IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
Mario Heiderich, Tilman Frosch, Thorsten Holz
Ruhr-University Bochum, Germany
14th RAID Symposium (September, 2011)
A Seminar at Advanced Defense Lab 2
Outline
› Introduction
› Related Work
› Design Overview
› System Implementation
› Evaluation
› Limitations
2011/7/19
Introduction
There are many different kinds of threats and attack vectors against current browsers.
› Drive-by-Download attacks
› Cross-Site Scripting (XSS)
› Clickjacking
A Reason
The root cause of this problem is the fact that an attacker can compromise the integrity of almost all DOM properties of a website by injecting malicious JavaScript code.
In This Paper
We introduce IceShield, a novel approach to perform light-weight instrumentation of JavaScript, detecting a diverse set of attacks against the DOM tree.
Related Work

                                  Offline                        Online
Machine Learning
  Auto-selected features          Cujo, Zozzle
  Manually selected features      Wepawet[link] (JSAND)          IceShield
Security Policy                   Gatekeeper[link], Caja[link]   Gazelle[link]
Design Overview
We assume that almost every JavaScript based attack will have to use native methods at some point in order to prepare necessary data structures.
› Heap spray
› JIT spray
Challenge
An attacker can render any signature based malware detection lacking advanced de-obfuscation routines useless.
Basic Idea
We do not rely on any form of static code analysis.
We instrument objects and functions dynamically, providing an execution context in which we can analyze their behavior.
System Implementation
Our heuristics are based on a manual analysis of current attacks, and we tried to generalize the heuristics such that they are capable of detecting a wide variety of attacks.
Current Heuristics
External domain injection
› <embed>, <iframe>, <script>, …
Dangerous MIME type injection
Suspicious Unicode characters
› %u0c0c
Suspicious decoding result
Current Heuristics (cont.)
Overlong decoding results
› 4096 characters
Dangerous element creation
› <iframe>, <script>, …
URI/CLSID pattern in attribute setter
Dangerous tag injection via the innerHTML property
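The following is an added example, not IceShield's own code, that re-creates the heuristics listed on the two slides above as checks over the kind of events an instrumented DOM method would report (element creation, attribute setting, innerHTML assignment, string decoding). The page origin, the MIME list, the regular expressions and the sample events are constructed assumptions; only the 4096-character threshold and the %u0c0c value come from the slides.

```javascript
// Added example (not IceShield's code): the slide's heuristics as checks over
// DOM-level events. Origin, MIME list, regexes and events are constructed; the
// 4096-character threshold and the %u0c0c value are the ones named on the slides.
const PAGE_ORIGIN = 'https://example.test';                 // assumed origin of the inspected page
const DANGEROUS_TAGS = new Set(['iframe', 'script', 'embed', 'object', 'applet']);
const DANGEROUS_MIME = /^application\/(x-shockwave-flash|x-java-applet|pdf)/i; // assumed list
const OVERLONG = 4096;                                      // threshold named on the slide

// Each check returns the heuristic's name when it fires, otherwise null.
const CHECKS = {
  externalDomainInjection(ev) {
    if (ev.kind !== 'setAttribute' || !DANGEROUS_TAGS.has(ev.tag)) return null;
    if (ev.name !== 'src' && ev.name !== 'data') return null;
    let origin;
    try { origin = new URL(ev.value, PAGE_ORIGIN).origin; } catch (e) { return null; }
    return origin !== PAGE_ORIGIN ? 'external-domain-injection' : null;
  },
  dangerousMimeType(ev) {
    return ev.kind === 'setAttribute' && ev.name === 'type' && DANGEROUS_MIME.test(ev.value)
      ? 'dangerous-mime-type' : null;
  },
  suspiciousUnicode(ev) {
    return ev.kind === 'decode' && /%u0c0c/i.test(ev.input) ? 'suspicious-unicode' : null;
  },
  overlongDecodingResult(ev) {
    return ev.kind === 'decode' && ev.output.length > OVERLONG ? 'overlong-decoding-result' : null;
  },
  dangerousElementCreation(ev) {
    return ev.kind === 'createElement' && DANGEROUS_TAGS.has(ev.tag.toLowerCase())
      ? 'dangerous-element-creation' : null;
  },
  uriOrClsidInAttribute(ev) {
    return ev.kind === 'setAttribute' && /^\s*(javascript:|data:|clsid:)/i.test(ev.value)
      ? 'uri-clsid-pattern' : null;
  },
  innerHtmlTagInjection(ev) {
    return ev.kind === 'innerHTML' && /<\s*(iframe|script|embed|object|applet)\b/i.test(ev.value)
      ? 'innerhtml-tag-injection' : null;
  },
};

// Runs every check over one event and returns the names of the heuristics that fired.
function runHeuristics(ev) {
  return Object.values(CHECKS).map(check => check(ev)).filter(Boolean);
}

// Constructed sample events, in the shape a wrapped createElement / setAttribute /
// innerHTML setter / unescape might report to the heuristics engine.
const SAMPLE_EVENTS = [
  { kind: 'createElement', tag: 'div' },
  { kind: 'createElement', tag: 'iframe' },
  { kind: 'setAttribute', tag: 'script', name: 'src', value: '/static/app.js' },
  { kind: 'setAttribute', tag: 'script', name: 'src', value: 'https://cdn.other.test/x.js' },
  { kind: 'setAttribute', tag: 'object', name: 'classid', value: 'clsid:00000000-0000-0000-0000-000000000000' },
  { kind: 'decode', input: '%u0c0c%u0c0c%u0c0c', output: 'A'.repeat(5000) },
  { kind: 'innerHTML', value: '<p>hello</p>' },
  { kind: 'innerHTML', value: '<iframe src="https://cdn.other.test/"></iframe>' },
];

// Returns only the events that triggered at least one heuristic, together with the hits.
function flagEvents(events) {
  return events
    .map(ev => ({ event: ev, hits: runHeuristics(ev) }))
    .filter(r => r.hits.length > 0);
}

console.log(JSON.stringify(flagEvents(SAMPLE_EVENTS), null, 2));
```

Each check is deliberately narrow: the external-domain check only looks at the attributes that load content (src, data) on the element types the slide names, so an ordinary same-origin script tag does not fire it, while a single decode event can legitimately trigger two heuristics at once (the %u0c0c sequence and an overlong result), which is what a scoring step such as the paper's LDA would then weigh.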
Dynamic Instrumentation
We overwrite and wrap the native JavaScript methods in a context that allows us to inspect them dynamically.
IceShield utilizes an ECMAScript 5 feature, Object.defineProperty(), to implement the instrumentation in a robust way.
Tamper Resistant
The most relevant descriptor for IceShield is configurable, and the possibility to set it to false, thereby freezing the property state.
All modern user agents such as Firefox 4, Chrome 6-10, and Internet Explorer 9 support object freezing.
Scoring Metric Linear Discriminant Analysis (LDA)[link]
User Protection
To avoid interference with the user experience, we null the payload of the possible exploit, which mitigates the danger to the user, but in most cases has no visible impact.
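As an added example covering the Dynamic Instrumentation, Tamper Resistant and User Protection slides above (this is not IceShield's code), the block below wraps a native method with Object.defineProperty, freezes the descriptor with configurable: false and writable: false so page scripts cannot unwrap it, and nulls a flagged payload instead of blocking the page. Node has no DOM, so a stand-in document object, the blocked-tag list and the replacement tag are all constructed assumptions.

```javascript
// Added example (not IceShield's code): instrumenting a native method with
// Object.defineProperty, freezing the descriptor so page scripts cannot unwrap it,
// and nulling a flagged payload instead of blocking the page. Node has no DOM, so
// a minimal stand-in document object is constructed here.
const BLOCKED_TAGS = new Set(['iframe', 'script', 'embed', 'object']); // assumed heuristic

// Stand-in for the native document.createElement: returns a plain record.
function makeDocument() {
  return {
    createElement(tag) {
      return { tagName: String(tag).toUpperCase(), attrs: {} };
    },
  };
}

// Inspector for createElement: returns a verdict (with a harmless replacement
// argument list) when the requested tag is on the blocked list, otherwise null.
function inspectCreateElement(args) {
  const tag = String(args[0] === undefined ? '' : args[0]).toLowerCase();
  return BLOCKED_TAGS.has(tag)
    ? { heuristic: 'dangerous-element-creation', replacement: ['span'] }
    : null;
}

// Wraps doc[method] so every call is inspected first, then freezes the property:
// writable:false stops assignment, configurable:false stops delete and redefinition.
function instrument(doc, method, inspect, log) {
  const native = doc[method];
  const wrapped = function (...args) {
    const verdict = inspect(args);
    if (verdict) {
      log.push({ method, args: args.slice(), heuristic: verdict.heuristic });
      // Null the payload: call the native method with the harmless replacement so
      // the page keeps running but the dangerous element never comes into being.
      return native.apply(this, verdict.replacement);
    }
    return native.apply(this, args);
  };
  Object.defineProperty(doc, method, {
    value: wrapped,
    writable: false,
    enumerable: true,
    configurable: false, // the property state is now frozen
  });
  return doc;
}

// Runs a benign and a flagged call through the instrumented method.
function demo() {
  const log = [];
  const doc = instrument(makeDocument(), 'createElement', inspectCreateElement, log);
  return {
    benign: doc.createElement('div').tagName,         // "DIV"
    neutralised: doc.createElement('iframe').tagName, // "SPAN"
    alerts: log.length,                               // 1
  };
}

// Three ways a page script might try to remove the wrapper; all of them fail
// (silently in sloppy mode, with a TypeError in strict mode).
function tamperAttempts(doc) {
  const before = doc.createElement;
  let deleted = false;
  let redefineThrew = false;
  try { doc.createElement = function () { return 'unwrapped'; }; } catch (e) { /* strict mode */ }
  try { deleted = delete doc.createElement; } catch (e) { deleted = false; }
  try { Object.defineProperty(doc, 'createElement', { value: function () {} }); }
  catch (e) { redefineThrew = true; }
  const desc = Object.getOwnPropertyDescriptor(doc, 'createElement');
  return {
    stillWrapped: doc.createElement === before,
    deleteSucceeded: deleted,
    redefineThrew,
    frozen: desc.writable === false && desc.configurable === false,
  };
}

console.log(demo(), tamperAttempts(instrument(makeDocument(), 'createElement', inspectCreateElement, [])));
```

The freezing must happen before any page script runs, which is why the paper ships the instrumentation as an extension or user script rather than as page content; once configurable is false, the only way for page code to reach an un-wrapped native is a fresh window context, which is exactly the limitation the later slides discuss.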
Some Limitations
New window context
› <iframe> pointing to a JavaScript URI: <iframe src="javascript:evil()">
› Data URI: <object data="data:x,%3cscript>evil()%3c/script>">
› <a> with target=_blank
› <meta> redirection
The Solution
The solution to the problems discussed above can be found in scanning and analyzing the website's markup during parsing of the DOM tree.
Browser Extensions
We implement:
› Extension for Gecko-based browsers
› BHO for Internet Explorer
› Greasemonkey[link] user script
Evaluation
Known-good dataset
› Top 61,554 websites from Alexa ranking
› Checked against the malwaredomainlist.com (MDL)[link] block-list
Known-bad dataset
› 81 URLs selected from MDL
› All URLs point to exploit kits
Environment
High-end workstation
› Intel Core i7-870 and 8 GB RAM
› Ubuntu 10.04 and Firefox 3.6.8
Mid-range system
› ASUS EeePC 1000H
› Intel Atom N270 and 1 GB RAM
› Ubuntu 10 and Firefox 3.6.12
Low-end device
› Nokia N900
› 600 MHz ARM7 Cortex-A8 and 256 MB RAM
› Maemo and Firefox 3.5 (Maemo Browser 1.5.6 RX-51)
Machine Learning
Training set
› Top 50 sites from Alexa ranking
› 30 sites from known-bad dataset
Testing set
› 61,504 sites from known-good dataset
› 51 sites from known-bad dataset
Classification Result

             Correct        Incorrect
Known-good   97.83%         2.17%
Known-bad    98.04% (50)    1.96% (1)
False Positive Analysis
To protect the user, IceShield does not need to block access to a site that triggers an alert.
We can strip malicious data from the site, and thus mitigate the attack.
False Positive Analysis
We manually evaluated a 10% sample set (134 sites) randomly chosen from the false positives to confirm that the majority of pages remain usable.
› Not noticeable: 82.9%
› Partially usable: 9.6%
› Unusable: 7.5%
Performance
2 ms to 760 ms, average 11.6 ms
› 99.5% of sites take less than 25 ms
› Average overhead 6.27%
Performance (cont.)
Limitations
› In case an attacker deploys a malicious PDF, Java applet, or Flash file without using any native DOM methods.
› The lack of heuristic coverage of ActiveX-based attacks.
› The lack of tamper-resistance support for older user agents.
Thank You
Any Questions?
The Flexible JavaScript
!''          › "true"
[!{}]        › "false"
{}           › an object
!''+[!{}]+{} › "truefalse[object Object]"
Now we can understand…
_=[[$,__,,$$,,_$,$_,_$_,,,$_$]=!''+[!{}]+{}][_$_+$_$+__+$],_()[_$+$_+$$+__+$](-~$)
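To see why the one-liner above is readable once the string trick is known, here is an added analysis helper (not from the slides) that resolves the single-character aliases the destructuring pattern binds to positions in "truefalse[object Object]" and spells out the property names they form. The alias table and helper names are constructed for this example. The slide's chain then reads: the array literal's resolved property yields Array.prototype.sort, and the slide appears to rely on an engine quirk of the time in which calling that extracted function unbound yielded the global window object, on which the second resolved name is looked up and called with the argument; current engines throw a TypeError at that unbound call, so this example resolves the names without executing the chain.

```javascript
// Added example (not from the slides): resolve the single-character aliases used
// by the obfuscated expression and spell out the property names they build.
const ALPHABET = !'' + [!{}] + {};   // "truefalse[object Object]", as on the slide

// Position of each alias in the slide's destructuring pattern:
// [$, __, , $$, , _$, $_, _$_, , , $_$]  -- a null marks a hole that skips a character.
const PATTERN = ['$', '__', null, '$$', null, '_$', '$_', '_$_', null, null, '$_$'];

// Maps each alias to the character at its position in the alphabet string.
function resolveAliases(alphabet, pattern) {
  const map = {};
  pattern.forEach((name, i) => {
    if (name !== null) map[name] = alphabet[i];
  });
  return map;
}

// Spells a property name from a '+'-joined alias expression such as "_$_+$_$+__+$".
function spell(expr, aliases) {
  return expr.split('+').map(alias => {
    if (!(alias in aliases)) throw new Error('unknown alias ' + alias);
    return aliases[alias];
  }).join('');
}

// Resolves the three pieces of the slide's expression without executing it.
function decodeSlide() {
  const aliases = resolveAliases(ALPHABET, PATTERN);
  return {
    alphabet: ALPHABET,
    method: spell('_$_+$_$+__+$', aliases),  // property looked up on the array literal
    sink: spell('_$+$_+$$+__+$', aliases),   // property looked up on the call's result
    argument: -~aliases['$'],                // -~'t': ~NaN is -1, negated gives 1
  };
}

console.log(decodeSlide());
```

The same table-driven resolution works for any encoder that builds its alphabet from coerced literals (jjencode and aaencode follow the same principle): recover the alphabet string first, then every "symbol soup" expression is just indexing into it, which is why IceShield does not try to parse such code statically and instead watches what the resulting calls do at runtime.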
Some Links
jjencode[link]
aaencode[link]
JSF*ck[link]
JIT Spraying
Because IE 8 includes DEP, some exploits may not use heap spray.
Dion Blazakis proposed JIT spraying at BlackHat DC 2010
› "Interpreter Exploitation: Pointer Inference and JIT Spraying"
› Generate executable code at runtime
JIT Compilation
var y = (0x3c54d0d9 ^0x3c909058 ^0x3c59f46a ^0x3c90c801 ^0x3c9030d9 ^0x3c53535b ^...