SpyProxy: On-the-fly Protection From Malicious Web Content Alex Moshchuk, Tanya Bragin, Damien Deville, Steve Gribble, Hank Levy Department of Computer Science and Engineering University of Washington Seattle, WA
Web Content Today
• Users are increasingly relying on the Web
  • to access data, download software, use services
• Web content is increasingly active
• Attackers are going where the users are
  • drive-by downloads that exploit browser flaws
  • 1 in 200 high-traffic sites use exploits to install spyware
SpyProxy
• An on-the-fly Web defense system that protects clients from malicious Web pages
• High-level goals:
  • Safety: prevent bad content from reaching users
  • Transparency: users don’t need to change anything
  • Responsiveness: users don’t perceive overhead
Our approach
• A Web proxy renders content in a virtual machine before passing to client
• In the VM, event triggers detect suspicious activity
  • new processes, suspicious files, registry modifications
  • effective at detecting drive-by-download attacks
  • no false negatives
  • works for unknown exploits
[Figure labels: Web, SpyProxy, VM, VM, VM]
Naïve architecture
[Figure labels: client browser; spyproxy (proxy front end, Squid web cache, Web VM worker); Web; flows marked URL, root page, safe]
Pros and Cons
• Advantages
  • identify and block attacks before they arrive at victim
  • behavior-based analysis can detect unknown threats
  • fine-grained, real-time protection
• Hard questions
  • differences between proxy and client?
  • when has the page finished loading?
  • what about non-determinism?
  • performance?
Solving performance problems
• Full page must render in VM before any content flows to client
  • but, users are affected most by render start time
  • naïve spyproxy adds the full VM render time to this
• Optimizations:
  • Prefetching
  • Staged release
    (pipelining, overlapping transfers)
  • Caching
  • Static analysis
    (eliminating unnecessary work)
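The trigger-based VM check from the approach slide and the static-analysis and caching optimizations above, as an added example (not SpyProxy's own code): a simplified proxy-side verdict pipeline in Python. The active-content tag set, the allowlisted browser paths and the VM event traces are assumptions constructed for this example.

```python
import hashlib
import re
from typing import Dict, List, Tuple
Event = Tuple[str, str]  # (kind, target) observed inside the rendering VM

# Static analysis: a page with none of these tags carries no active content
# and can skip VM rendering. Assumed tag set, not SpyProxy's own list.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|embed|applet|iframe)\b", re.I)

# Event triggers: only activity a normal page load is expected to cause is
# allowlisted (assumed browser paths); any new process fires a trigger.
BENIGN_PREFIXES = {"file_write": ("C:\\Browser\\Cache\\",),
                   "registry_write": ("HKCU\\Software\\Browser\\History",),
                   "process_start": ()}

def is_static(html: str) -> bool:
    """True when the page has no active content and needs no VM check."""
    return ACTIVE_CONTENT.search(html) is None

def fired_triggers(events: List[Event]) -> List[Event]:
    """VM events that are not expected browser behaviour."""
    return [(k, t) for k, t in events
            if not any(t.startswith(p) for p in BENIGN_PREFIXES.get(k, ()))]

def decide(cache: Dict[str, str], html: str, vm_events: List[Event]) -> str:
    """Proxy-side verdict: reuse cache, skip static pages, else trust the VM."""
    key = hashlib.sha256(html.encode()).hexdigest()
    if key in cache:                   # caching: same bytes, same verdict
        return cache[key]
    if is_static(html):                # static analysis: no VM needed
        verdict = "safe"
    else:                              # behaviour-based check in the VM
        verdict = "blocked" if fired_triggers(vm_events) else "safe"
    # Caveat from the slides: scripts that fetch different content on each
    # load are non-deterministic, so a cached "safe" verdict may not hold.
    cache[key] = verdict
    return verdict

def run_example() -> Tuple[str, str, str, str]:
    """Constructed pages and VM traces: static, benign-active, drive-by, cached."""
    cache: Dict[str, str] = {}
    static_page = "<html><body><p>Plain text only</p></body></html>"
    active_page = "<html><script>render()</script></html>"
    dropper_page = "<html><script>exploit()</script><p>x</p></html>"
    benign = [("file_write", "C:\\Browser\\Cache\\img.png"),
              ("registry_write", "HKCU\\Software\\Browser\\History\\v")]
    attack = benign + [("process_start", "C:\\Temp\\dropper.exe"),
                       ("file_write", "C:\\Windows\\bad.dll")]
    return (decide(cache, static_page, []), decide(cache, active_page, benign),
            decide(cache, dropper_page, attack), decide(cache, dropper_page, []))
```

The last call shows the cache returning the earlier "blocked" verdict without a new VM render, which is the saving the slides describe and also why non-deterministic pages remain an open issue.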
How fast is it, with all optimizations?
• 2,000 requests from 800 pages in 124 sites
  • Zipf popularity
• Optimizations work!
  • Start-to-render time only 600ms more than base
How effective is it?
• Gathered list of 100 drive-by attack pages
• It works great, in spite of non-determinism issues
Conclusions
• Spyproxy protects clients from malicious Web content
  • transparency: no client modifications needed
  • performant: adds 600ms to render start time
  • effective: contained 100% of attacks we examined
• Open issues
  • dealing with non-deterministic content
  • eliminating browser ambiguities