
Practical information flow based techniques to safeguard host integrity

Posted on: 2009-07-27
Degree: Ph.D
Type: Dissertation
University: State University of New York at Stony Brook
Candidate: Sun, Weiqing
Full Text: PDF
GTID: 1448390005958438
Subject: Computer Science
Abstract/Summary:
Security threats have escalated rapidly over the past few years. Malware, zero-day attacks and rootkits are now common terms in the media, drawing attention from large enterprises and ordinary computer users alike. What makes it worse is that cyber crime has become financially lucrative, leading to the formation of organizations that specialize in developing and trading malware. As a result, computer attacks have become more sophisticated and stealthier, and can evade most of today's defenses.

Current defensive approaches such as code analysis and behavior blocking can either be difficult to use or be evaded by indirect attacks. In contrast, techniques based on information-flow blocking can provide assurances about system integrity even in the face of sophisticated attacks. However, there has not been much success in applying information flow based techniques to modern COTS operating systems with satisfactory results in security, usability and scope. This is, in part, because a strict application of information flow policy can break existing applications; another important factor is the difficulty of policy development. We therefore develop two approaches to address these issues.

The first approach, SEE (Safe Execution Environment), is suitable for running stand-alone untrusted applications securely. It employs one-way isolation: processes running within the SEE are given read access to the environment provided by the host OS, but their write operations are prevented from escaping the SEE. As a result, SEE processes cannot impact the behavior of host OS processes or the integrity of data on the host OS. The SEE provides a convenient way for users to inspect the system changes made within it. If the user does not accept these changes, they can be rolled back at the click of a button; otherwise, the changes can be "committed" so that they become visible outside the SEE. We provide consistency criteria that ensure semantic consistency of the committed results. Our implementation results show that most software, including fairly complex server and client applications, runs successfully within the SEE. The approach introduces low performance overheads, typically below 10%.

The second approach, PPI (Practical Proactive Integrity Preservation), aims at providing integrity guarantees at the whole-system level. It focuses on proactive integrity protection by decoupling integrity labels from the low-level policies that specify how to resolve accesses causing information flows that may compromise integrity. A richer set of security levels and more flexible policy choices can therefore be specified to promote usability. We then develop an analysis technique that largely automates the generation of integrity labels and policies that preserve the usability of applications in most cases. The evaluation of our implementation on Linux desktop distributions indicates that it can stop a variety of sophisticated malware attacks while remaining usable.
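The one-way isolation and rollback/commit cycle that the SEE paragraph describes, as an added toy model written for this page (not the dissertation's implementation). Reads inside the SEE fall through to the host, writes land in a private shadow, and `commit()` applies the shadow only after a consistency check. The criterion used here, that no path the SEE read or wrote may have changed on the host during the session, is an assumption chosen for illustration; the host filesystem, the version counter and the sample session are all constructed.

```python
# Constructed toy model of one-way isolation with rollback/commit.
# Not the dissertation's code; the consistency criterion in commit() is an
# assumption made for this example.


class ConflictError(Exception):
    """Raised when a commit would silently overwrite host changes the SEE never saw."""


class Host:
    """The host filesystem: a path -> content map plus a per-path version counter."""

    def __init__(self, files):
        self.files = dict(files)
        self.version = {p: 0 for p in files}

    def read(self, path):
        return self.files.get(path)

    def write(self, path, data):
        self.files[path] = data
        self.version[path] = self.version.get(path, 0) + 1

    def delete(self, path):
        self.files.pop(path, None)
        self.version[path] = self.version.get(path, 0) + 1


class SEE:
    """One-way isolation: reads fall through to the host, writes stay in a shadow."""

    def __init__(self, host):
        self.host = host
        self.shadow = {}        # path -> content written inside the SEE
        self.deleted = set()    # paths deleted inside the SEE
        self.touched = {}       # path -> host version when the SEE first used it

    def _note(self, path):
        self.touched.setdefault(path, self.host.version.get(path, 0))

    def read(self, path):
        self._note(path)
        if path in self.deleted:
            return None
        if path in self.shadow:
            return self.shadow[path]
        return self.host.read(path)        # read-through to the host environment

    def write(self, path, data):
        self._note(path)
        self.deleted.discard(path)
        self.shadow[path] = data           # never reaches the host until commit()

    def delete(self, path):
        self._note(path)
        self.shadow.pop(path, None)
        self.deleted.add(path)

    def changes(self):
        """What the user inspects before deciding: (path, host view, SEE view)."""
        out = [(p, self.host.read(p), c) for p, c in sorted(self.shadow.items())]
        out += [(p, self.host.read(p), None) for p in sorted(self.deleted)]
        return out

    def conflicts(self):
        """Paths changed on the host since the SEE first read or wrote them."""
        return sorted(p for p, v in self.touched.items()
                      if self.host.version.get(p, 0) != v)

    def rollback(self):
        """Discard everything the SEE did; the host was never modified."""
        self.shadow.clear()
        self.deleted.clear()
        self.touched.clear()

    def commit(self):
        """Apply the shadow to the host, but only if the consistency check passes."""
        bad = self.conflicts()
        if bad:
            raise ConflictError(f"host changed {bad} during the SEE session")
        for p, c in self.shadow.items():
            self.host.write(p, c)
        for p in self.deleted:
            self.host.delete(p)
        self.rollback()


def demo():
    """Constructed session: an untrusted installer runs inside the SEE."""
    host = Host({"/etc/hosts": "127.0.0.1 localhost\n",
                 "/home/alice/notes.txt": "todo\n"})
    see = SEE(host)
    see.write("/etc/hosts", "127.0.0.1 localhost\n10.0.0.9 update.example\n")
    see.write("/home/alice/.bashrc", "export PATH=/tmp/bin:$PATH\n")
    host_untouched = host.read("/etc/hosts") == "127.0.0.1 localhost\n"
    see.rollback()                                    # user rejects the changes
    bashrc_absent = host.read("/home/alice/.bashrc") is None
    # Second session: a benign edit, but the host changes the same file meanwhile.
    see.write("/home/alice/notes.txt", "todo\n- call bob\n")
    host.write("/home/alice/notes.txt", "todo\n- buy milk\n")
    try:
        see.commit()
        committed = True
    except ConflictError:
        committed = False
    return host_untouched, bashrc_absent, committed, host.read("/home/alice/notes.txt")
```

The first session shows the isolation property: the host view of `/etc/hosts` is unchanged while the SEE is running, and rolling back leaves no trace. The second session shows why a consistency criterion is needed at commit time: the SEE's edit was based on a version of the file the host has since replaced, so blindly committing would lose the host's update.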
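The PPI idea of keeping integrity labels separate from the policy that resolves risky flows, as an added illustration written for this page (not the dissertation's design). Labels are integers where higher means more trusted; a flow from lower to higher integrity is the risky direction, and a per-access rule table decides whether such a flow is denied, allowed with a downgrade of the receiving side, or allowed because the subject is trusted to sanitize its input. The resolution names, label values and the sample programs and files are all assumptions made for this example.

```python
# Constructed illustration of integrity labels decoupled from flow-resolution
# policies. Not the dissertation's code; rule names, label values and the
# sample subjects/objects are assumptions made for this example.
from enum import Enum


class Resolution(Enum):
    DENY = "deny"             # refuse the access
    DOWNGRADE = "downgrade"   # allow it, but lower the receiving side's label
    TRUST = "trust"           # allow it with no relabeling (declared sanitizer)


class IntegritySystem:
    """Higher label = more trusted. Flows from lower to higher integrity are
    the risky direction; the rule table says how each such flow is resolved."""

    def __init__(self, subjects, objects, default=Resolution.DENY):
        self.subjects = dict(subjects)    # process name -> label
        self.objects = dict(objects)      # file path -> label
        self.default = default
        self.rules = {}                   # (op, subject, object) -> Resolution

    def set_rule(self, op, subject, obj, resolution):
        self.rules[(op, subject, obj)] = resolution

    def _resolve(self, op, subject, obj):
        return self.rules.get((op, subject, obj), self.default)

    def read(self, subject, obj):
        """Subject reads object: risky when the object is less trusted than the subject."""
        s, o = self.subjects[subject], self.objects[obj]
        if o >= s:
            return True, "ok"
        r = self._resolve("read", subject, obj)
        if r is Resolution.DENY:
            return False, "denied: low-integrity input"
        if r is Resolution.DOWNGRADE:
            self.subjects[subject] = o          # low-watermark style downgrade
            return True, f"ok, {subject} downgraded to {o}"
        return True, f"ok, {subject} trusted to sanitize"

    def write(self, subject, obj):
        """Subject writes object: risky when the subject is less trusted than the object."""
        s, o = self.subjects[subject], self.objects[obj]
        if s >= o:
            return True, "ok"
        r = self._resolve("write", subject, obj)
        if r is Resolution.DENY:
            return False, "denied: would contaminate high-integrity object"
        if r is Resolution.DOWNGRADE:
            self.objects[obj] = s
            return True, f"ok, {obj} downgraded to {s}"
        return True, f"ok, {subject} trusted to write {obj}"


def demo():
    """Same labels, different policy choices per subject (constructed scenario)."""
    sysm = IntegritySystem(
        subjects={"browser": 0, "editor": 2, "pkg-manager": 2},
        objects={"/etc/passwd": 2, "/home/alice/download.tar": 0,
                 "/home/alice/doc.txt": 1},
    )
    dl = "/home/alice/download.tar"
    sysm.set_rule("read", "editor", dl, Resolution.DOWNGRADE)
    sysm.set_rule("read", "pkg-manager", dl, Resolution.TRUST)   # assumed to verify signatures
    return {
        "browser reads passwd": sysm.read("browser", "/etc/passwd")[0],
        "browser writes passwd": sysm.write("browser", "/etc/passwd")[0],
        "browser writes download": sysm.write("browser", dl)[0],
        "editor reads download": sysm.read("editor", dl)[0],
        "editor label after": sysm.subjects["editor"],
        "editor then writes doc": sysm.write("editor", "/home/alice/doc.txt")[0],
        "pkg-manager reads download": sysm.read("pkg-manager", dl)[0],
        "pkg-manager label after": sysm.subjects["pkg-manager"],
        "pkg-manager writes passwd": sysm.write("pkg-manager", "/etc/passwd")[0],
    }
```

The scenario shows the usability tension the abstract points at: with the same labels, the editor that opens a downloaded file is downgraded and thereafter cannot save to a higher-integrity document, while a subject the policy declares trusted keeps its label. Which subjects get which resolution is exactly the policy decision that PPI's analysis technique is meant to automate.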
Keywords/Search Tags: Integrity, Information flow, Host OS, SEE, Attacks, Techniques