Mitigating Malware Collin Jackson CS142 – Winter 2009.

Approach
Fact: Browsers will always have bugs
Goal: Reduce the harm
Harm depends on three factors:
  – Frequency of interactions with attacker
  – Percentage of time vulnerability is unpatched
  – Damage if attack works

Outline
1. Preventing the Introduction (reduce the frequency of interactions with attacker)
2. Vulnerability Response (reduce the percentage of time vulnerability is unpatched)
3. Failure Containment (reduce the damage if attack works)

PREVENTING THE INTRODUCTION
Target factor: frequency of interactions with attacker

Drive-by downloads
Provos et al. "All Your iFRAMEs Point to Us"
Silently installs software when the web page is loaded
Attackers increase exposure by compromising other (legitimate) sites and inserting code into them, typically an iframe that loads the exploit page
Site owners are unaware they are participating in an attack

World of Warcraft keylogger
Flash Player exploit used to install a keylogger
Links to the malicious SWF were posted on the game's forums
"Solution": disable hyperlinks on the forum

Scaling it up to the entire web
1.3% of the incoming search queries to Google returned at least one malware site
Visit sites with an army of browsers in VMs, check for changes to the local system
Indicate potentially harmful sites in search results
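The VM-based crawler above looks for side effects on the guest system. A cheaper first pass, shown here as an added example that is not code from the lecture or from Provos et al., is to look for the injection itself: the hidden, cross-origin iframe that a compromised site is made to serve. The page URL, the sample HTML and the size thresholds are assumptions for the demo.

```python
# Added example (not code from the lecture or from Provos et al.): a small
# scanner for the kind of injected iframe that drive-by download campaigns
# add to compromised sites.  It flags an iframe only when it is BOTH
# cross-origin and hidden, since legitimate embeds are usually visible.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel dimensions or CSS that hides the frame."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        attr_val = attrs.get(dim, "").strip().lower().rstrip("px")
        if attr_val.isdigit() and int(attr_val) <= 1:
            return True
        m = re.search(r"(?:^|;)" + dim + r":(\d+)(?:px)?(?:;|$)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def find_suspicious_iframes(html, page_url):
    """Return [(src, reasons)] for iframes that are hidden AND cross-origin."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        target_host = urlparse(src).hostname  # None for relative URLs
        cross_origin = bool(target_host) and target_host != page_host
        if cross_origin and _is_hidden(attrs):
            findings.append((src, ["cross-origin", "hidden"]))
    return findings


# Constructed sample page: a visible third-party embed, a hidden same-origin
# frame, and the injected 0x0 frame pointing at an attacker host.
SAMPLE_HTML = """
<html><body>
<h1>My blog</h1>
<iframe src="https://videos.example/embed/42" width="560" height="315"></iframe>
<iframe src="/stats.html" style="display:none"></iframe>
<iframe src="http://evil.test/exploit.html" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "https://example-blog.test/post/1"):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
```

Only the injected frame is reported; the visible video embed and the hidden same-origin frame are left alone. The heuristic is deliberately narrow (it does not catch off-screen positioning or script-generated frames), which is why the crawler in the slide still has to execute the page and watch the guest system.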

Now do it in the browser

Helping the webmaster out

Introductions are easy
Impressions are cheap ($1 buys about 2000)
An ad that is harmless today may be malicious tomorrow
Possible mitigations:

VULNERABILITY RESPONSE
Target factor: percentage of time vulnerability is unpatched

Closing the vulnerability window
Timeline: Discovery → Publication → Patch available → Patch deployed
Delay publication
  – Coordinate with security researchers
  – Offer prizes for responsibly disclosed security bugs
Make the patch available faster
Deploy the patch faster

Obstacles to patch deployment
Interrupts work flow
Requires administrator privileges
Risk of breaking things
Separate update mechanisms for each application
Silent approach: GoogleUpdate.exe (updates in the background without prompting the user)

Getting better, but not fast enough
Frei et al., "Examination of vulnerable online Web browser populations and the 'insecurity iceberg'"

Announcements
Office hours have moved

FAILURE CONTAINMENT
Target factor: damage if attack works

Severity
Arbitrary Code Execution: "Critical"
File Theft: "High"
Universal XSS: "Medium"

Protected Mode IE
IE7 on Vista runs as a "low rights" (low integrity) process
Can prompt the user to get more privileges

IE7 Containment Goals
Arbitrary code execution won't let the attacker:
  – Install software
  – Copy files to the startup folder
  – Change the homepage or search provider setting
Can we do more?

Containment Goals
Universal XSS
Arbitrary Code Execution
File Theft

Chromium Security Architecture
Barth et al. "The Security Architecture of the Chromium Browser"
Browser ("kernel")
  – Full privileges (file system, networking)
  – Coarse-grained security policies protect the local system
Rendering engine
  – Sandboxed
  – Fine-grained same origin policy enforcement
One process per plugin
  – Sandboxing optional

Preventing File Theft
  – File Downloads. The renderer can only write files to My Documents\Downloads
  – File Uploads. The renderer cannot read local files itself; it is granted the ability to upload a file the user chooses through the browser kernel's file picker
  – Network Requests. The renderer can only request web-safe schemes (http, https, ftp)
  – Dedicated renderers for file:// URLs, so local files are never rendered in a process that also renders web content
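The three checks above are decisions the browser kernel makes on behalf of a renderer it assumes is compromised. The block below is an added example, not Chromium's code (which is C++ and whose real scheme list is longer); the download directory, the user-picked upload list and the sample URLs are assumptions for the demo.

```python
# Added example (not Chromium's code): the three file-theft checks from the
# slide, modelled as the decisions the browser kernel makes on behalf of an
# untrusted renderer.  The download directory and the user-picked upload
# list are assumptions for the demo; Chromium's real scheme list is longer
# and its checks live in C++.
import posixpath
from urllib.parse import urlparse

WEB_SAFE_SCHEMES = {"http", "https", "ftp"}          # the three on the slide
DOWNLOAD_DIR = "/home/alice/My Documents/Downloads"  # assumed location


def renderer_may_request(url, is_file_renderer=False):
    """Network policy: a web renderer only gets web-safe schemes; only the
    dedicated file:// renderer may ask for file: URLs."""
    scheme = urlparse(url).scheme.lower()
    if scheme in WEB_SAFE_SCHEMES:
        return True
    return scheme == "file" and is_file_renderer


def resolve_download_path(requested_name, download_dir=DOWNLOAD_DIR):
    """Download policy: the kernel writes only inside download_dir.
    Returns the final path, or None if the name would escape the directory
    (absolute path, '..' traversal, or an empty name)."""
    base = posixpath.normpath(download_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested_name))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def renderer_may_read_for_upload(path, user_picked):
    """Upload policy: the renderer never reads the disk itself; it may only
    hand the kernel a path the user chose in the kernel's file picker."""
    return posixpath.normpath(path) in {posixpath.normpath(p) for p in user_picked}


if __name__ == "__main__":
    picked = ["/home/alice/Pictures/cat.jpg"]          # chosen via the kernel's picker
    for url in ["https://example.test/", "file:///etc/passwd", "javascript:alert(1)"]:
        print(url, "->", renderer_may_request(url))
    for name in ["report.pdf", "../../.bashrc", "/etc/cron.d/evil"]:
        print(name, "->", resolve_download_path(name))
    print(renderer_may_read_for_upload("/home/alice/.ssh/id_rsa", picked))
```

The download check is the one that matters most: a compromised renderer controls the suggested file name, so the kernel must normalise it and confirm the result still lies under the download directory before opening anything for writing. The path logic here is POSIX-only; a Windows kernel would need the equivalent check with `ntpath`.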

Task Allocation

Is the "kernel" too complex?
Total CVEs:
Arbitrary code execution vulnerabilities:

OP Browser
Grier et al. "Secure web browsing with the OP web browser"
Fine-grained componentization
Wants to mitigate UXSS
Focus is on plugin containment
  – Will plugins refuse to be contained?
  – Historically a platform for innovation in policy
Missing a basic issue…

Why UXSS Containment is Hard
[Diagram: two tabs, an attacker-controlled one and the victim site's own, each requesting the victim site]
Both requests carry cookies!
A compromised renderer can ask the browser kernel to fetch any URL, and the kernel attaches the user's cookies to that request just as it does for the legitimate tab, so the attacker's renderer receives the user's authenticated content.

Tahoma's Approach
Cox et al. "A Safety-Oriented Platform for Web Applications"
Very coarse-grained policy
Separate browser state for each top-level site
A site can opt in to more sharing via manifest files

Gazelle's Approach
Wang et al. "The Multi-Principal OS Construction of the Gazelle Web Browser"
Inspect cross-origin HTTP responses
Filter unexpected content types (e.g., an HTML page returned for a cross-origin script or image request is dropped before it reaches the renderer)
[Diagram: two tabs issuing requests]

Another approach: Cookie Blocking
Block the "Cookie" header for cross-domain resource loads
Third-party cookie blocking already does this for privacy
Third-party frames are ok
Cross-subdomain might be ok
Open question: how many sites does this break compared to content type filtering?
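The two defences (Gazelle's content type filtering and cookie blocking) both act in the browser kernel, on the path between a possibly compromised renderer and the network. The block below is an added example that is not Gazelle's or Chromium's code; it puts both policies side by side on the attacker-tab-reads-bank-page scenario from the UXSS slide. The subresource kinds, the MIME lists and the "last two host labels" approximation of a site are assumptions (a real browser would use the public suffix list).

```python
# Added example (not Gazelle's or Chromium's code): the two cross-origin
# response policies as kernel-side decision functions.  Assumptions: the
# subresource kinds and MIME lists are illustrative, and "site" is
# approximated by the last two host labels instead of the public suffix list.
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Content types a renderer may receive for a cross-origin request of each kind.
# None means "anything": a frame is rendered as its own origin, so no filtering.
EXPECTED_TYPES = {
    "script": {"application/javascript", "text/javascript", "application/x-javascript"},
    "stylesheet": {"text/css"},
    "image": {"image/png", "image/jpeg", "image/gif"},
    "frame": None,
}


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def site(url):
    """Registrable-domain approximation: last two host labels (assumption)."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def filter_cross_origin_response(requester, target, kind, content_type):
    """Gazelle-style content type filtering: a cross-origin response reaches
    the renderer only if its MIME type matches the kind of subresource asked for."""
    if origin(requester) == origin(target):
        return True
    allowed = EXPECTED_TYPES[kind]
    if allowed is None:
        return True
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in allowed


def attach_cookies(requester, target, kind, allow_cross_subdomain=True):
    """Cookie blocking: strip the Cookie header from cross-domain resource
    loads.  Third-party frames keep their cookies; cross-subdomain loads keep
    them only when allow_cross_subdomain is set."""
    if kind == "frame":
        return True
    if allow_cross_subdomain:
        return site(requester) == site(target)
    return origin(requester)[1] == origin(target)[1]


def handle_subresource(requester, target, kind, content_type):
    """The kernel's decision for one request: (deliver response?, send cookies?)."""
    return (filter_cross_origin_response(requester, target, kind, content_type),
            attach_cookies(requester, target, kind))


# Constructed cases: a compromised renderer for attacker.test trying to read
# the victim's bank page as a "script", next to legitimate loads.
CASES = [
    ("https://attacker.test/", "https://bank.test/account", "script", "text/html; charset=utf-8"),
    ("https://attacker.test/", "https://bank.test/", "frame", "text/html"),
    ("https://www.bank.test/", "https://cdn.bank.test/logo.png", "image", "image/png"),
    ("https://www.bank.test/", "https://www.bank.test/app.js", "script", "text/javascript"),
]

if __name__ == "__main__":
    for case in CASES:
        print(case[:3], "->", handle_subresource(*case))
```

For the first case either policy alone is enough: content type filtering drops the HTML response because a script was requested, and cookie blocking would have sent the request without the session cookie in the first place. The third case shows the trade-off the slide asks about: a cross-subdomain image load keeps its cookies under the relaxed policy and loses them under the strict one, which is the kind of breakage the open question is about.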

Conclusion
1. Preventing the Introduction (reduce the frequency of interactions with attacker)
2. Vulnerability Response (reduce the percentage of time vulnerability is unpatched)
3. Failure Containment (reduce the damage if attack works)

Reading
Barth et al. "The Security Architecture of the Chromium Browser"
Optional (i.e. not required):
  – Provos et al. "All Your iFRAMEs Point to Us"
  – Frei et al. "Examination of vulnerable online Web browser populations and the 'insecurity iceberg'"
  – Cox et al. "A Safety-Oriented Platform for Web Applications"
  – Grier et al. "Secure web browsing with the OP web browser"
  – Wang et al. "The Multi-Principal OS Construction of the Gazelle Web Browser"