Spectator: Detection and Containment of JavaScript Worms


Spectator: Detection and Containment of JavaScript Worms Benjamin Livshits Weidong Cui Microsoft Research

Overview Why JavaScript worms matter: JavaScript worms are enabled by cross-site scripting (XSS) vulnerabilities in Web applications. While XSS vulnerabilities have been a common problem in Web-based applications for some time, their threat is now significantly amplified with the advent of AJAX technology, which lets injected script issue further requests (including uploads) without user interaction.

Overview (Cont.) Spectator: the first automatic detection and containment solution for JavaScript worms. How: Spectator performs distributed data tainting by observing and tagging the traffic between the browser and the Web application.

Samy Worm Released on MySpace in 2005. Technique: exploiting a cross-site scripting vulnerability. The worm added close to a million users to the worm author's "friends" list. According to MySpace site maintainers, the worm caused an explosion in the number of entries in friends lists across the site, eventually leading to resource exhaustion.

Samy Worm (Cont.) Propagation: 1) Download: A visitor downloads an infected profile and the browser automatically executes the JavaScript payload. The payload adds Samy as the viewer's "friend" and also adds the text "but most of all, samy is my hero" to the viewer's profile.

Samy Worm (Cont.) 2) Propagation: The payload is extracted from the contents of the profile being viewed and then uploaded into the viewer's profile, so every later visitor of that profile is infected in turn.

Spectator Spectator is the first practical solution to the problem of detecting and containing JavaScript worms. Spectator is also insensitive to worm propagation speed: it can deal with rapid zero-day worm attacks as well as worms that disguise their presence with slow propagation, because detection depends on how far the payload has spread, not on how fast.

Spectator (Cont.) Spectator is insensitive to what the JavaScript code looks like and does not rely on signatures of any sort; therefore it is able to detect polymorphic worms as well as worms that use other executable content, such as VBScript or JavaScript embedded in Flash.

Architecture

Architecture (Cont.) The Spectator worm detection algorithm relies on the following properties that guarantee that we can observe and record the propagation of a piece of data during its entire "round trip": Property 1): Reliable HTML input detection. Property 2): Reliable client-side tag propagation.

Detection Algorithm Propagation Graph Representation: Each node of the graph corresponds to a tag (one tagged upload), and each edge is a causality edge: an edge from A to B means that the upload B was made from a page that carried tag A. Each node carries with it the IP address of the client the tag originates from.

Detection Algorithm (Cont.) Ideally, they want to perform worm detection on the fly, whenever a new upload request is observed by Spectator. When a new edge is added to the propagation graph G, we check whether the diameter of the updated graph G now exceeds the user-defined threshold d, where distance is counted in distinct client IP addresses along a path.

Detection Algorithm (Cont.) The issue is that they need to keep track of the set of unique IP addresses encountered on the current path from the root.

Detection Algorithm (Cont.) Worm Detection: Whenever a new causality edge from node parent to node child is added to GA: 1. If parent is the only predecessor of child in GA, we walk up the tree branch and find all storage stations on the current tree branch. We copy IPS(parent) into IPS(child) and then add child's IP if it is not found by the search; in that case DEPTH(child) = DEPTH(parent) + 1, otherwise DEPTH(child) = DEPTH(parent). If the size of IPS(child) reaches threshold c, we designate child as a storage station (a node that keeps its full IP set, so later walks up the branch can stop there).

Detection Algorithm (Cont.) 2. If child has two predecessors in GA, we compare DEPTH values stored at the two predecessors, select the larger one, and remove the other edge from the graph, restoring non-sharing. After that we follow step 1 above. Note that the predecessors do not have to belong to the same tree. However, after the insertion is complete, child will be a member of a single tree.

Detection Algorithm (Cont.) Worm Containment: Whenever the depth of the newly added node exceeds detection threshold d, we mark the entire tree containing the new edge as infected. To do so, we maintain an additional status at every leaf. Whenever a tree is deemed infected by our algorithm, we propagate the infected status to every tree node. Subsequently, all uploads that are caused by nodes within that tree are disallowed until there is a message from the server saying that it is safe to do so.
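The three rules above (single-predecessor insertion with storage stations, two-predecessor resolution, and tree-wide infection marking) as an added, runnable illustration in Python. This is not Spectator's own code: the `Detector` class, the `Node` fields, the `add_upload` and `upload_allowed` names and the two simulations at the end are this example's assumptions, chosen to mirror the slides' description.

```python
"""Propagation-graph worm detection in the style of Spectator (added example).

Assumptions of this illustration (not from the paper): a node stores only its
own IP unless it is a storage station, which stores the full IP set IPS(node);
DEPTH(node) == len(IPS(node)); an upload observed with several causal tags
picks the deepest predecessor (the slides' step 2).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    tag: int
    ip: str
    parent: Optional[int] = None
    depth: int = 1                        # distinct client IPs on the path from the root
    station_ips: Optional[Set[str]] = None  # full IP set, kept only at storage stations
    infected: bool = False
    children: List[int] = field(default_factory=list)


class Detector:
    def __init__(self, d: int, c: int = 8):
        self.d = d                # detection threshold on DEPTH (the slides' d)
        self.c = c                # IP-set size at which a node becomes a storage station
        self.nodes: Dict[int, Node] = {}

    def _ips_on_branch(self, node: Node) -> Set[str]:
        """Step 1: walk up the branch to the nearest storage station and rebuild IPS(node)."""
        ips: Set[str] = set()
        cur: Optional[Node] = node
        while cur is not None:
            if cur.station_ips is not None:
                return ips | cur.station_ips
            ips.add(cur.ip)
            cur = self.nodes[cur.parent] if cur.parent is not None else None
        return ips

    def add_upload(self, tag: int, ip: str, parents=()) -> Node:
        """Record an upload carrying `tag` from client `ip`, caused by downloads carrying `parents`."""
        node = Node(tag, ip)
        self.nodes[tag] = node
        if not parents:
            node.station_ips = {ip}       # a fresh root keeps its own (one-element) set
            return node
        # Step 2: with several predecessors keep only the edge from the deepest one.
        parent = max((self.nodes[p] for p in parents), key=lambda n: n.depth)
        node.parent = parent.tag
        parent.children.append(tag)
        # Step 1: IPS(child) = IPS(parent) plus child's IP; DEPTH grows only for a new IP.
        ips = self._ips_on_branch(parent)
        node.depth = parent.depth + (0 if ip in ips else 1)
        ips.add(ip)
        if len(ips) >= self.c:
            node.station_ips = ips
        node.infected = parent.infected
        # Containment: exceeding d marks the whole tree containing the new edge.
        if node.depth > self.d:
            self._mark_tree(node)
        return node

    def _mark_tree(self, node: Node) -> None:
        root = node
        while root.parent is not None:
            root = self.nodes[root.parent]
        stack = [root]
        while stack:
            n = stack.pop()
            n.infected = True
            stack.extend(self.nodes[c] for c in n.children)

    def upload_allowed(self, parents) -> bool:
        """Uploads caused by any node of an infected tree are disallowed."""
        return not any(self.nodes[p].infected for p in parents)


def simulate_worm(d: int = 20, hops: int = 25) -> Detector:
    """Constructed scenario: a payload re-uploaded by a chain of distinct clients."""
    det = Detector(d)
    det.add_upload(0, "10.0.0.0")
    for i in range(1, hops):
        det.add_upload(i, "10.0.0.%d" % i, parents=[i - 1])
    return det


def simulate_long_blog(d: int = 20, edits: int = 100) -> Detector:
    """Constructed scenario: one author repeatedly editing the same entry (same IP)."""
    det = Detector(d)
    det.add_upload(0, "192.0.2.7")
    for i in range(1, edits):
        det.add_upload(i, "192.0.2.7", parents=[i - 1])
    return det
```

The worm chain trips the threshold at the 21st distinct IP and the whole tree, including the original upload, is marked infected, after which further uploads caused by any of its nodes are refused; the single-author blog chain, however long, stays at DEPTH 1 because DEPTH counts distinct client addresses rather than edges.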

Implementation Tag Propagation in the Browser. Tagging Upload Traffic and Server-Side Support for Spectator.

Implementation (Cont.) Tag Propagation in the Browser: Client-Side Causality Tracking: Spectator uses an HTTP-only cookie in the browser as a session cookie that expires only when the browser is closed, which may not happen for a while. So if the user visits site D served by Spectator, then visits site E, and then returns to D, the Spectator cookie is still sent by the browser, and the causal chain would otherwise be lost. Spectator therefore injects client-side JavaScript that signals page unloads, so the proxy learns when the tagged page is no longer open.

Implementation (Cont.) Attacks Against Client-Side Tracking (two types): Worm relaying. Tampering with unload events. Restriction: If malicious script attempts to send the unload event to Spectator prematurely in an effort to break the propagation chain, Spectator will receive more than one unload event per session. When a sufficient number of duplicate unload events is seen, it raises an alarm for the server, requiring manual inspection. Opening a new window? No: fetching a new page with no tags before the malicious upload does not help an attacker evade Spectator, because the clean page and the original page share the same HTTP-only cookie, so the upload is still attributed to the tags the session has seen.

Implementation (Cont.) Tagging Upload Traffic and Server-Side: The primary goal of server-side support is to embed Spectator tags into suspicious data uploaded to a protected Web server in a transparent and persistent manner so that: 1) the tags will not interfere with the Web server’s application logic 2) the embedded tags will be propagated together with the data when the latter is requested from the Web server.

Experimental Evaluation Large-scale simulations. A real-life case study. OurSpace: Simulating User Behavior Scenario 1: Worm outbreak (random topology). Scenario 2: A single long blog entry Scenario 3: A model of worm propagation (power law connectivity).

Experimental Evaluation (Cont.) The graph shows insertion times for Scenario 1 with the detection threshold d set to 20. The x-axis corresponds to the tag being inserted; the y-axis shows the insertion time in milliseconds. The entire run took about 15 minutes with a total of 1,543 nodes inserted.

Experimental Evaluation (Cont.) Effectiveness of Detection: They use Scenario 3. The graph plots the diameter of GA on the y-axis as more nodes are added, up to 100,000 nodes for Scenarios 1 and 3, as shown on the x-axis.

Conclusion Results are good in general. Still needs to be tested further, to make sure that it won't flag a non-malicious script as malicious (false positives, e.g. legitimate content that many distinct users repost). Good as a research area for those who are interested.