
Presentation transcript: Introduction / Related Work / Design Overview / System Implementation / Evaluation / Limitations
2011/7/19, A Seminar at Advanced Defense Lab


Slide 2: Outline
• Introduction
• Related Work
• Design Overview
• System Implementation
• Evaluation
• Limitations

Slide 3: Threats
• There are many different kinds of threats and attack vectors against current browsers:
  › drive-by download attacks
  › cross-site scripting (XSS)
  › clickjacking

Slide 4: Root cause
• The root cause of this problem is that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.

Slide 5: Contribution
• We introduce IceShield, a novel approach to performing light-weight instrumentation of JavaScript that detects a diverse set of attacks against the DOM tree.

Slide 6: Related work (offline vs. online approaches)
• Machine learning
  › auto-selected features: Cujo, Zozzle
  › manually selected features: Wepawet (JSAND) [offline], IceShield [online]
• Security policy
  › Gatekeeper, Caja [offline]
  › Gazelle [online]

Slide 7: Assumption
• Almost every JavaScript-based attack has to use native methods at some point in order to prepare the necessary data structures.
  › heap spray
  › JIT spray

Slide 8: Why signatures fail
• An attacker can render useless any signature-based malware detection that lacks advanced de-obfuscation routines.

Slide 9: Design overview
• We do not rely on any form of static code analysis.
• We instrument objects and functions dynamically and provide an execution context in which we can analyze their behavior.

Slide 10: Heuristics
• Our heuristics are based on a manual analysis of current attacks, and we tried to generalize them so that they are capable of detecting a wide variety of attacks.

Slide 11: Heuristics (1)
• External domain injection
  › …
• Dangerous MIME type injection
• Suspicious Unicode characters
  › %u0c0c
• Suspicious decoding result

Slide 12: Heuristics (2)
• Overlong decoding results
  › more than 4096 characters
• Dangerous element creation
  › …
• URI/CLSID pattern in an attribute setter
• Dangerous tag injection via the innerHTML property

Slide 13: Instrumentation
• We overwrite and wrap the native JavaScript methods in a context that allows us to inspect them dynamically.
• IceShield utilizes the ECMAScript 5 method Object.defineProperty() to implement the instrumentation in a robust way.

Slide 14: Tamper resistance
• The most relevant descriptor attribute for IceShield is configurable: setting it to false freezes the property state.
• All modern user agents, such as Firefox 4, Chrome 6-10, and Internet Explorer 9, support object freezing.

Slide 15: Classification
• Linear Discriminant Analysis (LDA)
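How the LDA named on this slide turns the heuristic hits into a verdict, as an added note rather than material from the slides (the page names LDA but not its inputs; treating each heuristic as one binary feature is an assumption consistent with slides 10 and 23):

For a feature vector $x \in \{0,1\}^d$ with one bit per heuristic, LDA estimates the class means $\mu_{\text{bad}}, \mu_{\text{good}}$, the class priors $\pi_{\text{bad}}, \pi_{\text{good}}$ and one pooled within-class covariance $\Sigma$ from the training set, and scores a page with the linear discriminant

$$w = \Sigma^{-1}(\mu_{\text{bad}} - \mu_{\text{good}}), \qquad \text{flag}(x) \iff w^{\top} x > \tfrac{1}{2}\, w^{\top}(\mu_{\text{bad}} + \mu_{\text{good}}) + \ln \frac{\pi_{\text{good}}}{\pi_{\text{bad}}} .$$

Moving the threshold trades the false-positive rate against the miss rate reported on slide 24. A heuristic that never fires in the 80-site training set (slide 23) makes $\Sigma$ singular, so the covariance estimate needs a ridge term $\Sigma + \lambda I$ before it is inverted.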

Slide 16: Mitigation
• To avoid interfering with the user experience, we null the payload of the possible exploit; this mitigates the danger to the user and in most cases has no visible impact.
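Slides 11 through 14 and 16 together describe one mechanism: wrap a native method, apply heuristics to each call, drop the payload when they fire, and freeze the wrapper so page script cannot restore the original. The block below is an added example of that mechanism, not IceShield's own code; it hooks the global unescape() (the decoder behind the "suspicious Unicode characters" and "overlong decoding result" heuristics) and uses the slide's 4096-character and %u0c0c values as its thresholds. The function names, the alerts array, and the constructed inputs in demo() are this example's own.

```javascript
'use strict';

// Added example (not IceShield's code): IceShield-style instrumentation of one
// native function. The wrapper calls the original, runs heuristics on the
// arguments and the result, nulls the payload on an alert, and is installed
// with a non-configurable, non-writable descriptor (Object.defineProperty).

const MAX_DECODED_LENGTH = 4096;        // "overlong decoding result" threshold (slide 12)
const SUSPICIOUS_UNICODE = /%u0c0c/i;   // suspicious Unicode escape named on slide 11

const alerts = [];                      // every heuristic hit, for the classifier to consume

// Heuristic for decoders such as unescape(): inspect the raw argument and the result.
function inspectDecoding(args, result) {
  const reasons = [];
  if (SUSPICIOUS_UNICODE.test(String(args[0]))) reasons.push('suspicious unicode characters');
  if (result.length > MAX_DECODED_LENGTH) reasons.push('overlong decoding result');
  return reasons;
}

// Replace obj[name] with a wrapper that applies `heuristic` and returns an
// empty string instead of the decoded payload whenever the heuristic fires.
function instrument(obj, name, heuristic) {
  const original = obj[name];
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (desc && !desc.configurable) throw new Error(name + ' is already frozen');
  const wrapper = function (...args) {
    const result = original.apply(this, args);
    const reasons = heuristic(args, result);
    if (reasons.length === 0) return result;
    alerts.push({ name, reasons });
    return '';                            // null the payload; the page keeps running
  };
  Object.defineProperty(obj, name, {
    value: wrapper,
    writable: false,                      // plain assignment cannot replace it
    configurable: false,                  // delete / defineProperty cannot remove or redefine it
    enumerable: desc ? desc.enumerable : false,
  });
  return wrapper;
}

const guardedUnescape = instrument(globalThis, 'unescape', inspectDecoding);

// Three ways page script could try to undo the hook. With the frozen descriptor each
// attempt either throws (strict code) or is silently ignored (sloppy code).
function tamperResisted() {
  try { globalThis.unescape = () => 'restored'; } catch (e) { /* TypeError in strict mode */ }
  try { delete globalThis.unescape; } catch (e) { /* TypeError in strict mode */ }
  try { Object.defineProperty(globalThis, 'unescape', { value: () => 'restored' }); } catch (e) { /* TypeError */ }
  return globalThis.unescape === guardedUnescape;
}

function getAlerts() { return alerts.slice(); }

// Constructed inputs: a benign decode, a heap-spray style %u0c0c sled, an oversized sled.
function demo() {
  alerts.length = 0;
  return {
    benign: unescape('%41%42%43'),                             // 'ABC'
    spray: unescape('%u0c0c%u0c0c%u0c0c%u0c0c'),               // '' (alert raised)
    overlong: unescape('%41'.repeat(MAX_DECODED_LENGTH + 1)),  // '' (alert raised)
    tamperResisted: tamperResisted(),                          // true
  };
}
```

Call demo() to exercise the hook. One caveat the slides do not mention: the wrapper is detectable, because String(unescape) now returns the wrapper's source instead of "[native code]", so a fingerprinting payload can tell that the page is instrumented even though it cannot remove the hook.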

Slide 17: Problem cases: a new window context
• A link or frame pointing to a JavaScript URI
• A data URI (e.g. …evil()%3c/script>…)
• … with target=_blank
• Redirection

Slide 18
• The solution to the problems discussed above is to scan and analyze the website's markup while the DOM tree is being parsed.

Slide 19: Implementation
• Extension for Gecko-based browsers
• BHO (Browser Helper Object) for Internet Explorer
• Greasemonkey user script

Slide 20: Datasets
• Known-good dataset
  › top 61,554 websites from the Alexa ranking
  › checked against the malwaredomainlist.com (MDL) block-list
• Known-bad dataset
  › 81 URLs selected from MDL
  › all URLs point to exploit kits

Slide 21: Test systems
• High-end workstation
  › Intel Core i7-870, 8 GB RAM
  › Ubuntu 10.04, Firefox 3.6.8
• Mid-range system
  › ASUS EeePC 1000H
  › Intel Atom N270, 1 GB RAM
  › Ubuntu 10, Firefox 3.6.12
• Low-end device
  › Nokia N900
  › 600 MHz ARM Cortex-A8 (ARMv7), 256 MB RAM
  › Maemo, Firefox 3.5 (Maemo Browser 1.5.6 RX-51)


Slide 23: Training and testing sets
• Training set
  › top 50 sites from the Alexa ranking
  › 30 sites from the known-bad dataset
• Testing set
  › 61,504 sites from the known-good dataset
  › 51 sites from the known-bad dataset

Slide 24: Detection results

                Correct        Incorrect
  Known-good    97.83%         2.17%
  Known-bad     98.04% (50)    1.96% (1)

Slide 25
• To protect the user, IceShield does not need to block access to a site that triggers an alert.
• We can strip the malicious data from the site and thus mitigate the attack.

Slide 26: False positives
• We manually evaluated a 10% sample (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable:
  › not noticeable: 82.9%
  › partially usable: 9.6%
  › unusable: 7.5%

Slide 27: Performance
• Time added per site: 2 ms to 760 ms, average 11.6 ms
  › 99.5% of sites stay under 25 ms
  › average overhead 6.27%


Slide 29: Limitations
• An attacker who deploys a malicious PDF, Java applet, or Flash file without using any native DOM methods is not observed.
• No heuristic coverage of ActiveX-based attacks.
• No tamper resistance on older user agents that lack the ES5 descriptor support of slide 14.


Slide 31: Building strings out of type coercion
• !''            → true (stringifies to "true")
• [!{}]          → an array holding false (stringifies to "false")
• {}             → an object (stringifies to "[object Object]")
• !''+[!{}]+{}   → "truefalse[object Object]"

Slide 32: The same alphabet used to call alert(1)
  _ = [[$,__,,$$,,_$,$_,_$_,,,$_$] = !''+[!{}]+{}][_$_+$_$+__+$], _()[_$+$_+$$+__+$](-~$)
• The destructuring assignment picks single characters out of "truefalse[object Object]": $ = "t", __ = "r", $$ = "e", _$ = "a", $_ = "l", _$_ = "s", $_$ = "o".
• _$_+$_$+__+$ spells "sort", so _ is the sort method of a one-element array; calling it with no receiver in non-strict code yields the global object in the browsers the slide targets.
• _$+$_+$$+__+$ spells "alert", and -~$ is -~"t" = -(-1) = 1, so the whole expression is window.alert(1).

Slide 33: Encoders that automate this
• jjencode
• aaencode
• JSF*ck
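The point of slides 8 and 31 through 33 is that the coercion alphabet is enough to spell any identifier, so a keyword signature has nothing to match. The block below is an added example of that, not code from the slides or from the listed encoders: it extends the slide's string with "undefined" (from [][[]]), encodes any character of that alphabet or any digit as an index expression, and reaches the Function constructor as []["sort"]["constructor"] rather than through the destructuring/sort trick of slide 32. The function names and the "return 42" sample source are this example's own.

```javascript
// Added example (not from the slides or from jjencode/aaencode/JSF*ck): encode
// JavaScript source using only the characters  [ ] { } ( ) ! ' +  and run it.

const ALPHABET_EXPR = "(!''+[!{}]+{}+[][[]])";          // the coercion expression...
const ALPHABET = "truefalse[object Object]undefined";    // ...and the string it evaluates to

// Integer n from booleans and empty arrays: 0 -> +[], 1 -> +!![], n -> !![]+!![]+... (true+true === 2)
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  return Array(n).fill('!![]').join('+');
}

// One character: an index into the alphabet string, or a digit via [n]+[] -> "n".
function encodeChar(c) {
  const i = ALPHABET.indexOf(c);
  if (i >= 0) return ALPHABET_EXPR + '[' + num(i) + ']';
  if (c >= '0' && c <= '9') return '([' + num(Number(c)) + ']+[])';
  throw new Error('cannot encode ' + JSON.stringify(c) + ' with this alphabet');
}

// Whole string: concatenation of encoded characters, parenthesized.
function encodeString(s) {
  return '(' + Array.from(s, encodeChar).join('+') + ')';
}

// []["sort"]["constructor"] is Function; hand it the encoded source and invoke the result.
function obfuscate(source) {
  return '[][' + encodeString('sort') + '][' + encodeString('constructor') + ']('
    + encodeString(source) + ')()';
}

// True when the output contains no letter or digit, i.e. nothing for a keyword signature to match.
function isLetterFree(code) {
  return !/[A-Za-z0-9]/.test(code);
}

// Indirect eval so the payload runs in global scope, as an injected page script would.
function run(source) {
  return (0, eval)(obfuscate(source));
}
```

run('return 42') evaluates the encoded program and yields 42, and obfuscate('return 42') contains no letters or digits at all. Characters outside the alphabet (for example a period or a quote) throw here; the encoders named on the slide add further coercion tricks to cover the rest of the character set.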

Slide 34: JIT spraying
• Because IE 8 includes DEP, some exploits cannot rely on heap spraying alone.
• Dion Blazakis proposed JIT spraying at Black Hat DC 2010 ("Interpreter Exploitation: Pointer Inference and JIT Spraying").
  › The JIT compiler is made to generate executable code at runtime whose bytes the attacker chooses.

Slide 35: JIT-spray payload (the XOR chain from Blazakis's paper, truncated on the slide)
  var y = (0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b ^ ...
• The JIT emits each constant as the immediate of an x86 xor instruction. The top byte 0x3c of every constant is the opcode of cmp al, imm8, which swallows the following xor opcode byte, so execution that starts one byte into the chain runs the low three bytes of each constant as attacker-chosen instructions.

