Upload
chloe
View
45
Download
0
Tags:
Embed Size (px)
DESCRIPTION
BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. Long Lu, Wenke Lee College of Computing, Georgia Institute of Technology Vinod Yegneswaran , Phillip Porras SRI International ACM CCS (Oct,2010) . A Presentation at Advanced Defense Lab. Outline. - PowerPoint PPT Presentation
Citation preview
BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
Long Lu, Wenke LeeCollege of Computing, Georgia Institute of Technology
Vinod Yegneswaran, Phillip PorrasSRI International
ACM CCS (Oct,2010)
A Presentation at Advanced Defense Lab
Advanced Defense Lab 2
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
3
IntroductionBLADE
BLock All Drive-by download ExploitsWhy this solution?
The mere connection to a web server can result in the installation of malware on the client machine.
Design principleUnconsented-content execution prevention .Both attack and browser agnostic.
Advanced Defense Lab
4
IntroductionPreventing unconsented-content execution
user-interaction tracking to collect user download authorizations.
consent correlation to discern “transparent” downloads those that involve direct user authorization.
Disk I/O redirection to contain disk footprints of unconsented data through supervised processes.
ImplementationIE and Firefox on Microsoft Windows platform.
Advanced Defense Lab
Advanced Defense Lab 5
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
6
ApproachDrive-By Exploits
Shellcode injection phase Gaining temporary control of the browser
Shellcode execution phase
Covert binary install phase Shellcode coerces the now tained browser into fetching a remote
malware application from the Internet.
Advanced Defense Lab
7
ApproachAssumption
The attacker should have no persistent malware deployed on the target host in advanced.
No rootkit from the adversary installed on the system, i.e., the OS kernel is trusted.
Scenarios where attackers remotely exploiting a kernel vulnerability via a browser exist are out of the scope of our model.
TargetDisrupting the covert binary install phase, completely
agnostic of which browser component was exploited or which shellcode injection strategy was employed.
Advanced Defense Lab
Advanced Defense Lab 8
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
9
ArchitectureWe define the download identity information as
(URL,Path)The Correlator matches a file f with a tuple (u,p) when f is
saved at p with data content received from u.
Advanced Defense Lab
10
Architecture
Advanced Defense Lab
11
Architecture – Screen ParserDownload authorization lifecycle
Triggered by the appearance of download consent dialogsGetSaveFileName(…)EVENT_SYSTEM_FOREGROUNDSetWinEventHook(…)
User space agentPrefilter irrelevant windowing events.Pipes its output to the Screen Parser, which may represent
a user consent dialog currently in focus.
Advanced Defense Lab
12
Architecture – SupervisorThe role of coordinator for carrying out all tasks of
BLADE.Assigning tasks to other BLADE components and
coordinating their execution, as responding to the different event notifications from the Screen Parser.
List of supervised processesIt is a newly created browser process.A remote thread is created within the process by a
supervised process.It is a newly created process spawned by a supervised
process.PsSetCreateProcessNotifyRoutine(…)
Advanced Defense Lab
13
Architecture – Hardware Event TracerOnce a download consent dialog is identified by the
Screen Parser, interpret the user’s response.Capture user’s mouse clicks and keyboard strokes.Looks for any mouse click whose on-screen coordinates fall
in the areas of download consent dialogs.Maintains some state information to make accurate
decisions.
The users can express for consent only by using the mouse (keyboard hooking is not implemented yet)
Advanced Defense Lab
14
Architecture – CorrelatorEstablishing the 1-1 mapping between user download
authorizations and downloaded files.(URL,path)
Treats the browser as a black box, only the external behavior of the browser is visible to it.
Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).
Keep a log of inbound transport-level stream for each TCP session created by supervised processes.
Where content of a single file comes from multiple streams is not support.
Advanced Defense Lab
15
Architecture – I/O RedirectorClosure property
P = {p | p : any browser process}F = {f | f : any file written by p, where p P}∈Fauth = {fa | fa : any-authorized browser download}Fint = F – Fauth ( given Fauth F is always true)⊂F’ = {f’ | f’ : any file opened by p’, where p’ P}∈Observing that Fint ∩ F’ ≈ .∅
Advanced Defense Lab
16
Architecture – I/O RedirectorPolicies of the secure zone (P1 ~ P6)
Any new file created by a supervised process is redirected to the secure zone.
Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.
I/O redirection is transparent to supervised processes.I/O redirection only applies to supervised processes. Files in
the secure zone can only be accessed via redirection.No execution is allowed for files in the secure zone.Any file correlated with a user download authorization is
remapped to the filesystem.
Advanced Defense Lab
17
Architecture – I/O Redirector
Advanced Defense Lab
P1~P3 P4~P6FsRtlRegisterFileSystemFilterCallbacks
Advanced Defense Lab 18
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
19
Evaluation - EffectivenessHarvests malware URLs reported in the past 48 hours
from WhiteHat.Environment
VM running on lightly loaded PCVM
Windows XP SP2 IE, Firefox PDF reader, Flash player, JVM…
PC 2.0 GHz single-core CPU 512 MB RAM
Advanced Defense Lab
20
Evaluation - Effectiveness3 key experiment outcomes
C1 : (T|F) URL test session caused a BLADE alert.C2 : (T|F) URL test session attempted to load/execute a file
from the secure zone.C3 : (T|F) URL test session produced a file write outside the
secure zone.Evaluation Metrics
True Positive := False Negative :=False Positive :=True Negative :=
Advanced Defense Lab
)32(1 CCC )32(1 CCC )32(1 CCC )32(1 CCC
21
Evaluation - EffectivenessOperational for 3 months
Visited 3,992 unique malicious URLs http://www.blade-defender.org/eval-lab
Advanced Defense Lab
22
Evaluation - Effectivenesshttp://www.virustotal.com/
Advanced Defense Lab
23
Evaluation - EffectivenessUse disclosed zero-day
exploits listed in Table 2.
BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.
Advanced Defense Lab
24
Evaluation - EffectivenessFalse Positive
The user’s authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted.
A legitimate browser download seeks to execute benign logic without the user ‘s consent, which represents a violation of our root assumption.
Downloaded 30 different software applications from 15 highly ranked freeware sites, with varying types (.exe, .zip, .msi etc.)
False Positive = 0 !!
Advanced Defense Lab
25
Evaluation – Performance OverheadScreen Parser
Even the worst-case matching time was not measurable (less than a millisecond).
I/O RedirectorCopy 3 files of varying sizes(1,10,100 MB) from one location
to another within the same disk (Each file was copied twice).
Revert to a clean VM snapshot before beginning each test.
Advanced Defense Lab
26Advanced Defense Lab
Evaluation – Performance Overhead
27Advanced Defense Lab
Evaluation – Performance Overhead
Advanced Defense Lab 28
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
29
Security AnalysisAttacks and Built-in Countermeasures
Spoofing attacks Forged GUI or User response -> HET / Correlator
Download injection and process hijacking attacks Creating a remote thread within an unsupervised process ->
SupervisorCoercing attacks
Coerce the OS to execute the malware directly from secure zone -> Impossible
Advanced Defense Lab
30
Security Analysis - LimitationsSocial engineering attacks where the user authorizes the
download and installation of malicious binaries disguised as benign applications.
In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.
Advanced Defense Lab
Advanced Defense Lab 31
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
32
Related workBotHunter, BotSniffer based on post-infection network
dialog, but do not prevent the execution of malware.
CloudAV attempt to block execution of malware is limited by the reliance on binary signatures.
Egele et al., NOZZLE uses static analysis of objects in the heap to detect heap-spraying attacks.
BLADE’s unconsented-content execution is a similar concept to sandboxing but better.
Advanced Defense Lab
Advanced Defense Lab 33
OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion
34
ConclusionBLADE’s interception logic has demonstrated 100%
effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.
Advanced Defense Lab