
IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM

Mario Heiderich, Tilman Frosch, Thorsten Holz (Ruhr-University Bochum, Germany). 14th RAID Symposium (September 2011).


Presentation Transcript


  1. IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
  Mario Heiderich, Tilman Frosch, Thorsten Holz
  Ruhr-University Bochum, Germany
  14th RAID Symposium (September, 2011)

  2. Outline
  • Introduction
  • Related Work
  • Design Overview
  • System Implementation
  • Evaluation
  • Limitations
  A Seminar at Advanced Defense Lab

  3. Introduction
  • There are many different kinds of threats and attack vectors against current browsers.
    • Drive-by-Download attacks
    • Cross-Site Scripting (XSS)
    • Clickjacking

  4. A Reason
  • The root cause of this problem is the fact that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.

  5. In This Paper
  • We introduce IceShield, a novel approach to perform light-weight instrumentation of JavaScript, detecting a diverse set of attacks against the DOM tree.

  6. Related Work

  7. Design Overview
  • We assume that almost every JavaScript-based attack will have to use native methods at some point in order to prepare the necessary data structures.
    • Heap spray
    • JIT spray

  8. Challenge
  • An attacker can render any signature-based malware detection that lacks advanced de-obfuscation routines useless.

  9. Basic Idea
  • We do not rely on any form of static code analysis.
  • We instrument objects and functions dynamically, providing an execution context in which we can analyze their behavior.

  10. System Implementation
  • Our heuristics are based on a manual analysis of current attacks, and we tried to generalize the heuristics such that they are capable of detecting a wide variety of attacks.

  11. Current Heuristics
  • External domain injection
    • <embed>, <iframe>, <script>, …
  • Dangerous MIME type injection
  • Suspicious Unicode characters
    • %u0c0c
  • Suspicious decoding result

  12. Current Heuristics (cont.)
  • Overlong decoding results
    • 4096 characters
  • Dangerous element creation
    • <iframe>, <script>, …
  • URI/CLSID pattern in attribute setter
  • Dangerous tag injection via the innerHTML property

  13. Dynamic Instrumentation
  • We overwrite and wrap the native JavaScript methods in a context that allows us to inspect them dynamically.
  • IceShield utilizes an ECMAScript 5 feature, Object.defineProperty(), to implement the instrumentation in a robust way.

  14. Tamper Resistant
  • The most relevant descriptor for IceShield is configurable: setting it to false freezes the property state.
  • All modern user agents such as Firefox 4, Chrome 6-10, and Internet Explorer 9 support object freezing.

  15. Scoring Metric
  • Linear Discriminant Analysis (LDA)

  16. User Protection
  • To avoid interference with the user experience, we null the payload of the possible exploit, which mitigates the danger to the user but in most cases has no visible impact.
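The following is an added example, not IceShield's own code, showing how the pieces from slides 11 to 14 and the payload nulling of slide 16 fit together: `instrument()` replaces a native method with an inspecting wrapper via Object.defineProperty and freezes the slot with `configurable: false`; the checks implement four of the listed heuristics (dangerous element creation, URI/CLSID pattern in an attribute setter, `%u0c0c` and overlong decoding results); a hit records an alert and returns a harmless result instead of the payload. `doc`, `ElementProto` and `win` are constructed stand-ins for `document`, `Element.prototype` and `window` so the code runs in Node, and the per-hit score of 1 is an assumption standing in for the LDA weighting of slide 15.

```javascript
// Added example (not IceShield's code): instrumentation via Object.defineProperty,
// heuristic checks, payload nulling and a tamper test, on constructed stand-ins.

const ElementProto = {                                   // stand-in for Element.prototype
  setAttribute(name, value) { this.attributes[name] = String(value); },
};
function makeElement(tagName) {
  const el = Object.create(ElementProto);
  el.tagName = String(tagName).toUpperCase();
  el.attributes = {};
  return el;
}
const doc = { createElement: makeElement };            // stand-in for document
const win = { unescape: globalThis.unescape };          // stand-in for window

const alerts = [];   // every heuristic hit: { method, score, reason }

// Replace obj[name] with a wrapper and freeze the property slot.
function instrument(obj, name, check) {
  const native = obj[name];
  function wrapper(...args) {
    // check() decides whether the native call happens and what the caller gets back
    const verdict = check(args, () => native.apply(this, args));
    if (verdict.score > 0) alerts.push({ method: name, score: verdict.score, reason: verdict.reason });
    return verdict.result;
  }
  Object.defineProperty(obj, name, {
    value: wrapper,
    writable: false,      // plain assignment cannot swap the wrapper out
    configurable: false,  // delete and a second defineProperty cannot either
    enumerable: false,
  });
}

// Heuristics from slides 11-12; score 1 per hit is an assumption (IceShield uses LDA).
const DANGEROUS_TAGS = new Set(['iframe', 'script', 'embed', 'object']);
const URI_CLSID_PATTERN = /^\s*(?:javascript|data|vbscript):|clsid:/i;
const MAX_DECODED_LENGTH = 4096;

function checkCreateElement(args, callNative) {
  const tag = String(args[0]).toLowerCase();
  if (DANGEROUS_TAGS.has(tag)) {
    // "null the payload": hand back an inert element instead of the requested one
    return { score: 1, reason: `dangerous element creation: <${tag}>`, result: makeElement('span') };
  }
  return { score: 0, result: callNative() };
}

function checkSetAttribute(args, callNative) {
  const [attr, value] = args;
  if (URI_CLSID_PATTERN.test(String(value))) {
    return { score: 1, reason: `URI/CLSID pattern in attribute setter: ${attr}`, result: undefined };
  }
  return { score: 0, result: callNative() };
}

function checkUnescape(args, callNative) {
  const decoded = callNative();          // decoding has no side effects, so inspect the result
  const reasons = [];
  if (/%u0c0c/i.test(String(args[0])) || /\u0c0c/.test(decoded)) reasons.push('suspicious Unicode characters (%u0c0c)');
  if (decoded.length > MAX_DECODED_LENGTH) reasons.push(`overlong decoding result (${decoded.length} chars)`);
  return { score: reasons.length, reason: reasons.join('; '), result: reasons.length ? '' : decoded };
}

instrument(doc, 'createElement', checkCreateElement);
instrument(ElementProto, 'setAttribute', checkSetAttribute);
instrument(win, 'unescape', checkUnescape);

// Three ways a script could try to replace the wrapper; true means it survived.
function tamperAttempts(obj, name) {
  const before = obj[name];
  const outcome = {};
  try { obj[name] = function evil() {}; } catch (e) { /* TypeError in strict mode */ }
  outcome.assignment = obj[name] === before;
  try { delete obj[name]; } catch (e) { /* TypeError in strict mode */ }
  outcome.delete = obj[name] === before;
  try { Object.defineProperty(obj, name, { value: function evil() {} }); } catch (e) { /* not configurable */ }
  outcome.redefine = obj[name] === before;
  return outcome;
}

// Constructed scenario mixing benign and suspicious calls.
function demo() {
  alerts.length = 0;
  const div = doc.createElement('div');                 // passes through
  const frame = doc.createElement('iframe');            // neutralised to an inert <span>
  div.setAttribute('id', 'main');                       // passes through
  div.setAttribute('src', 'javascript:evil()');         // dropped, not applied
  return {
    benignTag: div.tagName,                             // 'DIV'
    blockedTag: frame.tagName,                          // 'SPAN'
    attributes: { ...div.attributes },                  // { id: 'main' }
    plain: win.unescape('%41%42'),                      // 'AB'
    unicode: win.unescape('%u0c0c%u0c0c'),              // '' (nulled)
    overlong: win.unescape('%41'.repeat(5000)),         // '' (nulled: 5000 > 4096)
    alertCount: alerts.length,                          // 4
    tamper: tamperAttempts(doc, 'createElement'),       // all true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser the same `instrument()` call would target the real `document`, `Element.prototype` and `window`; the stand-ins exist only so the block runs offline. Note that `tamperAttempts` reports survival by comparing the property afterwards rather than by whether an exception was thrown, because plain assignment and `delete` fail silently in sloppy mode and throw only in strict mode.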

  17. Some Limitations
  • New window context
  • <iframe> pointing to a JavaScript URI
    • <iframe src="javascript:evil()">
  • Data URI
    • <object data="data:x,%3cscript>evil()%3c/script>">
  • <a> with target=_blank
  • <meta> redirection

  18. The Solution
  • The solution to the problems discussed above can be found in scanning and analyzing the website's markup during parsing of the DOM tree.

  19. Browser Extensions
  • We implement:
    • Extension for Gecko-based browsers
    • BHO for Internet Explorer
    • Greasemonkey user script

  20. Evaluation
  • Known-good dataset
    • Top 61,554 websites from Alexa ranking
    • Checked against the malwaredomainlist.com (MDL) block-list
  • Known-bad dataset
    • 81 URLs selected from MDL
    • All URLs point to exploit kits

  21. Environment
  • High-end workstation
    • Intel Core i7-870 and 8 GB RAM
    • Ubuntu 10.04 and Firefox 3.6.8
  • Mid-range system
    • ASUS EeePC 1000H
    • Intel Atom N270 and 1 GB RAM
    • Ubuntu 10 and Firefox 3.6.12
  • Low-end device
    • Nokia N900
    • 600 MHz ARM7 Cortex-A8 and 256 MB RAM
    • Maemo and Firefox 3.5 (Maemo Browser 1.5.6 RX-51)

  22. (slide contains only a figure; no transcript text)

  23. Machine Learning
  • Training set
    • Top 50 sites from Alexa ranking
    • 30 sites from known-bad dataset
  • Testing set
    • 61,504 sites from known-good dataset
    • 51 sites from known-bad dataset

  24. Classification Result

  25. False Positive Analysis
  • To protect the user, IceShield does not need to block access to a site that triggers an alert.
  • We can strip malicious data from the site, and thus mitigate the attack.

  26. False Positive Analysis
  • We manually evaluated a 10% sample set (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable.
    • Not noticeable: 82.9%
    • Partially usable: 9.6%
    • Unusable: 7.5%

  27. Performance
  • 2 ms to 760 ms, average 11.6 ms
  • 99.5% of sites stay below 25 ms
  • Average overhead 6.27%

  28. Performance (cont.)

  29. Limitations
  • In case an attacker deploys a malicious PDF, Java applet, or Flash file without using any native DOM methods.
  • The lack of heuristic coverage of ActiveX-based attacks.
  • The lack of tamper resistance support for older user agents.

  30. Thank You. Any Questions?

  31. The Flexible JavaScript
  • !'' → "true"
  • [!{}] → "false"
  • {} → an object
  • !''+[!{}]+{} → "truefalse[object Object]"

  32. Now we can understand…
  • _=[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$],_()[_$+$_+$$+__+$](-~$)
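As an added example, not from the slides, the following resolves the slide 32 expression step by step without executing it: the destructuring pattern binds single characters of "truefalse[object Object]" to the odd-looking names, the property names are spelled by concatenating those letters, and `-~$` is a numeric coercion. The `_()` step (Array.prototype.sort called with no receiver) is engine-dependent and is described in a comment rather than reproduced; the `nonAlnumRatio()` signal at the end is an assumed detection heuristic for this style of code, not one of IceShield's.

```javascript
// Added example (not from the slides): decode the slide 32 expression by hand.

// Slide 31: the three coercions, concatenated.
const FLEX = !'' + [!{}] + {};   // "truefalse[object Object]"

// Slide 32, left part: `[$,__,,$$,,_$,$_,_$_,,,$_$] = FLEX` is an array
// destructuring assignment; each name receives one character of FLEX by
// index, and the holes (`,,`) skip a character.
const PATTERN = ['$', '__', null, '$$', null, '_$', '$_', '_$_', null, null, '$_$'];

function bindLetters(source = FLEX, pattern = PATTERN) {
  const letters = {};
  pattern.forEach((name, i) => { if (name !== null) letters[name] = source[i]; });
  return letters;   // { $:'t', __:'r', $$:'e', _$:'a', $_:'l', _$_:'s', $_$:'o' }
}

// Property names are then spelled by concatenating those letters.
function resolveName(tokens, letters = bindLetters()) {
  return tokens.map((t) => letters[t]).join('');
}

// `-~$`: ~'t' coerces 't' to NaN, ToInt32(NaN) is 0, ~0 is -1, and -(-1) is 1.
function resolveArgument(letters = bindLetters()) {
  return -~letters.$;
}

function decodeSlide32() {
  const letters = bindLetters();
  return {
    letters,
    // [FLEX]["sort"] is Array.prototype.sort, stored in `_`
    method: resolveName(['_$_', '$_$', '__', '$'], letters),
    // _()["alert"]: on the 2011-era engines the slide targets, calling sort
    // with no receiver yielded the global object, so this looks up the global
    // `alert`; current engines throw a TypeError for a sort call on undefined.
    target: resolveName(['_$', '$_', '$$', '__', '$'], letters),
    argument: resolveArgument(letters),
  };
}

// Assumed detection signal: share of non-whitespace characters that are
// neither letters nor digits. Ordinary code sits well below 0.5; the slide's
// expression contains no alphanumeric character at all.
function nonAlnumRatio(source) {
  const chars = [...source].filter((c) => !/\s/.test(c));
  if (chars.length === 0) return 0;
  const nonAlnum = chars.filter((c) => !/[A-Za-z0-9]/.test(c)).length;
  return nonAlnum / chars.length;
}

const OBFUSCATED = "_=[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$],_()[_$+$_+$$+__+$](-~$)";

console.log(decodeSlide32(), nonAlnumRatio(OBFUSCATED), nonAlnumRatio('alert(1)'));
```

The decoded result is `[FLEX]["sort"]` followed by `...["alert"](1)`, which is why the slide says the expression can now be understood; a ratio near 1.0 from `nonAlnumRatio()` is the kind of cheap pre-filter that flags such code before any dynamic analysis runs.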

  33. Some Links
  • jjencode
  • aaencode
  • JSF*ck

  34. JIT Spraying
  • Because IE 8 includes DEP
  • Some exploits may not use heap spray
  • Dion Blazakis proposed JIT spraying at BlackHat DC 2010
    • "Interpreter Exploitation: Pointer Inference and JIT Spraying"
  • Generates executable code at runtime

  35. JIT Compilation
  • var y = (0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b ^ ...
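The following is an added example and not one of IceShield's heuristics: a source-level check for the long chains of XOR'ed 32-bit immediates that the slide 35 fragment shows. The minimum chain length of 20 and the second signal (all immediates sharing the same leading byte, as the slide's constants do) are assumptions chosen for this example; the three inputs are constructed from the slide's own fragment.

```javascript
// Added example (not an IceShield heuristic): flag long XOR chains of
// 8-hex-digit immediates in script source.

// A chain is at least four 32-bit hex literals joined by ^ .
const XOR_CHAIN = /0x[0-9a-f]{8}(?:\s*\^\s*0x[0-9a-f]{8}){3,}/gi;

function analyzeXorChains(source, minLength = 20) {
  let best = { length: 0, uniformPrefix: false };
  for (const m of source.matchAll(XOR_CHAIN)) {
    const imms = m[0].match(/0x[0-9a-f]{8}/gi);
    // leading byte of every immediate in this chain
    const prefixes = new Set(imms.map((x) => x.slice(2, 4).toLowerCase()));
    if (imms.length > best.length) {
      best = { length: imms.length, uniformPrefix: prefixes.size === 1 };
    }
  }
  return { ...best, flagged: best.length >= minLength };
}

// Constructed inputs: the slide's fragment, a longer chain padded with one of
// its constants, and ordinary bit-twiddling code that must not be flagged.
const SLIDE_FRAGMENT = 'var y = (0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b';
const LONG_CHAIN = SLIDE_FRAGMENT + ' ^ ' + Array(30).fill('0x3c909058').join(' ^ ') + ');';
const BENIGN = 'var mask = flags ^ 0x00000004; var h = (seed ^ 0x9e3779b9) >>> 0;';

function report() {
  return {
    slide: analyzeXorChains(SLIDE_FRAGMENT),   // length 6, uniformPrefix true, flagged false
    long: analyzeXorChains(LONG_CHAIN),        // length 36, uniformPrefix true, flagged true
    benign: analyzeXorChains(BENIGN),          // length 0, flagged false
  };
}

console.log(report());
```

The slide's six visible constants alone stay under the threshold, which is the point of requiring a long chain: short XOR sequences are common in hashing and masking code, so chain length, not the mere presence of XOR, carries the signal.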
