TY - GEN
T1 - Expanding malware defense by securing software installations
AU - Sun, Weiqing
AU - Sekar, R.
AU - Liang, Zhenkai
AU - Venkatakrishnan, V. N.
PY - 2008
Y1 - 2008
N2 - Software installation provides an attractive entry vector for malware: since installations are performed with administrator privileges, malware can easily get the enhanced level of access needed to install backdoors, spyware, rootkits, or "bot" software, and to hide these installations from users. Previous research has focused mainly on securing the execution phase of untrusted software, while largely ignoring the safety of installations. Even security-enhanced operating systems such as SELinux and Windows Vista do not usually impose restrictions during software installs, expecting the system administrator to "know what she is doing." This paper addresses this "gap in armor" by securing software installations. Our technique can support a diversity of package managers and software installers. It is based on a framework that simplifies the development and enforcement of policies that govern the safety of installations. We present a simple policy that can be used to prevent untrusted software from modifying any of the files used by benign software packages, thus blocking the most common mechanism used by malware to ensure that it is run automatically after each system reboot. While the scope of our technique is limited to the installation phase, it can be easily combined with approaches for secure execution, e.g., by ensuring that all future runs of an untrusted package will take place within an administrator-specified sandbox. Our experimental evaluation considered over one hundred benign and untrusted software packages. Our technique was able to block the malicious packages among these without breaking the non-malicious ones.
KW - Malicious code
KW - Sandboxing
KW - Software installation
KW - Untrusted code
UR - https://www.scopus.com/pages/publications/49949083293
U2 - 10.1007/978-3-540-70542-0_9
DO - 10.1007/978-3-540-70542-0_9
M3 - Conference contribution
SN - 3540705414
SN - 9783540705413
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 164
EP - 185
BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 5th International Conference, DIMVA 2008, Proceedings
T2 - 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2008
Y2 - 10 July 2008 through 11 July 2008
ER -
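The policy sketched in the abstract (an untrusted installer may not modify any file used by a benign, already-installed package; if the install is allowed, the package's files are recorded so later runs can be confined to an administrator-specified sandbox) can be illustrated with a small installation-time checker. The code below is an added example written for this page; it is not code from Sun et al.'s framework, and it does not reproduce their policy language or enforcement mechanism. Everything in it is constructed: the package manifests, the drop-in directories, the write lists, and the interpretation that "files used by" a benign package also covers directories that package scans at runtime (e.g. cron's `/etc/cron.d`), which goes beyond the abstract's literal wording but is the case a practitioner would most want covered.

```python
"""Installation-time policy check, constructed example (not the paper's code).

Model: a benign package "uses" (a) the files its manifest lists and (b) the
drop-in directories it scans at runtime. An untrusted installer's intended
writes are checked against both; any hit denies the whole installation.
"""
import posixpath

# Constructed manifests, as a package manager (dpkg, rpm) would report them.
BENIGN_MANIFESTS = {
    "cron": ["/usr/sbin/cron", "/etc/crontab"],
    "openssh-server": ["/usr/sbin/sshd", "/etc/ssh/sshd_config"],
    "sysvinit": ["/etc/rc.local", "/etc/init.d/rc"],
}

# Constructed: directories those packages read at boot/run time. Dropping a
# new file here is the classic "run me after every reboot" persistence hook.
BENIGN_DROPIN_DIRS = {
    "cron": ["/etc/cron.d", "/etc/cron.daily"],
    "sysvinit": ["/etc/init.d", "/etc/rc2.d"],
}


def normalize(path):
    """Canonicalize an absolute path so '..', '//' and './' cannot evade a
    string comparison ('/etc/../etc/crontab', '//etc/crontab'). Relative
    paths return None: an installer running as root has no business using
    them, and the caller treats None as a violation."""
    if not path.startswith("/"):
        return None
    # posixpath.normpath keeps a leading '//' (POSIX allows it to be special),
    # so collapse leading slashes ourselves.
    return "/" + posixpath.normpath(path).lstrip("/")


class InstallPolicy:
    def __init__(self, manifests, dropin_dirs):
        self.owner_of_file = {}
        for pkg, files in manifests.items():
            for f in files:
                self.owner_of_file[normalize(f)] = pkg
        self.owner_of_dir = {}
        for pkg, dirs in dropin_dirs.items():
            for d in dirs:
                self.owner_of_dir[normalize(d)] = pkg

    def violation(self, path):
        """Return (reason, owning_package) if writing `path` would touch a
        benign package's file or drop-in directory, otherwise None."""
        p = normalize(path)
        if p is None:
            return ("relative path", None)
        if p in self.owner_of_file:
            return ("modifies file of benign package", self.owner_of_file[p])
        # Walk up the parents: a write anywhere under a drop-in directory
        # (including nested subdirectories) counts.
        parent = posixpath.dirname(p)
        while True:
            if parent in self.owner_of_dir:
                return ("creates file in drop-in dir of benign package",
                        self.owner_of_dir[parent])
            if parent == "/":
                return None
            parent = posixpath.dirname(parent)

    def check_install(self, writes):
        """Map each offending write to its violation. Empty dict = clean."""
        violations = {}
        for w in writes:
            v = self.violation(w)
            if v is not None:
                violations[w] = v
        return violations


def decide(policy, pkg_name, writes):
    """All-or-nothing decision: deny if any write violates the policy, so a
    half-applied install never leaves a persistence hook behind. On allow,
    return the canonical file set labelled with the untrusted package name,
    which a secure-execution layer can use to sandbox later runs of it."""
    violations = policy.check_install(writes)
    if violations:
        return ("deny", violations)
    return ("allow", {normalize(w): pkg_name for w in writes})


if __name__ == "__main__":
    policy = InstallPolicy(BENIGN_MANIFESTS, BENIGN_DROPIN_DIRS)
    # Constructed write lists for two hypothetical untrusted packages.
    print(decide(policy, "foo", ["/opt/foo/bin/foo", "/opt/foo/etc/foo.conf"]))
    print(decide(policy, "evil", ["/opt/evil/bin/evil",
                                  "/etc/cron.d/evil",
                                  "/etc/../etc/rc.local"]))
```

The check is deliberately coarse: it reasons about paths, not contents, and it is only as good as the manifests and drop-in directory list fed to it. A real enforcement point would also have to intercept the installer's writes (via a filesystem monitor or a confined execution environment) rather than trust a declared file list, which is the part of the problem the paper's framework addresses.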