Practical Proactive Integrity Preservation: A Basis for Malware Defense

Sun, Weiqing; Sekar, R.; Poothia, G.; Karandikar, T.

doi:10.1109/sp.2008.35

Cited by 32 publications

(51 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have recently proposed practical approaches to integrity that approximate classical integrity models [47,21,50,20,40]. These practical integrity models are all strictly weaker than classical models, in that they do not require formal assurance for code with the authority to protect integrity while receiving untrusted inputs.…”

Section: Related Workmentioning

confidence: 99%

“…Recently, researchers have proposed a variety of approaches to enforce information flow integrity focusing on system abstractions [21,47,50,20,56,57]. All of the above approaches require that administrators replace the commodity system policies with a new information flow policy that includes mediators.…”

mentioning

confidence: 99%

“…All of the above approaches require that administrators replace the commodity system policies with a new information flow policy that includes mediators. Only Practical Proactive Integrity [50] (PPI) provides some automated support for producing integrity policies from existing MAC policies, but it uses simple, two-level lattices and requires administrators to determine whether a process can handle all integrity threats, which is a difficult and error-prone task. To evaluate such risks more precisely, researchers have realized that it is important to identify and defend those program entrypoints accessible to adversaries 3 , called the program's attack surface [16,23].…”

mentioning

confidence: 99%

See 2 more Smart Citations

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Modern distributed systems are composed from several offthe-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems makes it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) and only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.

show abstract

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…However, formal assurance of the correctness of these programs is necessary to justify such behavior in the Clark-Wilson model. While formal assurance for programs appeared to be emerging as a viable technology in 1987 (i.e., when the Clark-Wilson model was proposed), it is now widely believed that formal assurance of complete applications is impractical, so new interpretations of integrity have recently been proposed [30,18,35]. These interpretations require that high integrity programs are designed to only accept untrusted inputs at interfaces where integrity decisions can be enforced.…”

Section: Integritymentioning

confidence: 99%

“…The design of our approach is based on three insights. First, we leverage emerging work on practical integrity models [30,18,35] that define comprehensive and practical integrity model for general purpose systems. Our approach generates proofs that a remote party can use to determine whether a virtual machine's execution adheres to an approximation of Clark-Wilson integrity [30].…”

Section: Introductionmentioning

confidence: 99%

Justifying Integrity Using a Virtual Machine Verifier

Schiffman

Moyer

Shal

et al. 2009

2009 Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Emerging distributing computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in the computation. While integrity measurement enables systems to generate proofs of their integrity to remote parties, we find that current integrity measurement approaches are insufficient to prove runtime integrity for systems in these architectures. Integrity measurement approaches that are flexible enough have an incomplete view of runtime integrity, possibly leading to false integrity claims, and approaches that provide comprehensive integrity do so only for computing environments that are too restrictive. In this paper, we propose an architecture for building comprehensive runtime integrity proofs for general purpose systems in distributed computing architectures. In this architecture, we strive for classical integrity, using an approximation of the Clark-Wilson integrity model as our target. Key to building such integrity proofs is a carefully crafted host system whose long-term integrity can be justified easily using current techniques and a new component, called a VM verifier, that can enforce our integrity target on VMs comprehensively. We have built a prototype based on the Xen virtual machine system for SELinux VMs, and find distributed compilation can be implemented, providing accurate proofs of our integrity target with less than 4% overhead.

show abstract