Upload
shonda-owen
View
213
Download
2
Embed Size (px)
Citation preview
IceShield: Detection and Mitigation of Malicious
Websites with a Frozen DOMMario Heiderich, Tilman Frosch, Thorsten
HolzRuhr-University Bochum, Germany
14th RAID Symposium (September, 2011)
A Seminar at Advanced Defense Lab 2
Outline
Introduction Related Work Design Overview System Implementation Evaluation Limitations
2011/7/19
A Seminar at Advanced Defense Lab 3
Introduction
There are many different kinds of threats and attack vectors against current browsers.› Drive-by-Download attacks› Cross-Site Scripting (XSS)› Clickjacking
2011/7/19
A Seminar at Advanced Defense Lab 4
A Reason
The root cause of this problem is the fact that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.
2011/7/19
A Seminar at Advanced Defense Lab 5
In This Paper
We introduce IceShield, a novel approach to perform light-weight instrumentation of JavaScript, detecting a diverse set of attacks against the DOM tree.
2011/7/19
A Seminar at Advanced Defense Lab 6
Related Work
Offline Online
Machine Learning
Auto-Selected Features Cujo, Zozzle
Manual-Selected Features
Wepawet[link] (JSAND) IceShield
Security Policy Gatekeeper[link], Caja[link]
Gazelle[link]
2011/7/19
A Seminar at Advanced Defense Lab 7
Design Overview
We assume that almost every JavaScript based attack will have to use native methods at some point in order to prepare necessary data structures.› Heap spray› JIT spray
2011/7/19
A Seminar at Advanced Defense Lab 8
Challenge
An attacker can render any signature based malware detection lacking advanced de-obfuscation routines useless.
2011/7/19
A Seminar at Advanced Defense Lab 9
Basic Idea
We do not rely on any form of static code analysis.
We instrument objects and functions dynamically, and providing an execution context in which we can analyze their behavior.
2011/7/19
A Seminar at Advanced Defense Lab 10
System Implementation
Our heuristics are based on a manual analysis of current attacks, and we tried to generalize the heuristics such that they are capable of detecting a wide variety of attacks.
2011/7/19
A Seminar at Advanced Defense Lab 11
Current Heuristics
External domain injection› <embed>, <iframe>, <script>, …
Dangerous MIME type injection
Suspicious Unicode characters› %u0c0c
Suspicious decoding result2011/7/19
A Seminar at Advanced Defense Lab 12
Current Heuristics (cont.)
Overlong decoding results› 4096 characters
Dangerous element creation› <iframe>, <script>, …
URI/CLSID pattern in attribute setter
Dangerous tag injection via the innerHTML property
2011/7/19
A Seminar at Advanced Defense Lab 13
Dynamic Instrumentation
We overwrite and wrap the native JavaScript methods into a context that allows us to inspect dynamically.
IceShield utilizes an ECMA Script 5 feature called Object.defineProperty() to implement the instrumentation in a robust way.
2011/7/19
A Seminar at Advanced Defense Lab 14
Tamper Resistant
The most relevant descriptor for IceShield is configurable and the possibility to set it to false, thereby freezing the property state.
All modern user agents such as Firefox 4, Chrome 6-10, and Internet Explorer 9 support object freezing.
2011/7/19
A Seminar at Advanced Defense Lab 15
Scoring Metric
Linear Discriminant Analysis (LDA)[link]
2011/7/19
A Seminar at Advanced Defense Lab 16
User Protection
To avoid interference with the user experience, we null the payload of the possible exploit, which mitigates the danger to the user, but in most cases has no visible impact.
2011/7/19
A Seminar at Advanced Defense Lab 17
Some Limitations
New window context› <iframe> point to Javascript URI
<iframe src=“javascript:evil()”>› Data URI
<object data =" data:x ,%3cscript > evil()%3c/script >" >
› <a> and target=_blank› <meta> redirection
2011/7/19
A Seminar at Advanced Defense Lab 18
The Solution
The solution to the problems discussed above can be found in scanning and analyzing the website's markup during parsing of the DOM tree.
2011/7/19
A Seminar at Advanced Defense Lab 19
Browser Extensions
We implement:› Extension for Gecko based browser
› BHO for Internet Explorer
› Greasemonkey[link] user script
2011/7/19
A Seminar at Advanced Defense Lab 20
Evaluation
Known-good dataset› Top 61,554 websites from Alexa ranking› Check the malwaredomainlist.com (MDL)[
link] block-list
Known-bad dataset› 81 URLs selected from MDL› all URLs point to exploit kits
2011/7/19
A Seminar at Advanced Defense Lab 21
Environment
High-end workstation› Intel Core i7-870 and 8GB RAM› Ubuntu 10.04 and Firefox 3.6.8
Mid-range system› ASUS EeePC 1000H› Intel Atom N270 and 1 GB RAM› Ubuntu 10and Firefox 3.6.12
Low-end device› Nokia n900› 600 MHz ARM7 Cortex-A8and 256 MB RAM› Maemo and Firefox 3.5 Maemo Browser 1.5.6 RX-51
2011/7/19
A Seminar at Advanced Defense Lab 23
Machine Learning
Training set› Top 50 sites from Alexa ranking› 30 sites from known-bad dataset
Testing set› 61,504 sites from known-good dataset› 51 sites from known-bad dataset
2011/7/19
A Seminar at Advanced Defense Lab 24
Classification Result
Correct Incorrect
Known-good 97.83% 2.17%
Known-bad 98.04% (50) 1.96% (1)
2011/7/19
A Seminar at Advanced Defense Lab 25
False Positive Analysis
To protect the user, IceShield does not need to block access to a site that triggers an alert.
We can strip malicious data from the site, and thus mitigate the attack.
2011/7/19
A Seminar at Advanced Defense Lab 26
False Positive Analysis
We manually evaluated a 10% sample set (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable.› not noticeable: 82.9%› partially usable: 9.6%› Unusable: 7.5%
2011/7/19
A Seminar at Advanced Defense Lab 27
Performance
2 ms to 760 ms, average 11.6ms› 99.5% sites are smaller than 25 ms› Average overhead 6.27%
2011/7/19
A Seminar at Advanced Defense Lab 29
Limitations
In case an attacker deploys a malicious PDF, Java Applet, or Flash le without using any native DOM methods.
The lack of heuristic coverage on ActiveX based attacks
The lack of tamper resistance support for older user agents.
2011/7/19
A Seminar at Advanced Defense Lab 31
The Flexible Javasciprt
!’’ › “true”
[!{}] › “false”
{} › an object
!’’+[!{}]+{} › “trueflase[object Object]”
2011/7/19
A Seminar at Advanced Defense Lab 32
Now we can understand…
_ =[[$,__,,$$,,_$,$_,_$_,,,$_$]=! ‘'+[!{}]+{}][_$_+$_$+__+$],_()[_$+$_+$$+__+$](-~$)
2011/7/19
A Seminar at Advanced Defense Lab 33
Some Link
jjencode[link]
aaencode[link]
JSF*ck[link]
2011/7/19
A Seminar at Advanced Defense Lab 34
JIT Spraying
Because IE 8 include DEP Some exploit may not use heap spray
Dion Blazakis propose JIT spraying at BlackHat DC 2010› INTERPRETER EXPLOITATION: POINTER
INFERENCE AND JIT SPRAYING› Generate executable code at runtime
2011/7/19