Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. Authors: Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda. Presenter: Chia-Li Lin

2 References M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference (DIMVA 2009), 2009.

3 Outline Introduction Automatically Detecting Drive-by Attacks Modified Firefox browser False Positive and Effectiveness Conclusion

4 Introduction Drive-by download attacks are among the most common methods for spreading malware today. They typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode. The paper proposes a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode.


6 Contribution Uses emulation to automatically identify shellcode-based drive-by download attacks inside the browser. The detection is integrated into the Mozilla Firefox browser. Evaluated on more than one thousand malicious and several thousand benign sites; the system produced no false positives.

7 Vulnerability Most current drive-by downloads target browser plug-ins that are developed and distributed by third parties. Typical bug classes:  buffer overflows  memory corruption  pointer overwrites

8 JavaScript Basics JavaScript is typically used to assign the binary representation of the shellcode to a string variable, so that the shellcode is stored in the address space of the browser.

9 Tracking String Allocations To detect the shellcode that a malicious script might construct on the heap, the browser has to keep track of all string variables that the program allocates:  global string variables  local string variables  strings that are properties (members) of objects The code added to the browser simply records the start address of each string variable and its length.

10 Checking Strings: libemu libemu is a small library written in C that offers basic x86 emulation and shellcode detection. It is used in:  Nepenthes  Honeytrap The check determines whether the string buffer contains a sequence of valid instructions of sufficient length  32 bytes is the minimal length

11 libemu libemu is a small library written in C. libemu supports:  executing x86 instructions  reading x86 binary code  register emulation  basic FPU emulation  shellcode execution  Win32 API hooking Using libemu one can:  detect shellcode  execute the shellcode  profile shellcode behaviour

12 Modified Firefox browser Simulating ActiveX components  dummy objects are returned for instantiation requests of ActiveX components, so that exploit scripts written for Internet Explorer proceed instead of aborting Modify the parser  the JScript parser is more tolerant with regard to missing semicolons than SpiderMonkey, so SpiderMonkey's parser is relaxed accordingly Batch processing time-outs  the delay of every setTimeout call is replaced with 50 ms
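As an added example of the first and third modification above, not code from the paper or from the authors' Firefox patch: a sandbox that hands a page script dummy ActiveX objects and replaces every setTimeout delay with 50 ms. The probe script, the ProgID "Example.Viewer.1" and the dummy's behaviour on property access (every read yields another dummy, calls and `new` succeed) are constructed for this example.

```javascript
// Delay substituted for every setTimeout delay in the patched browser
// (slide 12): a page that waits minutes before firing can be crawled in
// batch without waiting.
const BATCH_DELAY_MS = 50;

// Dummy stand-in for an ActiveX component (assumed behaviour for this
// example). Every property read yields another dummy, calls and `new`
// succeed, so a script probing for a vulnerable component sees it as
// present and proceeds down the path that builds its shellcode.
function makeDummy(path) {
  const handler = {
    get(_target, prop) {
      if (prop === Symbol.toPrimitive || prop === "toString" || prop === "valueOf") {
        return () => `[dummy ${path}]`;
      }
      if (typeof prop === "symbol" || prop === "then") return undefined;
      return makeDummy(`${path}.${prop}`);
    },
    set: () => true,
    has: () => true,
    apply: () => makeDummy(`${path}()`),
    construct: () => makeDummy(`new ${path}`),
  };
  return new Proxy(function dummy() {}, handler);
}

// Replacement browser objects handed to page scripts. ActiveXObject records
// which ProgIDs the script asked for (evidence on its own) and returns a
// dummy; setTimeout queues the callback with the shortened delay.
function makeSandbox() {
  const requests = [];
  const timers = []; // { requestedDelay, delay, fn }
  function ActiveXObject(progId) {
    requests.push(progId);
    return makeDummy(progId);
  }
  function setTimeout(fn, requestedDelay, ...args) {
    timers.push({ requestedDelay, delay: BATCH_DELAY_MS, fn: () => fn(...args) });
    return timers.length;
  }
  // Fire queued callbacks in order, as the crawler does once 50 ms elapse.
  function runPending() {
    const fired = [];
    while (timers.length) {
      const t = timers.shift();
      t.fn();
      fired.push(t.delay);
    }
    return fired;
  }
  return { ActiveXObject, setTimeout, requests, timers, runPending };
}

// Run page script with the sandbox's objects in place of the real ones.
function runInSandbox(source, sandbox) {
  const run = new Function("ActiveXObject", "setTimeout", source);
  return run(sandbox.ActiveXObject, sandbox.setTimeout);
}

// Constructed probe script in the style of a drive-by page; the ProgID is
// made up and nothing here is taken from a real exploit.
const PROBE_SCRIPT = `
  var trace = [];
  try {
    var viewer = new ActiveXObject("Example.Viewer.1");
    if (viewer.version) {
      setTimeout(function () { trace.push("payload after long wait"); }, 120000);
      setTimeout(function () { trace.push("second stage"); }, 0);
    }
  } catch (e) {
    trace.push("component missing, giving up");
  }
  return trace;
`;

function demo() {
  const sandbox = makeSandbox();
  const trace = runInSandbox(PROBE_SCRIPT, sandbox);
  const requestedDelays = sandbox.timers.map((t) => t.requestedDelay);
  const delays = sandbox.runPending(); // callbacks fire, trace fills up
  return { requests: sandbox.requests, requestedDelays, delays, trace };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without the dummy, `new ActiveXObject(...)` throws in Firefox and the script takes the `catch` branch before any shellcode string is built; with it, the script asks for a 120 s delay and gets 50 ms, and the recorded ProgID tells the analyst which component the page was probing for.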

13 ActiveX components

14 Performance Optimizations First, one can reduce the total number of invocations of the emulation engine. Second, one can reduce the amount of data that the emulator needs to inspect:  if string a is the concatenation of strings x and y  the analysis (emulation) of x and y can be skipped when a was already scanned and found to be clean, because any instruction sequence inside x or y also lies inside a (the converse does not hold: shellcode may straddle the boundary between x and y, so a clean x and a clean y do not make a clean)
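The tracking of string allocations (slide 9), the libemu check (slide 10) and the concatenation optimisation above can be put together in one small scanner. The following is an added example written for this page, not code from the paper or from the authors' Firefox patch. It assumes that strings are stored as 16-bit code units (as SpiderMonkey's jschar was at the time, so unescape("%u9090") yields the bytes 90 90), and it replaces libemu with a stand-in checker that knows a single instruction, the one-byte 0x90 nop, and reports shellcode when it sees 32 consecutive valid instructions; the string, verdict and parent bookkeeping around that checker is what the example shows.

```javascript
// Minimal length of a valid-instruction sequence before a string counts as
// shellcode (slide 10). Shorter strings never reach the emulator.
const MIN_SHELLCODE_BYTES = 32;

// Byte image of a JavaScript string as it sits in the browser heap.
// Assumption for this example: strings are stored as 16-bit code units,
// little-endian, as SpiderMonkey's jschar was at the time. unescape("%u9090")
// yields the code unit 0x9090 and so the bytes 90 90; a plain "A" yields 41 00.
function byteImage(str) {
  const bytes = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    bytes[2 * i] = unit & 0xff;
    bytes[2 * i + 1] = unit >> 8;
  }
  return bytes;
}

// Stand-in for the libemu check (not libemu). It decodes exactly one x86
// instruction, the one-byte 0x90 nop, and reports shellcode when it finds
// MIN_SHELLCODE_BYTES consecutive decodable instructions. libemu decodes the
// full instruction set; the surrounding bookkeeping does not change.
function nopSledChecker(bytes) {
  let run = 0;
  for (const b of bytes) {
    run = b === 0x90 ? run + 1 : 0;
    if (run >= MIN_SHELLCODE_BYTES) return true;
  }
  return false;
}

class StringScanner {
  constructor(checker = nopSledChecker) {
    this.checker = checker;
    this.emulatorCalls = 0;    // how often the (stand-in) emulator ran
    this.verdicts = new Map(); // string -> true (shellcode) / false (clean)
    this.parents = new Map();  // string -> strings it was concatenated into
  }

  // Record that a new string was built as left + right, the way the patched
  // browser tracks the strings a script constructs.
  concat(left, right) {
    const whole = left + right;
    for (const part of [left, right]) {
      if (!this.parents.has(part)) this.parents.set(part, []);
      this.parents.get(part).push(whole);
    }
    return whole;
  }

  scan(str) {
    if (this.verdicts.has(str)) return this.verdicts.get(str);
    const bytes = byteImage(str);
    // Too short to hold a 32-byte instruction sequence: no emulator call.
    if (bytes.length < MIN_SHELLCODE_BYTES) return this.remember(str, false);
    // Slide 14: a clean whole implies clean parts, because every instruction
    // sequence inside the part also lies inside the whole.
    for (const whole of this.parents.get(str) || []) {
      if (this.verdicts.get(whole) === false) return this.remember(str, false);
    }
    this.emulatorCalls++;
    return this.remember(str, this.checker(bytes));
  }

  remember(str, verdict) {
    this.verdicts.set(str, verdict);
    return verdict;
  }
}

// Why the rule is one-directional: x ends and y starts with a 16-byte sled,
// so only x + y contains a 32-byte sequence. Clean parts do not imply a
// clean whole, and the scanner correctly emulates all three strings.
function straddleCase() {
  const scanner = new StringScanner();
  const sled = "\u9090".repeat(8);                   // 16 bytes of 0x90
  const x = "benign padding text ".repeat(2) + sled; // 96 bytes, clean alone
  const y = sled + "more benign text";               // 48 bytes, clean alone
  const a = scanner.concat(x, y);
  return { x: scanner.scan(x), y: scanner.scan(y), a: scanner.scan(a), emulatorCalls: scanner.emulatorCalls };
}

// The optimisation itself: scanning the concatenation first and finding it
// clean lets both parts skip the emulator although each is long enough.
function cleanWholeCase() {
  const scanner = new StringScanner();
  const p = "<div class='banner'>Hello, visitor</div>"; // constructed page text
  const q = "<script src='/analytics.js'></script>";
  const b = scanner.concat(p, q);
  const whole = scanner.scan(b);
  const parts = [scanner.scan(p), scanner.scan(q)];
  return { whole, parts, emulatorCalls: scanner.emulatorCalls };
}

console.log(JSON.stringify({ straddle: straddleCase(), cleanWhole: cleanWholeCase() }));
```

straddleCase reports x and y clean, a as shellcode, with three emulator calls; cleanWholeCase reports all three strings clean with a single emulator call, which is the saving the slide describes. The verdict map is keyed by string content, so a verdict carries over to any later string with the same bytes.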

15 Performance Test machine: Intel Core 2 Duo 2.66 GHz with 4 GB of main memory, connected via ADSL with a bandwidth of 1 MBit/s.  Workload: the 150 most popular web sites from the Alexa ranking

16 False Positive Evaluation Visited 4,502 well-known benign pages from the Alexa ranking. The crawler moves to the next URL  two seconds after the page finished loading, or  ten seconds after page loading started The system did not produce any false positives.

17 Detection Effectiveness [1/2] Evaluated the system on the traces of 1,187 web browsing sessions that are known to contain drive-by attacks. Sources of the URLs:  a list of such URLs from Spamcop  the spam trap of a security company

18 Detection Effectiveness [2/2] To filter those URLs that actually host drive-by attacks, the Capture Honeypot Client (Capture-HPC) was used. To extract application-level data from the network traces, Chaosreader was used: 11,910 URLs (files) were associated with the 1,187 traces. Running the detection system on the resources associated with the 1,187 traces detected 956 instances of shellcode.

19 Causes of failure Manual analysis revealed four main causes for the prototype failing to detect a threat: 1. the attack does not make use of a memory exploit 2. the attack uses Visual Basic (VB) script code 3. the malicious code is distributed over several scripts 4. the malicious code is shipped in .cab archive files

20 Conclusions The system is integrated into the web browser, where it monitors JavaScript code that is downloaded and executed. The evaluation verified that the approach successfully detects real-world drive-by download attacks and shows that it is feasible in practice.

21 Supported by This work has been supported by the Austrian Science Foundation (FWF) under grant P18764, SECoverer FIT-IT Trust in IT-Systems 2nd Call, Austria, Secure Business Austria (SBA), and the WOMBAT and FORWARD projects funded by the European Commission in the 7th Framework Programme.

22 Questions