webshield enabling various web defense techniques without client side modifications n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
WebShield : Enabling Various Web Defense Techniques without Client Side Modifications PowerPoint Presentation
Download Presentation
WebShield : Enabling Various Web Defense Techniques without Client Side Modifications

Loading in 2 Seconds...

play fullscreen
1 / 25

WebShield : Enabling Various Web Defense Techniques without Client Side Modifications - PowerPoint PPT Presentation


  • 112 Views
  • Uploaded on

WebShield : Enabling Various Web Defense Techniques without Client Side Modifications. Zhichun Li , Tang Yi , Yinzhi Cao , Vaibhav Rastogi , Yan Chen , Bin Liu , and Clint Sbisa NEC Laboratories America, Inc. Northwestern University Tsinghua University.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'WebShield : Enabling Various Web Defense Techniques without Client Side Modifications' - elmo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
webshield enabling various web defense techniques without client side modifications

WebShield: Enabling Various Web Defense Techniques without Client Side Modifications

Zhichun Li, Tang Yi, Yinzhi Cao, VaibhavRastogi, Yan Chen, Bin Liu,and Clint Sbisa

NEC Laboratories America, Inc.

Northwestern University

Tsinghua University

web has become a primary target
Web Has Become a Primary Target

Drive by Download

Cross site scripting

Cross Site Request Forgery

Cross-Origin JavaScript Capability Leaks

2

desire a general middlebox
Desire a General Middlebox
  • Existing web defense techniques need browser/client modification
  • Advocate middlebox approaches

Existing Web Defense Approaches

Client modification

Slow adoption

3

general design principles for middlebox
General Design Principles for Middlebox
  • Principles
    • Principle I: general middlebox should enable various protection mechanisms
    • Principle II: avoid client-side deployment
    • Principle III: containment of untrusted script execution
    • Principle IV: should not sacrifice user experience

4

existing middlebox approaches
Existing Middlebox Approaches
  • BrowserShield
    • Code rewriting: rewrite HTML and JavaScript code with policy checking wrappers
    • Only applies to known browser vulnerabilities
    • Hard to be extended to support other defense mechanisms
  • SpyProxy
    • Actively execute the web pages in a proxy sandbox
    • Applies to both known and unknown vulnerabilities
    • But only detect deterministic exploits

5

evade existing approaches
Evade Existing Approaches

functionattackX() {

// exploit an unknown vulnerability,

// so BrowserShield cannot be applied

...

}

varattackcalled=false;

functionloadAttack() {

var el=document.getElementById("Evil");

// use user events to bypass SpyProxy

el.addEventListener("mouseover",

checkMouse,false);

}

functioncheckMouse() {

if (! attackcalled) {

attackcalled=true;

window.setTimeout(attackX,0);

}

}

Very Easy to Implement

Trigger the attack through mouse events

6

outline
Outline
  • Our Design
  • Implementation
  • Evaluation
  • Conclusion

7

our design
Our Design

Client Browser

HTML Parser

Java-Script Engine

CSS Parser

DOM

Render Engine

User Interface

8

our design1
Our Design

Client Browser

HTML Parser

Java-Script Engine

CSS Parser

DOM

Render Engine

User Interface

9

our design2
Our Design

Client Browser

HTML Parser

Java-Script Engine

CSS Parser

DOM

Render Engine

User Interface

10

our design3
Our Design

HTML Parser

Java-Script Engine

CSS Parser

DOM

DOM

Render Engine

User Interface

11

our design4
Our Design

Proxy sandbox

Sync visual effects through encoded DOM updates

JavaScriptRender Agent

HTML Parser

Java-Script Engine

CSS Parser

DOM

DOM

DOM Encoder

Render Engine

Browser Controller

User Interface

Detection Engine

Web Proxy

12

initial page render
Initial Page Render

URI Request

web

Client Browser

Web Proxy

Transformed Resp

HTML Resp

Shadow Browser

Render Agent

<!—eyJkYXRhIjp7fSwidHlwZSI6InN0eWxlU2h4iOltdfQ==--> <script id="DOM1"> __dp.apply("DOM1“) </script>

13

dynamic html interaction support
Dynamic HTML Interaction Support
  • Latency added
    • Communication delay
    • DOM update delay
  • DOM tree update location
    • Element ID
    • Location vector starting from the root of the tree

web

input

wrap as JS events

Web Proxy

Client Browser

DOM visual updates

Shadow Browser

14

implementation
Implementation
  • Use Webkit to implement Shadow browser
  • Current sandbox based on SELinux
  • Session manager in Python

15

outline1
Outline
  • Our Design
  • Implementation
  • Evaluation
  • Conclusion

16

evaluation
Evaluation
  • Environment Setup
    • Web Proxy: 2.5GHz Intel Xeon server
    • Web Browser on Core2 2.66GHz
  • Evaluation Metrics
    • Compatibility
    • Performance (user transparency)
      • Latency
      • Memory
      • Communication overhead
    • Drive-by-download detect demonstration

17

evaluation1
Evaluation
  • Compatibility
    • 91 out of Alexa top 100 web sites
    • 19 out of Alexa top 20 web sites
    • Reasons for not compatible websites
      • Not supported features
      • Stability of the prototype

18

latency overhead
Latency Overhead
  • Initial page rendering
    • Evaluate Alexa top 100 sites
    • Render start: median +134ms, 90th percentile +1.08 sec
    • Render end: median +382 ms, 90th percentile +2.46 sec

Chrome render start and end time

19

latency overhead1
Latency Overhead
  • Interactive Performance for Dynamic HTML
    • Microbenchmarks
    • Test on a real JavaScript game: JavaScript Game – connect 4

20

memory and communication overhead
Memory and Communication Overhead
  • Memory overhead
  • Communication overhead

21

usefulness demonstration
Usefulness Demonstration
  • Drive-by-download detection
    • Implement both policy-based and behavior-based detection
      • Policy-based: check the parameters of JavaScript API calls and the parsing process
      • Behavior-based: check a list of abnormal behaviors similar to SpyProxy
    • Evaluate eight vulnerabilities with Alexa top 500 web sites.

22

conclusion
Conclusion
  • We design, implement and evaluate WebShield
    • A general middleboxthat enables various web defense mechanisms
    • Run JavaScript inside the middlebox, and thus reduce the attack surface
    • No client modification
    • Small overhead for latency, communication and memory  remain good user experience

23

advertisement
Advertisement
  • Positions available for system people (OS, Network, and Security) in NEC Research Labs
    • Full-time
    • Interns