engineering February 2, 2007 February 2, 2007 Dr. Douglas C. Schmidt

479 views • 47 slides
The New Engineering Frontier: Manufacturing for the Grand Challenges C. D. Mote, Jr. President,

The New Engineering Frontier: Manufacturing for the Grand Challenges C. D. Mote, Jr. President,

The New Engineering Frontier: Manufacturing for the Grand Challenges C. D. Mote, Jr. President, National Academy of Engineering Regional Grand Challenges Summit Cary, NC October 31, 2013 THE NEXT CENTURY POSES CRITICAL CHALLENGES

351 views • 24 slides
Models, Tools, Systems, Solutions, Challenges Tutorial at ACM / IEEE 22nd Int. Conf. On Model

Models, Tools, Systems, Solutions, Challenges Tutorial at ACM / IEEE 22nd Int. Conf. On Model

Model-Driven Software Engineering in Robotics Models, Tools, Systems, Solutions, Challenges Tutorial at ACM / IEEE 22nd Int. Conf. On Model Driven Engineering Languages and Systems (MODELS) www.servicerobotik-ulm.de/models2019 What is this

596 views • 22 slides
Using TSP in a Systems Engineering Environment Lessons from the front Dan Wall TUG 2006

Using TSP in a Systems Engineering Environment Lessons from the front Dan Wall TUG 2006

Using TSP in a Systems Engineering Environment Lessons from the front Dan Wall TUG 2006 2 Problem TUG 2006 Agenda Systems Engineering / TSP n Game Development n Challenges Anatomy of a Game n Lessons Learned n Summary n TUG

322 views • 21 slides
Cyberinfrastructure-enabled Molecular Products Design and Engineering: Challenges and

Cyberinfrastructure-enabled Molecular Products Design and Engineering: Challenges and

Cyberinfrastructure-enabled Molecular Products Design and Engineering: Challenges and Opportunities Venkat Venkatasubramanian Laboratory for Intelligent Process Systems Purdue University West Lafayette, IN, USA 1 Outline Molecular

1.31k views • 106 slides
Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California

Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California

Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California Institute of Technology Design Principles in Biological Systems 21 April 2008 Product Systems Engineering Systems engineering methodology

408 views • 18 slides
ENGINEERING Denton, Texas and Denton Municipal Electric Business Challenges Project

ENGINEERING Denton, Texas and Denton Municipal Electric Business Challenges Project

Trey Price Engineering Systems Applications Supervisor Denton Municipal Electric 2016-17 Esri Electric & Gas Users Group Vice President ENGINEERING Denton, Texas and Denton Municipal Electric Business Challenges Project Goals

400 views • 24 slides
Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and Data) Enrico Zio Chair on Systems Science and the Energy Challenge CentraleSupelec, Fondation Electricit de France (EDF), France Energy

712 views • 59 slides
Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations

Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations

Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations Manfred Broy Technische Universitt Mnchen Institut fr Informatik D-80290 Munich, Germany Challenges in Software & Systems Development

519 views • 30 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com

Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com

Network Science Spreading Phenomena Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com Section 10.7 Epidemic Prediction Case Study 1: Epidemic Forecast Network Science: Robustness Cascades H1N1

879 views • 31 slides
Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian Kurmann Balaji Raghavan Matt Seegmiller The need to solve performance crimes Performance crimes are anything that unnecessarily increase

529 views • 42 slides
Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session,

Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session,

Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session, along with the slide deck and a copy of the Chat and Q&A content will be posted to the HUD Exchange within 2-3 business days Event

645 views • 39 slides
CSE543 Computer and Network Security Module: Malware Professor Trent Jaeger CSE543 -

CSE543 Computer and Network Security Module: Malware Professor Trent Jaeger CSE543 -

616 views • 33 slides
Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 ,

Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 ,

Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 , Phillip Porras 2 , Wenke Lee 1 1 Georgia Institute of Technology 2 SRI International Outline Background White Hole: Design & Operation

238 views • 20 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL Configuration (1) 3 Client completed verification of received certificate chain Testing SSL Configuration (2) 4 Received certificate chain (two

623 views • 49 slides
Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium,

Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium,

Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium, 2003] Mihai Christodorescu Somesh Jha CS @ University of Wisconsin, Madison Presented by K. Vikram Cornell University Problem & Motivation

969 views • 30 slides

More recommend