1 / 25

WebShield : Enabling Various Web Defense Techniques without Client Side Modifications

WebShield : Enabling Various Web Defense Techniques without Client Side Modifications. Zhichun Li , Tang Yi , Yinzhi Cao, Vaibhav Rastogi , Yan Chen , Bin Liu , and Clint Sbisa NEC Laboratories America, Inc. Northwestern University Tsinghua University.

aren
Download Presentation

WebShield : Enabling Various Web Defense Techniques without Client Side Modifications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. WebShield: Enabling Various Web Defense Techniques without Client Side Modifications Zhichun Li, Tang Yi, Yinzhi Cao, VaibhavRastogi, Yan Chen, Bin Liu,and Clint Sbisa NEC Laboratories America, Inc. Northwestern University Tsinghua University

  2. Web Has Become a Primary Target Drive by Download Cross site scripting Cross Site Request Forgery Cross-Origin JavaScript Capability Leaks 2

  3. Desire a General Middlebox • Existing web defense techniques need browser/client modification • Advocate middlebox approaches Existing Web Defense Approaches Client modification Slow adoption 3

  4. General Design Principles for Middlebox • Principles • Principle I: general middlebox should enable various protection mechanisms • Principle II: avoid client-side deployment • Principle III: containment of untrusted script execution • Principle IV: should not sacrifice user experience 4

  5. Existing Middlebox Approaches • BrowserShield • Code rewriting: rewrite HTML and JavaScript code with policy checking wrappers • Only applies to known browser vulnerabilities • Hard to be extended to support other defense mechanisms • SpyProxy • Actively execute the web pages in a proxy sandbox • Applies to both known and unknown vulnerabilities • But only detect deterministic exploits 5

  6. Evade Existing Approaches functionattackX() { // exploit an unknown vulnerability, // so BrowserShield cannot be applied ... } varattackcalled=false; functionloadAttack() { var el=document.getElementById("Evil"); // use user events to bypass SpyProxy el.addEventListener("mouseover", checkMouse,false); } functioncheckMouse() { if (! attackcalled) { attackcalled=true; window.setTimeout(attackX,0); } } Very Easy to Implement Trigger the attack through mouse events checkMouse attackX 6

  7. Outline • Our Design • Implementation • Evaluation • Conclusion 7

  8. Our Design Client Browser HTML Parser Java-Script Engine CSS Parser DOM Render Engine User Interface 8

  9. Our Design Client Browser HTML Parser Java-Script Engine CSS Parser DOM Render Engine User Interface 9

  10. Our Design Client Browser HTML Parser Java-Script Engine CSS Parser DOM Render Engine User Interface 10

  11. Our Design HTML Parser Java-Script Engine CSS Parser DOM DOM Render Engine User Interface 11

  12. Our Design Proxy sandbox Sync visual effects through encoded DOM updates JavaScriptRender Agent HTML Parser Java-Script Engine CSS Parser DOM DOM DOM Encoder Render Engine Browser Controller User Interface Detection Engine Web Proxy 12

  13. Initial Page Render URI Request URI Request web Client Browser Web Proxy Transformed Resp HTML Resp Shadow Browser Render Agent <!—eyJkYXRhIjp7fSwidHlwZSI6InN0eWxlU2h4iOltdfQ==--> <script id="DOM1"> __dp.apply("DOM1“) </script> 13

  14. Dynamic HTML Interaction Support wrap as JS events input Client Browser Web Proxy web • Latency added • Communication delay • DOM update delay • DOM tree update location • Element ID • Location vector starting from the root of the tree Shadow Browser DOM visual updates 14

  15. Implementation • Use Webkit to implement Shadow browser • Current sandbox based on SELinux • Session manager in Python 15

  16. Outline • Our Design • Implementation • Evaluation • Conclusion 16

  17. Evaluation • Environment Setup • Web Proxy: 2.5GHz Intel Xeon server • Web Browser on Core2 2.66GHz • Evaluation Metrics • Compatibility • Performance (user transparency) • Latency • Memory • Communication overhead • Drive-by-download detect demonstration 17

  18. Evaluation • Compatibility • 91 out of Alexa top 100 web sites • 19 out of Alexa top 20 web sites • Reasons for not compatible websites • Not supported features • Stability of the prototype 18

  19. Latency Overhead • Initial page rendering • Evaluate Alexa top 100 sites • Render start: median +134ms, 90th percentile +1.08 sec • Render end: median +382 ms, 90th percentile +2.46 sec Chrome render start and end time 19

  20. Latency Overhead • Interactive Performance for Dynamic HTML • Microbenchmarks • Test on a real JavaScript game: JavaScript Game – connect 4 20

  21. Memory and Communication Overhead • Memory overhead • Communication overhead 21

  22. Usefulness Demonstration • Drive-by-download detection • Implement both policy-based and behavior-based detection • Policy-based: check the parameters of JavaScript API calls and the parsing process • Behavior-based: check a list of abnormal behaviors similar to SpyProxy • Evaluate eight vulnerabilities with Alexa top 500 web sites. 22

  23. Conclusion • We design, implement and evaluate WebShield • A general middleboxthat enables various web defense mechanisms • Run JavaScript inside the middlebox, and thus reduce the attack surface • No client modification • Small overhead for latency, communication and memory  remain good user experience 23

  24. Advertisement • Positions available for system people (OS, Network, and Security) in NEC Research Labs • Full-time • Interns

  25. Q & A

More Related