Post on 02-Feb-2021
Presenter: Jiho Lee (Korea University Graduate School of Information Security)
Date: 2019. 07. 27

Crouching Honeypot, Hidden Exploit
Cloaking Known Exploits by Tracking Client Honeypot Fingerprints

Contents
Ⅰ. Introduction
1.1 Biography
1.2 Professor
1.3 Keywords
1.4 Abstract
Ⅱ. Background
2.1 Browser Exploits
2.2 Client Honeypots
2.3 Cloaking
2.4 Browser Fingerprinting
Ⅲ. Experiments
3.1 Overview
3.2 Online Scan Services
3.3 Honeypots in the Wild
3.4 Anti-Virus Products
3.5 Conclusion

Ⅰ. Introduction

1.1 Biography
Jiho Lee, E-mail: jiholee2046@gmail.com
Education
2017. 03 ~ 2018. 08: M.S., Korea University Graduate School of Information Security (Hacking and Countermeasure Research Lab)
2003. 08 ~ 2008. 05: B.S. in Computer Engineering, U. of Illinois @ Urbana-Champaign
Career
2009. 03 ~ : Researcher, Republic of Korea Armed Forces

1.2 Professor Biography
Huy Kang Kim, advisor, E-mail: cenda@korea.ac.kr
Education
2000. 03 ~ 2009. 02: Ph.D., Department of Industrial and Systems Engineering
1998. 03 ~ 2000. 02: M.S., Department of Industrial Engineering, KAIST
1994. 03 ~ 1998. 02: B.S., Department of Industrial Management, KAIST
Career
2017. 11: Co-founder
2010. 03 ~ : Professor, Korea University Graduate School of Information Security
2004. 05 ~ 2010. 02: Head of Information Security
1999. 09: Founder

1.3 Keywords
• Browser Exploits
• Client Honeypots & Cloaking
• Browser Fingerprinting
• Fingerprint Resemblance

1.4 Abstract
• Client honeypots can be fingerprinted, too.
• By leveraging fingerprint resemblance, previously seen client honeypots can be discerned and cloaked even with a spoofed IP address and/or user agent name.
• It helps hide even known browser exploits.

Ⅱ. Background

2.1 Browser Exploits
Is the Web safe?

2.1 Browser Exploits
Browser exploits still persist
Detected vulnerabilities in browsers amounted to 14%
https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/

2.1 Browser Exploits
Recent 0-days
SEP 10, 2018: A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.
DEC 20, 2018: Microsoft issued an out-of-band patch for a zero day bug in its Internet Explorer browser.
MAR 8, 2019: Google Chrome zero-day: Now is the time to update and restart your browser.
MAR 21, 2019: Two zero-day Safari exploits found, one allowing complete takeover of Mac.
APR 12, 2019: Internet Explorer zero-day lets hackers steal files from Windows PCs. Microsoft refused to patch issue so security researcher released exploit code online.
JUN 18, 2019: Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day.

2.1 Browser Exploits
Attack types leveraging browser exploits
• Spear-phishing
• Malvertising
• Watering-hole: web shells on sale!

2.1 Browser Exploits
What are defensive measures?
• Google Safe Browsing
• Online scan services, e.g., VirusTotal
• Anti-virus products

2.2 Client Honeypots
What is a client honeypot?
Active security devices in search of malicious servers that attack clients.
- Wikipedia

2.3 Cloaking
What is cloaking?
A technique in which the content presented to the search engine spider is different from that presented to the user's browser.
- Wikipedia
(Figure: Crawlers / Web page / Users)

2.3 Cloaking
Types of cloaking
• Easy: IP address, rDNS, GeoIP, user agent
• Normal: time window, human action
• Hard: emulation crash induction, “red pill”

2.3 Cloaking
Thus, crouching honeypot, hidden exploit
(Figure: the honeypot says “I am not a honeypot. Show me your exploit.”; the web page replies “I do not have it.”)

2.4 Browser Fingerprinting
What is fingerprinting?
A procedure that maps an arbitrarily large data item to a much shorter bit string, its fingerprint, that uniquely identifies the original data for all practical purposes.
- Andrei Z. Broder

2.4 Browser Fingerprinting
How Unique is Your Web Browser? (2010)
Fingerprint contains at least 18.1 bits of entropy, i.e. only 1 in 286,777 other browsers share its fingerprint
- P. Eckersley
panopticlick.eff.org (http://panopticlick.eff.org)

2.4 Browser Fingerprinting
Example: browserleaks.com (http://browserleaks.com)

2.4 Browser Fingerprinting
(Cross-)Browser Fingerprinting via OS and Hardware Level Features
99.24% unique fingerprints
- Cao et al.
uniquemachine.org (http://uniquemachine.org)

2.4 Browser Fingerprinting
Implication
Possible to track users without cookies
(Figure: Users / Web page / Tracking party)
Application
• Tailored advertisement
• Fraud detection

2.4 Browser Fingerprinting
Dark Implication
Possible to track machines?
(Figure: Honeypots / Web page / Miscreants)
Abusive Application
• Cloaking malicious campaigns
• Search engine optimization

Ⅲ. Experiments

3.1 Overview
Hypothesis
• Systems as complex as client honeypots are probably shared, copied, and/or derived.
• Client honeypots with different IP addresses and/or user agents may have identical or similar fingerprints.
• It should be possible to gradually identify more IP addresses and artifacts of client honeypots as the fingerprint dataset grows.
• By leveraging the result, it should be possible to help hide browser exploits from detection.
Exploit Sample
Metasploit Framework’s 34 JavaScript-based browser exploits

3.1 Overview
Fingerprint Features
(Figures: entropy by feature; canvas fingerprint example)

3.2 Online Scan Services
Assessment of 23 Services
Cymon.io, Desenmascara.me, Dr.Web, Forcepoint CSI ACE Insight, Google Safe Browsing site status, Hacker Combat, Hybrid Analysis, Is It Hacked?, Joe Sandbox Cloud, Kaspersky VirusDesk, Malwares.com, MalwareURL, Norton SafeWeb, Quttera, ReScan.Pro, SiteGuarding, Sucuri SiteCheck, urlQuery, Urlscan.io, VirusTotal, Web of Trust, Webroot BrightCloud, Zulu URL Risk Analyzer

3.2 Online Scan Services
Assessment of 23 Services
6 out of 23 detected 68% of the exploits on average

3.2 Online Scan Services
Fingerprints of 6 Services
2 out of 6 yielded fingerprints
• Joe Sandbox Cloud
  • All features static
  • Single IP address
• Hybrid Analysis
  • All features are static except screen resolution
  • Single IP address
0% detection
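The two findings above (a scan service whose features never change across visits, and the per-feature entropy chart of 3.1) are the same measurement seen from two sides. The script below is an added example written for this transcript, not code from the talk or its authors: it computes Shannon entropy per fingerprint feature over a set of collected sessions, expresses Eckersley's "18.1 bits" figure as "1 in 2^H", scores the resemblance of two sessions, and audits which features stay constant per source IP. The sessions, feature names and values are constructed for illustration and do not come from the talk's dataset; a honeypot or sandbox operator can run the same audit over their own instance's visits to see whether it would remain linkable after rotating its IP address or user agent.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed sample sessions (invented values; not data from the talk).
# Each record mirrors the collection inputs from the talk: source IP, user
# agent and a handful of fingerprint features. "198.51.100.7" imitates a scan
# service whose fingerprint is static across visits even after it changes its
# user agent; the 203.0.113.x records imitate ordinary visitors.
FEATURES = ("ua", "screen", "tz", "canvas", "plugins")

SESSIONS = [
    {"ip": "198.51.100.7", "ua": "UA-IE11",     "screen": "1024x768",  "tz": "0",    "canvas": "hash-aaaa", "plugins": "none"},
    {"ip": "198.51.100.7", "ua": "UA-IE11",     "screen": "1024x768",  "tz": "0",    "canvas": "hash-aaaa", "plugins": "none"},
    {"ip": "198.51.100.7", "ua": "UA-Chrome75", "screen": "1024x768",  "tz": "0",    "canvas": "hash-aaaa", "plugins": "none"},
    {"ip": "203.0.113.11", "ua": "UA-Chrome75", "screen": "1920x1080", "tz": "-540", "canvas": "hash-b1",   "plugins": "pdf"},
    {"ip": "203.0.113.12", "ua": "UA-Firefox67","screen": "1366x768",  "tz": "-540", "canvas": "hash-b2",   "plugins": "pdf"},
    {"ip": "203.0.113.13", "ua": "UA-Safari12", "screen": "2560x1440", "tz": "-60",  "canvas": "hash-b3",   "plugins": "none"},
]


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * log2(c / total) for c in counts.values())


def entropy_by_feature(sessions, features=FEATURES):
    """Entropy of each feature over the dataset (the 'entropy by features' chart)."""
    return {f: shannon_entropy([s[f] for s in sessions]) for f in features}


def expected_share(bits):
    """Eckersley's reading of H bits: only 1 in 2**H other browsers share the fingerprint."""
    return 2 ** bits


def bits_from_share(n):
    """Inverse: '1 in n' -> log2(n) bits (1 in 286,777 is about 18.13 bits, quoted as 18.1)."""
    return log2(n)


def resemblance(a, b, features=FEATURES):
    """Fraction of features two sessions agree on; 1.0 means identical fingerprints."""
    return sum(a[f] == b[f] for f in features) / len(features)


def static_features(sessions, features=FEATURES, min_sessions=2):
    """Audit: for each source IP with enough sessions, list the features that never
    changed. A long list means the instance stays recognisable even after it
    rotates its IP address or user agent; IPs with too few sessions are skipped."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["ip"]].append(s)
    report = {}
    for ip, group in by_ip.items():
        if len(group) < min_sessions:
            continue
        report[ip] = sorted(f for f in features if len({s[f] for s in group}) == 1)
    return report


if __name__ == "__main__":
    for f, h in entropy_by_feature(SESSIONS).items():
        print(f"{f:8s} {h:.2f} bits  (1 in {expected_share(h):.1f})")
    print("static features per IP:", static_features(SESSIONS))
    print("resemblance of sessions 1 and 3:", resemblance(SESSIONS[0], SESSIONS[2]))
```

In the sample, the scan-service sessions agree on 4 of 5 features after the user-agent change, so a user-agent swap alone does not break the link; the audit reports screen, time zone, canvas and plugin list as static for that IP. Low per-feature entropy in the whole dataset (the plugin list here) says little about one visitor, while a feature that is both high-entropy and static per IP is what makes an instance trackable.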

3.3 Honeypots in the Wild
Data Collection & Analysis
INPUT
• Referer URL
• IP address
• Fingerprint
INITIAL SET
• IP addresses of 57 companies from RIRs’ WHOIS databases
OUTPUT
• IP addresses
• Fingerprints

3.3 Honeypots in the Wild
Result
COLLECTION
• 872 fingerprints
• 273 distinct fingerprints
ANALYSIS
• 8 networks discovered
  • Palo Alto Networks
  • Qihu Technology
  • Trend Micro

3.3 Honeypots in the Wild
Sample Fingerprint #1 (figure)

3.3 Honeypots in the Wild
Sample Fingerprint #2 (figure)

3.3 Honeypots in the Wild
Sample Fingerprint #3 (figure)

3.4 Anti-Virus Products
Assessment of Top 8 Products against Basic JavaScript Obfuscation
Avast Premier, Bitdefender Total Security, ESET Internet Security, Kaspersky Internet Security, Malwarebytes Premium, McAfee LiveSafe, …

3.5 Conclusion
Observation
• Our approach
  • Makes online scan services ineffective
  • Helps discover hidden client honeypots as data collection continues
• Existing approach
  • Makes anti-virus products ineffective (against browser exploits)
Mitigation
• Anti-tracking for honeypots or all browsers
• Honeypot operation policy
• Dataset poisoning by sharing IP addresses
Improvement
• Larger, labelled dataset