
Putting Trojans on the Horns of a Dilemma: Redundancy for Information Theft Detection

Transactions on Computational Science IV

Abstract

Conventional approaches to either information flow security or intrusion detection are not suited to detecting Trojans that steal information such as credit card numbers using advanced cryptovirological and inference channel techniques. We propose a technique based on repeated deterministic replays in a virtual machine to detect the theft of private information. We prove upper bounds on the average amount of information an attacker can steal without being detected, even if they are allowed an arbitrary distribution of visible output states. Our intrusion detection approach is more practical than traditional approaches to information flow security.

We show that it is possible to, for example, bound the average amount of information an attacker can steal from a 53-bit credit card number to less than a bit by sampling only 11 of the 2^53 possible outputs visible to the attacker, using a two-pronged approach of hypothesis testing and information theory.




© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Crandall, J.R. et al. (2009). Putting Trojans on the Horns of a Dilemma: Redundancy for Information Theft Detection. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds) Transactions on Computational Science IV. Lecture Notes in Computer Science, vol 5430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01004-0_14


  • DOI: https://doi.org/10.1007/978-3-642-01004-0_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-01003-3

  • Online ISBN: 978-3-642-01004-0

  • eBook Packages: Computer Science, Computer Science (R0)
