JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

Slides:



Advertisements
Similar presentations
Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.
Advertisements

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Security+ Guide to Network Security Fundamentals, Third Edition
Browser Exploitation Framework (BeEF) Lab
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.
Norman SecureSurf Protect your users when surfing the Internet.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.
Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.
Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Computer & Network Security
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht ( Joint work with : V.N. Venkatakrishnan.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Course code: ABI 204 Introduction to E-Commerce Chapter 5: Security Threats to Electronic Commerce AMA University 1.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
I STILL KNOW WHAT YOU VISITED LAST SUMMER User Interaction And Side Channel Attacks On Browser History Zachary Weinberg Eric Y. Chen Pavithra Ramesh Jayaraman.
Module 7: Advanced Application and Web Filtering.
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan, Northwestern University.
Sky Advanced Threat Prevention
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Trends and Lessons from Three Years Fighting Malicious Extensions Nav Jagpal, Eric Dingle, Jean-Philippe, Gravel Panayiotis, Mavrommatis Niels, Provos.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
WebShield: Enabling Various Web User Defense Techniques without Client Side Modifications Yan Chen Lab for Internet and Security Technology (LIST) Northwestern.
 SafePay: Protecting against Credit Card Forgery with Existing Magnetic Card Readers Yinzhi Cao †, Xiang Pan §, Yan Chen § † Lehigh University § Northwestern.
Antivirus Software Troy Behmer. Outline Topics covered: – What is Antivirus software (AVS)? – What are the advantages and disadvantages of AVS? – What.
Microsoft NDA Material Adwait Joshi Sr. Technical Product Manager Microsoft Corporation.
Week-14 (Lecture-1) Malicious software and antivirus: 1. Malware A user can be tricked or forced into downloading malware comes in many forms, Ex. viruses,
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.
Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.
BUILD SECURE PRODUCTS AND SERVICES
Javascript worms By Benjamin Mossé SecPro
Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
Jon Peppler, Menlo Security Channels
Automatic and Precise Client-Side Protection against CSRF Attacks
Dynamic Web Pages Jin Wu INF 385E Information Architecture
Exploring DOM-Based Cross Site Attacks
Enterprise Class Security Scanner
Security and JavaScript
Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago
Presentation transcript:

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge*** * Columbia University ** Northwestern University *** Tsinghua University

Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 2/24

Introduction and Background Drive-by download Attack – Unintended download of malicious computer software from the Internet, which is usually due to a browser vulnerability, such as buffer and heap overflow. Approximately 1.3% of the incoming search queries (millions per day) to Google returned at least one URL with a drive-by download attack. 3/24

4/24

Overview A reactive vulnerability-based approach to match malicious JavaScript samples targeting drive-by download attacks. JShield (> 4,000 additional lines of code integrated into WebKit) has been adopted by Huawei, the world’s largest telecommunication equipment maker. I spent two months at Huawei in 2012 and 2013 respectively to help them test JShield with millions of real-world samples. JShield is filed under a U.S. patent (14/207,665). 5/24

Deployment Server Side – The Web Application Firewalls (WAF) or Web IDS/IPS – Web malware scanning services Client Side – Part of Anti-virus Software 6/24

Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 7/24

Motivation Attackers will change existing malicious JavaScript code to evade detection, called sample pollution: – Embedded inside DOM events, such as mouse moves. – Injected and interleaved with benign JavaScript code. 8/24

Motivation Cont’d 9/24 Anti-virus SoftwareOriginal SamplesPolluted Samples Avira Antivirus Premium % (1176/1200)0.58% (7/1200) AVG Internet Security % (1072/1200)3.58% (43/1200) Kaspersky Internet Security % (1109/1200)2.00% (24/1200) Norton Internet Security % (248/1200)0.08% (1/1200) Trend Micro Titanium Internet Security % (1051/1200)2.00% (24/1200) Top Vendors in Industry:

Motivation Cont’d 10/24 Original SamplesPolluted Samples True Positive93.1%36.7% False Positive0.5% Detection Rate of Zozzle [1] State-of-the-art Research Work: [1] Curtsinger, Charlie, Benjamin Livshits, Benjamin G. Zorn, and Christian Seifert. "ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection." In USENIX Security Symposium, pp

Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 11/24

Solution Space 12/24 Turing Machine Signature Accuracy High Low High JShield Signature Ideal Signature Speed Symbolic Constraint Signature Regular Expression

System Architecture 13/24

Opcode Signature Example 14/24 SignatureSentenceClause

Example 15/24 var obj = new Object(); obj.__proto__.__defineGetter__("a", function () { this.__proto__ = null; return 0; }); obj.a; Exploit: Outputted Opcodes:

Matching Process 16/24 State 1State 2State 3 Opcodes of the exploit: Signature to be matched:

Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 17/24

Evaluation Vulnerability Coverage Rate Robust to Sample Pollution Performance 18/24

Evaluation Vulnerability Coverage 19/24 Vulnerability Position BrowserShieldSong et al.JShield JS Engine3/220/2222/22 PDF JS Engine4/180/1818/18 Plug-in20/2121/21 Reis et al., Browsershield: vulnerability-driven filtering of dynamic html. In OSDI (2006). Song et al., preventing drive-by download via inter-module communication monitoring. In ASIACCS (2010).

Evaluation Accuracy Original SamplesPolluted Samples TP for Web Pages100% FP for Web Pages0% 20/24 Anti-virus SoftwareOriginal SamplesPolluted Samples Avira Antivirus Premium % (1176/1200)0.58% (7/1200) AVG Internet Security % (1072/1200)3.58% (43/1200) Kaspersky Internet Security % (1109/1200)2.00% (24/1200) Norton Internet Security % (248/1200)0.08% (1/1200) Trend Micro Titanium Internet Security % (1051/1200)2.00% (24/1200) ZozzleOriginal SamplesPolluted Samples True Positive93.1%36.7% False Positive0.5%

Evaluation Performance 21/24

Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 22/24

Conclusion In this talk, I presented JShield, a vulnerability based detection engine of drive-by download attacks. JShield represents the semantics of each vulnerability and is robust to sample pollution. In evaluation, we show that JShield incurs affordable overhead. 23/24

Thank you! Questions? 24/24

JShield - Deployment Model Backup Slide JShield is deployed as a drive-by attack detection engine at Huawei’s intelligent cloud. 25/24

Advertisement My research on web security: – List of Papers – I do not know what you visited last summer – Protecting users from third-party web tracking with TrackingFree browser, NDSS – JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks, ACSAC – Abusing Browser Address Bar for Fun and Profit – An Empirical Investigation of Add-on Cross Site Scripting Attacks, SecureComm – Protecting Web-based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel, RAID – Redefining Web Browser Principals with a Configurable Origin Policy, DSN-DCCS – Virtual Browser: a Virtualized Browser to Sandbox Third-party JavaScripts with Enhanced Security, AsiaCCS – PathCutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks, NDSS – WebShield: Enabling Various Web Defense Techniques without Client Side Modifications, NDSS /24