BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

Long Lu, Wenke Lee

College of Computing, Georgia Institute of Technology

Vinod Yegneswaran, Phillip Porras

SRI International

ACM CCS (Oct 2010)

A Presentation at Advanced Defense Lab

Outline
  • Introduction
  • Approach
  • Architecture
  • Evaluation
  • Security Analysis
  • Related Work
  • Conclusion

Advanced Defense Lab

Introduction
  • BLADE
    • BLock All Drive-by download Exploits
  • Why this solution?
    • The mere connection to a web server can result in the installation of malware on the client machine.
  • Design principle
    • Unconsented-content execution prevention.
    • Both attack and browser agnostic.

Introduction
  • Preventing unconsented-content execution
    • User-interaction tracking to collect user download authorizations.
    • Consent correlation to discern “transparent” downloads from those that involve direct user authorization.
    • Disk I/O redirection to contain the disk footprints of unconsented data written by supervised processes.
  • Implementation
    • IE and Firefox on Microsoft Windows platform.

Approach
  • Drive-By Exploits
    • Shellcode injection phase
      • Gaining temporary control of the browser
    • Shellcode execution phase
    • Covert binary install phase
      • Shellcode coerces the now-tainted browser into fetching a remote malware application from the Internet.

Approach
  • Assumption
    • The attacker has no persistent malware deployed on the target host in advance.
    • No rootkit from the adversary is installed on the system, i.e., the OS kernel is trusted.
    • Scenarios where attackers remotely exploit a kernel vulnerability via a browser are out of the scope of our model.
  • Target
    • Disrupting the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed.

Architecture
  • We define the download identity information as (URL,Path)
    • The Correlator matches a file f with a tuple (u,p) when f is saved at p with data content received from u.

Architecture – Screen Parser
  • Download authorization lifecycle
    • Triggered by the appearance of download consent dialogs
    • GetSaveFileName(…)
    • EVENT_SYSTEM_FOREGROUND
    • SetWinEventHook(…)
  • User space agent
    • Prefilters irrelevant windowing events.
    • Pipes the remaining events, which may represent a user consent dialog currently in focus, to the Screen Parser.

Architecture – Supervisor
  • Acts as the coordinator for carrying out all tasks of BLADE.
  • Assigns tasks to the other BLADE components and coordinates their execution in response to the different event notifications from the Screen Parser.
  • List of supervised processes: a process is supervised if
    • It is a newly created browser process.
    • A remote thread is created within it by a supervised process.
    • It is a newly created process spawned by a supervised process.
    • PsSetCreateProcessNotifyRoutine(…)

Architecture – Hardware Event Tracer
  • Once a download consent dialog is identified by the Screen Parser, the tracer interprets the user’s response.
    • Captures the user’s mouse clicks and keyboard strokes.
    • Looks for any mouse click whose on-screen coordinates fall in the areas of download consent dialogs.
    • Maintains some state information to make accurate decisions.
  • Users can express consent only by using the mouse (keyboard hooking is not implemented yet).

Architecture – Correlator
  • Establishes the 1-1 mapping between user download authorizations and downloaded files.
    • (URL, path)
  • Treats the browser as a black box: only the external behavior of the browser is visible to it.
  • Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).
  • Keeps a log of the inbound transport-level stream for each TCP session created by supervised processes.
  • The case where the content of a single file comes from multiple streams is not supported.

Architecture – I/O Redirector
  • Closure property
    • P = {p | p : any browser process}
    • F = {f | f : any file written by p, where p ∈ P}
    • Fauth = {fa | fa : any authorized browser download}
    • Fint = F – Fauth (given that Fauth ⊂ F always holds)
    • F’ = {f’ | f’ : any file opened by p’, where p’ ∈ P}
    • Observation: Fint ∩ F’ ≈ ∅, i.e., files written by browser processes without user authorization are almost never legitimately opened by browser processes.

Architecture – I/O Redirector
  • Policies of the secure zone (P1 ~ P6)
    • P1: Any new file created by a supervised process is redirected to the secure zone.
    • P2: Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.
    • P3: I/O redirection is transparent to supervised processes.
    • P4: I/O redirection only applies to supervised processes. Files in the secure zone can only be accessed via redirection.
    • P5: No execution is allowed for files in the secure zone.
    • P6: Any file correlated with a user download authorization is remapped to the filesystem.
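As an added example (not BLADE's own code, which is a Windows kernel driver), the following Python model walks the Correlator's (URL, path) matching and the six secure-zone policies (numbered in the order the slide lists them) through a drive-by scenario: a download the user consented to is remapped to the real filesystem, while an unconsented binary fetched by the exploited browser stays in the secure zone, cannot be executed, and is invisible to unsupervised processes. Process ids, paths, URLs and file contents are constructed; the `source_url` attached to each write stands in for the per-TCP-session stream log the real Correlator keeps.

```python
# Added example (not BLADE's own code): an in-memory model of the Correlator
# and the I/O Redirector's secure-zone policies P1-P6. Process ids, paths,
# URLs and file contents below are constructed for the demonstration.
from dataclasses import dataclass, field


@dataclass
class BladeModel:
    supervised: set = field(default_factory=set)      # pids under BLADE supervision
    fs: dict = field(default_factory=dict)            # real filesystem: path -> bytes
    zone: dict = field(default_factory=dict)          # secure zone: path -> bytes
    origin: dict = field(default_factory=dict)        # zone path -> URL the bytes came from
    authorizations: set = field(default_factory=set)  # (URL, path) from HET + Screen Parser
    alerts: list = field(default_factory=list)        # blocked execution attempts

    # --- Supervisor: which processes are supervised ---
    def supervise_browser(self, pid):
        self.supervised.add(pid)

    def spawn(self, parent, child):
        """A process spawned by (or injected with a remote thread from) a
        supervised process becomes supervised as well."""
        if parent in self.supervised:
            self.supervised.add(child)

    # --- Screen Parser + HET hand the Correlator a (URL, path) authorization ---
    def authorize(self, url, path):
        self.authorizations.add((url, path))

    # --- I/O Redirector ---
    def write(self, pid, path, data, source_url=None):
        if pid not in self.supervised:
            self.fs[path] = data              # P4: redirection applies to supervised processes only
            return "filesystem"
        # P1/P2: new files and modifications by supervised processes land in the
        # secure zone; an existing original is never touched (shadow copy).
        self.zone[path] = data
        if source_url is not None:
            self.origin[path] = source_url
        # Correlator: a file saved at p with content from u matches authorization (u, p).
        if (source_url, path) in self.authorizations:
            self.remap(path)                  # P6: consented download goes to the real filesystem
            return "filesystem"
        return "secure_zone"

    def remap(self, path):
        self.fs[path] = self.zone.pop(path)
        self.origin.pop(path, None)

    def read(self, pid, path):
        # P3: a supervised process transparently sees its own shadow copy first.
        if pid in self.supervised and path in self.zone:
            return self.zone[path]
        return self.fs.get(path)              # P4: everyone else sees only the real filesystem

    def execute(self, pid, path):
        if path in self.zone:                 # P5: nothing in the secure zone may execute
            self.alerts.append((pid, path, self.origin.get(path)))
            return False
        return path in self.fs


def drive_by_scenario():
    """Authorized download is remapped; an unconsented binary stays contained."""
    b = BladeModel()
    b.supervise_browser(100)
    b.fs["C:/Windows/hosts"] = b"127.0.0.1 localhost"

    # User clicks Save on a consent dialog: HET + Screen Parser record (URL, path).
    b.authorize("https://downloads.example.test/setup.exe", "C:/Downloads/setup.exe")
    b.write(100, "C:/Downloads/setup.exe", b"MZ...setup",
            source_url="https://downloads.example.test/setup.exe")

    # Exploited browser fetches a binary nobody consented to and spawns a child.
    b.write(100, "C:/Temp/update.exe", b"MZ...payload",
            source_url="http://evil.example.test/x")
    b.spawn(100, 200)
    # The tainted browser also tries to modify a system file.
    b.write(100, "C:/Windows/hosts", b"0.0.0.0 av-vendor.example.test")

    return {
        "setup_executable": b.execute(300, "C:/Downloads/setup.exe"),
        "payload_executable": b.execute(200, "C:/Temp/update.exe"),
        "payload_visible_to_others": b.read(300, "C:/Temp/update.exe"),
        "hosts_original": b.read(300, "C:/Windows/hosts"),
        "hosts_shadow": b.read(100, "C:/Windows/hosts"),
        "child_supervised": 200 in b.supervised,
        "alerts": len(b.alerts),
    }


if __name__ == "__main__":
    for key, value in drive_by_scenario().items():
        print(f"{key}: {value!r}")
```

The model keeps the closure-property argument visible: the only way out of the secure zone is `remap`, which fires solely on a Correlator match, so every file in `zone` is by construction a member of Fint and is denied execution regardless of which browser component was exploited.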

Architecture – I/O Redirector
  • P4~P6
  • FsRtlRegisterFileSystemFilterCallbacks
  • P1~P3

Evaluation - Effectiveness
  • Harvests malware URLs reported in the past 48 hours from WhiteHat.
  • Environment
    • VM running on lightly loaded PC
    • VM
      • Windows XP SP2
      • IE, Firefox
      • PDF reader, Flash player, JVM…
    • PC
      • 2.0 GHz single-core CPU
      • 512 MB RAM

Evaluation - Effectiveness
  • 3 key experiment outcomes
    • C1 : (T|F) URL test session caused a BLADE alert.
    • C2 : (T|F) URL test session attempted to load/execute a file from the secure zone.
    • C3 : (T|F) URL test session produced a file write outside the secure zone.
  • Evaluation Metrics
    • True Positive :=
    • False Negative :=
    • False Positive :=
    • True Negative :=

Evaluation - Effectiveness
  • Operational for 3 months
    • Visited 3,992 unique malicious URLs
      • http://www.blade-defender.org/eval-lab

Evaluation - Effectiveness
  • http://www.virustotal.com/

Evaluation - Effectiveness
  • Use disclosed zero-day exploits listed in Table 2.
  • BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.

Evaluation - Effectiveness
  • False Positive
    • The user’s authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted.
    • A legitimate browser download seeks to execute benign logic without the user’s consent, which represents a violation of our root assumption.
  • Downloaded 30 different software applications from 15 highly ranked freeware sites, with varying types (.exe, .zip, .msi etc.)
  • False Positive = 0 !!

Evaluation – Performance Overhead
  • Screen Parser
    • Even the worst-case matching time was not measurable (less than a millisecond).
  • I/O Redirector
    • Copy 3 files of varying sizes (1, 10, 100 MB) from one location to another within the same disk (each file was copied twice).
    • Revert to a clean VM snapshot before beginning each test.

Security Analysis
  • Attacks and Built-in Countermeasures
    • Spoofing attacks
      • Forged GUI or User response -> HET / Correlator
    • Download injection and process hijacking attacks
      • Creating a remote thread within an unsupervised process -> Supervisor
    • Coercing attacks
      • Coerce the OS to execute the malware directly from secure zone -> Impossible

Security Analysis - Limitations
  • Social engineering attacks where the user authorizes the download and installation of malicious binaries disguised as benign applications.
  • In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.

Related work
  • BotHunter and BotSniffer are based on post-infection network dialog, but do not prevent the execution of malware.
  • CloudAV’s attempt to block execution of malware is limited by its reliance on binary signatures.
  • Egele et al. and NOZZLE use static analysis of objects in the heap to detect heap-spraying attacks.
  • BLADE’s unconsented-content execution prevention is similar in concept to sandboxing, but better.

Conclusion
  • BLADE’s interception logic has demonstrated 100% effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.
