1. Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda Presenter: Chia-Li Lin

2. 2 References M. Egele, E. Kirda, and C. Kruegel. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference, DIMVA 2009 (to appear), 2009.

3. 3 Outline Introduction Automatically Detecting Drive-by Attacks Modified Firefox browser False Positive and Effectiveness Conclusion

4. 4 Introduction Drive-by download attacks are among the most common methods for spreading malware today Typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode Propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode

5. 5

6. 6 Contribution Uses emulation to automatically identify shell- code based drive-by download attacks in a browser That is integrated into the Mozilla Firefox browser Evaluated on more than one thousand malicious and several thousand benign sites that the system with no false positives

7. 7 Vulnerability Most current drive-by downloads target browser plug-ins that are developed and distributed by third parties  buffer overflows  memory corruption  pointer overwrites

8. 8 JavaScript Basics Typically used to assign the binary representation of shellcode to a variable that is stored in the address space of the browser JavaScript

9. 9 Tracking String Allocations To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates  global string variables  local string variables  strings that are properties (members) of objects The code that we added simply keeps track of the start address of a string variable and its length

10. 10 Checking Strings: libemu libemu is a small library written in C that offers basic x86 emulation and shellcode detection. Being used in:  Nepenthes  Honeytrap Checks starting whether there is a sequence of valid instructions of sufficient length  32 bytes for the minimal length

11. 11 libemu libemu is a small library written in c. libemu supports: Using libemu one can:  detect shellcodes  execute the shellcodes  profile shellcode behaviour executing x86 instructionsshellcode execution reading x86 binary codeshellcode execution register emulationwin32 api hooking basic fpu emulation

12. 12 Modified Firefox browser Simulating ActiveX components  dummy objects for instantiation requests to ActiveX components Modify the parser  JScript parser is more tolerant with regards to semicolons than SpiderMonkey. Batch processing time-outs  replace all delays of setTimeout calls with a delay of 50ms

13. 13 ActiveX components

14. 14 Performance Optimizations First, one can reduce the total number of invocations of the emulation engine Second, one can reduce the amount of data that the emulator needs to inspect  string a consists of the concatenation of strings x and y  can skip the analysis (emulation) of x and y when a was already scanned and found to be clean

15. 15 Performance Intel Core 2 Duo processor 2.66 GHz and 4 GB of main memory.With a bandwidth of 1 MBit/s of ADSL.  chosen the 150 most popular web sites from the Alexa

16. 16 False Positive Evaluation To visit 4502 that well-known benign pages from the Alexa Moves to the next URL  two seconds after the page finished loading  ten seconds after page loading started Not produce any false positives

17. 17 Detection Effectiveness[1/2] Evaluated our system on the traces of 1,187 web browsing sessions that are known to contain drive-by attacks.  list of such URLs from the Spamcop  spam trap of a security company

18. 18 Detection Effectiveness[2/2] To filter those URLs that actually host drive-by attacks, used the:  Capture Honeypot Client (HPC) To extract application level data from the network traces, used the:  “Chaosreader”,11,910 URLs (files) were associated with the 1,187 traces Running detection system on the resources associated with 1,187 traces,detected 956 instances of shellcode

19. 19 Cause of failing Manual analysis revealed four main causes that result in our prototype failing to detect a threat 1. not make use of memory exploits 2. use Visual Basic (VB) script code 3. malicious code is distributed over several scripts 4..cab archive files

20. 20 Conclutions The system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed. Verified the capability of our approach to successfully detect real-world drive-by download attacks. The evaluation shows that our approach is feasible in practice.

21. 21 Supported This work has been supported by the Austrian Science Foundation (FWF) under grant P18764, SECoverer FIT-IT Trust in IT- Systems 2. Call, Austria, Secure Business Austria (SBA), and the WOMBAT and FORWARD projects funded by the European Commission in the 7th Framework.

22. 22 Questions