research-article

The user is not the enemy: fighting malware by tracking user intentions

Authors:
Jeffrey Shirley

University of Virginia, Charlottesville, Virginia

University of Virginia, Charlottesville, Virginia
View Profile

,
David Evans

University of Virginia, Charlottesville, Virginia

University of Virginia, Charlottesville, Virginia
View Profile

NSPW '08: Proceedings of the 2008 New Security Paradigms WorkshopAugust 2009Pages 33–45https://doi.org/10.1145/1595676.1595683

Published:22 September 2008Publication History

NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop

Pages 33–45

ABSTRACT

Current access control policies provide no mechanisms for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to access control, focusing on single-user systems, in which the complete history of user and program actions can be used to improve the precision and expressiveness of access control policies. We describe mechanisms for securely capturing user actions, mapping those actions onto likely user intents, and a language for defining access control policies that incorporate user intentions. We implemented a prototype for capturing user intentions, and present results from experiments on malware mitigation using the prototype. Our results show that a very simple MAC policy can prevent a significant amount of system damage caused by malware while not interfering with most benign software.

References

Anne Adams, and Martina Angela Sasse. Users Are Not the Enemy. Communications of the ACM, December 1999: 40--46. Google ScholarDigital Library
Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the Art of Virtualization. In Proc. Symposium on Operating System Principles. 2003. Google ScholarDigital Library
D. Elliot Bell and Leonard J. LaPadula. Secure Computer Systems: Mathematical Foundations. Technical Report. The MITRE Corporation, 1973.Google Scholar
Kenneth J. Biba. Integrity Considerations for Secure Computer Systems. Technical Report. The MITRE Corporation, 1977.Google Scholar
Mihai Christodorescu, Somesh Jha, Sanjit A. Seshia, Dawn Song, and Randal E. Bryant. Semantics-Aware Malware Detection. In Proc. IEEE Symposium on Security and Privacy. 2005. Google ScholarDigital Library
David D. Clark and David D. Wilson. A Comparison of Commercial and Military Computer Security Policies. In Proc. IEEE Symposium on Security and Privacy. 1987.Google Scholar
Lorrie Cranor, and Simson Garfinkel. Security and Usability. O'Reilly, 2005. Google ScholarDigital Library
Weidong Cui, Randy H. Katz, and Wai-tian Tan. BINDER: An Extrusion-based Break-In Detector for Personal Computers. In Proc. USENIX Security Symposium. 2005. Google ScholarDigital Library
T. Daboczi, I. Kollar, G. Simon, and T. Megyeri. How to test graphical user interfaces. IEEE Instrumentation&Measurement Magazine, September 2003: 27--33.Google Scholar
Dorothy E. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM, May 1976: 236--243. Google ScholarDigital Library
Rachna Dhamija, J.D. Tygar, and Marti Hearst. Why Phishing Works. In Proc. ACM SIGCHI. 2006. Google ScholarDigital Library
DoD Standard 5200.28-STD: Trusted Computer System Evaluation Criteria. United States Department of Defense, 1985.Google Scholar
David Ferraiolo, and Richard Kuhn. Role-based Access Control. In Proc. National Computer Security Conference. 1992.Google Scholar
Carrie Gates and Carol Taylor. Challenging the Anomaly Detection Paradigm: A Provocative Discussion. In Proc. New Security Paradigms Workshop. 2006. Google ScholarDigital Library
Joseph Halpern, and Vicky Weissman. Using first-order logic to reason about policies. In Computer Security Foundations Workshop. 2003.Google ScholarCross Ref
Steven B. Hirsch. Secure Keyboard Input Terminal. U.S. Patent 4,333,090. 1980.Google Scholar
Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, 1998: 151--180. Google ScholarDigital Library
Galen Hunt and Doug Brubacher. Detours: Binary Interception of Win32 Functions. In Proc.USENIX Windows NT Symposium. 1999. Google ScholarDigital Library
Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer. Behavior-based Spyware Detection. In Proc. USENIX Security Symposium. 2006. Google ScholarDigital Library
Christopher Kruegel, William Robertson, and Giovanni Vigna. Detecting Kernel-Level Rootkits Through Binary Analysis. In Proc. Annual Computer Security Applications Conference. 2004. Google ScholarDigital Library
Henry M. Levy. Capability-based Computer Systems. Digital Press, 1984.Google ScholarDigital Library
Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, and Ruth C. Taylor. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computer Systems. In Proc. National Information Systems Security Conference. 1998.Google Scholar
Microsoft Corporation. Microsoft Virtual PC. 2007. http://www.microsoft.com/windowsxp/virtualpc/Google Scholar
Microsoft Corporation. Windows Vista: User Account Control. 2006.Google Scholar
National Security Administration. Security-Enhanced Linux. 2007. http://www.nsa.gov/selinux/.Google Scholar
Donald A. Norman. The Design of Everyday Things. Doubleday, 1988.Google Scholar
Novell Corporation. AppArmor. http://www.novell.com/linux/security/apparmor/.Google Scholar
OASIS. eXtensible Access Control Markup Language (XACML) version 2.0. 2006.Google Scholar
Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Proc. USENIX Security Symposium. 1998. Google ScholarDigital Library
C. Powers and M. Schunter. Enterprise Privacy Authorization Language (EPAL 1.2). W3C Member Submission, 2003.Google Scholar
Sysinternals. Rootkit Revealer. 2006. http://www.sysinternals.com/Utilities/RootkitRevealer.Google Scholar
Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The FLASK Security Architecture: System Support for Diverse Security Policies. In Proc. USENIX Security Symposium. 1999. Google ScholarDigital Library
Marc Stiegler, Alan H. Karp, Ka-Ping Yee, and Mark Miller. Polaris: Virus-safe Computing. Technical Report. Hewlett-Packard, 2004.Google Scholar
Sun Microsystems. HotJava: The Security Story. 1995.Google Scholar
Sun Microsystems. Java Security Overview. 2007. http://java.sun.com/javase/6/docs/technotes/guides.Google Scholar
Symantec Corporation. Symantec Norton Antivirus. 2006. http://www.symantec.com.Google Scholar
The Snort Project. Snort, The Open Source Network Intrusion Detection System. 2006. http://www.snort.org/.Google Scholar
The Tripwire Project. Tripwire host-based IDS. 2007. http://sourceforge.net/projects/tripwire/.Google Scholar
Michael C. Tschantz and Shriram Krishnamurthi. Towards Reasonability Properties for Access Control Policy Languages. In Proc. ACM SACMAT. 2006. Google ScholarDigital Library
J.D. Tygar and Alma Whitten. Why Johnny Can't Encrypt. In Proc. USENIX Security Symposium. 1999.Google Scholar
VMWare Corporation. VMWare. 2007. http://www.vmware.com.Google Scholar
VMWare Corporation. Virtual Machine Communication Interface. 2007. http://pubs.vmware.com/vmci-sdk/VMCI_intro.html.Google Scholar
David Wagner and Paulo Soto. Mimicry Attacks on Host-Based Intrusion Detection Systems. In Proc. ACM Conference on Computer and Communications Security. 2002. Google ScholarDigital Library
David R. Wooten. Securing the User Input Path On NGSCB Systems. In Microsoft WinHEC. 2004. http://download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2893da6f2295b40c8/TW04055_WINHEC2004.ppt.Google Scholar
Wei Xu, Sandeep Bhatkar, and R. Sekar. Taint-enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proc. USENIX Security Symposium. 2006. Google ScholarDigital Library
Ka-Ping Yee. Aligning Security and Usability. IEEE Security and Privacy Magazine, September 2004: 48--55. Google ScholarDigital Library
Doug Beck, Binh Vo, and Chad Verbowski. Detecting Stealth Software with Strider GhostBuster. In Proc. Int. Conf. on Dependable Systems and Networks. 2005. Google ScholarDigital Library

Index Terms

The user is not the enemy: fighting malware by tracking user intentions
1. Security and privacy

Recommendations

User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
SP '12: Proceedings of the 2012 IEEE Symposium on Security and Privacy

Modern client platforms, such as iOS, Android, Windows Phone, Windows 8, and web browsers, run each application in an isolated environment with limited privileges. A pressing open problem in such systems is how to allow users to grant applications ...
Read More
A Category-Based Model for ABAC
ABAC'18: Proceedings of the Third ACM Workshop on Attribute-Based Access Control

In Attribute-Based Access Control (ABAC) systems, access to resources is controlled by evaluating rules against the attributes of the user and the object involved in the access request, as well as the values of the relevant attributes from the ...
Read More
The Next 700 Policy Miners: A Universal Method for Building Policy Miners
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

A myriad of access control policy languages have been and continue to be proposed. The design of policy miners for each such language is a challenging task that has required specialized machine learning and combinatorial algorithms. We present an ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop
August 2009
144 pages
ISBN:9781605583419
DOI:10.1145/1595676
General Chairs:
Matt Bishop
University of California, Davis, USA
,
Christian W. Probst
Technical University of Denmark, Denmark
,
Program Chairs:
Angelos Keromytis
Columbia University, USA
,
Anil Somayaji
Carleton University, Canada
Copyright © 2008 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 September 2008
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
access control
security policies
user intent
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate62of170submissions,36%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 12
  Total Citations
  View Citations
- 536
  Total Downloads
- Downloads (Last 12 months)12
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

The user is not the enemy: fighting malware by tracking user intentions

NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop

ABSTRACT

References

Cited By

Index Terms

Recommendations

User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems

A Category-Based Model for ABAC

The Next 700 Policy Miners: A Universal Method for Building Policy Miners