
IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM

Mario Heiderich, Tilman Frosch, Thorsten Holz

Ruhr-University Bochum, Germany

14th RAID Symposium (September, 2011)



Outline

  • Introduction

  • Related Work

  • Design Overview

  • System Implementation

  • Evaluation

  • Limitations

A Seminar at Advanced Defense Lab



Introduction

  • There are many different kinds of threats and attack vectors against current browsers.

    • Drive-by-Download attacks

    • Cross-Site Scripting (XSS)

    • Clickjacking


A Reason

  • The root cause of this problem is the fact that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.


In This Paper

  • We introduce IceShield, a novel approach to perform light-weight instrumentation of JavaScript, detecting a diverse set of attacks against the DOM tree.


Related Work


Design Overview

  • We assume that almost every JavaScript based attack will have to use native methods at some point in order to prepare necessary data structures.

    • Heap spray

    • JIT spray


Challenge

  • An attacker can render useless any signature-based malware detection that lacks advanced de-obfuscation routines.


Basic Idea

  • We do not rely on any form of static code analysis.

  • We instrument objects and functions dynamically, providing an execution context in which we can analyze their behavior.


System Implementation

  • Our heuristics are based on a manual analysis of current attacks, and we tried to generalize the heuristics such that they are capable of detecting a wide variety of attacks.


Current Heuristics

  • External domain injection

    • <embed>, <iframe>, <script>, …

  • Dangerous MIME type injection

  • Suspicious Unicode characters

    • %u0c0c

  • Suspicious decoding result


Current Heuristics (cont.)

  • Overlong decoding results

    • 4096 characters

  • Dangerous element creation

    • <iframe>, <script>, …

  • URI/CLSID pattern in attribute setter

  • Dangerous tag injection via the innerHTML property


Dynamic Instrumentation

  • We overwrite and wrap the native JavaScript methods in a context that allows us to inspect them dynamically.

  • IceShield uses the ECMAScript 5 feature Object.defineProperty() to implement the instrumentation in a robust way.


Tamper Resistant

  • The most relevant property descriptor attribute for IceShield is configurable: setting it to false freezes the property state.

  • All modern user agents such as Firefox 4, Chrome 6-10, and Internet Explorer 9 support object freezing.


Scoring Metric

  • Linear Discriminant Analysis (LDA)[link]


User Protection

  • To avoid interference with the user experience, we null the payload of the possible exploit, which mitigates the danger to the user, but in most cases has no visible impact.
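The wrapping, freezing and payload nulling described on the Current Heuristics, Dynamic Instrumentation, Tamper Resistant and User Protection slides, as an added example that is not IceShield's own code: it runs under Node.js against fakeDocument, a constructed stand-in for the browser's document object, and wraps the global unescape as the decoder to inspect.

```javascript
const DANGEROUS_TAGS = new Set(["iframe", "script", "embed", "object"]);
const MAX_DECODED = 4096;          // "overlong decoding results" threshold from the slides
const SUSPICIOUS_CHAR = "\u0c0c";  // the %u0c0c filler named on the heuristics slide

// Constructed stand-ins so the example runs outside a browser.
const fakeDocument = {
  createElement(tag) { return { tagName: String(tag).toLowerCase(), children: [] }; },
};
const decoders = { unescape: globalThis.unescape };
const alerts = [];  // flagged calls; a scoring metric such as LDA would consume these

// Replace target[name] with a wrapper whose descriptor is frozen: with configurable:false
// a later defineProperty or delete on that name fails, so the hook cannot be removed.
function instrument(target, name, heuristic) {
  const original = target[name];
  Object.defineProperty(target, name, {
    value(...args) {
      let result, ran = false;  // run the native method at most once, and only if needed
      const run = () => (ran ? result : (ran = true, result = original.apply(this, args)));
      const reason = heuristic(args, run);
      if (reason) {
        alerts.push({ method: name, reason });
        return null;  // nulled payload: the caller gets nothing usable back
      }
      return run();
    },
    writable: false, configurable: false, enumerable: false,
  });
}

// "Dangerous element creation" is decided from the arguments alone.
instrument(fakeDocument, "createElement", (args) =>
  DANGEROUS_TAGS.has(String(args[0]).toLowerCase()) ? "dangerous element creation" : "");

// "Overlong decoding result" and "suspicious Unicode characters" need the decoded output.
instrument(decoders, "unescape", (args, run) => {
  const out = run();
  if (out.length > MAX_DECODED) return "overlong decoding result";
  if (out.includes(SUSPICIOUS_CHAR)) return "suspicious unicode characters";
  return "";
});

// Try to replace or delete the hook the way a tampering script would, and report
// whether the wrapper is still in place afterwards.
function hookSurvivesTampering(target, name) {
  const before = target[name];
  try { Object.defineProperty(target, name, { value: () => "replaced" }); } catch (e) { /* expected */ }
  try { delete target[name]; } catch (e) { /* expected under strict mode */ }
  return target[name] === before;
}
```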


Some Limitations

  • New window context

    • <iframe> pointing to a JavaScript URI

      • <iframe src="javascript:evil()">

    • Data URI

      • <object data="data:x,%3cscript>evil()%3c/script>">

    • <a> and target=_blank

    • <meta> redirection


The Solution

  • The solution to the problems discussed above can be found in scanning and analyzing the website's markup during parsing of the DOM tree.


Browser Extensions

  • We implement:

    • Extension for Gecko-based browsers

    • BHO for Internet Explorer

    • Greasemonkey[link] user script


Evaluation

  • Known-good dataset

    • Top 61,554 websites from Alexa ranking

    • Checked against the malwaredomainlist.com (MDL)[link] block-list

  • Known-bad dataset

    • 81 URLs selected from MDL

    • All URLs point to exploit kits


Environment

  • High-end workstation

    • Intel Core i7-870 and 8GB RAM

    • Ubuntu 10.04 and Firefox 3.6.8

  • Mid-range system

    • ASUS EeePC 1000H

    • Intel Atom N270 and 1 GB RAM

    • Ubuntu 10 and Firefox 3.6.12

  • Low-end device

    • Nokia n900

    • 600 MHz ARMv7 Cortex-A8 and 256 MB RAM

    • Maemo and Firefox 3.5 Maemo Browser 1.5.6 RX-51


Machine Learning

  • Training set

    • Top 50 sites from Alexa ranking

    • 30 sites from known-bad dataset

  • Testing set

    • 61,504 sites from known-good dataset

    • 51 sites from known-bad dataset


Classification Result


False Positive Analysis

  • To protect the user, IceShield does not need to block access to a site that triggers an alert.

  • We can strip malicious data from the site, and thus mitigate the attack.


False Positive Analysis

  • We manually evaluated a 10% sample set (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable.

    • Not noticeable: 82.9%

    • Partially usable: 9.6%

    • Unusable: 7.5%


Performance

  • 2 ms to 760 ms, average 11.6 ms

    • 99.5% of sites take less than 25 ms

    • Average overhead 6.27%


Performance (cont.)


Limitations

  • An attacker who deploys a malicious PDF, Java applet, or Flash file without using any native DOM methods is not detected.

  • The lack of heuristic coverage on ActiveX based attacks

  • The lack of tamper resistance support for older user agents.


Thank You

Any Question?


The Flexible JavaScript

  • !''

    • "true"

  • [!{}]

    • "false"

  • {}

    • an object

  • !''+[!{}]+{}

    • "truefalse[object Object]"


Now we can understand…

  • _ =[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$],_()[_$+$_+$$+__+$](-~$)
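One way to read the line above without executing it, as an added example that is not part of the slides: resolve the destructuring pattern against the coerced string derived on the previous slide and spell out the two property names statically.

```javascript
// The character pool the previous slide derives by coercion: "truefalse[object Object]".
const POOL = !'' + [!{}] + {};

// The pattern [$,__,,$$,,_$,$_,_$_,,,$_$] from the slide: position i of the pool is
// bound to the identifier at index i; null marks an elided slot (the ",," holes).
const PATTERN = ["$", "__", null, "$$", null, "_$", "$_", "_$_", null, null, "$_$"];

// Map each bound identifier to the single character it receives from the pool.
function resolveNames(pattern, pool) {
  const names = {};
  pattern.forEach((name, i) => { if (name !== null) names[name] = pool[i]; });
  return names;
}

// Spell a concatenation such as "_$_+$_$+__+$" using the resolved letters.
function spell(expr, names) {
  return expr.split("+").map((t) => names[t.trim()]).join("");
}

// Walk the slide's line: the first lookup indexes the one-element array [pool] and
// yields an Array method; calling it unbound makes it return the global object in
// sloppy mode, on which the second lookup is read. The argument -~$ is 1, because
// ~ applied to a non-numeric string gives ~NaN === -1.
function decodeSlideLine() {
  const names = resolveNames(PATTERN, POOL);
  return {
    pool: POOL,
    firstLookup: spell("_$_+$_$+__+$", names),
    secondLookup: spell("_$+$_+$$+__+$", names),
    argument: -~names.$,
  };
}
```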


Some Link

  • jjencode[link]

  • aaencode[link]

  • JSF*ck[link]


JIT Spraying

  • Because IE 8 includes DEP

  • Some exploits may not use heap spray

  • Dion Blazakis proposed JIT spraying at BlackHat DC 2010

    • INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING

    • Generate executable code at runtime


JIT Compilation

  • var y = (0x3c54d0d9 ^0x3c909058 ^0x3c59f46a ^0x3c90c801 ^0x3c9030d9 ^0x3c53535b ^...
