RESTful and Light Weight Dynamic Information Flow Tracking-Based Computer Security Systems


Authors

Sahabandu, Kalana

Abstract

Cyber threats impose significant service disruption on public and private sectors at an alarming rate. Modern cyber threats such as ransomware and advanced persistent threats are intelligent and stealthy. These threats successfully avoid detection by traditional cyber defenses such as static signature-based anomaly detectors and anti-virus software. However, the activities of cyber adversaries introduce information flows in the victim system that carry the data and control commands the adversaries use. Dynamic Information Flow Tracking (DIFT) is a promising cyber defense mechanism that tags suspicious information flows, tracks their propagation through the system, and performs security checks to validate the authenticity of those flows in order to detect cyber threats [17, 29]. LIBDFT [17] is a widely used DIFT implementation in systems security research. However, the current version of LIBDFT is not compatible with the version of Intel Pin, the dynamic binary instrumentation framework on which the LIBDFT code base runs, used by the most recent Linux distributions. LIBDFT also does not scale to performing DIFT on multiple programs, and it provides no ability to remotely start or terminate DIFT on a host system. This thesis is organized as follows. Chapter one introduces the problem analyzed in this thesis and proposes DIFT implementations that allow DIFT-based detection mechanisms to be deployed in consumer space. Chapter two provides the necessary preliminaries on DIFT functionality, the LIBDFT architecture, and the limitations of LIBDFT that restrict its deployment in modern Linux distributions. Chapter three introduces RESTful DIFT, which updates the LIBDFT code base to support the latest version of the Intel Pin tool and enables deployment of DIFT in modern Linux distributions. RESTful DIFT also adds multi-program DIFT functionality to improve the scalability of the LIBDFT library, and adds a RESTful service layer to improve its usability. A real-world attack example, the Screengrab attack, is used to validate the functionality of the RESTful DIFT implementation. Chapter four introduces Light Weight DIFT, a DIFT architecture with low memory and run-time overhead that also supports performing DIFT on multi-process programs. Light Weight DIFT further provides a user-friendly graphical visualization of the DIFT results. The validity of the Light Weight DIFT implementation is verified using a multi-host Screengrab attack. Lastly, chapter five discusses future directions that can further improve the compatibility and scalability of RESTful DIFT and Light Weight DIFT, and offers concluding remarks.
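As an added illustration (not code from the thesis or from LIBDFT), the following Python model shows the three DIFT operations the abstract names: tagging bytes at an untrusted source, propagating tags through data movement and arithmetic, and checking tags at a security-sensitive sink. The class and policy names (`TaintedBytes`, `SINK_POLICY`, the sink labels) and the constructed request message are assumptions for this example; a real DIFT tool such as LIBDFT does the same bookkeeping per instruction under a binary instrumentation framework such as Intel Pin.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class TaintedBytes:
    """A byte string carrying one set of source tags per byte (byte-granularity DIFT)."""
    data: bytes
    tags: List[FrozenSet[str]]

    @classmethod
    def from_source(cls, data: bytes, source: str) -> "TaintedBytes":
        # Tagging: every byte read from an untrusted source gets that source's label.
        return cls(data, [frozenset({source})] * len(data))

    @classmethod
    def trusted(cls, data: bytes) -> "TaintedBytes":
        # Constants and program-internal data start with no tags.
        return cls(data, [frozenset()] * len(data))

    def concat(self, other: "TaintedBytes") -> "TaintedBytes":
        # Data movement: each tag travels with the byte it belongs to.
        return TaintedBytes(self.data + other.data, self.tags + other.tags)

    def slice(self, start: int, stop: int) -> "TaintedBytes":
        return TaintedBytes(self.data[start:stop], self.tags[start:stop])

    def xor_with(self, other: "TaintedBytes") -> "TaintedBytes":
        # Arithmetic: an output byte inherits the union of its operands' tags,
        # so transforming tainted data does not launder the taint.
        n = min(len(self.data), len(other.data))
        data = bytes(a ^ b for a, b in zip(self.data[:n], other.data[:n]))
        tags = [a | b for a, b in zip(self.tags[:n], other.tags[:n])]
        return TaintedBytes(data, tags)

    def all_tags(self) -> FrozenSet[str]:
        return frozenset().union(*self.tags)


# Sink policy (constructed for this example): tags that must never reach a sink.
SINK_POLICY: Dict[str, FrozenSet[str]] = {
    "exec_argv": frozenset({"network"}),
    "control_transfer_target": frozenset({"network", "file"}),
    "log_write": frozenset(),
}


def sink_violations(sink: str, value: TaintedBytes) -> FrozenSet[str]:
    """Security check at a sink: returns the offending source tags (empty if clean)."""
    return value.all_tags() & SINK_POLICY[sink]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a trusted template is completed with a network-supplied field."""
    request = TaintedBytes.from_source(b"GET /?name=bob", "network")
    name = request.slice(11, 14)              # b"bob": still tagged "network"
    template = TaintedBytes.trusted(b"hello ")
    greeting = template.concat(name)          # only the last three bytes are tainted
    key = TaintedBytes.trusted(b"\x01\x02\x03")
    masked = name.xor_with(key)               # derived bytes keep the tag
    checks = [
        ("greeting->log_write", "log_write", greeting),
        ("greeting->exec_argv", "exec_argv", greeting),
        ("masked->control_transfer_target", "control_transfer_target", masked),
        ("template->exec_argv", "exec_argv", template),
    ]
    return {label: sorted(sink_violations(sink, v)) for label, sink, v in checks}


if __name__ == "__main__":
    for label, offending in demo().items():
        print(label, "ALERT" if offending else "ok", offending)
```

The per-byte tag list is what lets the check distinguish the trusted `hello ` prefix from the network-derived suffix inside the same buffer; a detector that tagged whole buffers would flag the log write as well and lose precision.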

Description

Thesis (Master's)--University of Washington, 2021
