1 / 23

BLADE : An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

BLADE : An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. Long Lu 1 , Vinod Yegneswaran 2 , Phillip Porras 2 , Wenke Lee 1 1 Georgia Tech 2 SRI International Oct. 6th, 2010. Malware Propagation Facts. One common path: the Internet

toshi
Download Presentation

BLADE : An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections 17th ACM Conference on Computer and Communications Security Long Lu1, Vinod Yegneswaran2, Phillip Porras2, Wenke Lee1 1Georgia Tech 2SRI International Oct. 6th, 2010

  2. Malware Propagation Facts • One common path: the Internet • Two fundamental approaches: • Drive-by download Vs. Social engineering • Drive-by Download • most favored by today’s attackers • Counts for more than 60% malware infections [ISC09, Dasiant10, Google10] WWW 17th ACM Conference on Computer and Communications Security

  3. Drive-by Download • Definition: Drive-by Download - An attack in which the mere connection to a website results in the installation of a binary executable without the web-user’s authorization. • A click-then-infect scheme • Exploiting client-side vulnerabilities 17th ACM Conference on Computer and Communications Security

  4. Regular browsing & downloading 17th ACM Conference on Computer and Communications Security Browser automatically saves and renders supportedfile types (*.html, *.js, *.jpeg, etc.)

  5. Regular browsing & downloading 17th ACM Conference on Computer and Communications Security Content-Type: application/octet-stream; Browser asks for user consent before saving unsupportedfile types (*.exe, *.zip, *.dll, etc.)

  6. Drive-by download attack 17th ACM Conference on Computer and Communications Security Essential steps: Exploit Download Execute No user consent required!

  7. Observations Browsers handle • supported content automatically • unsupported contentbased on user’s permissions 17th ACM Conference on Computer and Communications Security • Golden Rule:Browsers should never automatically download and execute binary files without user consent. • All drive-by downloads inevitably break this rule. • No drive-by download will succeed if this rule holds.

  8. BLADE Approach • Goal: to eliminate drive-by malware infections • Approach: unconsented execution prevention • Exploit and vulnerability agnostic • Browser independent Essential steps: Exploit Download Execute 17th ACM Conference on Computer and Communications Security

  9. BLADE Design Assumptions Design choices BLADE is designed as a kernel driver; User intents are inferred from H/W and window events ; Consented download is correlated and verified; Unconsented download are contained in “SecureZone”. • Browsers may be fully compromised; • OS is trusted; • H/W is trusted. 17th ACM Conference on Computer and Communications Security

  10. BLADE Architecture Secure Zone User interaction BLADE Input Device Driver HW Evt Tracer 17th ACM Conference on Computer and Communications Security Supervisor Screen I/O Windowing Screen Parser FileSys View File I/O I/O Redirector Correlator Net I/O Transport Driver File System

  11. How it works – regular download • Locate consent button(s) • Parse correlation information • Monitor mouse and keyboard input • Redirect disk writes from browsers • Discover candidate and verify its origin • Map it to the regular file system 17th ACM Conference on Computer and Communications Security Screen Parser H/W Evt. Tracer I/O Redirector Correlator FileSys View FileSystem SecureZone

  12. How it works – drive-by download • Redirect disk writes from browsers • Alert when execution is attempted 17th ACM Conference on Computer and Communications Security I/O Redirector I/O Redirector FileSys View SecureZone

  13. Implementations • Screen Reader • Monitors certain windowing events • Parses internal composition of consent dialogues 17th ACM Conference on Computer and Communications Security

  14. Implementations • OS I/OMgr. • H/W Evt.Tracer • H/W Event Tracer • Resides above device drivers • Listens to IRPs • Input Driver 17th ACM Conference on Computer and Communications Security

  15. Implementations • I/O Redirector • Built as a file system mini-filter • Redirects file accesses • Provides a merged view • Correlator • Uses transport driver interface • Records streams coming from download sources • Content-base correlation and verification 17th ACM Conference on Computer and Communications Security

  16. Empirical Evaluation • An automated test bed • Harvest new real-world malicious URLs daily • VMs with various software configurations 17th ACM Conference on Computer and Communications Security

  17. Empirical Evaluation 17th ACM Conference on Computer and Communications Security

  18. Attack Coverage Evaluation • Using 19 specifically hand-crafted exploits • Covering all common exploiting techniques • Targeting at diverse vulnerabilities (11 zero-days) • BLADE prevented all 19 infection attempts 17th ACM Conference on Computer and Communications Security

  19. Security analysis • Potential ways to evade/attack BLADE 17th ACM Conference on Computer and Communications Security

  20. Benign Website Evaluation • Normal file downloads • Normal site-browsing 17th ACM Conference on Computer and Communications Security

  21. Performance Evaluation • Per-component test • End-to-end test • Worst case overhead – 3% • Negligible on average 17th ACM Conference on Computer and Communications Security

  22. Limitations • Social engineering attacks • In-memory execution of shellcode • Only effective against binary executables 17th ACM Conference on Computer and Communications Security

  23. Q&A 17th ACM Conference on Computer and Communications Security www.blade-defender.org

More Related