Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection

Attacks     

Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda

Presenter: Chia-Li Lin

2

ReferencesM. Egele, E. Kirda, and C. Kruegel. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference, DIMVA 2009 (to appear), 2009.

3

OutlineIntroductionAutomatically Detecting Drive-by AttacksModified Firefox browserFalse Positive and EffectivenessConclusion

4

IntroductionDrive-by download attacks are among the most common methods for spreading malware today

Typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode

Propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode

5

6

ContributionUses emulation to automatically identify shell-code based drive-by download attacks in a browser

That is integrated into the Mozilla Firefox browser

Evaluated on more than one thousand malicious and several thousand benign sites that the system with no false positives

7

VulnerabilityMost current drive-by downloads target browser plug-ins that are developed and distributed by third parties

buffer overflows memory corruption pointer overwrites

8

JavaScript BasicsTypically used to assign the binary representation of shellcode to a variable that is stored in the address space of the browser JavaScript

9

Tracking String AllocationsTo detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates

global string variables local string variables strings that are properties (members) of objects

The code that we added simply keeps track of the start address of a string variable and its length

10

Checking Strings: libemulibemu is a small library written in C that offers basic x86 emulation and shellcode detection. Being used in:

Nepenthes Honeytrap

Checks starting whether there is a sequence of valid instructions of sufficient length

32 bytes for the minimal length

11

libemulibemu is a small library written in c . libemu supports:

Using libemu one can: detect shellcodes execute the shellcodes profile shellcode behaviour

executing x86 instructions

shellcode execution

reading x86 binary code shellcode execution register emulation win32 api hookingbasic fpu emulation

12

Modified Firefox browserSimulating ActiveX components

dummy objects for instantiation requests to ActiveX components

Modify the parser JScript parser is more tolerant with regards to

semicolons than SpiderMonkey.

Batch processing time-outs replace all delays of setTimeout calls with a delay

of 50ms

13

ActiveX components

14

Performance OptimizationsFirst, one can reduce the total number of invocations of the emulation engine

Second, one can reduce the amount of data that the emulator needs to inspect

string a consists of the concatenation of strings x and y

can skip the analysis (emulation) of x and y when a was already scanned and found to be clean

15

PerformanceIntel Core 2 Duo processor 2.66 GHz and 4 GB of main memory.With a bandwidth of 1 MBit/s of ADSL.

chosen the 150 most popular web sites from the Alexa

16

False Positive EvaluationTo visit 4502 that well-known benign pages from the Alexa

Moves to the next URL two seconds after the page finished loading ten seconds after page loading started

Not produce any false positives

17

Detection Effectiveness[1/2]Evaluated our system on the traces of 1,187 web browsing sessions that are known to contain drive-by attacks.

list of such URLs from the Spamcop spam trap of a security company

18

Detection Effectiveness[2/2]To filter those URLs that actually host drive-by attacks, used the:

Capture Honeypot Client (HPC)

To extract application level data from the network traces, used the:

“Chaosreader” ,11,910 URLs (files) were associated with the 1,187 traces

Running detection system on the resources associated with 1,187 traces,detected 956 instances of shellcode

19

Cause of failing Manual analysis revealed four main causes that result in our prototype failing to detect a threat

1.not make use of memory exploits2.use Visual Basic (VB) script code3.malicious code is distributed over several scripts4..cab archive files

20

ConclutionsThe system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed.

Verified the capability of our approach to successfully detect real-world drive-by download attacks.

The evaluation shows that our approach is feasible in practice.

21

SupportedThis work has been supported by the Austrian Science Foundation (FWF) under grant P18764, SECoverer FIT-IT Trust in IT-Systems 2. Call, Austria, Secure Business Austria (SBA), and the WOMBAT and FORWARD projects funded by the European Commission in the 7th Framework.

22

Questions