
Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). 20th USENIX Security Symposium.




1 Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). 20th USENIX Security Symposium (August 2011)

2 Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). Microsoft Research Technical Report (November 2010)

3 Outline
- Introduction
- Observation on Offline Nozzle
- Design
- Experiment
- Evaluation
2011/5/24 A Seminar at Advanced Defense Lab

4 Introduction
- In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.
- But many solutions are not lightweight enough to be integrated into a commercial browser.

5 About Nozzle
- The overhead of this runtime technique may be 10% or higher.
- This paper is based on our experience using NOZZLE for offline scanning.
- Offline scanning is also not as effective against transient malware that appears and disappears frequently.

6 About Zozzle
- ZOZZLE is integrated with the browser's JavaScript engine to collect and process JavaScript code that is created at runtime.
- Our focus in this paper is on creating a very low false positive, low overhead scanner.

7 Observation on Offline Nozzle
- Once we determined that a piece of JavaScript was malicious, we invested a considerable effort in examining the code by hand and categorizing it in various ways.
- We investigated 169 malware samples.

8 Distribution of Different Exploit Samples

9 Transience of Detected Malicious URLs

10 JavaScript eval Unfolding

11 Distribution of Context Counts

12 Design

13 Training Data Extraction and Labeling
- We start by augmenting the JavaScript engine in a browser with a "deobfuscator" that extracts and collects individual fragments of JavaScript.
- Detours
- jscript.dll
- Compile function (COlescript::Compile())

14 Feature Extraction
- We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST).

15 Feature Selection
- χ² test

              With feature    Without feature
malicious     A               C
benign        B               D

16 Classifier Training
- Naïve Bayesian classifier
- Assume features to be conditionally independent

17 Naïve Bayesian classifier
- Complexity: linear time
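As an added worked example covering slides 15 to 17 (it is not the paper's or ZOZZLE's code): chi-squared selection over constructed (AST-context, token) features, followed by a naive Bayes classifier over the selected ones. The feature names, the 24 constructed training contexts and the Laplace smoothing are assumptions; the 10.83 cutoff is the standard 1-degree-of-freedom chi-squared critical value at p = 0.001.

```python
import math

def make_contexts():
    """Constructed training set (not data from the paper): 12 malicious and
    12 benign contexts, each a set of (AST-context, token) features."""
    data = []
    for i in range(12):
        mal = {("function", "unescape"), ("loop", "shellcode")}
        ben = {("function", "getElementById"), ("if", "addEventListener")}
        if i < 10:
            mal.add(("loop", "spray"))           # in 10 of 12 malicious contexts
        if i < 1:
            ben.add(("loop", "spray"))           # in 1 of 12 benign contexts
        if i % 2:                                # noise feature present in both classes
            mal.add(("function", "push"))
            ben.add(("function", "push"))
        data += [(mal, "malicious"), (ben, "benign")]
    return data

def chi_squared(a, b, c, d):
    """Standard chi-squared for the slide's 2x2 table: a/c = malicious with/
    without the feature, b/d = benign with/without it."""
    n, denom = a + b + c + d, (a + c) * (b + d) * (a + b) * (c + d)
    return n * (a * d - c * b) ** 2 / denom if denom else 0.0

def select_features(data, threshold=10.83):
    """Keep features whose chi-squared clears the threshold (10.83 is the
    1-degree-of-freedom critical value at p = 0.001); returns {feature: chi2}."""
    mal = [f for f, y in data if y == "malicious"]
    ben = [f for f, y in data if y == "benign"]
    chosen = {}
    for feat in set().union(*(f for f, _ in data)):
        a, b = sum(feat in f for f in mal), sum(feat in f for f in ben)
        x2 = chi_squared(a, b, len(mal) - a, len(ben) - b)
        if x2 >= threshold:
            chosen[feat] = x2
    return chosen

def train_nb(data, features):
    """Per-class log prior and Laplace-smoothed P(feature present | class)."""
    model = {}
    for y in ("malicious", "benign"):
        rows = [f for f, lab in data if lab == y]
        probs = {ft: (sum(ft in f for f in rows) + 1) / (len(rows) + 2) for ft in features}
        model[y] = (math.log(len(rows) / len(data)), probs)
    return model

def classify(model, context):
    """One log term per selected feature: linear in the feature count (slide 17)."""
    return max(model, key=lambda y: model[y][0] + sum(
        math.log(p if ft in context else 1 - p) for ft, p in model[y][1].items()))
```

The noise feature ("function", "push") appears equally in both classes and is dropped by the chi-squared test, so it cannot sway the classifier either way.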

18 Fast Pattern Matching

19 Fast Pattern Matching (cont.)

20 Experiment
- Malicious samples: 919 deobfuscated malicious contexts
- Benign samples: Alexa top 50 URLs, 7,976 contexts

21 Feature Selection
- Hand-picked vs. automatically selected

22 Evaluation
- HP xw4600 workstation
- Intel Core2 Duo 3.16 GHz
- 4 GB memory
- Windows 7 64-bit Enterprise

23 Effectiveness

24 Training Set Size

25 Feature Set Size

26 Comparison with Other Techniques

27 Performance: Context Size

28 Performance: Feature Set


31 I think this is all… (each of the three string forms below decodes to "HelloWorld")
unescape("%48%65%6c%6c%6f%57%6f%72%6c%64")
"\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064"
document.write("alert('1')");
eval("alert(1)");
"H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g, "")

32 If I want to eval …
Function("alert('1')")();
setTimeout("alert('1')");
execScript("alert('1')", "javascript");
[].constructor.constructor('alert(1)')();
window["eval"]("alert('1')");

33 In the network, I find …
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[ ]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[] )[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[ +!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[ +[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[] +!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[] ]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]] +(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+! +[]]+(!![]+[])[+[]]])(+!+[])


