Jarhead: Analysis and Detection of Malicious Java Applets. Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna (University of California, Santa Barbara). Annual Computer Security Applications Conference (ACSAC) 2012.

Presentation transcript:

Jarhead: Analysis and Detection of Malicious Java Applets
Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna, University of California
Annual Computer Security Applications Conference (ACSAC), December 2012
Reporter: 鍾怡傑, 2013/03/25

Outline
 INTRODUCTION
 BACKGROUND: Java applets; Java exploits
 JARHEAD SYSTEM OVERVIEW
 FEATURE DISCUSSION: Obfuscation; Behavior
 EVALUATION: Manually collected dataset; Wepawet dataset
 POSSIBLE EVASION
 CONCLUSIONS

INTRODUCTION  Malicious Java applets are a growing problem that existing work does not address well.  Jarhead uses static analysis and machine learning to identify malicious Java applets.

INTRODUCTION  Drive-by download attacks  Social engineering attacks

INTRODUCTION  Signature-based detection is easily evaded by obfuscation  Honeyclients only observe an exploit if they run exactly the vulnerable software combination: Java plugin version, Java version, browser and OS version

BACKGROUND-Java applet  Java bytecode plus application files  Commonly bundled as a Jar archive  Embedded in web pages  Executed by the web browser in a sandboxed JVM  An optional digital signature, once accepted by the user, disables the sandbox  Developed in the 1990s as a mobile-code technology  Largely superseded by CSS, JavaScript, Flash, ...  Modern browsers still support applets

Jar archive (figure)

Embedded in web pages (figure)

Digital signature (figure)

BACKGROUND-Java exploits  Users are unaware that Java applets run in their browser  The Java plugin is enabled by default  Installed plugins are frequently out of date  Multiple vulnerabilities exist in the JVM and in the Java class library

JARHEAD SYSTEM OVERVIEW  Detector for malicious Java applets  Static  Reliable  Accurate  Fast  Offline  Robust  Low maintenance  Analyzed a large number of samples  Detected previously unknown exploits

How does Jarhead work? 1. Unpack the Jar 2. Disassemble the bytecode 3. Statically extract the feature set 4. Classify 5. Report the result

Why statically? 1. Partial exploits (incomplete samples) cannot be analyzed dynamically 2. Resistant to fingerprinting and evasion of the analysis environment 3. Independent of the environment (JVM/Java version, OS, ...) 4. 100% code coverage: all code is examined, not only the paths taken in one run

FEATURE DISCUSSION  General metrics (size in bytes,... )  Obfuscation  Code metrics  String obfuscation  Active code obfuscation  Behavior  Interaction with security-critical components  Download and execute  Jar Content  Known vulnerable functions  42 features total

Obfuscation

Code metrics  We collect a number of simple metrics that look at the size of an applet, i.e., the total number of instructions and the number of lines of disassembled code, its number of classes, and the number of functions per class.  Cyclomatic complexity is a complexity metric for code, computed on the control flow graph (CFG).  To find semantically useless code, we measure the number of dead local variables and the number of unused methods and functions.

String obfuscation  Strings are heavily used by both benign and malicious applets.  Malicious applets obfuscate strings to evade signature-based systems.  We measure the number of strings in the constant pool, the percentage of non-ASCII strings, and, for the length feature, the length of the shortest and longest string in the pool as well as the average length of all strings.

Active Code Obfuscation  To counter code analysis techniques that check for invocations of known vulnerable functions in the Java library, malicious applets frequently use reflection.  To detect such activity, we count the absolute number of times reflection is used in the bytecode to instantiate objects and to call functions.  We also check whether the applet uses the java.io.Serializable interface, or java.lang.Object or java.lang.Class, as indicators of dynamic code loading.  Finally, we check whether the JavaScript interface is used.

Behavior

Interaction with security-critical components  Several vulnerabilities in different versions of the Sun Java plugin have led to exploits that bypass the sandboxing mechanism. We therefore record interactions with the following classes:  Runtime class  System class (security manager)  ClassLoader class

Download and execute  A successful exploit typically downloads a payload and then executes it. We therefore look for:  java.net.URL objects  Sockets  File writes  Spawning of a new process

Jar Content  The number of files in the Jar that are not Java class files (media files, images, ...)  Binary machine code in the archive (executable or library)  The total size of the Jar archive in bytes

Known vulnerable functions  MidiSystem.getSoundbank()  The javax.management.remote.rmi.RMIConnectionImpl() constructor  MIDlet  The combination of MidiSystem.getSequencer and Sequencer.addControllerEventListener  The javax.management.MBeanServer interface
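As an added example (not the authors' code and not the Jarhead implementation), the following Python script shows how several of the features described on the preceding slides can be extracted from a Jar without running it. It unpacks the archive, parses only the constant pool of each class file, and derives the string-obfuscation features, reflection use, the Runtime/exec and download-and-execute indicators, a check for a ClassLoader superclass, the Jar-content features (non-class files, native binaries, size) and references to the known vulnerable functions listed above. The class-file builder and the sample Jar are constructed test data; `example.invalid` is a reserved placeholder host, and the feature names and the exact sets of class names checked are this example's own choices, not Jarhead's.

```python
"""Jarhead-style static feature extraction from a JAR (added example, not the authors' code)."""
import io
import struct
import zipfile

FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,   # payload bytes per tag
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                         # (tag 1, Utf8, varies)

def parse_class(data):
    """Read only the constant pool: (string constants, {(owner, method)}, {classes}, superclass)."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count = struct.unpack(">H", data[8:10])[0]
    pool, pos, i = [None] * count, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:                                     # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[i] = (1, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:                                            # keep raw payload, resolve lazily
            pool[i] = (tag, data[pos + 1:pos + 1 + FIXED[tag]])
            pos += 1 + FIXED[tag]
        i += 2 if tag in (5, 6) else 1                   # Long/Double occupy two slots
    u2 = lambda b, off=0: struct.unpack_from(">H", b, off)[0]
    utf8 = lambda idx: pool[idx][1]
    cls = lambda idx: utf8(u2(pool[idx][1]))             # CONSTANT_Class -> Utf8 name
    strings = [utf8(u2(e[1])) for e in pool if e and e[0] == 8]
    classes = {cls(k) for k, e in enumerate(pool) if e and e[0] == 7}
    # (Interface)Methodref = class_index, name_and_type_index; NameAndType = name_index, desc_index
    refs = {(cls(u2(e[1])), utf8(u2(pool[u2(e[1], 2)][1]))) for e in pool if e and e[0] in (10, 11)}
    return strings, refs, classes, cls(u2(data, pos + 4))  # super_class follows access_flags, this_class

REFLECTION = {("java/lang/Class", "forName"), ("java/lang/Class", "getMethod"),
              ("java/lang/reflect/Method", "invoke"), ("java/lang/reflect/Constructor", "newInstance")}
KNOWN_VULN = {("javax/sound/midi/MidiSystem", "getSoundbank"),            # from the slides' list
              ("javax/management/remote/rmi/RMIConnectionImpl", "<init>")}
DOWNLOAD_EXEC = {"java/net/URL", "java/net/Socket", "java/io/FileOutputStream", "java/lang/ProcessBuilder"}
NATIVE_MAGIC = (b"MZ", b"\x7fELF")   # PE/ELF only; Mach-O fat magic collides with CAFEBABE

def extract_features(jar_bytes):
    """A subset of Jarhead's obfuscation, behavior and Jar-content features, from the bytes of a .jar."""
    f = {"jar_size": len(jar_bytes), "non_class_files": 0, "native_binaries": 0}
    strings, refs, classes, supers = [], set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            blob = z.read(info)
            if info.filename.endswith(".class"):
                s, r, c, sup = parse_class(blob)
                strings, refs, classes, supers = strings + s, refs | r, classes | c, supers | {sup}
            elif not info.is_dir():
                f["non_class_files"] += 1
                f["native_binaries"] += int(blob.startswith(NATIVE_MAGIC))
    lengths = [len(s) for s in strings]
    f["string_count"], f["longest_string"] = len(strings), max(lengths, default=0)
    f["pct_non_ascii"] = 100.0 * sum(not s.isascii() for s in strings) / len(strings) if strings else 0.0
    f["reflection_refs"] = len(refs & REFLECTION)     # pool refs; Jarhead counts invoke sites in bytecode
    f["gets_runtime"] = int(("java/lang/Runtime", "getRuntime") in refs)
    f["calls_exec"] = int(("java/lang/Runtime", "exec") in refs or ("java/lang/ProcessBuilder", "start") in refs)
    f["download_exec_refs"] = len(classes & DOWNLOAD_EXEC)
    f["extends_classloader"] = int("java/lang/ClassLoader" in supers)
    f["known_vuln_calls"] = len(refs & KNOWN_VULN)
    return f

def build_class(this_name, super_name, strings, methodrefs):
    """Constructed test data: a skeletal .class whose pool holds the given strings and method refs."""
    pool = []
    def add(entry):
        pool.append(entry)
        return len(pool)                                 # pool indices are 1-based
    def utf8(s):
        b = s.encode("utf-8")
        return add(b"\x01" + struct.pack(">H", len(b)) + b)
    def cls(name):
        return add(b"\x07" + struct.pack(">H", utf8(name)))
    for s in strings:
        add(b"\x08" + struct.pack(">H", utf8(s)))
    for owner, name, desc in methodrefs:
        nat = add(b"\x0c" + struct.pack(">HH", utf8(name), utf8(desc)))
        add(b"\x0a" + struct.pack(">HH", cls(owner), nat))
    this_i, super_i = cls(this_name), cls(super_name)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHHHHHH", 0x21, this_i, super_i, 0, 0, 0, 0))  # no fields/methods/attrs

def sample_jar():
    """Constructed downloader-style applet: reflection, Runtime.exec, a file write, a bundled PE stub."""
    evil = build_class("Evil", "java/lang/ClassLoader",
        ["http://example.invalid/payload.bin", "\u0418\u0414\u0431\u0444", "a"],
        [("java/lang/Class", "forName", "(Ljava/lang/String;)Ljava/lang/Class;"),
         ("java/lang/reflect/Method", "invoke", "(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;"),
         ("java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;"),
         ("java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;"),
         ("java/io/FileOutputStream", "<init>", "(Ljava/lang/String;)V"),
         ("java/net/URL", "openStream", "()Ljava/io/InputStream;"),
         ("javax/sound/midi/MidiSystem", "getSoundbank", "(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;")])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Evil.class", evil)
        z.writestr("payload.bin", b"MZ" + b"\x90" * 64)  # PE magic only, not real code
    return buf.getvalue()
```

Calling `extract_features(sample_jar())` returns the feature dictionary for the constructed Jar; the same function accepts the bytes of any Jar read from disk. Counting constant-pool references rather than call sites keeps the parser short, but it cannot distinguish one reflective call from a hundred; a production extractor would walk each method's Code attribute (the disassembly step in Jarhead's pipeline) to count actual invoke instructions and to compute the cyclomatic complexity and dead-code metrics from the control flow graph.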

Obfuscation features  Cyclomatic complexity  Semantically useless code (dead variables, unused functions, ...)  Percentage of non-ASCII strings  Length and number of strings  Use of reflection  Dynamic code loading  Invocation of the JavaScript interpreter

Behavioral features  Interaction with Runtime  Interaction with the System security manager  Check whether the applet extends ClassLoader  Use of URLs, FileStreams, ...  Ability to spawn a process  SMS-send functionality  Calls to known vulnerable functions

Top ten features

Merit   Attribute                 Type
0.398   gets_parameters           behavior
0.266   functions_per_class       obfuscation
0.271   no_of_instructions        obfuscation
0.257   gets_runtime              behavior
0.254   lines_of_disassembly      obfuscation
0.232   uses_file_outputstream    behavior
0.22    percent_unused_methods    obfuscation
0.211   longest_string_char_cnt   obfuscation
0.202   mccabe_complexity_avg     obfuscation
0.197   calls_execute_function    behavior

EVALUATION  Manually collected dataset (2,854 samples), gathered from applet collection sites, a malware research community site, a security site and a web crawl  Wepawet dataset (1,551 samples)

Manually collected dataset  Virustotal found 1,721 (82.1%) of the files to be benign and 374 (17.9%) to be malicious  On manual verification, Virustotal had actually misclassified 61 (2.9%) applets:  34 (1.6%) benign applets as malicious  27 (1.3%) malicious applets as benign  Jarhead's classifier (10-fold cross-validation) misclassified only 11 (0.5%) samples in total:  The false positive rate was 0.2% (4 applets)  The false negative rate was 0.3% (7 applets)

Comparison of Jarhead and Virustotal misclassifications

                  Virustotal (42 AVs)   Jarhead (10x cross-val.)
False positives   1.6%                  0.2%
False negatives   1.3%                  0.3%

Wepawet dataset  The authors of Wepawet provided 1,551 Jar files.  Virustotal found 413 (32.4%) applets to be benign and 862 (67.6%) applets to be malicious, misclassifying 86 (6.7%) samples:  59 (4.6%) malicious applets as benign  27 (2.1%) benign applets as malicious  Jarhead misclassified a total of 21 (1.6%) samples:  The false positive rate was 0.9% (12 applets)  The false negative rate was 0.7% (9 applets)

Jarhead's performance on the Wepawet dataset

                  Original classifier   10x cross-validated
False positives   2.1%                  0.9%
False negatives   4.6%                  0.7%

POSSIBLE EVASION  An applet can use the Java Native Interface (JNI) to execute native code on the machine; native code is not covered by the analysis.  Malicious behavior could be distributed among multiple applets on a single page, so that no single applet exhibits the full set of features.  A completely new class of exploits or vulnerabilities could also bypass the detection.

CONCLUSIONS  The quickly growing problem of malicious Java applets is addressed by a detection system based on static analysis and machine learning.  The system has also been deployed as a plugin for the publicly accessible Wepawet service.  Future work: improve the results with more sophisticated static analysis techniques to achieve even higher accuracy.

Thank you... any Questions?