skew heap, leftist heap - Department of Computer Science and
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks
description
Transcript of Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection
Attacks
Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda
Presenter: Chia-Li Lin
2
ReferencesM. Egele, E. Kirda, and C. Kruegel. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference, DIMVA 2009 (to appear), 2009.
3
OutlineIntroductionAutomatically Detecting Drive-by AttacksModified Firefox browserFalse Positive and EffectivenessConclusion
4
IntroductionDrive-by download attacks are among the most common methods for spreading malware today
Typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode
Propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode
5
6
ContributionUses emulation to automatically identify shell-code based drive-by download attacks in a browser
That is integrated into the Mozilla Firefox browser
Evaluated on more than one thousand malicious and several thousand benign sites that the system with no false positives
7
VulnerabilityMost current drive-by downloads target browser plug-ins that are developed and distributed by third parties
buffer overflows memory corruption pointer overwrites
8
JavaScript BasicsTypically used to assign the binary representation of shellcode to a variable that is stored in the address space of the browser JavaScript
9
Tracking String AllocationsTo detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates
global string variables local string variables strings that are properties (members) of objects
The code that we added simply keeps track of the start address of a string variable and its length
10
Checking Strings: libemulibemu is a small library written in C that offers basic x86 emulation and shellcode detection. Being used in:
Nepenthes Honeytrap
Checks starting whether there is a sequence of valid instructions of sufficient length
32 bytes for the minimal length
11
libemulibemu is a small library written in c . libemu supports:
Using libemu one can: detect shellcodes execute the shellcodes profile shellcode behaviour
executing x86 instructions
shellcode execution
reading x86 binary code shellcode execution register emulation win32 api hookingbasic fpu emulation
12
Modified Firefox browserSimulating ActiveX components
dummy objects for instantiation requests to ActiveX components
Modify the parser JScript parser is more tolerant with regards to
semicolons than SpiderMonkey.
Batch processing time-outs replace all delays of setTimeout calls with a delay
of 50ms
13
ActiveX components
14
Performance OptimizationsFirst, one can reduce the total number of invocations of the emulation engine
Second, one can reduce the amount of data that the emulator needs to inspect
string a consists of the concatenation of strings x and y
can skip the analysis (emulation) of x and y when a was already scanned and found to be clean
15
PerformanceIntel Core 2 Duo processor 2.66 GHz and 4 GB of main memory.With a bandwidth of 1 MBit/s of ADSL.
chosen the 150 most popular web sites from the Alexa
16
False Positive EvaluationTo visit 4502 that well-known benign pages from the Alexa
Moves to the next URL two seconds after the page finished loading ten seconds after page loading started
Not produce any false positives
17
Detection Effectiveness[1/2]Evaluated our system on the traces of 1,187 web browsing sessions that are known to contain drive-by attacks.
list of such URLs from the Spamcop spam trap of a security company
18
Detection Effectiveness[2/2]To filter those URLs that actually host drive-by attacks, used the:
Capture Honeypot Client (HPC)
To extract application level data from the network traces, used the:
“Chaosreader” ,11,910 URLs (files) were associated with the 1,187 traces
Running detection system on the resources associated with 1,187 traces,detected 956 instances of shellcode
19
Cause of failing Manual analysis revealed four main causes that result in our prototype failing to detect a threat
1.not make use of memory exploits2.use Visual Basic (VB) script code3.malicious code is distributed over several scripts4..cab archive files
20
ConclutionsThe system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed.
Verified the capability of our approach to successfully detect real-world drive-by download attacks.
The evaluation shows that our approach is feasible in practice.
21
SupportedThis work has been supported by the Austrian Science Foundation (FWF) under grant P18764, SECoverer FIT-IT Trust in IT-Systems 2. Call, Austria, Secure Business Austria (SBA), and the WOMBAT and FORWARD projects funded by the European Commission in the 7th Framework.
22
Questions