OSN Vulnerabilities & Social HoneyMonkey
November 23, 2009
S. Felix Wu
Computer Science Department, University of California, Davis
http://www.cs.ucdavis.edu/~wu/
http://www.facebook.com/sfelixwu/
wu@cs.ucdavis.edu
ecs289m, Fall 2009

ISN Vulnerabilities
• Data/Information oriented attacks
  • Privacy, Spyware
• Control-flow oriented attacks
  • Trick you into executing something unexpected
  • E.g., the Samy worm

[Diagram: reflected XSS, showing the attacker's email client, the victim's browser window and the target site. Steps: 1 normal interaction (a normal, valid session between the victim's browser and the target site, security context: target site); 2 a message "From: Malicious User, To: Victim User, CLICK HERE"; 3 malicious code carried to the target site; 4 the "reflected" code returned; 5 the malicious code running in the victim's browser window in the security context of the target site.]

reflected xss - illustrated
email/googleTalk/irc/etc., from *deAthL0rd420* to jen.innocent@good.com:
Hey Jen, click on this link - itsa soooo good!!!?! http://www.good.com/logon.jsp?uid="><script>alert('xss')</script>

reflected xss - illustrated
HTTP/HTTPS, from jen.innocent@good.com to www.good.com:
GET /logon.jsp?uid="><script>alert('xss')</script> HTTP/1.1
User-Agent: Lynx
Cookie: Session_Cookie: F24EX98H3L3GAW1;

reflected xss - illustrated
HTTP/HTTPS, from www.good.com to jen.innocent@good.com:
<html>
<body><form action="logon.jsp">
Logon Name: <input name="uid" value=""><script>alert('xss')</script>">
…
</form></body>
</html>

stored xss – the arsenic in the well
• attacker submits sticky (persisted) input to the app (e.g., blog comment / user profile)
• did i mention the input contains JS? whoops
• later, some random peasant comes along and views the profile or blog comment
• the application displays the comment/profile to the user
• the browser sees the JS inside it and it gets exec’d instead of displayed

stored xss - illustrated
HTTP/HTTPS, from *deAthL0rd420* to www.good.com:
POST /setMyProfile.jsp HTTP/1.1
User-Agent: Lynx
Cookie: Session_Cookie: F24EX98H3L3GAW1;

profile=<script>alert('hi')</script>

stored xss - illustrated
HTTP/HTTPS, from www.good.com to the 1st person to view the attacker’s profile, the 2nd person to view the attacker’s profile, …:
<html>
<body>
…
<div id="profile">This user’s profile: <script>alert('hi')</script>

the story of samy
• myspace™ is one giant advertisement banner that has a hidden social networking site inside of it (like an easter egg)
• you set up a profile, pics, etc. for other people to see
• samy wanted an xss worm in his own profile that made the reader his friend and a new source of the worm

the story of samy
• myspace did well not to let any JS through
• samy used ‘java\nscript’ since ‘javascript’ was filtered out, String.fromCharCode(34) to generate a double quote, etc.
• 10 hours – 560 friends; 13 hours – 6400; 18 hours – 1,000,000; 19 hours – entire site is down

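The reflected-XSS exchange and the Samy slides both come down to the same defect: user input is copied into HTML without output encoding, and a keyword blocklist is then expected to make up for it. The following is an added example, not code from the lecture; logon.jsp itself is not on the slides, so the page template is a constructed stand-in. It renders the uid parameter the vulnerable way and the encoded way, uses Python's own HTML parser to show which elements a browser would actually see, and shows why a literal-keyword filter of the kind MySpace used never matches the split keyword.

```python
import html
from html.parser import HTMLParser

# Inputs as they appear on the slides: the reflected payload aimed at logon.jsp
# and the split keyword used against MySpace's 'javascript' filter.
REFLECTED_PAYLOAD = "\"><script>alert('xss')</script>"
SPLIT_KEYWORD = "java\nscript"

# Constructed stand-in for logon.jsp; the real page is not on the slides.
PAGE_TEMPLATE = '<form action="logon.jsp">Logon Name: <input name="uid" value="%s"></form>'


def render_logon_vulnerable(uid):
    """logon.jsp as illustrated: the uid parameter is copied into the attribute verbatim."""
    return PAGE_TEMPLATE % uid


def render_logon_safe(uid):
    """Same page with output encoding. html.escape turns ", <, > and & into entities,
    so no uid value can close the attribute or open a new element."""
    return PAGE_TEMPLATE % html.escape(uid, quote=True)


def blocklist_filter(text):
    """The kind of input filter the Samy slide describes: delete one literal keyword."""
    return text.replace("javascript", "")


class _TagCollector(HTMLParser):
    """Records the elements a parser sees and the value of the uid input, so we can tell
    whether the payload stayed inside the attribute or became a new <script> element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def parse_page(markup):
    """Return (element names in document order, value of the uid input)."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.input_value


if __name__ == "__main__":
    print(parse_page(render_logon_vulnerable(REFLECTED_PAYLOAD)))  # a <script> element appears
    print(parse_page(render_logon_safe(REFLECTED_PAYLOAD)))        # only form and input; value intact
    print(repr(blocklist_filter(SPLIT_KEYWORD)))                    # unchanged: the keyword was never matched
```

The encoded version keeps the whole payload as the attribute value, which is exactly what the application meant to display; the blocklist, by contrast, only ever removes the one spelling it was told about, and every other spelling the browser is willing to normalise passes through untouched.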
Topics
• HoneyMonkey: a quick introduction
• Why it works and why it won’t?
• Four Technical Areas to worry about

HoneyMonkey

The goal… as I believe…
• Given a URL, will visiting this URL as a normal user cause any undesirable outcome?
  • JSRedir-R (GENO/Gumblar)
  • In-session Tracing (Phishing without emails)
  • Compromised Web browsers (& CSS)
  • Or others…

HoneyMonkey
• Candidate URLs
  • but which ones?
• Possible vulnerable platforms
  • different levels of patches, using VMware-like virtualization
• Policy to detect violations
  • Any status changes regarding new processes, registry entries, and unexpected file activities.

Browser vulnerability exploits…
• Code obfuscation
• URL redirection
• Vulnerability exploitation
• Malware installation

Code obfuscation…
• Dynamic code injection – the document.write() function inside a script.
• Unreadable code – decoded using the unescape() function.
• Custom decoding routine.
• Substring replacement using the replace() function.

URL redirection… (Primary URL → Secondary URL)
• Protocol redirection using an HTTP 302 temporary redirect.
• HTML tags.
• Script functions including window.location.replace().

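The two slides above list the indicators an analyst looks for when triaging a page: the obfuscation primitives and the three routes by which a primary URL hands off to a secondary one. The following added example (not code from the lecture or from HoneyMonkey) turns them into a small static scanner: it counts the obfuscation indicators in page text, peels one layer of unescape() for the analyst, and extracts secondary URLs from the 302 Location header, a meta refresh tag and window.location.replace(). The sample page and every host in it are constructed; the redirect status set is generalised from the slide's 302 to the other redirect codes.

```python
import re
from urllib.parse import unquote

# Indicator patterns for the obfuscation techniques on the slide (constructed here).
# The replace() pattern excludes window.location.replace(), which is a redirect, not decoding.
OBFUSCATION_INDICATORS = {
    "document.write": re.compile(r"document\.write\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "replace": re.compile(r"(?<!location)\.replace\s*\("),
    "long_escaped_string": re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}"),
}
# The three redirection routes on the slide: HTTP redirect (checked on the headers),
# an HTML tag (meta refresh) and the window.location.replace() script call.
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']?\d+\s*;\s*url=([^\"'>\s]+)",
    re.IGNORECASE,
)
LOCATION_REPLACE = re.compile(r"window\.location\.replace\s*\(\s*[\"']([^\"']+)[\"']\s*\)")
UNESCAPE_LITERAL = re.compile(r"\bunescape\s*\(\s*[\"']([^\"']+)[\"']\s*\)")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}  # generalised from the slide's 302


def obfuscation_hits(body):
    """Count each obfuscation indicator present in the page or script text."""
    return {name: len(pat.findall(body)) for name, pat in OBFUSCATION_INDICATORS.items() if pat.search(body)}


def peel_unescape(body):
    """Decode string literals passed straight to unescape(); one layer, for the analyst."""
    return [unquote(literal) for literal in UNESCAPE_LITERAL.findall(body)]


def redirect_targets(status, headers, body):
    """Secondary URLs reachable from one response, tagged by the route that yields them."""
    targets = []
    if status in REDIRECT_STATUSES:
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location:
            targets.append(("http", location))
    targets += [("html", url) for url in META_REFRESH.findall(body)]
    targets += [("script", url) for url in LOCATION_REPLACE.findall(body)]
    return targets


# Constructed sample page: a meta refresh, a percent-encoded string written with
# document.write(unescape(...)), a replace()-based decode and a script redirect.
SAMPLE_BODY = (
    '<html><head><meta http-equiv="refresh" content="0;url=http://secondary.example/landing"></head>'
    '<body><script>'
    'var t = "doc!ument".replace(/!/g, "");'
    'document.write(unescape("%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E"));'
    'window.location.replace("http://secondary.example/x");'
    '</script></body></html>'
)
SAMPLE_302 = (302, {"Location": "http://secondary.example/redir"}, "")

if __name__ == "__main__":
    print(obfuscation_hits(SAMPLE_BODY))
    print(peel_unescape(SAMPLE_BODY))
    print(redirect_targets(*SAMPLE_302), redirect_targets(200, {}, SAMPLE_BODY))
```

A scanner like this is signature-based, which is the limitation the later "Exploit Detection" slides return to: it finds the primitives it was told about, and a custom decoding routine that uses none of them scores zero.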
Trojan-Downloader.win32.ACVE.am

Vulnerability exploitation…
• Exploiting multiple browser vulnerabilities.
• Owing to its popularity, IE is attacked a lot.

Malware installation…
• Introduce some piece of arbitrary code on the victim machine in order to achieve a larger attack goal.

HoneyMonkey
• Automatically detect and analyze a network of websites that exploit browsers.

For Facebook
• Automated analysis of a large number of applications, continuously
  • Especially those being actively used.

Exploit detection system…
• Stage 1 – scalable mode by visiting N FB apps.
• Stage 2 – perform recursive redirect analysis (trying different functions).
• Stage 3 – scan exploit URLs/apps using fully patched VMs.

Exploit detection
• Executable files created or modified outside the browser sandbox folders.
• Processes created.
• Windows registry entries created or modified.
• Vulnerability exploited.

What are the issues?

Exploit detection - XML report…
• Executable files created or modified outside the browser sandbox folders.
• Processes created.
• Windows registry entries created or modified.
• “Known” vulnerability exploited.
• Redirect-URLs visited.

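The detection policy on the two "Exploit detection" slides is a state diff: snapshot the virtual machine before the visit, snapshot it after, and flag executables written outside the browser's sandbox folders, new processes and registry changes, then write the result out as an XML report. The following added example (not HoneyMonkey's code, whose snapshot format and report schema are not on the slides) implements that policy over two constructed snapshot dictionaries; the sandbox folder paths, file hashes and registry keys are all hypothetical.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Folders the browser is allowed to write into; hypothetical paths for this example.
BROWSER_SANDBOX = [
    r"C:\Users\monkey\AppData\Local\Temp\Browser",
    r"C:\Users\monkey\AppData\Local\Microsoft\Windows\Temporary Internet Files",
]
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".sys"}


def in_sandbox(path):
    """True when the path lies under one of the browser's sandbox folders."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(folder) in p.parents for folder in BROWSER_SANDBOX)


def diff_snapshots(before, after):
    """Apply the slide's policy to two VM snapshots taken around one URL visit.
    Each snapshot is {"files": {path: hash}, "processes": [names], "registry": {key: value}}."""
    files = [
        path for path, digest in sorted(after["files"].items())
        if before["files"].get(path) != digest                      # created or modified ...
        and PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES  # ... executable ...
        and not in_sandbox(path)                                     # ... outside the sandbox
    ]
    processes = sorted(set(after["processes"]) - set(before["processes"]))
    registry = [
        (key, value) for key, value in sorted(after["registry"].items())
        if before["registry"].get(key) != value
    ]
    return {"files": files, "processes": processes, "registry": registry}


def is_exploit(findings):
    """Any finding at all means the visit violated the policy."""
    return any(findings[k] for k in ("files", "processes", "registry"))


def xml_report(url, findings, redirects=()):
    """Serialise the findings (and the redirect URLs visited) as an XML report."""
    root = ET.Element("report", url=url, exploit=str(is_exploit(findings)).lower())
    for path in findings["files"]:
        ET.SubElement(root, "file").text = path
    for name in findings["processes"]:
        ET.SubElement(root, "process").text = name
    for key, value in findings["registry"]:
        ET.SubElement(root, "registry", key=key).text = value
    for redirect in redirects:
        ET.SubElement(root, "redirect").text = redirect
    return ET.tostring(root, encoding="unicode")


# Constructed snapshots: the visit drops an executable into C:\Windows\Temp, starts it,
# and adds a Run key; the cache writes inside the sandbox folder must not count.
BEFORE = {
    "files": {r"C:\Windows\System32\kernel32.dll": "h-kernel32"},
    "processes": ["explorer.exe", "iexplore.exe"],
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar": "sidebar.exe"},
}
AFTER = {
    "files": {
        r"C:\Windows\System32\kernel32.dll": "h-kernel32",
        r"C:\Users\monkey\AppData\Local\Temp\Browser\cache\ad.gif": "h-gif",
        r"C:\Users\monkey\AppData\Local\Temp\Browser\plugin.dll": "h-plugin",
        r"C:\Windows\Temp\dropped.exe": "h-dropped",
    },
    "processes": ["explorer.exe", "iexplore.exe", "dropped.exe"],
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar": "sidebar.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Windows\Temp\dropped.exe",
    },
}

if __name__ == "__main__":
    findings = diff_snapshots(BEFORE, AFTER)
    print(xml_report("http://primary.example/page", findings, ["http://secondary.example/x"]))
```

Note what this policy does and does not catch: it is agnostic to how the exploit worked, which is its strength against unknown vulnerabilities, but it only sees state the monitor snapshots, so an in-memory-only payload, or one that waits for a trigger the monkey never supplies, produces an empty report.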
What are the issues?
• “Exploit Detection”
  • Antivirus, Wepawet (usually signature-based)
  • How about zero-day?
  • Maybe mixed scripting (could be very complicated) and a kernel rootkit…
  • Is there any easier way?

How about OSN?
• How do we know that our social integrity has been altered?
• How do we know that our profile/photos have been visited or copied?
  • History of access
• How do we know that part of our profile has been interpreted as an executable script?
  • Pattern of propagation

An idea of an OSN IDS
• Amount of Social Resources consumed by a particular FB application
• The Friendship Network, trust and reputation, is utilized to conduct communication
• We have an “expected model” for the usage of such resources ~ Anomaly detection

Statistic-based ANomaly Detection (SAND)
• choose a parameter (a random variable, hopefully without any assumption about its probabilistic distribution)
• record its statistical “long-term” profile
• check how much, quantitatively, its short-term behavior deviates from its long-term profile
• set the right threshold on the deviation to raise alarms

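The four SAND steps above, carried through in code as an added example that is not from the lecture: the parameter is one "social resource" count per interval, such as friend requests sent by a Facebook application each hour; the long-term profile is an exponentially decayed mean and variance (the decay term from the architecture figure), the short-term behaviour is the mean of the last few samples, the deviation is their distance in standard-deviation units, and an alarm fires above a threshold. The decay, window, threshold and warm-up values and the event series are constructed for illustration.

```python
import math
from collections import deque


class SandDetector:
    """One SAND instance watches one parameter, e.g. friend requests sent per hour by a
    Facebook application. No distribution is assumed; only the profile's moments are kept."""

    def __init__(self, decay=0.98, window=5, threshold=3.0, warmup=100):
        self.decay = decay            # share of the old long-term profile kept at each update
        self.window = window          # samples that make up the short-term behaviour
        self.threshold = threshold    # alarm when the deviation exceeds this many std devs
        self.warmup = warmup          # samples recorded into the profile before any alarm may fire
        self.mean = None              # long-term profile: decayed mean ...
        self.var = 0.0                # ... and decayed variance of the parameter
        self.seen = 0
        self.recent = deque(maxlen=window)

    def _update_profile(self, x):
        """Exponentially decayed mean and variance (the 'update' and 'decay' of the profile)."""
        if self.mean is None:
            self.mean = float(x)
            return
        alpha = 1.0 - self.decay
        delta = x - self.mean
        self.mean += alpha * delta
        self.var = self.decay * self.var + alpha * delta * delta

    def deviation(self):
        """Distance of the short-term mean from the long-term mean, in std units."""
        if self.mean is None or len(self.recent) < self.window or self.var == 0.0:
            return 0.0
        short_mean = sum(self.recent) / len(self.recent)
        return abs(short_mean - self.mean) / math.sqrt(self.var)

    def observe(self, x):
        """Feed one sample; return (deviation, alarm). Samples that trigger an alarm are not
        folded into the profile, so an attacker cannot slowly teach the profile to accept them."""
        self.recent.append(x)
        self.seen += 1
        dev = self.deviation()
        alarm = self.seen > self.warmup and dev > self.threshold
        if not alarm:
            self._update_profile(x)
        return dev, alarm


def alarm_indices(detector, samples):
    """Run a whole series through the detector and return the indices that alarmed."""
    return [i for i, x in enumerate(samples) if detector.observe(x)[1]]


# Constructed series: 200 hours of steady usage, then an application suddenly
# sending far more requests than its long-term profile allows.
BASELINE = [9, 10, 11, 10] * 50
BURST = [60, 65, 70, 62, 68]
SAMPLE_STREAM = BASELINE + BURST

if __name__ == "__main__":
    print(alarm_indices(SandDetector(), SAMPLE_STREAM))  # the five burst intervals alarm
```

The warm-up period matters: with only a handful of samples the variance estimate is still near zero, so the ordinary jitter of the baseline would look like a large deviation, and the threshold has to be set against the profile after it has settled, not before.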
[Diagram: SAND architecture. Raw events feed the long-term profile, which is maintained under timer control (update, decay, clean); the deviation of short-term behaviour from the profile is computed and plotted over time (axis 0 to 30) against a threshold, and threshold control drives alarm generation.]

[Diagram: SBL-based anomaly detection. Observed system events go into the anomaly detection model for model-based event analysis, which produces analysis reports; example selection and explanation based learning feed back to update the model.]

AND EXPAND
• Anomaly Detection
• Detect
• Analysis and Explanation
• Application

Challenges
• It might take a while before we realize the problem.
  • I.e., HoneyMonkey might not work well.
• We probably should build an IDS for each FB profile.

What are the issues?
• “Exploit Detection”
• “Black List of scanning IP addresses”
  • Facebook Identifiers

What are the issues?
• “Exploit Detection”
• “Black List of scanning IP addresses”
  • The attacker knows what we, from which sets of IP addresses, are trying to accomplish.
  • There are techniques to detect whether we are using a virtual environment.

What are the issues?
• “Exploit Detection”
• “Black List of scanning IP addresses”
• “Correlating Infections”
  • “I personally” haven’t seen it but…
  • Two URLs must be visited in sequence
  • Recursive/Redirect URL visits must be “stateful”!

What are the issues?
• “Exploit Detection”
• “Black List of scanning IP addresses”
• “Correlating Infections”
• “Capturing Human Interactions”
  • It might be hard to pretend to be a real human user, though.

What are the issues?
• “Exploit Detection”
• “Black List of scanning IP addresses”
• “Correlating Infections”
• “Capturing Human Interactions”
• “Choosing the Candidates”
  • This has been a critical issue: how to handle billions of possible URLs

Six Issues
• “Exploit Detection”
• “Black List of scanning IP addresses”
• “Correlating Infections”
• “Capturing Human Interactions”
• “Choosing the Candidates”
• “Scalability and Parallelism”

Candidate URLs
• HoneyMonkey’s approach
  • The initial bad list (host files and well-known spyware holders)
  • Expanding/growing the list via methods such as mutual referencing and redirection.
• Others:
  • Spam and phishing emails
  • Special hotspot business websites such as pornography, illegal/pirated content sharing (P2P), and advertising sites (or local-intentional targets ~ financial and DoD’s websites).

Candidate URLs
• What are our objectives?
  • Regular Internet usage versus national security
• Biased sampling
  • The number of exploit provider groups is small (~3).
  • This might be due to the sampling strategies (proof?)

Candidate URLs
• Yet another approach…
  • Key-word based searching (using Google)
  • That is how we get “infected” anyway!
• MapReduce
  • URLs/Profiles as the keys
  • Links to “known” malicious pages as the value
  • We can quickly identify a large number of bad URLs (assuming that we are Google).

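The two candidate-selection strategies on the slides, as an added example that is not HoneyMonkey's code or anything from the lecture: first the HoneyMonkey-style growth of an initial bad list by following redirects from bad pages and adding pages that mutually reference one, then the MapReduce formulation with URLs as keys and links into the known bad set as values. The crawl graph stands in for fetched link data and every host in it is constructed; the `rounds` bound on the expansion is an assumption of this example, added because unbounded mutual-reference expansion spreads to ordinary pages a few hops away, which is one way the biased sampling of the previous slide arises.

```python
from collections import defaultdict

# Constructed link graph standing in for crawl results: for each page, the URL it
# redirects to (or None) and the pages it links to. No real hosts are involved.
CRAWL = {
    "http://seed-bad.example/":      {"redirect": "http://exploit-host.example/x", "links": ["http://blog.example/post1"]},
    "http://exploit-host.example/x": {"redirect": None, "links": ["http://seed-bad.example/", "http://blog.example/post1"]},
    "http://blog.example/post1":     {"redirect": None, "links": ["http://exploit-host.example/x", "http://news.example/"]},
    "http://news.example/":          {"redirect": None, "links": ["http://blog.example/post1"]},
    "http://forum.example/t/1":      {"redirect": None, "links": ["http://seed-bad.example/", "http://exploit-host.example/x"]},
}
SEED_BAD = {"http://seed-bad.example/"}


def expand_bad_list(crawl, seeds, rounds=1):
    """Grow the initial bad list: follow redirects from bad pages and add pages that
    mutually reference a bad page. `rounds` bounds how far the expansion spreads."""
    bad = set(seeds)
    for _ in range(rounds):
        new = set()
        for url in bad:
            info = crawl.get(url, {"redirect": None, "links": []})
            if info["redirect"]:
                new.add(info["redirect"])
            for other in info["links"]:
                # mutual reference: url links to other and other links back to url
                if url in crawl.get(other, {"links": []})["links"]:
                    new.add(other)
        if new <= bad:
            break
        bad |= new
    return bad


def map_page(url, info, known_bad):
    """Map step: emit (url, bad_page) for every link from this page into the known bad set."""
    return [(url, link) for link in info["links"] if link in known_bad]


def reduce_counts(pairs):
    """Reduce step: group by URL and count the distinct bad pages each one links to."""
    grouped = defaultdict(set)
    for url, link in pairs:
        grouped[url].add(link)
    return {url: len(links) for url, links in grouped.items()}


def rank_candidates(crawl, known_bad):
    """Pages not yet known bad, ranked by how many known bad pages they link to."""
    pairs = [
        pair
        for url, info in crawl.items() if url not in known_bad
        for pair in map_page(url, info, known_bad)
    ]
    counts = reduce_counts(pairs)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    known_bad = expand_bad_list(CRAWL, SEED_BAD, rounds=1)
    print(sorted(known_bad))
    print(rank_candidates(CRAWL, known_bad))  # the forum thread, linking to both bad pages, ranks first
```

Ranking by links into the known bad set gives the monkey a short, ordered queue instead of billions of URLs, but it inherits the bias of the seed list: a page that leads to an exploit host nobody has yet labelled scores zero, which is the "proof?" question the previous slide raises.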