
    Modeling and control of a dynamic information flow tracking system

    This thesis introduces and details the effort of modeling and control design of an information tracking system for computer security purposes, called a Dynamic Information Flow Tracking (DIFT) system. The DIFT system, developed at the Computer Science Department at the University of New Mexico, works by tagging data and tracking it to measure the information flow throughout the system. DIFT can be used for several security applications, such as securing sensor networks and honeypots (a honeypot being a trap set to detect, deflect, or counteract attempts at unauthorized use of information systems). Existing DIFT systems cannot track address and control dependencies; their applicability is therefore currently very limited, because important information flow dependencies are left untracked for stability reasons. A new approach is taken, aimed at stabilizing DIFT systems and enabling them to detect control dependencies at the assembly level through control theory. Modern control has been used to model several cyber-physical, computing, networking, economic, and other systems. In an effort to model a computing system using control theory, this thesis introduces a general hybrid systems framework to model the flow of information in DIFT when control dependencies are encountered. Information flow in DIFT is represented by a numeric vector called the taint vector. The suggested model benefits from the characteristics of hybrid systems and their ability to represent both continuous variables and discrete events. The system is stabilized by making sure that the taint vectors represent the true information flow in control dependencies. This problem is solved by designing PID and model predictive controllers which guarantee that the system does not over-taint, while allowing information to flow properly. The modeling framework is validated by comparing simulations of the hybrid models against.
This research provides a new approach to solving the DIFT over-tainting problem by modeling it as a hybrid system and forcing the constraints to be obeyed by the taint values.

    Combatting Advanced Persistent Threat via Causality Inference and Program Analysis

    Cyber attackers are becoming more and more sophisticated. In particular, Advanced Persistent Threat (APT) is a new class of attack that targets a specific organization and compromises systems over a long time without being detected. Over the years, we have seen notorious examples of APTs, including Stuxnet, which disrupted Iranian nuclear centrifuges, and data breaches affecting millions of users. Investigating an APT is challenging, as it occurs over an extended period of time and the attack process is highly sophisticated and stealthy. Preventing APTs is also difficult due to ever-expanding attack vectors. In this dissertation, we present proposals for dealing with the challenges of attack investigation. Specifically, we present LDX, which conducts precise counter-factual causality inference to determine dependencies between system calls (e.g., between input and output system calls) and allows investigators to determine the origin of an attack (e.g., receiving a spam email), the propagation path of the attack, and the consequences of the attack. LDX is four times more accurate and two orders of magnitude faster than state-of-the-art taint analysis techniques. We then present a practical model-based causality inference system, MCI, which achieves precise and accurate causality inference without requiring any modification or instrumentation of end-user systems. Second, we show a general protection system against a wide spectrum of attack vectors and methods. Specifically, we present A2C, which prevents a wide range of attacks by randomizing inputs such that any malicious payloads contained in the inputs are corrupted. The protection provided by A2C is both general (e.g., against various attack vectors) and practical (7% runtime overhead).