
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. Authors: Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda. Presenter: Chia-Li Lin.


Presentation Transcript


  1. Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks Authors: Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda Presenter: Chia-Li Lin

  2. References • M. Egele, E. Kirda, and C. Kruegel. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference, DIMVA 2009 (to appear), 2009.

  3. Outline • Introduction • Automatically Detecting Drive-by Attacks • Modified Firefox browser • False Positive and Effectiveness • Conclusion

  4. Introduction • Drive-by download attacks are among the most common methods for spreading malware today • They typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode • The paper proposes a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode

  5. Contribution • Uses emulation to automatically identify shellcode-based drive-by download attacks in a browser • The detection is integrated into the Mozilla Firefox browser • The system was evaluated on more than one thousand malicious and several thousand benign sites, with no false positives

  6. Vulnerability • Most current drive-by downloads target browser plug-ins that are developed and distributed by third parties • buffer overflows • memory corruption • pointer overwrites

  7. JavaScript Basics • JavaScript is typically used to assign the binary representation of shellcode to a variable that is stored in the address space of the browser

  8. Tracking String Allocations • To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates • global string variables • local string variables • strings that are properties (members) of objects • The code that we added simply keeps track of the start address of a string variable and its length

  9. Checking Strings: libemu • libemu is a small library written in C that offers basic x86 emulation and shellcode detection. It is used in: • Nepenthes • Honeytrap • For each starting position, it checks whether there is a sequence of valid instructions of sufficient length • 32 bytes is the minimal length

  10. libemu • libemu is a small library written in C. Using libemu one can: • detect shellcode • execute the shellcode • profile shellcode behaviour

  11. Modified Firefox browser • Simulating ActiveX components • dummy objects answer instantiation requests for ActiveX components • Modifying the parser • the JScript parser is more tolerant regarding semicolons than SpiderMonkey • Batch processing of time-outs • all delays of setTimeout calls are replaced with a delay of 50 ms

  12. ActiveX components

  13. Performance Optimizations • First, one can reduce the total number of invocations of the emulation engine • Second, one can reduce the amount of data that the emulator needs to inspect • string a consists of the concatenation of strings x and y • can skip the analysis (emulation) of x and y when a was already scanned and found to be clean
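The bookkeeping from slides 8, 9 and 13 (track every allocated string, skip strings too short to hold 32 bytes of shellcode, and skip x and y once a = x + y has been emulated and found clean), as an added illustration that is not the paper's Firefox patch. The libemu call is replaced by a constructed stand-in heuristic (a long run of one byte value) purely so that the block runs offline; the real system decodes x86 instructions instead.

```python
MIN_SHELLCODE_LEN = 32  # slide 9: libemu needs >= 32 bytes of valid x86 code

def stand_in_scan(data: bytes) -> bool:
    """Constructed stand-in for libemu: flag a run of >= 32 equal bytes.
    The real system emulates x86 instructions; this only keeps the demo offline."""
    run, prev = 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= MIN_SHELLCODE_LEN:
            return True
    return False

class StringTracker:
    """Slide 8: record (start address, length) of every allocated string;
    scan on demand, skipping scans the slide 13 optimizations make redundant."""
    def __init__(self, scan=stand_in_scan):
        self.scan = scan
        self.strings = {}   # start address -> length
        self.clean = []     # strings already emulated and found clean
        self.scans = 0      # emulator invocations, the cost being minimized

    def allocate(self, addr: int, data: bytes) -> None:
        self.strings[addr] = len(data)

    def check(self, data: bytes) -> bool:
        """True if the string is flagged as shellcode."""
        if len(data) < MIN_SHELLCODE_LEN:           # too short to hold shellcode
            return False
        if any(data in big for big in self.clean):  # a = x + y already clean,
            return False                            # so x and y are clean too
        self.scans += 1
        if self.scan(data):
            return True
        self.clean.append(data)
        return False

def demo() -> tuple:
    """Constructed trace: benign x, y, a = x + y, then a sled-like string."""
    t = StringTracker()
    x, y = bytes(range(0x20, 0x48)), bytes(range(0x48, 0x70))  # 40 bytes each
    a = x + y
    for i, s in enumerate((x, y, a)):
        t.allocate(0x10000 + i * 0x100, s)   # constructed heap addresses
    hit_a = t.check(a)                        # one emulation covers x and y
    hit_xy = t.check(x) or t.check(y)         # both skipped via the clean cache
    sled = b"\x90" * 40                       # constructed sled-like string
    t.allocate(0x20000, sled)
    return hit_a, hit_xy, t.check(sled), t.scans
```

Running `demo()` shows two emulator invocations for four checks: the concatenated string is scanned once, its two halves are skipped, and only the sled-like string is flagged.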

  14. Performance • Test machine: Intel Core 2 Duo processor at 2.66 GHz with 4 GB of main memory, connected via ADSL with a bandwidth of 1 MBit/s • The 150 most popular web sites from Alexa were chosen

  15. False Positive Evaluation • Visited 4,502 well-known benign pages from Alexa • Moved to the next URL • two seconds after the page finished loading, or • ten seconds after page loading started • The system did not produce any false positives

  16. Detection Effectiveness [1/2] • Evaluated the system on the traces of 1,187 web browsing sessions that are known to contain drive-by attacks • The list of such URLs came from Spamcop and from the spam trap of a security company

  17. Detection Effectiveness [2/2] • To filter those URLs that actually host drive-by attacks, the authors used the Capture Honeypot Client (HPC) • To extract application-level data from the network traces, they used “Chaosreader”; 11,910 URLs (files) were associated with the 1,187 traces • Running the detection system on the resources associated with the 1,187 traces detected 956 instances of shellcode

  18. Causes of failure • Manual analysis revealed four main causes that result in the prototype failing to detect a threat • attacks that do not make use of memory exploits • attacks that use Visual Basic (VB) script code • malicious code distributed over several scripts • .cab archive files

  19. Conclusions • The system is integrated into the web browser, where it monitors JavaScript code that is downloaded and executed • The evaluation verified the capability of the approach to detect real-world drive-by download attacks • The evaluation shows that the approach is feasible in practice

  20. Supported • This work has been supported by the Austrian Science Foundation (FWF) under grant P18764, SECoverer FIT-IT Trust in IT-Systems 2. Call, Austria, Secure Business Austria (SBA), and the WOMBAT and FORWARD projects funded by the European Commission in the 7th Framework.

  21. Questions
