13-11-2012, 03:11 PM
Data-Provenance Verification For Secure Hosts
ABSTRACT
Malicious software typically resides stealthily on a user's
computer and interacts with the user's computing
resources. Our goal in this work is to improve the
trustworthiness of a host and its system data. Specifically,
we provide a new mechanism that ensures the correct
origin or provenance of critical system information and
prevents adversaries from utilizing host resources. We
define data-provenance integrity as the security property
stating that the source where a piece of data is generated
cannot be spoofed or tampered with. We describe a
cryptographic provenance verification approach for
ensuring system properties and system-data integrity at
the kernel level. Its two concrete applications are
demonstrated in keystroke integrity verification and
malicious traffic detection. Specifically, we first design
and implement an efficient cryptographic protocol that
enforces keystroke integrity by utilizing the on-chip Trusted
Computing Platform (TPM). The protocol prevents the
forgery of fake key events by malware under reasonable
assumptions. Then, we demonstrate our provenance
verification approach by realizing a lightweight
framework for restricting outbound malware traffic. This
traffic-monitoring framework helps identify network
activities of stealthy malware, and lends itself to a
powerful personal firewall for examining all outbound
traffic of a host that cannot be bypassed.
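
The data-provenance integrity property defined in the abstract can be illustrated with a small verifier. This is an added example, not the paper's protocol or code: the `KeySource` and `Verifier` classes, the HMAC-SHA256 tag, the counter-based replay check and the event layout are all assumptions, and the shared key stands in for a secret that the abstract's design would protect with the TPM.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QI")   # assumed layout: 64-bit counter, 32-bit keycode
TAG_LEN = hashlib.sha256().digest_size


def _tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class KeySource:
    """Hypothetical trusted origin of key events (holds the secret key)."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def emit(self, keycode: int) -> bytes:
        # Bind the keycode to a strictly increasing counter, then authenticate both.
        self._counter += 1
        msg = HEADER.pack(self._counter, keycode)
        return msg + _tag(self._key, msg)


class Verifier:
    """Hypothetical consumer that accepts only events provably from KeySource."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def accept(self, event: bytes):
        """Return the keycode if provenance checks pass, otherwise None."""
        if len(event) != HEADER.size + TAG_LEN:
            return None                      # malformed event
        msg, tag = event[:HEADER.size], event[HEADER.size:]
        if not hmac.compare_digest(tag, _tag(self._key, msg)):
            return None                      # forged or tampered: tag mismatch
        counter, keycode = HEADER.unpack(msg)
        if counter <= self._last_counter:
            return None                      # replay of an earlier genuine event
        self._last_counter = counter
        return keycode
```

An event injected by software that lacks the key fails the tag check, and a captured genuine event fails the counter check when replayed, which are the two ways the origin of a key event could otherwise be spoofed.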