DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project...
DARPA/I2O Transparent Computing Program
THEIA: Tagging and Tracking of Multi-Level Host Events for Transparent Computing and Information Assurance
Mattia Fazzini Georgia Institute of Technology
Nov 3rd, 2017
Agenda
• Project overview
• Technical discussion
  – THEIA-Panda
  – THEIA-KI
• Future work
Project Team
• PI: Wenke Lee
• Co-PI: Simon Chung
• Co-PI: Taesoo Kim
• Co-PI: Alessandro Orso
• Postdoc: Sangho Lee
• GTRI: Trent Brunson
• Ph.D. students: Evan Downing, Mattia Fazzini, Yang Ji, Weiren Wang, Carter Yagemann, Joey Allen
Data Breaches (figure)
Data Breaches Trend (figure)
THEIA
• Objective:
  – Tagging and tracking of multi-level host events for detection of advanced persistent threats (APTs)
• Efficiency:
  – Decouple analyses from runtime through record and replay
• Transparency:
  – OS level
    • Establish causality relationships between system operations
  – Program level
    • Identify relations between program instructions
  – UI level
    • Capture the user's intent to provide ground truth of intended behavior
Advanced Persistent Threats (APTs)
• Definition:
  – Advanced persistent threats (APTs) take place over a long period of time and can blend in with normal user and program activities
DARPA Transparent Computing
(Program structure figure; labels recovered from the slide. Several TA1 performers, THEIA among them, feed the TA2 and TA3 components.)
• TA1: Tagging and Tracking (THEIA)
• TA2: Storage
• TA3: Forensics
• TA4: Adversarial Scenario
• TA5: Malware
THEIA-Panda Overview
(Architecture figure; component labels recovered from the slide.)
• Host running THEIA-Panda, with a Guest and FA
• Record / Replay
• Real-time: System Call Information, Process Information, Coarse-grained Taint Analysis, Action History Graph
• On-demand: Fine-grained Taint Analysis
• Storage
Record and Replay
• Record:
  – Take a snapshot of the machine state
  – Log non-deterministic inputs:
    • Data entering the CPU on port input
    • Hardware interrupts and their parameters
    • Data written to RAM during direct memory access (DMA) from a peripheral
• Replay:
  – Replay the activity (data) starting from the snapshot of the machine state
• Implementation:
  – QEMU/PANDA* and a 64-bit Linux guest

*B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. Repeatable Reverse Engineering with PANDA. 5th Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.
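The record-and-replay loop above, as an added example that is not part of the slides or of PANDA: a toy guest whose only non-deterministic inputs are port reads, interrupts and device DMA writes. `record` snapshots the state and logs those inputs; `replay` restarts from the snapshot and feeds the log back, so the run is bit-for-bit repeatable, and an analysis hook (`on_step`) can be attached at replay time even though nothing of the kind ran during the recording. Every class and function name here is the example's own assumption.

```python
import hashlib
import json
import random

# Constructed toy guest: execution is deterministic except for three inputs
# (port reads, interrupts, device DMA writes). Names are this example's own.


class Guest:
    """Minimal machine state: one accumulator, a small RAM, a step counter."""

    def __init__(self):
        self.acc, self.pc, self.ram = 0, 0, bytearray(8)

    def snapshot(self):
        return {"acc": self.acc, "pc": self.pc, "ram": self.ram.hex()}

    @classmethod
    def from_snapshot(cls, snap):
        g = cls()
        g.acc, g.pc, g.ram = snap["acc"], snap["pc"], bytearray.fromhex(snap["ram"])
        return g

    def digest(self):
        return hashlib.sha256(json.dumps(self.snapshot(), sort_keys=True).encode()).hexdigest()


class LiveSources:
    """The non-deterministic world during the recorded run; a seeded PRNG stands
    in for hardware, which the CPU cannot predict either."""

    def __init__(self, seed):
        self.rng = random.Random(seed)

    def port_in(self):      # data entering the CPU on a port read
        return self.rng.randrange(256)

    def irq(self):          # pending hardware interrupt with its parameter, or None
        return self.rng.randrange(16) if self.rng.random() < 0.3 else None

    def dma(self):          # bytes a peripheral writes straight into RAM, or None
        return bytes(self.rng.randrange(256) for _ in range(4)) if self.rng.random() < 0.2 else None


class Recorder:
    """Wraps a source; every value handed to the CPU is appended to the log."""

    def __init__(self, inner):
        self.inner, self.log = inner, []

    def __getattr__(self, kind):
        def ask():
            value = getattr(self.inner, kind)()
            self.log.append((kind, value))
            return value
        return ask


class Replayer:
    """Serves logged values in order. A request of the wrong kind, or one past
    the end of the log, means replay diverged from the recording: fail loudly."""

    def __init__(self, log):
        self.log, self.pos = list(log), 0

    def __getattr__(self, kind):
        def ask():
            if self.pos >= len(self.log) or self.log[self.pos][0] != kind:
                raise RuntimeError(f"replay diverged at log entry {self.pos} (wanted {kind})")
            value = self.log[self.pos][1]
            self.pos += 1
            return value
        return ask


def run(guest, sources, steps, on_step=None):
    """The CPU loop: identical inputs always produce identical state."""
    for _ in range(steps):
        guest.acc = (guest.acc + sources.port_in()) & 0xFFFF
        irq = sources.irq()
        if irq is not None:
            guest.acc ^= irq << 4            # interrupt handler mutates state
        dma = sources.dma()
        if dma is not None:
            guest.ram[0:4] = dma             # peripheral wrote RAM behind the CPU's back
        guest.pc += 1
        if on_step is not None:
            on_step(guest)                   # analysis hook: only used at replay time
    return guest


def record(seed, steps):
    guest = Guest()
    snap = guest.snapshot()                  # 1. snapshot the machine state
    rec = Recorder(LiveSources(seed))        # 2. log every non-deterministic input
    run(guest, rec, steps)
    return snap, rec.log, guest.digest()


def replay(snap, log, steps, on_step=None):
    """3. Restart from the snapshot and feed the logged inputs back in."""
    return run(Guest.from_snapshot(snap), Replayer(log), steps, on_step).digest()


if __name__ == "__main__":
    snap, log, live = record(seed=7, steps=25)
    print("logged", len(log), "inputs; replay matches:", replay(snap, log, 25) == live)
```

The log holds exactly three entries per step, one per non-deterministic source; a truncated or reordered log makes `Replayer` raise instead of silently producing a different execution, which is the check a real replay engine needs as well.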
Record and Replay Implementation Example

```c
/* QEMU e1000 NIC model with PANDA's record hook (excerpt; elided parts marked …). */
static ssize_t e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
{
    …
    do {
        …
        /* Copy this chunk of the received frame into guest RAM (device DMA). */
        pci_dma_write(&s->dev, le64_to_cpu(desc.buffer_addr),
                      (void *)(buf + desc_offset + vlan_offset), copy_size);
        /* Record hook: log the bytes the NIC wrote into RAM so the same DMA
         * write can be re-applied at this point during replay. */
        rr_record_handle_packet_call(RR_CALLSITE_E1000_RECEIVE_2,
                                     (void *)(buf + desc_offset + vlan_offset),
                                     copy_size, NET_TRANSFER_IOB_TO_RAM);
        …
    } while (desc_offset < total_size);
    …
}
```
OS-level Transparency
• Goal:
  – Capture OS-level events and the dependencies between them
• Approach:
  – Based on VM introspection
• Events analyzed:
  – Process operations: clone, fork, execve, exit, etc.
  – File operations: open, read, write, unlink, etc.
  – Network operations: socket, connect, recvmsg, etc.
  – Memory operations: mmap, mprotect, shmget, etc.
OS-level Transparency Implementation Example

```c
/* QEMU x86-64 syscall helper with PANDA's callback hook (excerpt; elided parts marked …). */
#ifdef TARGET_X86_64
void helper_syscall(int next_eip_addend)
{
    panda_cb_list *plist;
    /* Before the syscall is emulated, hand the guest CPU state (registers hold
     * the syscall number and arguments) to every plugin registered for
     * PANDA_CB_BEFORE_SYSCALL. */
    for (plist = panda_cbs[PANDA_CB_BEFORE_SYSCALL]; plist != NULL;
         plist = panda_cb_list_next(plist)) {
        plist->entry.before_syscall(env);
    }
    …
}
#endif
```
Action History Graph (AHG)
• Goal:
  – Represent causality across events
• Causality:
  – Process -> Process (e.g., fork)
  – Process -> File (e.g., write)
  – File -> Process (e.g., read)
  – Process -> Host (e.g., send)
  – Host -> Process (e.g., recv)

Action History Graph Example (figure)
Coarse-grained Taint Analysis
• Goal:
  – Quickly capture the provenance of objects in the AHG
• Working mechanism:
  – Runs while building the AHG
  – Processes have a provenance set
  – Process operations:
    • fork, clone: copy the provenance of the parent to the child process
  – File and network operations:
    • read, recv: associate the provenance of the object with the process
    • write, send: associate the provenance of the process with the object
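Added example (not THEIA's code) tying together the OS-level events, the Action History Graph and the coarse-grained provenance sets of the three preceding sections: a constructed stream of syscall events is turned into an AHG whose edge direction follows the causality table, provenance sets are copied on fork and merged on read/write/recv/send while the graph is built, and a time-aware backward query shows what influenced a network send. The node naming, seeding each node's provenance set with its own identifier, and treating execve as a file-to-process edge are this example's assumptions.

```python
from collections import deque

# Constructed syscall events in the shape VM introspection on the replayed guest
# might surface them (not THEIA's record format). Timestamps are event order.
EVENTS = [
    {"ts": 1, "pid": 100, "call": "recvmsg", "host": "10.0.0.5"},
    {"ts": 2, "pid": 100, "call": "write",   "path": "/tmp/update.sh"},
    {"ts": 3, "pid": 100, "call": "fork",    "child": 101},
    {"ts": 4, "pid": 101, "call": "execve",  "path": "/tmp/update.sh"},
    {"ts": 5, "pid": 101, "call": "read",    "path": "/etc/passwd"},
    {"ts": 6, "pid": 101, "call": "sendmsg", "host": "10.0.0.5"},
    {"ts": 7, "pid": 102, "call": "read",    "path": "/etc/passwd"},  # unrelated reader
]

# Edge direction per syscall, following the slide's causality table
# (execve as file -> process is an assumption of this example).
INBOUND = {"read", "recvmsg", "execve"}      # object  -> process
OUTBOUND = {"write", "sendmsg"}              # process -> object
SPAWN = {"fork", "clone"}                    # process -> process


class AHG:
    def __init__(self):
        self.edges = []      # (src, dst, syscall, ts)
        self.prov = {}       # node -> provenance set (the coarse-grained taint)

    def node(self, kind, ident):
        name = f"{kind}:{ident}"
        self.prov.setdefault(name, {name})   # assumption: seed with own identity
        return name

    def add(self, ev):
        proc, call = self.node("proc", ev["pid"]), ev["call"]
        if call in SPAWN:
            child = self.node("proc", ev["child"])
            self.prov[child] = set(self.prov[proc]) | {child}   # copy parent's set
            src, dst = proc, child
        else:
            obj = self.node("file", ev["path"]) if "path" in ev else self.node("host", ev["host"])
            src, dst = (obj, proc) if call in INBOUND else (proc, obj)
            self.prov[dst] |= self.prov[src]                    # merge along the edge
        self.edges.append((src, dst, call, ev["ts"]))

    def backtrack(self, node, before_ts):
        """Backward causal query: every node that could have influenced `node` by
        `before_ts`. Edge timestamps are honoured so later events are not blamed."""
        best = {}                                  # node -> latest time it was reached at
        work = deque([(node, before_ts)])
        while work:
            cur, t = work.popleft()
            for src, dst, _, ts in self.edges:
                if dst == cur and ts <= t and best.get(src, -1) < ts:
                    best[src] = ts
                    work.append((src, ts))
        return set(best)


def build(events):
    g = AHG()
    for ev in sorted(events, key=lambda e: e["ts"]):
        g.add(ev)
    return g


if __name__ == "__main__":
    g = build(EVENTS)
    print("provenance of host egress:", sorted(g.prov["host:10.0.0.5"]))
    print("backtrack from send at ts 6:", sorted(g.backtrack("host:10.0.0.5", 6)))
```

On this stream the coarse-grained set attached to the host node and the backward graph query agree: both name the originating host, both processes, the dropped script and `/etc/passwd`, and neither blames pid 102, which read the same file but had no path to the send. The two mechanisms differ in cost and precision: the sets are maintained in one pass as events arrive, while the query walks the stored graph and needs the timestamps to avoid over-approximating.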
Fine-grained Taint Analysis
• Goal:
  – Accurately capture the provenance of objects in the AHG
• Working mechanism:
  – Decoupled from program execution
  – Instruction-level propagation
  – Taint tags at byte-level granularity
• Optimizations:
  – Trace-based dynamic taint analysis
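Added example, not from the slides or PANDA, of what instruction-level propagation with byte-granularity tags means in practice: a tiny register/memory machine in which every byte carries its own label set, loads and stores keep per-byte positions, addition unions tags across the whole result (carries can move influence between bytes), and the `xor reg, reg` zeroing idiom clears tags. The ISA and the labelling scheme are the example's own.

```python
REG_SIZE = 8  # 64-bit registers, one label set per byte


class TaintMachine:
    def __init__(self, ram_size=256):
        self.ram = bytearray(ram_size)
        self.ram_taint = [set() for _ in range(ram_size)]   # label set per RAM byte
        self.regs = {}                                      # name -> bytearray(8)
        self.reg_taint = {}                                 # name -> list of 8 sets

    def _reg(self, name):
        self.regs.setdefault(name, bytearray(REG_SIZE))
        self.reg_taint.setdefault(name, [set() for _ in range(REG_SIZE)])
        return self.regs[name], self.reg_taint[name]

    def inject(self, addr, data, label):
        """Taint source: each byte arriving from outside (e.g. a file read) gets
        its own tag (label, offset), so provenance is tracked per byte."""
        for i, b in enumerate(data):
            self.ram[addr + i] = b
            self.ram_taint[addr + i] = {(label, i)}

    def load(self, reg, addr, size):
        val, tnt = self._reg(reg)
        for i in range(REG_SIZE):           # zero-extension clears the upper bytes' tags
            val[i] = self.ram[addr + i] if i < size else 0
            tnt[i] = set(self.ram_taint[addr + i]) if i < size else set()

    def store(self, addr, reg, size):
        val, tnt = self._reg(reg)
        for i in range(size):
            self.ram[addr + i] = val[i]
            self.ram_taint[addr + i] = set(tnt[i])

    def mov(self, dst, src):
        sval, stnt = self._reg(src)
        dval, dtnt = self._reg(dst)
        dval[:] = sval
        for i in range(REG_SIZE):
            dtnt[i] = set(stnt[i])          # byte-to-byte copy keeps positions

    def add(self, dst, src):
        sval, stnt = self._reg(src)
        dval, dtnt = self._reg(dst)
        total = (int.from_bytes(dval, "little") + int.from_bytes(sval, "little")) & ((1 << 64) - 1)
        dval[:] = total.to_bytes(REG_SIZE, "little")
        # Carries let any operand byte influence any result byte: every result
        # byte gets the union of both operands' tags (sound, deliberately coarse).
        union = set().union(*dtnt, *stnt)
        for i in range(REG_SIZE):
            dtnt[i] = set(union)

    def xor(self, dst, src):
        sval, stnt = self._reg(src)
        dval, dtnt = self._reg(dst)
        if dst == src:                      # zeroing idiom: result depends on nothing
            dval[:] = bytes(REG_SIZE)
            for i in range(REG_SIZE):
                dtnt[i] = set()
            return
        for i in range(REG_SIZE):           # xor is bytewise: no cross-byte flow
            dval[i] ^= sval[i]
            dtnt[i] = dtnt[i] | stnt[i]

    def reg_labels(self, reg):
        return set().union(*self._reg(reg)[1])

    def ram_labels(self, addr, size):
        return set().union(*self.ram_taint[addr:addr + size])


def demo():
    """Constructed sequence: 16 file bytes flow through a load, a copy, a partial
    reload, a register move, an add and a zeroing xor."""
    m = TaintMachine()
    m.inject(0x10, bytes(range(16)), "input.bin")
    m.load("rax", 0x14, 8)      # rax <- input[4:12]
    m.store(0x80, "rax", 8)     # copy into a second buffer
    m.load("rbx", 0x82, 2)      # rbx <- two bytes of the copy (input[6:8])
    m.mov("rcx", "rbx")
    m.add("rcx", "rax")         # arithmetic mixes all operand bytes
    m.xor("rdx", "rdx")         # rdx zeroed: carries no taint
    return m


if __name__ == "__main__":
    m = demo()
    for r in ("rax", "rbx", "rcx", "rdx"):
        print(r, sorted(off for _, off in m.reg_labels(r)))
```

The per-byte bookkeeping is what lets the analysis say that `rbx` derives from input offsets 6 and 7 only, rather than "from the file"; the cost is the storage and propagation work per byte, which is why the slides run this analysis on demand over a replay rather than in real time.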
Fine-grained Taint Analysis Implementation
(Translation pipeline figure.) Guest Basic Block -> TCG Basic Block -> LLVM Basic Block
Trace-based Taint Analysis
• Objective:
  – Improve the performance of fine-grained taint analysis
• Key intuition:
  – Within a trace, instruction sequences are executed multiple times
• Working mechanism:
  – Based on the execution trace of the system/program
  – Computes taint summaries for sequences of instructions
  – Re-uses taint summaries within the trace and possibly across traces
• Implementation:
  – Sequitur algorithm: recognizes the lexical structure of an execution trace and generates a grammar whose terminals are instructions
  – Analyze the grammar and reuse taint results when possible
![Page 63: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/63.jpg)
Trace-based Taint Analysis Example
Execution Trace (excerpt):
  … mov qword ptr [r12+rax*8], rdx
  jmp 0x7f8c47a21b13
  add rdx, 0x10
  mov rax, qword ptr [rdx]
  test rax, rax
  jz 0x7f8c47a21b52
  cmp rax, 0x21
  jbe 0x7f8c47a21b08
  lea rcx, ptr [rip+0x21ef29] …
Grammar (figure): the trace instructions above are grouped into numbered rules (9, 10, 11), each rule standing for a repeated instruction sequence.
![Page 65: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/65.jpg)
Fine-grained Taint Analysis
![Page 67: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/67.jpg)
Case Study Overview
![Page 72: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/72.jpg)
Case Study and AHG
(Figure: Action History Graph of the case study; legend: Process, Event, File, Network, Tag, Causality)
  bash -execute-> firefox
  143.215.130.204 -recv from-> firefox
  firefox -execute-> sh
  143.215.130.204 -recv from-> sh
  sh -execute-> wget
  143.215.130.204 -recv from-> wget
  wget -write-> screen grab
  sh -execute-> screen grab
  X0 -recv msg-> screen grab
  screen grab -write-> s.png
  sh -execute-> nc
  s.png -read-> nc
  nc -write-> 143.215.130.204
![Page 74: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/74.jpg)
Case Study and AHG Step 1
1) Victim starts Firefox
(Figure: bash -execute-> firefox; legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 75: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/75.jpg)
Case Study and AHG Step 2
2) Victim visits malicious.com (143.215.130.204), which results in a shell process being run
(Figure: 143.215.130.204 -recv from-> firefox; firefox -execute-> sh; legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 76: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/76.jpg)
Case Study and AHG Step 3
3) Attacker downloads and executes screengrab
(Figure: 143.215.130.204 -recv from-> sh; sh -execute-> wget; 143.215.130.204 -recv from-> wget; wget -write-> screen grab; sh -execute-> screen grab; X0 -recv msg-> screen grab; screen grab -write-> s.png; legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 77: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/77.jpg)
Case Study and AHG Step 4
4) Screenshot is sent to attacker's server
(Figure: sh -execute-> nc; s.png -read-> nc; nc -write-> 143.215.130.204; legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 78: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/78.jpg)
Case Study and Coarse-grained Taint Analysis
(Figure: the wget subgraph annotated with coarse taint tags. sh -execute-> wget; 143.215.130.204 -recv from-> wget; wget -write-> screen grab; wget reads libssl.so (CT1), libc.so (CT2) and wgetrc (CT3); further tags CT4 and CT5. Coarse Taint Set shown in the Tag panel: CT1 CT2 CT3 CT4. Legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 88: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/88.jpg)
Case Study and Fine-grained Taint Analysis
(Figure: the same wget subgraph annotated with fine-grained taint tags. sh -execute-> wget; 143.215.130.204 -recv from-> wget; wget -write-> screen grab; wget reads libssl.so (FT1), libc.so (FT2) and wgetrc (FT3); further tags FT4 and FT5. Legend: Process, Event, File, Network, Tag; tags: recv from, screen grab, recv msg)
![Page 94: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/94.jpg)
THEIA-Panda Overheads
Execution-time ratios (row relative to column):

| TIME | Bare Exec Time | KVM Exec Time | QEMU Exec Time | Record Exec Time |
| --- | --- | --- | --- | --- |
| KVM Exec Time | 2.09x | | | |
| QEMU Exec Time | 6.19x | 2.96x | | |
| Record Exec Time | 7.75x | 3.71x | 1.25x | |
| Replay Exec Time | 13.82x | 6.62x | 2.23x | 1.78x |

• Fine-grained taint analysis:
  – ~40x to ~300x compared to bare execution
• Space overhead:
  – ~86 GB/day non-deterministic log data + ~1.3 GB/day graph data
![Page 99: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/99.jpg)
THEIA-Panda Observations
![Page 100: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/100.jpg)
THEIA-KI Overview
(Architecture figure)
  THEIA-KI-Analysis: FA: Fine-grained Taint Analysis; Action History Graph; Real-time; On-demand; Storage; Query Interface
  THEIA-KI + OS: Record; Replay; System Call Information; Process Information
![Page 107: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/107.jpg)
THEIA-KI
• Key features:
  – Record/replay
    • Kernel-based instrumentation
    • Instruction-level replay of the user space
    • On top of Intel PIN
  – Coarse-grained causality
    • From system instrumentation and logging
  – Fine-grained causality
    • From dynamic taint tracking
• Threat model:
  – Kernel is trusted
![Page 110: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/110.jpg)
Record and Replay
• Record:
  – Kernel instrumentation
    • Order, return values and memory addresses modified by a system call
    • Timing and values of received signals
    • Sources of randomness
  – Libc instrumentation
    • Synchronization of pthread
• Implementation:
  – Arnold* with 32-bit Linux kernel
(Figure: External Inputs (File, Socket, Randomness) recorded for a Process group with Thread 1 and Thread 2; Thread Synchronization recorded between the threads)
*David Devecsery, Michael Chow, Xianzheng Dou, Peter M. Chen, Jason Flinn. Eidetic Systems. Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2014.
![Page 115: DARPA/I2O Transparent Computing Programmfazzini/slides/2017... · 2018. 7. 28. · •Project overview •Technical discussion – THEIA-Panda – THEIA-KI • Future work. Project](https://reader035.fdocuments.us/reader035/viewer/2022071219/60581ae7b1d65047e851af54/html5/thumbnails/115.jpg)
Kernel Instrumentation: Implementation Example

```c
unsigned long arch_align_stack(unsigned long sp)
{
	/* Begin REPLAY */
	if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) {
		unsigned int rand = get_random_int();
		if (current->record_thrd) {
			/* recording: log the random offset this process actually received */
			record_randomness(rand);
		} else if (current->replay_thrd) {
			/* replaying: take the logged offset instead of a fresh one */
			rand = replay_randomness();
		}
		sp -= rand % 8192;
	}
	/* End REPLAY */
	return sp & ~0xf;
}
```
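The same hook modelled in user space as an added example (Python; not the THEIA or Arnold kernel code): a recording run logs each random stack offset as it is drawn, a replaying run feeds the logged values back in order, and the two runs therefore produce identical stack layouts. The binary log format, the exhausted-log check and the `Mode` enumeration are assumptions of this example.

```python
"""User-space model of the record/replay hook in arch_align_stack (added example)."""
import secrets
import struct
from enum import Enum
from typing import List


class Mode(Enum):
    NONE = 0     # ordinary execution: nothing recorded, nothing replayed
    RECORD = 1   # log every non-deterministic value as it is drawn
    REPLAY = 2   # feed the logged values back instead of drawing new ones


class ReplayLog:
    """Constructed log format: consecutive little-endian uint32 values, consumed in draw order."""

    def __init__(self, data: bytes = b""):
        self.data = bytearray(data)
        self.pos = 0

    def record_randomness(self, rand: int) -> None:
        self.data += struct.pack("<I", rand)

    def replay_randomness(self) -> int:
        if self.pos + 4 > len(self.data):
            raise RuntimeError("replay diverged from the recording: log exhausted")
        (rand,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return rand


def get_random_int() -> int:
    """Stand-in for the kernel's get_random_int(): a fresh 32-bit value."""
    return secrets.randbits(32)


def arch_align_stack(sp: int, randomize_va_space: bool, mode: Mode, log: ReplayLog) -> int:
    """Mirror of the instrumented kernel function: the random stack offset is
    recorded or replayed, so a replayed process sees the layout the recorded one had."""
    if randomize_va_space:
        rand = get_random_int()           # drawn in every mode, as in the kernel code
        if mode is Mode.RECORD:
            log.record_randomness(rand)
        elif mode is Mode.REPLAY:
            rand = log.replay_randomness()
        sp -= rand % 8192
    return sp & ~0xF


def run_exec(sp0: int, n_procs: int, mode: Mode, log: ReplayLog) -> List[int]:
    """Simulate n_procs process start-ups that each align a fresh stack once."""
    return [arch_align_stack(sp0, True, mode, log) for _ in range(n_procs)]


def replay_is_consistent(sp0: int, n_procs: int, log: ReplayLog) -> bool:
    """True if `log` drives exactly n_procs start-ups: a log that runs out, or one
    with values left over, means the recording and the replay have diverged."""
    try:
        run_exec(sp0, n_procs, Mode.REPLAY, log)
    except RuntimeError:
        return False
    return log.pos == len(log.data)
```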
Query System Workflow

(Diagram) Queries and Triggering Points on the AHG → Reachability & Pruning → Coarse-grained Subgraph → Fine-grained analysis → Fine-grained Tags
Triggering Points and Queries

• Triggering points:
  – Pre-defined policies
    • Process writes to /etc/passwd
• Queries:
  – From automated forensic analysis systems
  – Human-based analysis
• Analysis types:
  – Backward: Where does this object come from?
  – Forward: What is the impact of this object on the system?
  – Point-to-point: Are these two objects related?
Point-to-point Query Example

1. Attacker tampers with contract file ctct.csv
2. Employee creates seasonal report s1.csv using spreadsheet editor
3. Auto report program sends seasonal report s1.csv to archive server
4. Employee creates seasonal report s2.csv using spreadsheet editor
5. Template generator creates template t.doc
6. Employee creates half-year report h2.pdf using document editor

(Diagram: provenance graph of the scenario. Spreadsheet Editor reads ctct.csv and writes s1.csv; Auto Report reads s1.csv and sends it to the archive server; a second Spreadsheet Editor run writes s2.csv; Template Generator writes t.doc; Document Editor reads s2.csv and t.doc and writes h2.pdf.)
Forward Reachability

(Same step list and provenance-graph diagram as the Point-to-point Query Example.)
Backward Reachability

(Same step list and provenance-graph diagram as the Point-to-point Query Example.)
Reachability Result

(Same step list and provenance-graph diagram as the Point-to-point Query Example.)
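As an added example (not THEIA's or RAIN's own code), the three analysis types from the Triggering Points and Queries slide run over a provenance graph constructed from the six-step scenario above: forward reachability from ctct.csv, backward reachability from h2.pdf, and their intersection as the coarse-grained subgraph that survives pruning for the point-to-point query. The read/write edges, the `#1`/`#2` process suffixes and the `/etc/passwd` policy tuple are assumptions.

```python
from collections import deque
# Constructed events for the slide's scenario: (process, op, object). The two
# spreadsheet-editor runs get #1/#2; edges are assumed from the diagram labels.
EVENTS = [
    ("Spreadsheet Editor#1", "read", "ctct.csv"),
    ("Spreadsheet Editor#1", "write", "s1.csv"),
    ("Auto Report", "read", "s1.csv"),
    ("Auto Report", "send", "archive server"),
    ("Spreadsheet Editor#2", "read", "ctct.csv"),
    ("Spreadsheet Editor#2", "write", "s2.csv"),
    ("Template Generator", "write", "t.doc"),
    ("Document Editor", "read", "s2.csv"),
    ("Document Editor", "read", "t.doc"),
    ("Document Editor", "write", "h2.pdf"),
]
# Hypothetical pre-defined policy for a triggering point: (op, object).
POLICIES = {("write", "/etc/passwd")}

def flow_graph(events):
    """Adjacency maps: a read moves data object -> process; write/send process -> object."""
    fwd, bwd = {}, {}
    for proc, op, obj in events:
        src, dst = (obj, proc) if op == "read" else (proc, obj)
        fwd.setdefault(src, set()).add(dst)
        bwd.setdefault(dst, set()).add(src)
    return fwd, bwd

def reach(adj, start):
    """BFS closure from start over adj (start itself excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def forward_query(events, obj):   # What is the impact of this object?
    return reach(flow_graph(events)[0], obj)
def backward_query(events, obj):  # Where does this object come from?
    return reach(flow_graph(events)[1], obj)

def point_to_point(events, src, dst):
    """Coarse-grained subgraph for "are src and dst related?": nodes on some src->dst path."""
    fwd, bwd = flow_graph(events)
    down = reach(fwd, src)
    return (down & reach(bwd, dst)) | {src, dst} if dst in down else set()

def triggered(events, policies=POLICIES):
    """Events that hit a pre-defined policy, e.g. any process writing /etc/passwd."""
    return [e for e in events if (e[1], e[2]) in policies]
```

On this scenario the point-to-point query for ctct.csv and h2.pdf keeps five of the eleven nodes; s1.csv, Auto Report, the archive server, Template Generator and t.doc are pruned before any fine-grained replay.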
Runtime Overhead: SPEC CPU2006
3.22%
Runtime Overhead: I/O Operations
<50%
Pruning Efficiency
~94.2% reduction (chart: None vs RAIN)
Information Flow Tracking Accuracy
~94.2% reduction (chart: Coarse-level vs Fine-level)
Storage Cost
~4GB per day
Future Work
• Hypervisor-based non-emulation R/R
• Differential Taint Analysis
• Running memory sanitizers on replay
• Multi-host support
• Porting from 32-bit to 64-bit
Conclusion
APT Demo
THEIA-Panda Demo