
SpyProxy: On-the-fly Protection From Malicious Web Content

Alex Moshchuk, Tanya Bragin, Damien Deville, Steve Gribble, Hank Levy. Department of Computer Science and Engineering, University of Washington, Seattle, WA.



Presentation Transcript


  1. SpyProxy: On-the-fly Protection From Malicious Web Content
     Alex Moshchuk, Tanya Bragin, Damien Deville, Steve Gribble, Hank Levy
     Department of Computer Science and Engineering, University of Washington, Seattle, WA

  2. Web Content Today
     • Users are increasingly relying on the Web
       • to access data, download software, use services
     • Web content is increasingly active
     • Attackers are going where the users are
       • drive-by downloads that exploit browser flaws
       • 1 in 200 high-traffic sites use exploits to install spyware

  3. Browser Exploit in Action

  4. SpyProxy
     • An on-the-fly Web defense system that protects clients from malicious Web pages
     • High-level goals:
       • Safety: prevent bad content from reaching users
       • Transparency: users don’t need to change anything
       • Responsiveness: users don’t perceive overhead

  5. Our approach
     • A Web proxy renders content in a virtual machine before passing to client
     • In the VM, event triggers detect suspicious activity
       • new processes, suspicious files, registry modifications
       • effective at detecting drive-by-download attacks
       • no false negatives
       • works for unknown exploits
     [Diagram; labels: SpyProxy, Web, VM]

  6. Naïve architecture [diagram; labels: client browser, spyproxy, proxy front end, Squid web cache, VM worker, Web, URL, root page]

  7. Naïve architecture [diagram, continued; same component labels]

  8. Naïve architecture [diagram, continued; same component labels, plus: safe]

  9. Pros and Cons
     • Advantages
       • identify and block attacks before they arrive at victim
       • behavior-based analysis can detect unknown threats
       • fine-grained, real-time protection
     • Hard questions
       • differences between proxy and client?
       • when has the page finished loading?
       • what about non-determinism?
       • performance?

  10. Solving performance problems
     • Full page must render in VM before any content flows to client
       • but, users are affected most by render start time
       • naïve spyproxy adds the full VM render time to this
     • Optimizations:
       • Prefetching
       • Staged release
       • Caching
       • Static analysis
     [Slide annotations: Pipelining, overlapping transfers; Eliminating unnecessary work]

  11. How fast is it, with all optimizations?
     • 2,000 requests from 800 pages in 124 sites
       • Zipf popularity
     • Optimizations work!
       • Start-to-render time only 600ms more than base

  12. How effective is it?
     • Gathered list of 100 drive-by attack pages
     • It works great, in spite of non-determinism issues

  13. Conclusions
     • Spyproxy protects clients from malicious Web content
       • transparency: no client modifications needed
       • performant: adds 600ms to render start time
       • effective: contained 100% of attacks we examined
     • Open issues
       • dealing with non-deterministic content
       • eliminating browser ambiguities
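
The trigger check from slide 5 and the release decision of the naïve architecture (slides 6 to 8), sketched as an added example; this is not SpyProxy's own code. The event format, the baseline values, the sample events and all function names are assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass

# Assumed baseline for a clean render (hypothetical values, not from the slides).
BROWSER_PROCESSES = {"iexplore.exe"}
ALLOWED_WRITE_PREFIXES = ("c:\\users\\vm\\appdata\\local\\temp\\browsercache\\",)

@dataclass(frozen=True)
class Event:
    kind: str     # "process_create", "file_write" or "registry_set"
    subject: str  # image name, file path or registry key

def fired_triggers(events):
    """Return (trigger, subject) for every VM event outside the baseline."""
    fired = []
    for ev in events:
        if ev.kind == "process_create":
            if ev.subject.lower() not in BROWSER_PROCESSES:
                fired.append(("new_process", ev.subject))
        elif ev.kind == "file_write":
            # Normalise first so "cache\..\.." cannot pass the prefix check.
            path = ntpath.normpath(ev.subject).lower()
            if not path.startswith(ALLOWED_WRITE_PREFIXES):
                fired.append(("suspicious_file", ev.subject))
        elif ev.kind == "registry_set":
            # Assumption: any registry write during a render fires the trigger.
            fired.append(("registry_modification", ev.subject))
        else:
            # Fail closed on event kinds the monitor does not understand.
            fired.append(("unknown_event", ev.subject))
    return fired

def proxy_decision(url, events):
    """Naive architecture: release the page only if no trigger fired."""
    fired = fired_triggers(events)
    return {"url": url, "verdict": "block" if fired else "release", "triggers": fired}

# Constructed sample event streams for two renders.
CLEAN_RENDER = [
    Event("process_create", "iexplore.exe"),
    Event("file_write", r"C:\Users\vm\AppData\Local\Temp\BrowserCache\logo.png"),
]
FLAGGED_RENDER = CLEAN_RENDER + [
    Event("file_write", r"C:\Users\vm\AppData\Local\Temp\BrowserCache\..\..\a.exe"),
    Event("process_create", "a.exe"),
    Event("registry_set", r"HKCU\Software\ExampleVendor\Setting"),
]

if __name__ == "__main__":
    for name, ev in (("clean", CLEAN_RENDER), ("flagged", FLAGGED_RENDER)):
        print(name, proxy_decision("http://example.test/", ev))
```

Because the verdict depends only on behaviour observed in the VM and not on a signature, the same check covers exploits that have not been seen before, which is the property slide 5 claims.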
