IceShield: Detection and Mitigation of Malicious Websites


Introduction
 Related Work
 Design Overview
 System Implementation
 Evaluation
 Limitations

A Seminar at Advanced Defense Lab
2011/7/19

There are many different kinds of threats
and attack vectors against current
browsers.
› Drive-by-Download attacks
› Cross-Site Scripting (XSS)
› Clickjacking

The root cause of this problem is the fact
that an attacker can compromise the
integrity of almost all DOM properties of
a website by injecting malicious
JavaScript code.

We introduce IceShield, a novel
approach to perform light-weight
instrumentation of JavaScript, detecting
a diverse set of attacks against the DOM
tree.
[Figure: taxonomy of related work along two axes: offline vs. online analysis, and auto-selected features (machine learning) vs. manually selected features (security policy). Systems placed on it: Wepawet[link] (JSAND), Cujo, Zozzle, IceShield, Gatekeeper[link], Caja[link], Gazelle[link].]

We assume that almost every JavaScript-based
attack will have to use native methods at
some point in order to prepare the necessary
data structures.
› Heap spray
› JIT spray

An attacker can render useless any
signature-based malware detection that
lacks advanced de-obfuscation routines.

We do not rely on any form of static
code analysis.

We instrument objects and functions
dynamically, providing an execution
context in which we can analyze their
behavior.

Our heuristics are based on a manual
analysis of current attacks, and we tried
to generalize the heuristics such that
they are capable of detecting a wide
variety of attacks.

External domain injection
› <embed>, <iframe>, <script>, …

Dangerous MIME type injection

Suspicious Unicode characters
› %u0c0c

Suspicious decoding result

Overlong decoding results
› 4096 characters

Dangerous element creation
› <iframe>, <script>, …

URI/CLSID pattern in attribute setter

Dangerous tag injection via the innerHTML
property

We overwrite and wrap the native
JavaScript methods in a context that
allows us to inspect them dynamically.

IceShield utilizes an ECMAScript 5
feature, Object.defineProperty(), to
implement the instrumentation in a
robust way.

The most relevant descriptor attribute for
IceShield is configurable: setting it to
false freezes the property state, so the
wrapped method can no longer be deleted or
redefined (with writable also set to false,
plain assignment cannot replace it either).

All modern user agents such as Firefox 4,
Chrome 6-10, and Internet Explorer 9
support object freezing.

Linear Discriminant Analysis (LDA)[link]
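The slide only names the classifier. The following is an added example, not code from the paper: Fisher's linear discriminant fitted to constructed per-page feature vectors, to show how manually selected heuristics end up with numeric weights and a decision threshold. Each vector counts how often three heuristics fired on a page (external domain injections, suspicious Unicode hits, dangerous element creations). The training data, the feature order and the resulting weights are illustrative only and are not IceShield's trained model.

```javascript
// Added example, not from the paper: Fisher's LDA on constructed feature
// vectors. FEATURES, KNOWN_GOOD, KNOWN_BAD and all derived numbers are
// assumptions made here for illustration.

const FEATURES = ["externalDomain", "suspiciousUnicode", "dangerousElement"];

// Constructed training data (heuristic hit counts per page). Benign pages do
// embed third-party scripts, so the first feature alone should not condemn a page.
const KNOWN_GOOD = [[2, 0, 0], [1, 0, 1], [3, 0, 0], [0, 0, 0], [2, 0, 1]];
const KNOWN_BAD  = [[1, 3, 2], [0, 5, 1], [2, 4, 3], [1, 2, 2], [1, 6, 2]];

const dot = (a, b) => a.reduce((s, v, i) => s + v * b[i], 0);
const mean = (rows) => rows[0].map((_, j) => rows.reduce((s, r) => s + r[j], 0) / rows.length);

// Pooled within-class covariance: both classes' scatter matrices summed, over n - k.
function pooledCovariance(classes) {
  const d = classes[0].rows[0].length;
  const S = Array.from({ length: d }, () => new Array(d).fill(0));
  let n = 0;
  for (const { rows, mu } of classes) {
    for (const x of rows) {
      n += 1;
      for (let i = 0; i < d; i++) for (let j = 0; j < d; j++) S[i][j] += (x[i] - mu[i]) * (x[j] - mu[j]);
    }
  }
  return S.map((row) => row.map((v) => v / (n - classes.length)));
}

// Gauss-Jordan elimination with partial pivoting: solves A w = b for a small A.
function solve(A, b) {
  const n = b.length;
  const M = A.map((row, i) => [...row, b[i]]);
  for (let col = 0; col < n; col++) {
    let piv = col;
    for (let r = col + 1; r < n; r++) if (Math.abs(M[r][col]) > Math.abs(M[piv][col])) piv = r;
    [M[col], M[piv]] = [M[piv], M[col]];
    const p = M[col][col];
    for (let c = col; c <= n; c++) M[col][c] /= p;
    for (let r = 0; r < n; r++) {
      if (r === col) continue;
      const f = M[r][col];
      for (let c = col; c <= n; c++) M[r][c] -= f * M[col][c];
    }
  }
  return M.map((row) => row[n]);
}

// w = S^-1 (mu_bad - mu_good); the threshold sits halfway between the projected class means.
function trainLDA(good, bad) {
  const muG = mean(good), muB = mean(bad);
  const S = pooledCovariance([{ rows: good, mu: muG }, { rows: bad, mu: muB }]);
  const weights = solve(S, muB.map((v, i) => v - muG[i]));
  const threshold = (dot(weights, muG) + dot(weights, muB)) / 2;
  return { weights, threshold };
}

const score = (model, x) => dot(model.weights, x);
const classify = (model, x) => (score(model, x) >= model.threshold ? "malicious" : "benign");

const model = trainLDA(KNOWN_GOOD, KNOWN_BAD);
FEATURES.forEach((f, i) => console.log(f, "weight", model.weights[i].toFixed(3)));
console.log("threshold", model.threshold.toFixed(3));
```

On this constructed data the external-domain feature receives a small negative weight (benign pages in the sample embed more third-party content than the exploit pages), while the Unicode and element-creation features dominate; a page with five external includes and nothing else stays benign, a page with three `%u0c0c` hits and one dangerous element crosses the threshold. That is the kind of weighting the slide's LDA step produces from the manually selected heuristics.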

To avoid interference with the user
experience, we null the payload of the
possible exploit, which mitigates the
danger to the user, but in most cases has
no visible impact.
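The heuristics, the Object.defineProperty() wrapping, the property freezing and the payload nulling from the preceding slides, as one added example that is not IceShield's own code. A constructed toy DOM stands in for document, Element.prototype and window.unescape so the code runs under Node; the heuristic weights, the threshold and the substitute values used when a payload is nulled are assumptions made here, not the paper's values.

```javascript
// Added example, not IceShield's own code. toyDocument/toyWindow, WEIGHTS,
// THRESHOLD and the safeArgs substitutes are assumptions for illustration.

// --- constructed stand-in for the DOM so the example runs under Node ---
const toyElementProto = {
  setAttribute(name, value) { this.attrs[name] = value; },
};
const toyDocument = {
  location: { hostname: "example.org" },
  createElement(tag) {
    const el = Object.create(toyElementProto);
    el.tagName = String(tag).toUpperCase();
    el.attrs = {};
    return el;
  },
};
const toyWindow = { document: toyDocument, unescape: globalThis.unescape };

// --- heuristics from the slides; each returns 1 on a hit ---
const DANGEROUS_TAGS = new Set(["IFRAME", "SCRIPT", "EMBED", "OBJECT", "APPLET"]);
const heuristics = {
  dangerousElement: (tag) => (DANGEROUS_TAGS.has(String(tag).toUpperCase()) ? 1 : 0),
  externalDomain: (value) => {
    try {
      const u = new URL(String(value), `http://${toyDocument.location.hostname}/`);
      return /^https?:$/.test(u.protocol) && u.hostname !== toyDocument.location.hostname ? 1 : 0;
    } catch (e) { return 0; }
  },
  uriOrClsid: (value) =>
    /^\s*(javascript|data|vbscript):/i.test(String(value)) ||
    /clsid:\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/i.test(String(value)) ? 1 : 0,
  suspiciousUnicode: (s) => (/%u0c0c/i.test(String(s)) ? 1 : 0),
  overlongDecoding: (decoded) => (String(decoded).length >= 4096 ? 1 : 0),
};
// Assumed weights (the paper derives its own with LDA); THRESHOLD likewise assumed.
const WEIGHTS = { dangerousElement: 1, externalDomain: 1, uriOrClsid: 2, suspiciousUnicode: 3, overlongDecoding: 3 };
const THRESHOLD = 3;
const state = { score: 0, events: [], nulled: 0 };

// Replace obj[name] with a wrapper that runs `check` on every call. The
// descriptor writable:false + configurable:false is the freezing step from the
// slides: page scripts can neither reassign nor redefine the hook afterwards.
function instrument(obj, name, check) {
  const native = obj[name];
  const wrapped = function (...args) {
    const { hits, safeArgs } = check(args, native);
    for (const h of hits) {
      state.score += WEIGHTS[h];
      state.events.push({ method: name, heuristic: h });
    }
    if (hits.length && state.score >= THRESHOLD) {
      state.nulled += 1;               // mitigation: null the payload, keep the page running
      return native.apply(this, safeArgs);
    }
    return native.apply(this, args);
  };
  Object.defineProperty(obj, name, { value: wrapped, writable: false, configurable: false, enumerable: true });
}

instrument(toyDocument, "createElement", (args) => ({
  hits: heuristics.dangerousElement(args[0]) ? ["dangerousElement"] : [],
  safeArgs: ["div"],
}));
instrument(toyElementProto, "setAttribute", (args) => ({
  hits: ["externalDomain", "uriOrClsid"].filter((h) => heuristics[h](args[1])),
  safeArgs: [args[0], ""],
}));
instrument(toyWindow, "unescape", (args, native) => ({
  hits: [
    ...(heuristics.suspiciousUnicode(args[0]) ? ["suspiciousUnicode"] : []),
    ...(heuristics.overlongDecoding(native(args[0])) ? ["overlongDecoding"] : []),
  ],
  safeArgs: [""],
}));

// Constructed drive-by sequence: external iframe, heap-spray style decoding,
// then a javascript: URI through the attribute setter.
function runAttack(win) {
  const frame = win.document.createElement("iframe");         // +1, allowed
  frame.setAttribute("src", "http://evil.example/kit.php");   // +1, allowed (score 2)
  const spray = win.unescape("%u0c0c%u0c0c".repeat(2048));    // +3 +3, nulled to ""
  frame.setAttribute("onload", "javascript:evil()");          // +2, nulled to ""
  return { frame, sprayLength: spray.length };
}

// The page tries to remove the hook; both attempts fail on a frozen property.
function attemptTamper(doc) {
  const hook = doc.createElement;
  try { doc.createElement = () => ({}); } catch (e) { /* TypeError in strict mode, ignored otherwise */ }
  try { Object.defineProperty(doc, "createElement", { value: () => ({}) }); } catch (e) { /* always TypeError */ }
  return doc.createElement === hook;
}

const attack = runAttack(toyWindow);
console.log(state, attack.frame.attrs, "tamper-resistant:", attemptTamper(toyDocument));
```

In a browser the same instrument() call targets document.createElement, Element.prototype.setAttribute and window.unescape, and it must run before any page script does (which is why the slides deliver IceShield as an extension, BHO or user script). Note the trace: the iframe and its external src alone stay under the threshold, so an ad iframe on a benign page is left untouched; only once the spray-style decoding pushes the score over the line are the decoded payload and the later javascript: URI replaced with empty strings, with the element itself still present.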

New window context
› <iframe> pointing to a JavaScript URI
 <iframe src="javascript:evil()">
› Data URI
 <object data="data:x,%3cscript>evil()%3c/script>">
› <a> with target=_blank
› <meta> redirection

The solution to the problems discussed
above can be found in scanning and
analyzing the website's markup during
parsing of the DOM tree.
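A source-level scan for the four new-context constructs from the previous slide, run over a constructed page, as an added example that is not IceShield's own code. The pattern list, the function names and the sample markup are assumptions made here; the paper hooks DOM parsing, which this regex scan only imitates, so treat it as the shape of the check rather than a complete HTML parser.

```javascript
// Added example, not IceShield's own code. ESCAPE patterns, function names and
// SAMPLE_PAGE/BENIGN_PAGE are constructed for this illustration.

// data: URIs carrying a script are the case from the slide
// (<object data="data:x,%3cscript>...">): decode the body before looking.
function findDataUriScripts(html) {
  const found = [];
  const re = /<(?:object|embed|iframe)\b[^>]*\b(?:data|src)\s*=\s*["']\s*(data:[^"']*)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let body = m[1];
    try { body = decodeURIComponent(body); } catch (e) { /* malformed escape: inspect raw */ }
    if (/<script\b/i.test(body) || /javascript:/i.test(body)) found.push(m[1]);
  }
  return found;
}

// Report every construct that starts a new window context, so the
// instrumentation can be applied there too or the construct stripped.
function scanMarkup(html) {
  const findings = [];
  const grab = (re) => { const m = re.exec(html); return m ? m[0] : null; };
  const iframeJs = grab(/<iframe\b[^>]*\bsrc\s*=\s*["']?\s*javascript:[^>]*>/i);
  if (iframeJs) findings.push({ kind: "iframe-javascript-uri", snippet: iframeJs });
  for (const uri of findDataUriScripts(html)) findings.push({ kind: "data-uri-script", snippet: uri });
  const blank = grab(/<a\b[^>]*\btarget\s*=\s*["']?_blank[^>]*>/i);
  if (blank) findings.push({ kind: "anchor-target-blank", snippet: blank });
  const meta = grab(/<meta\b[^>]*\bhttp-equiv\s*=\s*["']?refresh[^>]*>/i);
  if (meta) findings.push({ kind: "meta-refresh", snippet: meta });
  return findings;
}

// Constructed sample pages: one with all four escape routes (plus a harmless
// data: URI that must not be reported), one benign.
const SAMPLE_PAGE = `<html><head>
<meta http-equiv="refresh" content="0;url=http://evil.example/landing">
</head><body>
<a href="http://partner.example/" target="_blank">partner</a>
<iframe src="javascript:evil()"></iframe>
<object data="data:x,%3cscript>evil()%3c/script>"></object>
<embed src="data:text/plain,just%20text">
</body></html>`;
const BENIGN_PAGE = `<html><body><a href="/about">About</a><img src="logo.png"></body></html>`;

console.log(scanMarkup(SAMPLE_PAGE));
```

The target=_blank finding is not a verdict: plenty of benign pages open links in new windows. It is listed because the new window is a context the page-level instrumentation does not cover, which is exactly the gap the previous slide describes.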

We implement:
› Extension for Gecko-based browsers
› BHO for Internet Explorer
› Greasemonkey[link] user script

Known-good dataset
› Top 61,554 websites from the Alexa ranking
› Checked against the malwaredomainlist.com
(MDL)[link] block-list

Known-bad dataset
› 81 URLs selected from MDL
› All URLs point to exploit kits

High-end workstation
› Intel Core i7-870 and 8 GB RAM
› Ubuntu 10.04 and Firefox 3.6.8

Mid-range system
› ASUS EeePC 1000H
› Intel Atom N270 and 1 GB RAM
› Ubuntu 10 and Firefox 3.6.12

Low-end device
› Nokia N900
› 600 MHz ARMv7 Cortex-A8 and 256 MB RAM
› Maemo and Firefox 3.5 (Maemo Browser 1.5.6 RX-51)

Training set
› Top 50 sites from Alexa ranking
› 30 sites from known-bad dataset

Testing set
› 61,504 sites from known-good dataset
› 51 sites from known-bad dataset
Dataset      Correct        Incorrect
Known-good   97.83%         2.17%
Known-bad    98.04% (50)    1.96% (1)
To protect the user, IceShield does not
need to block access to a site that
triggers an alert.
 We can strip malicious data from the site,
and thus mitigate the attack.


We manually evaluated a 10% sample
set (134 sites) randomly chosen from the
false positives to confirm that the
majority of pages remain usable.
› Not noticeable: 82.9%
› Partially usable: 9.6%
› Unusable: 7.5%

2 ms to 760 ms per site, average 11.6 ms
› 99.5% of sites stay below 25 ms
› Average overhead 6.27%

An attacker who delivers a malicious PDF,
Java applet, or Flash file without calling
any native DOM methods is not covered by
the heuristics.

Heuristic coverage is lacking for
ActiveX-based attacks.

Tamper resistance is not available on
older user agents (those without
ECMAScript 5 property freezing).

!''
›  "true"

[!{}]
›  "false" (an array holding false, stringified)

{}
›  an object

!''+[!{}]+{}
›  "truefalse[object Object]"

_ = [[$,__,,$$,,_$,$_,_$_,,,$_$] = !''+[!{}]+{}][_$_+$_$+__+$],
_()[_$+$_+$$+__+$](-~$)
// resolves to window.alert(1) in non-strict code
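The letter harvest behind the snippet above, and what an instrumented native sees when the obfuscated call lands, as an added example that is not part of the slides. The constructed obfWindow object and its hook log are assumptions made here; everything else follows the snippet step by step.

```javascript
// Added example, not from the slides: decoding the snippet above and routing
// its final call through an instrumented native. obfWindow and hookLog are
// constructed for this illustration.

const alphabet = !'' + [!{}] + {};               // "truefalse[object Object]"

// Array destructuring (the [$,__,,$$,...] = ... part) picks letters by
// position; the holes skip characters that are not needed.
const [$, __, , $$, , _$, $_, _$_, , , $_$] = alphabet;
const sortName = _$_ + $_$ + __ + $;             // "sort"
const alertName = _$ + $_ + $$ + __ + $;         // "alert"
const one = -~$;                                 // -~"t": ~NaN is -1, negated gives 1

// [string]["sort"] is Array.prototype.sort. Calling it with no receiver in
// non-strict code makes `this` the global object, which the snippet then
// indexes with "alert": the whole expression is window.alert(1).
const _ = [alphabet][sortName];

// What IceShield-style instrumentation observes: a constructed window whose
// alert is wrapped and frozen like the DOM hooks.
const hookLog = [];
const obfWindow = { alert: (msg) => `alert(${msg})` };
const nativeAlert = obfWindow.alert;
Object.defineProperty(obfWindow, "alert", {
  value: function (...args) {
    hookLog.push({ method: "alert", args });     // the name was obfuscated; the call is not
    return nativeAlert.apply(this, args);
  },
  writable: false,
  configurable: false,
});

function runObfuscatedCall(win) {
  return win[alertName](one);
}

console.log(sortName, alertName, one, runObfuscatedCall(obfWindow), hookLog);
```

No string in the snippet ever spells "alert", so a signature looking for it finds nothing; the hooked function still receives the call with its real argument, which is the point the seminar makes about instrumenting natives instead of matching source.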

jjencode[link]

aaencode[link]

JSF*ck[link]
Because IE 8 enables DEP, some exploits
may not rely on heap spraying.

Dion Blazakis proposed JIT spraying at
Black Hat DC 2010
› "Interpreter Exploitation: Pointer
Inference and JIT Spraying"
› Makes the JIT generate attacker-influenced
executable code at runtime

var y = (
  0x3c54d0d9 ^
  0x3c909058 ^
  0x3c59f46a ^
  0x3c90c801 ^
  0x3c9030d9 ^
  0x3c53535b ^
  ...
);
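Why every constant in that XOR chain starts with 0x3c, as an added example that is not part of the slides. On x86 a JIT compiles such a chain to mov eax, c1 (opcode B8 with a 32-bit immediate) followed by one xor eax, cN (opcode 35 with a 32-bit immediate) per further constant; that encoding is taken from Blazakis' paper and assumed here. Only the six constants visible on the slide are used; the elided ones are not reconstructed.

```javascript
// Added example, not from the slides. The B8/35 encoding is assumed from
// Blazakis' paper; CONSTANTS are the six values shown on the slide.

const CONSTANTS = [0x3c54d0d9, 0x3c909058, 0x3c59f46a, 0x3c90c801, 0x3c9030d9, 0x3c53535b];

// Little-endian bytes of a 32-bit immediate.
const imm32 = (v) => [v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff];

// Byte stream the JIT writes into executable memory for the XOR chain.
function jitBytes(constants) {
  const out = [];
  constants.forEach((c, i) => out.push(i === 0 ? 0xb8 : 0x35, ...imm32(c)));
  return out;
}

// The attacker enters at offset +1, skipping the MOV opcode. Every 5-byte
// stride then decodes as: three attacker-chosen bytes, 0x3C (CMP AL, imm8), and
// the JIT's next opcode byte 0x35, which CMP AL consumes as its immediate, so
// the JIT's own instructions never execute.
function strides(bytes, offset = 1) {
  const out = [];
  for (let i = offset; i + 5 <= bytes.length; i += 5) out.push(bytes.slice(i, i + 5));
  return out;
}
const attackerBytes = (bytes) => strides(bytes).map((s) => s.slice(0, 3));
const opcodesHidden = (bytes) => strides(bytes).every((s) => s[3] === 0x3c && s[4] === 0x35);

const hex = (bs) => bs.map((b) => b.toString(16).padStart(2, "0")).join(" ");
const stream = jitBytes(CONSTANTS);
console.log("JIT view   :", hex(stream));
console.log("attacker +1:", strides(stream).map(hex).join(" | "));
console.log("first stride d9 d0 54 = FNOP; PUSH ESP, then 3c 35 = CMP AL, 0x35");
```

Drop the 0x3c prefix on a single constant (0x90909090, say) and the stride check fails: at that point the JIT's 0x35 opcode is no longer swallowed and the attacker's byte stream desynchronises. That constraint, three usable bytes per instruction, is what limits the payload the slide's chain can carry.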