Secure installation of un-trusted applications

Abstract

Malware is one of the current dominant threats to desktop systems. A popular infection vector for malware is through downloads. Malware, specifically Trojans, disguises itself inside seemingly harmless software, which when downloaded and installed wreaks havoc on the system. Un-trusted software is downloaded and installed by naive users daily, potentially exposing their computer system to malware. Current state of the art solutions provide minimal protection during installation and fail to adequately protect desktop systems. In this project, we introduce CISSIA, a configurable isolation system for the safe installation of un-trusted applications. CISSIA isolates the operating system from changes done during the installation, extracts and reports the behaviour of the installer to users to help them decide whether to merge the resulting installation to the host system. Key techniques used by CISSIA include dynamic binary translation at process level, which allows for modification of the code on the fly, without the need for modifying the original code; namespace redirection and copy-on-write (COW), where operating system resources are isolated on writing through renaming; configurable isolation is achieved through a set of policy protection levels; and extraction of suspicious behaviour through analyzing of system library calls made by the installer. The main technical challenges of this project included handling the complexity of installations, discriminating between benign and malicious behaviour and dynamic binary code re-writing. Results show that isolation can be successfully implemented by dynamic binary translation at user level. The behaviour of the un-trusted application can be successfully extracted through analyzing of calls made by the installer. Isolation level can be effectively configured in order to block malicious installers whilst not breaking the execution of benign ones. Results also show that installations run under CISSIA can be correctly merged into the host system without breaking.