Slide 1 (title)
Long Lu, Wenke Lee (College of Computing, Georgia Institute of Technology); Vinod Yegneswaran, Phillip Porras (SRI International). ACM CCS (Oct 2010).
A Presentation at Advanced Defense Lab

Slide 2: Outline
- Introduction
- Approach
- Architecture
- Evaluation
- Security Analysis
- Related Work
- Conclusion

Slide 3: Introduction
BLADE: BLock All Drive-by download Exploits
Why this solution? The mere connection to a web server can result in the installation of malware on the client machine.
Design principle: unconsented-content execution prevention, which is both attack and browser agnostic.

Slide 4: Introduction
Preventing unconsented-content execution:
- User-interaction tracking to collect user download authorizations.
- Consent correlation to discern "transparent" downloads from those that involve direct user authorization.
- Disk I/O redirection to contain the disk footprints of unconsented data written through supervised processes.
Implementation: IE and Firefox on the Microsoft Windows platform.


Slide 6: Approach – Drive-By Exploits
- Shellcode injection phase: gaining temporary control of the browser.
- Shellcode execution phase.
- Covert binary install phase: the shellcode coerces the now tainted browser into fetching a remote malware application from the Internet.

Slide 7: Approach – Assumptions
- The attacker has no persistent malware deployed on the target host in advance.
- No rootkit from the adversary is installed on the system, i.e., the OS kernel is trusted. Scenarios where an attacker remotely exploits a kernel vulnerability via the browser are out of the scope of our model.
Target: disrupting the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed.


Slide 9: Architecture
We define the download identity information as (URL, Path). The Correlator matches a file f with a tuple (u, p) when f is saved at p with data content received from u.

Slide 10: Architecture

Slide 11: Architecture – Screen Parser
Download authorization lifecycle: triggered by the appearance of download consent dialogs.
- GetSaveFileName(…)
- EVENT_SYSTEM_FOREGROUND
- SetWinEventHook(…)
User-space agent: prefilters irrelevant windowing events and pipes its output, windows that may represent a user consent dialog currently in focus, to the Screen Parser.

Slide 12: Architecture – Supervisor
The coordinator that carries out all tasks of BLADE: it assigns tasks to the other BLADE components and coordinates their execution in response to the event notifications from the Screen Parser.
A process is added to the list of supervised processes when:
- it is a newly created browser process;
- a remote thread is created within the process by a supervised process;
- it is a newly created process spawned by a supervised process.
Process creation is observed via PsSetCreateProcessNotifyRoutine(…).

Slide 13: Architecture – Hardware Event Tracer
Once a download consent dialog is identified by the Screen Parser, the HET interprets the user's response:
- captures the user's mouse clicks and keyboard strokes;
- looks for any mouse click whose on-screen coordinates fall within the areas of download consent dialogs;
- maintains some state information to make accurate decisions.
Users can express consent only by using the mouse (keyboard hooking is not implemented yet).

Slide 14: Architecture – Correlator
Establishes the 1-1 mapping between user download authorizations and downloaded files, keyed by (URL, path).
- Treats the browser as a black box: only the external behavior of the browser is visible to it.
- Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).
- Keeps a log of the inbound transport-level stream for each TCP session created by supervised processes.
- The case where the content of a single file comes from multiple streams is not supported.
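A toy correlator illustrating the (URL, path) matching described on slides 9 and 14, added here as an example; it is not BLADE's code, and the class name, the keying of logged streams by URL and the sample download bodies are assumptions of the example.

```python
# Added toy Correlator (not BLADE's own code); names and sample data are
# constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Correlator:
    # (url, path) tuples issued when the user consented in a download dialog
    authorizations: set = field(default_factory=set)
    # inbound bytes logged per TCP session of a supervised process, keyed here
    # by the requested URL (the browser itself is treated as a black box)
    streams: dict = field(default_factory=dict)

    def authorize(self, url: str, path: str) -> None:
        self.authorizations.add((url, path))

    def log_stream(self, url: str, data: bytes) -> None:
        self.streams[url] = self.streams.get(url, b"") + data

    def correlate(self, path: str, content: bytes):
        """Return the authorizing URL when `content` saved at `path` matches an
        authorization; None means the file stays in the secure zone."""
        for url, auth_path in list(self.authorizations):
            if auth_path != path:
                continue
            # The whole file body must come from one inbound stream (a file
            # assembled from several streams is unsupported, as on the slide).
            # Toy raw-byte match: the real Correlator also handles HTTPS/SDCH.
            if content and content in self.streams.get(url, b""):
                self.authorizations.discard((url, auth_path))  # 1-1: consume it
                return url
        return None


def demo():
    """Constructed scenario: one consented download, one covert drive-by fetch."""
    c = Correlator()
    url, save_path = "https://example.test/setup.exe", r"C:\Downloads\setup.exe"
    body = b"MZ" + b"\x90" * 64
    c.authorize(url, save_path)                                # user clicked Save
    c.log_stream(url, b"HTTP/1.1 200 OK\r\n\r\n" + body)
    # Covert fetch by injected shellcode: no consent dialog, so no (URL, path).
    covert = b"MZ" + b"\xcc" * 64
    c.log_stream("https://dropzone.test/x.exe", b"HTTP/1.1 200 OK\r\n\r\n" + covert)
    first = c.correlate(save_path, body)            # -> url
    second = c.correlate(r"C:\Temp\a.exe", covert)  # -> None, stays in secure zone
    third = c.correlate(save_path, body)            # -> None, authorization consumed
    return first, second, third
```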

Slide 15: Architecture – I/O Redirector
Closure property:
P = {p | p : any browser process}
F = {f | f : any file written by p, where p ∈ P}
F_auth = {f_a | f_a : any authorized browser download}
F_int = F − F_auth (given that F_auth ⊂ F is always true)
F' = {f' | f' : any file opened by p', where p' ∈ P}
Observation: F_int ∩ F' ≈ ∅.

Slide 16: Architecture – I/O Redirector
Policies of the secure zone (P1 ~ P6):
P1. Any new file created by a supervised process is redirected to the secure zone.
P2. Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.
P3. I/O redirection is transparent to supervised processes.
P4. I/O redirection only applies to supervised processes.
P5. Files in the secure zone can only be accessed via redirection.
P6. No execution is allowed for files in the secure zone.
Any file correlated with a user download authorization is remapped to the filesystem.

Slide 17: Architecture – I/O Redirector (diagram; labels: P1~P3, P4~P6, FsRtlRegisterFileSystemFilterCallbacks)
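An added toy model of the secure-zone policies on slide 16 (example code, not BLADE's kernel-mode I/O Redirector, which enforces them through filesystem filter callbacks); the zone location, the policy numbering P1 to P6 in the order listed, and the sample file events are assumptions of the example.

```python
# Added toy model of the secure-zone policies P1-P6 (not BLADE's kernel
# driver, which enforces them through filesystem filter callbacks); paths,
# the zone location and the sample events are constructed for this example.
SECURE_ZONE = "/securezone"  # assumed location of the secure zone


class Redirector:
    def __init__(self, supervised_pids):
        self.supervised = set(supervised_pids)  # the Supervisor's process list
        self.fs = {}    # real filesystem: path -> bytes
        self.zone = {}  # secure zone: redirected path -> bytes

    def _zone_path(self, path):
        return SECURE_ZONE + path

    def write(self, pid, path, data):
        if pid not in self.supervised:       # P4: only supervised processes are redirected
            self.fs[path] = data
        else:                                # P1/P2: new file or modified copy goes
            self.zone[self._zone_path(path)] = data   # to the zone, original untouched

    def read(self, pid, path):
        if path.startswith(SECURE_ZONE):     # P5: reachable only via redirection
            raise PermissionError("secure zone is not directly accessible")
        zp = self._zone_path(path)
        if pid in self.supervised and zp in self.zone:
            return self.zone[zp]             # P3: redirection is transparent
        return self.fs.get(path)

    def execute(self, pid, path):
        """True if `path` resolves to a file that may be executed."""
        in_zone = pid in self.supervised and self._zone_path(path) in self.zone
        if path.startswith(SECURE_ZONE) or in_zone:
            raise PermissionError("P6: no execution from the secure zone")
        return path in self.fs

    def remap(self, path):
        self.fs[path] = self.zone.pop(self._zone_path(path))  # consent matched by Correlator


def demo():
    """Constructed sequence: tampering, a covert install, a consented download."""
    r = Redirector(supervised_pids={100})                 # pid 100: the browser
    r.fs["/etc/hosts"] = b"127.0.0.1 localhost"
    r.write(100, "/etc/hosts", b"127.0.0.1 bank.test")   # attempted tampering
    r.write(100, "/tmp/drop.exe", b"MZ\xcc")              # covert binary install
    r.write(100, "/home/u/setup.exe", b"MZ\x90")          # user-consented download
    r.remap("/home/u/setup.exe")                          # consent correlated
    return r
```

The tampered hosts file is visible only to the browser's shadow copy, the covert binary can neither be read nor executed outside the zone, and only the remapped consented download becomes executable.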


Slide 19: Evaluation – Effectiveness
Harvests malware URLs reported in the past 48 hours from WhiteHat.
Environment: VM running on a lightly loaded PC.
- VM: Windows XP SP2; IE, Firefox; PDF reader, Flash player, JVM…
- PC: 2.0 GHz single-core CPU, 512 MB RAM

Slide 20: Evaluation – Effectiveness
Three key experiment outcomes:
- C1 (T|F): URL test session caused a BLADE alert.
- C2 (T|F): URL test session attempted to load/execute a file from the secure zone.
- C3 (T|F): URL test session produced a file write outside the secure zone.
Evaluation metrics:
True Positive :=
False Negative :=
False Positive :=
True Negative :=

Slide 21: Evaluation – Effectiveness
Operational for 3 months; visited 3,992 unique malicious URLs.
http://www.blade-defender.org/eval-lab

Slide 22: Evaluation – Effectiveness
http://www.virustotal.com/

Slide 23: Evaluation – Effectiveness
Uses disclosed zero-day exploits listed in Table 2. BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.

Slide 24: Evaluation – Effectiveness (False Positives)
A false positive arises when:
- the user's authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted; or
- a legitimate browser download seeks to execute benign logic without the user's consent, which represents a violation of our root assumption.
Downloaded 30 different software applications from 15 highly ranked freeware sites, with varying types (.exe, .zip, .msi, etc.).
False Positive = 0 !!

Slide 25: Evaluation – Performance Overhead
- Screen Parser: even the worst-case matching time was not measurable (less than a millisecond).
- I/O Redirector: copy 3 files of varying sizes (1, 10, 100 MB) from one location to another within the same disk (each file was copied twice). Revert to a clean VM snapshot before beginning each test.

Slide 26: Evaluation – Performance Overhead

Slide 27: Evaluation – Performance Overhead


Slide 29: Security Analysis – Attacks and Built-in Countermeasures
- Spoofing attacks: forged GUI or user response -> HET / Correlator
- Download injection and process hijacking attacks: creating a remote thread within an unsupervised process -> Supervisor
- Coercing attacks: coerce the OS to execute the malware directly from the secure zone -> impossible

Slide 30: Security Analysis – Limitations
- Social engineering attacks where the user authorizes the download and installation of malicious binaries disguised as benign applications.
- In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.


Slide 32: Related Work
- BotHunter, BotSniffer: based on post-infection network dialog, but do not prevent the execution of malware.
- CloudAV: its attempt to block the execution of malware is limited by the reliance on binary signatures.
- Egele et al., NOZZLE: use static analysis of objects in the heap to detect heap-spraying attacks.
- BLADE's unconsented-content execution prevention is a similar concept to sandboxing, but better.


Slide 34: Conclusion
BLADE's interception logic has demonstrated 100% effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.
