Current intrusion detection systems (IDSes) fall into two very limiting categories: appearance-based or behavior-based. These rely on specifying good vs. bad behavior in terms of patterns in the malicious input or in the trace of execution during the attack. Some successful IDSes have specified attacks in terms of information flow and the influence data sources have on the system, but only in very limited domains such as control data attacks, and typically using information flow tracking mechanisms customized to their purpose. Intrusion detection based on a general method for information flow tracking would allow very explicit and general definitions of attacks that preclude entire categories of vulnerabilities and exploits, but current methods for dynamic information flow tracking (DIFT) are inadequate to make this a reality. DIFT works by tagging (or tainting) data and tracking it to measure the information flow throughout the system. Existing DIFT systems have limited support for address and control dependencies, and therefore cannot track information flow within a full system except in an ad hoc, application-specific fashion. As a first step toward making information flow a new paradigm for intrusion detection, we present a prototype DIFT system that supports address and control dependencies in a general way. As a motivating example to demonstrate this system, we define an attack by the amount of control that external network entities have over what a networked system is doing. This coarse definition is not precise enough to detect attacks, but it serves as a demonstration of our approach to DIFT. We measure the amount of information flow between tainted sources and the control path of the CPU for a variety of scenarios and show that our prototype system gives intuitive, meaningful results.
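As an added illustration (not the paper's prototype), a toy DIFT interpreter for a tiny register machine that tags input with a source label and propagates tags through data, address and control dependencies, so the two flows that plain data-only tainting misses can be switched on and off; the instruction set, the two programs and the `net` label are assumptions constructed for the example.

```python
# Constructed DIFT interpreter: registers and memory hold (value, taint-set).
def run(prog, mem, track_addr=True, track_ctrl=True):
    """Execute prog; return (register taint map, taint of every branch decision)."""
    regs = {}            # name -> (value, taint set)
    branch_taint = []    # taint of each condition that steered the CPU's control path
    ctrl = set()         # taint of the enclosing branch condition (control dependency)
    pc = 0
    while pc < len(prog):
        op, *a = prog[pc]
        pc += 1
        cdep = ctrl if track_ctrl else set()
        if op == "input":            # (dst, value, source): fresh tainted input
            regs[a[0]] = (a[1], {a[2]})
        elif op == "const":          # (dst, value): tainted only via enclosing branch
            regs[a[0]] = (a[1], set(cdep))
        elif op == "add":            # (dst, src1, src2): explicit data dependency
            (v1, t1), (v2, t2) = regs[a[1]], regs[a[2]]
            regs[a[0]] = (v1 + v2, t1 | t2 | cdep)
        elif op == "load":           # (dst, addr_reg): address dependency via the index
            addr, ta = regs[a[1]]
            v, tm = mem[addr]
            regs[a[0]] = (v, tm | (ta if track_addr else set()) | cdep)
        elif op == "bz":             # (cond, target): jump if cond == 0
            v, t = regs[a[0]]
            branch_taint.append(t)   # the control path is now influenced by t
            if v == 0:
                pc = a[1]            # skipped block: an implicit flow this scheme misses
            else:
                ctrl = t             # fall-through block depends on the condition
        elif op == "join":           # end of the control-dependent block
            ctrl = set()
        else:
            raise ValueError(op)
    return {r: t for r, (_, t) in regs.items()}, branch_taint

TABLE = {i: (i, set()) for i in range(4)}   # untainted identity lookup table in memory
ADDR_LAUNDER = [("input", "x", 2, "net"),    # y := table[x]: value of x reaches y only
                ("load", "y", "x")]          # through the address, not through data
CTRL_LAUNDER = [("input", "x", 1, "net"),    # y := 0; if x != 0: y := 1
                ("const", "y", 0), ("bz", "x", 4), ("const", "y", 1), ("join",)]

def taint_of_y(prog, **flags):
    regs, _ = run(prog, dict(TABLE), **flags)
    return regs["y"]

def control_path_taint(prog):
    _, branches = run(prog, dict(TABLE))
    return set().union(*branches) if branches else set()
```

Disabling either flag reproduces the blind spot the abstract describes: the network byte still decides `y`, but a data-only tracker reports it as clean.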