BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections PowerPoint PPT Presentation



BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

Long Lu, Wenke Lee

College of Computing, Georgia Institute of Technology

Vinod Yegneswaran, Phillip Porras

SRI International

ACM CCS (Oct 2010)

A Presentation at Advanced Defense Lab



Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion

Advanced Defense Lab



Introduction

  • BLADE

    • BLock All Drive-by download Exploits

  • Why this solution?

    • The mere connection to a web server can result in the installation of malware on the client machine.

  • Design principle

    • Unconsented-content execution prevention.

    • Both attack and browser agnostic.


Introduction

  • Preventing unconsented-content execution

    • User-interaction tracking to collect user download authorizations.

    • Consent correlation to distinguish “transparent” downloads from those that involve direct user authorization.

    • Disk I/O redirection to contain the disk footprints of unconsented data written through supervised processes.

  • Implementation

    • IE and Firefox on the Microsoft Windows platform.


Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Approach

  • Drive-By Exploits

    • Shellcode injection phase

      • Gaining temporary control of the browser

    • Shellcode execution phase

    • Covert binary install phase

      • Shellcode coerces the now tainted browser into fetching a remote malware application from the Internet.


Approach

  • Assumption

    • The attacker has no persistent malware deployed on the target host in advance.

    • No rootkit from the adversary is installed on the system, i.e., the OS kernel is trusted.

    • Scenarios where an attacker remotely exploits a kernel vulnerability via the browser are out of the scope of our model.

  • Target

    • Disrupting the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed.


Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Architecture

  • We define the download identity information as (URL, Path)

    • The Correlator matches a file f with a tuple (u,p) when f is saved at p with data content received from u.

Architecture (figure slide)

Architecture – Screen Parser

  • Download authorization lifecycle

    • Triggered by the appearance of download consent dialogs

    • GetSaveFileName(…)

    • EVENT_SYSTEM_FOREGROUND

    • SetWinEventHook(…)

  • User space agent

    • Prefilters irrelevant windowing events.

    • Pipes its output to the Screen Parser; the forwarded window may represent a user consent dialog currently in focus.


Architecture – Supervisor

  • Plays the role of coordinator for carrying out all tasks of BLADE.

  • Assigns tasks to the other BLADE components and coordinates their execution in response to the event notifications from the Screen Parser.

  • A process is added to the list of supervised processes when:

    • It is a newly created browser process.

    • A remote thread is created within the process by a supervised process.

    • It is a newly created process spawned by a supervised process.

    • Process-creation events are received via PsSetCreateProcessNotifyRoutine(…)


Architecture – Hardware Event Tracer

  • Once a download consent dialog is identified by the Screen Parser, interprets the user’s response.

    • Captures the user’s mouse clicks and keyboard strokes.

    • Looks for any mouse click whose on-screen coordinates fall in the area of a download consent dialog.

    • Maintains some state information to make accurate decisions.

  • Users can express consent only with the mouse (keyboard hooking is not implemented yet).


Architecture – Correlator

  • Establishes the 1-1 mapping between user download authorizations and downloaded files.

    • (URL, path)

  • Treats the browser as a black box: only the external behavior of the browser is visible to it.

  • The approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).

  • Keeps a log of the inbound transport-level stream for each TCP session created by supervised processes.

  • The case where the content of a single file comes from multiple streams is not supported.
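To make the Supervisor and Correlator slides concrete, here is an added Python model (written for this transcript, not BLADE's own code) of the two decisions they make: which processes join the supervised list, and whether a saved file matches an outstanding (URL, path) authorization. The browser image names, process ids, URLs and paths in the trace are constructed for illustration; the real Supervisor receives its process events through PsSetCreateProcessNotifyRoutine rather than the method calls used here.

```python
# Added example, not BLADE's own code: a Python model of the Supervisor's
# supervised-process rules and the Correlator's (URL, path) matching.
# Image names, process ids, URLs and paths below are constructed.
from dataclasses import dataclass, field

# Assumption: image names the Supervisor treats as "browser processes".
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe"}


@dataclass
class Supervisor:
    """Maintains the set of supervised process ids."""
    supervised: set = field(default_factory=set)

    def on_process_create(self, pid: int, image: str, parent_pid: int) -> bool:
        # Rule: a newly created browser process, or any process spawned by
        # a supervised process, becomes supervised.
        if image.lower() in BROWSER_IMAGES or parent_pid in self.supervised:
            self.supervised.add(pid)
        return pid in self.supervised

    def on_remote_thread(self, creator_pid: int, target_pid: int) -> bool:
        # Rule: a process that receives a remote thread from a supervised
        # process becomes supervised too (this is the process-hijacking case).
        if creator_pid in self.supervised:
            self.supervised.add(target_pid)
        return target_pid in self.supervised


class Correlator:
    """Establishes the 1-1 mapping between user download authorizations
    and files saved by supervised processes."""

    def __init__(self):
        self.pending = set()           # (url, path) tuples from consent dialogs
        self.authorized_files = set()  # paths that matched an authorization

    def authorize(self, url: str, path: str) -> None:
        # Produced when the user accepts a consent dialog for url, choosing path.
        self.pending.add((url, path))

    def on_file_saved(self, path: str, source_url: str) -> bool:
        # A file saved at path p with content received from u matches the
        # authorization (u, p); each authorization is consumed exactly once.
        key = (source_url, path)
        if key in self.pending:
            self.pending.remove(key)
            self.authorized_files.add(path)
            return True
        return False


def drive_by_scenario() -> dict:
    """Constructed trace: one consented download and one unconsented save."""
    sup = Supervisor()
    cor = Correlator()
    sup.on_process_create(100, "firefox.exe", parent_pid=1)   # browser starts
    sup.on_process_create(200, "cmd.exe", parent_pid=100)     # child of the browser
    sup.on_remote_thread(creator_pid=100, target_pid=300)     # thread injected by the browser
    sup.on_process_create(400, "notepad.exe", parent_pid=1)   # unrelated user process

    cor.authorize("https://example.org/tool.zip", r"C:\Users\u\Downloads\tool.zip")
    consented = cor.on_file_saved(r"C:\Users\u\Downloads\tool.zip",
                                  "https://example.org/tool.zip")
    # A covert binary install has no matching authorization tuple.
    covert = cor.on_file_saved(r"C:\Windows\Temp\dropper.exe",
                               "http://malware.example/dropper.exe")
    # A second save of the same tuple cannot reuse the consumed authorization.
    replay = cor.on_file_saved(r"C:\Users\u\Downloads\tool.zip",
                               "https://example.org/tool.zip")
    return {
        "supervised": sorted(sup.supervised),
        "consented": consented,
        "covert": covert,
        "replay": replay,
    }


if __name__ == "__main__":
    print(drive_by_scenario())
```

The consumed-once rule in `on_file_saved` is what makes the mapping 1-1: a single click on "Save" can legitimize exactly one file at exactly one path, so a second write claiming the same (URL, path) stays unconsented.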


Architecture– I/O Redirector

  • Closure property

    • P = {p | p : any browser process}

    • F = {f | f : any file written by p, where p ∈ P}

    • Fauth = {fa | fa : any authorized browser download}

    • Fint = F − Fauth (given that Fauth ⊂ F is always true)

    • F′ = {f′ | f′ : any file opened by p′, where p′ ∈ P}

    • Observation: Fint ∩ F′ ≈ ∅.


Architecture – I/O Redirector

  • Policies of the secure zone (P1 ~ P6)

    • P1: Any new file created by a supervised process is redirected to the secure zone.

    • P2: Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.

    • P3: I/O redirection is transparent to supervised processes.

    • P4: I/O redirection only applies to supervised processes; files in the secure zone can only be accessed via redirection.

    • P5: No execution is allowed for files in the secure zone.

    • P6: Any file correlated with a user download authorization is remapped to the filesystem.



Architecture – I/O Redirector (figure slide)

  • Figure labels: P4~P6, FsRtlRegisterFileSystemFilterCallbacks, P1~P3


Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Evaluation - Effectiveness

  • Harvests malware URLs reported in the past 48 hours from WhiteHat.

  • Environment

    • VM running on a lightly loaded PC

    • VM

      • Windows XP SP2

      • IE, Firefox

      • PDF reader, Flash player, JVM…

    • PC

      • 2.0 GHz single-core CPU

      • 512 MB RAM


Evaluation - Effectiveness

  • Three key experiment outcomes

    • C1 (T|F): the URL test session caused a BLADE alert.

    • C2 (T|F): the URL test session attempted to load/execute a file from the secure zone.

    • C3 (T|F): the URL test session produced a file write outside the secure zone.

  • Evaluation Metrics

    • True Positive :=

    • False Negative :=

    • False Positive:=

    • True Negative:=


Evaluation - Effectiveness

  • Operational for 3 months

    • Visited 3,992 unique malicious URLs

      • http://www.blade-defender.org/eval-lab


Evaluation - Effectiveness

  • http://www.virustotal.com/


Evaluation - Effectiveness

  • Uses the disclosed zero-day exploits listed in Table 2.

  • BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.


Evaluation - Effectiveness

  • False positives can arise when:

    • The user’s authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted.

    • A legitimate browser download seeks to execute benign logic without the user’s consent, which violates our root assumption.

  • Downloaded 30 different software applications from 15 highly ranked freeware sites, of varying types (.exe, .zip, .msi, etc.)

  • False positives = 0 !!


Evaluation – Performance Overhead

  • Screen Parser

    • Even the worst-case matching time was not measurable (less than a millisecond).

  • I/O Redirector

    • Copied 3 files of varying sizes (1, 10, 100 MB) from one location to another on the same disk (each file was copied twice).

    • Reverted to a clean VM snapshot before beginning each test.

Evaluation – Performance Overhead (figure slides)

Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Security Analysis

  • Attacks and built-in countermeasures

    • Spoofing attacks

      • Forged GUI or user response -> handled by the HET / Correlator

    • Download injection and process hijacking attacks

      • Creating a remote thread within an unsupervised process -> handled by the Supervisor

    • Coercing attacks

      • Coercing the OS to execute the malware directly from the secure zone -> impossible


Security Analysis - Limitations

  • Social engineering attacks where the user authorizes the download and installation of malicious binaries disguised as benign applications.

  • In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.


Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Related work

  • BotHunter and BotSniffer are based on post-infection network dialog, but do not prevent the execution of malware.

  • CloudAV attempts to block the execution of malware, but is limited by its reliance on binary signatures.

  • Egele et al. and NOZZLE use static analysis of objects in the heap to detect heap-spraying attacks.

  • BLADE’s unconsented-content execution prevention is a concept similar to sandboxing, but better.


Outline

  • Introduction

  • Approach

  • Architecture

  • Evaluation

  • Security Analysis

  • Related Work

  • Conclusion


Conclusion

  • BLADE’s interception logic has demonstrated 100% effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.
