Presentation transcript:

• Introduction
• Related Work
• Design Overview
• System Implementation
• Evaluation
• Limitations
2011/7/19 A Seminar at Advanced Defense Lab 2

• There are many different kinds of threats and attack vectors against current browsers.
  › Drive-by-download attacks
  › Cross-Site Scripting (XSS)
  › Clickjacking

• The root cause of this problem is that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.

• We introduce IceShield, a novel approach to perform light-weight instrumentation of JavaScript, detecting a diverse set of attacks against the DOM tree.

Related work (classified along an offline / online axis on the original slide):
• Machine learning
  › Auto-selected features: Cujo, Zozzle
  › Manually selected features: Wepawet (JSAND), IceShield
• Security policy: Gatekeeper, Caja, Gazelle

• We assume that almost every JavaScript based attack will have to use native methods at some point in order to prepare the necessary data structures.
  › Heap spray
  › JIT spray

• An attacker can render any signature-based malware detection that lacks advanced de-obfuscation routines useless.

• We do not rely on any form of static code analysis.
• We instrument objects and functions dynamically, providing an execution context in which we can analyze their behavior.

• Our heuristics are based on a manual analysis of current attacks, and we tried to generalize the heuristics such that they are capable of detecting a wide variety of attacks.

• External domain injection
  › , , , …
• Dangerous MIME type injection
• Suspicious Unicode characters
  › %u0c0c
• Suspicious decoding result

• Overlong decoding results
  › 4096 characters
• Dangerous element creation
  › , , …
• URI/CLSID pattern in attribute setter
• Dangerous tag injection via the innerHTML property

• We overwrite and wrap the native JavaScript methods into a context that allows us to inspect them dynamically.
• IceShield utilizes an ECMAScript 5 feature called Object.defineProperty() to implement the instrumentation in a robust way.

• The most relevant descriptor for IceShield is configurable, and the possibility to set it to false, thereby freezing the property state.
• All modern user agents such as Firefox 4, Chrome 6-10, and Internet Explorer 9 support object freezing.

• Linear Discriminant Analysis (LDA)

• To avoid interference with the user experience, we null the payload of the possible exploit, which mitigates the danger to the user but in most cases has no visible impact.
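The following is an added example, not IceShield's own code, showing the instrumentation approach of slides 13-14 (native methods wrapped through Object.defineProperty with configurable:false so the wrapper cannot be replaced), two of the heuristics from slides 11-12 (dangerous element creation, overlong or %u0c0c-bearing decoding results), and the payload-nulling mitigation of slide 16. It runs in Node on constructed stand-ins for document and window; the element list is an assumption made for the demo, while the 4096-character limit and %u0c0c come from the slides.

```javascript
// Added example (not IceShield's own code): light-weight instrumentation of
// "native" methods built on Object.defineProperty with configurable:false and
// writable:false, so a later script can neither replace nor delete the wrapper.
// Everything runs on constructed stand-ins for document/window (no real DOM).

const alerts = []; // heuristic hits recorded while the (simulated) page runs

const DANGEROUS_ELEMENTS = new Set(['iframe', 'object', 'embed', 'applet']); // assumption for the demo
const MAX_DECODED_LENGTH = 4096;     // "overlong decoding results" threshold from the slide
const SUSPICIOUS_UNICODE = /\u0c0c/; // what %u0c0c decodes to

// Replace obj[name] with a frozen wrapper. `check(args, result)` inspects the
// call after the original has run and returns null (allow) or a reason string;
// on a hit the payload is nulled: the caller receives null instead of the result.
function instrument(obj, name, check) {
  const original = obj[name];
  const wrapper = function (...args) {
    const result = original.apply(this, args);
    const reason = check(args, result);
    if (reason !== null) {
      alerts.push({ method: name, reason });
      return null;
    }
    return result;
  };
  Object.defineProperty(obj, name, {
    value: wrapper, writable: false, configurable: false, enumerable: true,
  });
}

// Tamper resistance: attempts to restore or replace the wrapper. Strict mode
// turns the otherwise silent failures into TypeErrors so the outcome is observable.
function tryTamper(obj, name) {
  'use strict';
  const outcome = {};
  try { obj[name] = function () {}; outcome.assign = 'ok'; } catch (e) { outcome.assign = e.name; }
  try { delete obj[name]; outcome.delete = 'ok'; } catch (e) { outcome.delete = e.name; }
  try { Object.defineProperty(obj, name, { value: 0 }); outcome.redefine = 'ok'; } catch (e) { outcome.redefine = e.name; }
  return outcome;
}

// Constructed stand-ins (assumption: minimal shapes, no real browser objects).
const doc = {
  created: [],
  createElement(tag) { this.created.push(tag); return { tagName: String(tag).toUpperCase() }; },
};
const win = { unescape: (s) => unescape(s) }; // Node provides the legacy unescape()

instrument(doc, 'createElement', ([tag]) =>
  DANGEROUS_ELEMENTS.has(String(tag).toLowerCase()) ? `dangerous element creation: ${tag}` : null);

instrument(win, 'unescape', (args, decoded) => {
  if (decoded.length > MAX_DECODED_LENGTH) return `overlong decoding result: ${decoded.length} chars`;
  if (SUSPICIOUS_UNICODE.test(decoded)) return 'suspicious unicode character %u0c0c in decoding result';
  return null;
});

// Simulated page script with constructed benign and suspicious calls.
function runDemo() {
  alerts.length = 0;
  const div = doc.createElement('div');                                // benign, passes through
  const frame = doc.createElement('iframe');                           // flagged, payload nulled
  const plain = win.unescape('%41%42');                                // "AB", benign
  const sled = win.unescape('%u0c0c'.repeat(MAX_DECODED_LENGTH + 1));  // overlong, nulled
  const marker = win.unescape('%u0c0c');                               // suspicious character, nulled
  return { div, frame, plain, sled, marker, alerts: alerts.slice(), tamper: tryTamper(doc, 'createElement') };
}
```

Because the wrapper inspects the call after the original has run, the page keeps working (the benign div and the "AB" decode come back unchanged) while the flagged results are replaced by null, which is the "no visible impact" behaviour the slide describes. The tamper attempts all fail with TypeError, which is the property-freezing guarantee that makes the instrumentation robust against scripts loaded later.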

• New window context
  › point to a JavaScript URI
  › Data URI
    evil()%3c/script >" >
  › and target=_blank
  › redirection

• The solution to the problems discussed above can be found in scanning and analyzing the website's markup during parsing of the DOM tree.

• We implement:
  › an extension for Gecko-based browsers
  › a BHO for Internet Explorer
  › a Greasemonkey user script

• Known-good dataset
  › Top 61,554 websites from the Alexa ranking
  › Checked against the malwaredomainlist.com (MDL) block-list
• Known-bad dataset
  › 81 URLs selected from MDL
  › all URLs point to exploit kits

• High-end workstation
  › Intel Core i7-870 and 8 GB RAM
  › Ubuntu and Firefox
• Mid-range system
  › ASUS EeePC 1000H
  › Intel Atom N270 and 1 GB RAM
  › Ubuntu 10 and Firefox
• Low-end device
  › Nokia n900
  › 600 MHz ARM7 Cortex-A8 and 256 MB RAM
  › Maemo and Firefox 3.5 Maemo Browser RX


• Training set
  › Top 50 sites from the Alexa ranking
  › 30 sites from the known-bad dataset
• Testing set
  › 61,504 sites from the known-good dataset
  › 51 sites from the known-bad dataset

             Correct        Incorrect
Known-good   97.83%         2.17%
Known-bad    98.04% (50)    1.96% (1)

• To protect the user, IceShield does not need to block access to a site that triggers an alert.
• We can strip malicious data from the site, and thus mitigate the attack.

• We manually evaluated a 10% sample set (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable.
  › not noticeable: 82.9%
  › partially usable: 9.6%
  › unusable: 7.5%

• 2 ms to 760 ms, average 11.6 ms
  › 99.5% of sites take less than 25 ms
  › Average overhead 6.27%


• In case an attacker deploys a malicious PDF, Java applet, or Flash file without using any native DOM methods.
• The lack of heuristic coverage on ActiveX-based attacks.
• The lack of tamper-resistance support for older user agents.


 !’’ ›  “true”  [!{}] ›  “false”  {} ›  an object  !’’+[!{}]+{} ›  “trueflase[object Object]” 2011/7/19 A Seminar at Advanced Defense Lab 31

• _ =[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$], _()[_$+$_+$$+__+$](-~$)
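The following is an added example, not part of the original slides, that evaluates the coercion chain of slide 31 and the destructuring trick of slide 32 step by step, so the reader can see which native method the symbol-only snippet reaches at runtime and why a source-level signature never sees it (the point of slide 8). It runs in Node; the `win` object standing in for the browser window is a constructed assumption, and the binding that `_()` obtains implicitly in a sloppy-mode browser script is made explicit here.

```javascript
// Added example (not from the slides): decoding the coercion-based snippet.

// Step 1: the coercion chain from slide 31, evaluated rather than guessed.
function coercedAlphabet() {
  return !'' + [!{}] + {};   // "true" + "false" + "[object Object]"
}

// Step 2: the destructuring assignment from slide 32 with the same identifiers.
// Each $-name picks one character of the alphabet string by position; the
// holes skip characters that are not needed.
function recoverNames() {
  let $, __, $$, _$, $_, _$_, $_$;
  [$, __, , $$, , _$, $_, _$_, , , $_$] = coercedAlphabet();
  return {
    method: _$_ + $_$ + __ + $,      // "s" + "o" + "r" + "t"
    target: _$ + $_ + $$ + __ + $,   // "a" + "l" + "e" + "r" + "t"
    argument: -~$,                   // ~"t" is ~NaN === -1, negated gives 1
  };
}

// Step 3: the call path. [[...] = str]["sort"] is Array.prototype.sort, unbound.
// In a sloppy-mode browser script `_()` therefore runs sort with this === window,
// and sort returns its receiver, so `_()["alert"](1)` is window.alert(1).
// Here the receiver is passed explicitly as the constructed stand-in `win`.
function executeViaCoercedNames(win) {
  const names = recoverNames();
  const fn = [coercedAlphabet()][names.method]; // Array.prototype.sort
  const receiver = fn.call(win);                // sort returns the object it was called on
  return receiver[names.target](names.argument);
}

// Step 4: a string signature for the call cannot match the obfuscated source.
const OBFUSCATED_SOURCE =
  "_ =[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$], _()[_$+$_+$$+__+$](-~$)";

function signatureSeesAlert(source) {
  return /\balert\s*\(/.test(source);
}

function runDemo() {
  const calls = [];
  // Constructed stand-in for window: records the native-method call the way an
  // instrumented wrapper would (assumption: only alert is modelled).
  const win = { alert(x) { calls.push(['alert', x]); return 'alert-called'; } };
  const ret = executeViaCoercedNames(win);
  return { staticMatch: signatureSeesAlert(OBFUSCATED_SOURCE), calls, ret };
}
```

The static signature reports no match while the runtime path still ends in a call to the native method with argument 1, which is exactly the gap between signature matching and the native-method instrumentation the slides rely on: the names are only assembled at execution time, but the call itself cannot avoid the wrapped native function.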

• jjencode
• aaencode
• JSF*ck

• Because IE 8 includes DEP, some exploits may not use heap spray.
• Dion Blazakis proposed JIT spraying at BlackHat DC 2010
  › "Interpreter Exploitation: Pointer Inference and JIT Spraying"
  › Generate executable code at runtime

• var y = ( 0x3c54d0d9 ^ 0x3c ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b ^...