BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

Long Lu, Wenke LeeCollege of Computing, Georgia Institute of Technology

Vinod Yegneswaran, Phillip PorrasSRI International

ACM CCS (Oct,2010)

A Presentation at Advanced Defense Lab

Advanced Defense Lab 2

OutlineIntroductionApproachArchitectureEvaluationSecurity AnalysisRelated WorkConclusion

3

IntroductionBLADE

BLock All Drive-by download ExploitsWhy this solution?

The mere connection to a web server can result in the installation of malware on the client machine.

Design principleUnconsented-content execution prevention .Both attack and browser agnostic.

Advanced Defense Lab

4

IntroductionPreventing unconsented-content execution

user-interaction tracking to collect user download authorizations.

consent correlation to discern “transparent” downloads those that involve direct user authorization.

Disk I/O redirection to contain disk footprints of unconsented data through supervised processes.

ImplementationIE and Firefox on Microsoft Windows platform.




6

ApproachDrive-By Exploits

Shellcode injection phase Gaining temporary control of the browser

Shellcode execution phase

Covert binary install phase Shellcode coerces the now tained browser into fetching a remote

malware application from the Internet.


7

ApproachAssumption

The attacker should have no persistent malware deployed on the target host in advanced.

No rootkit from the adversary installed on the system, i.e., the OS kernel is trusted.

Scenarios where attackers remotely exploiting a kernel vulnerability via a browser exist are out of the scope of our model.

TargetDisrupting the covert binary install phase, completely

agnostic of which browser component was exploited or which shellcode injection strategy was employed.




9

ArchitectureWe define the download identity information as

(URL,Path)The Correlator matches a file f with a tuple (u,p) when f is

saved at p with data content received from u.


10

Architecture


11

Architecture – Screen ParserDownload authorization lifecycle

Triggered by the appearance of download consent dialogsGetSaveFileName(…)EVENT_SYSTEM_FOREGROUNDSetWinEventHook(…)

User space agentPrefilter irrelevant windowing events.Pipes its output to the Screen Parser, which may represent

a user consent dialog currently in focus.


http://msdn.microsoft.com/en-us/library/ms646928(VS.85).aspx

http://msdn.microsoft.com/en-us/library/dd318066(VS.85).aspx

http://msdn.microsoft.com/en-us/library/dd373640(VS.85).aspx

12

Architecture – SupervisorThe role of coordinator for carrying out all tasks of

BLADE.Assigning tasks to other BLADE components and

coordinating their execution, as responding to the different event notifications from the Screen Parser.

List of supervised processesIt is a newly created browser process.A remote thread is created within the process by a

supervised process.It is a newly created process spawned by a supervised

process.PsSetCreateProcessNotifyRoutine(…)


http://msdn.microsoft.com/en-us/library/ff559951(VS.85).aspx

13

Architecture – Hardware Event TracerOnce a download consent dialog is identified by the

Screen Parser, interpret the user’s response.Capture user’s mouse clicks and keyboard strokes.Looks for any mouse click whose on-screen coordinates fall

in the areas of download consent dialogs.Maintains some state information to make accurate

decisions.

The users can express for consent only by using the mouse (keyboard hooking is not implemented yet)


14

Architecture – CorrelatorEstablishing the 1-1 mapping between user download

authorizations and downloaded files.(URL,path)

Treats the browser as a black box, only the external behavior of the browser is visible to it.

Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).

Keep a log of inbound transport-level stream for each TCP session created by supervised processes.

Where content of a single file comes from multiple streams is not support.


15

Architecture – I/O RedirectorClosure property

P = {p | p : any browser process}F = {f | f : any file written by p, where p P}∈Fauth = {fa | fa : any-authorized browser download}Fint = F – Fauth ( given Fauth F is always true)⊂F’ = {f’ | f’ : any file opened by p’, where p’ P}∈Observing that Fint ∩ F’ ≈ .∅


16

Architecture – I/O RedirectorPolicies of the secure zone (P1 ~ P6)

Any new file created by a supervised process is redirected to the secure zone.

Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.

I/O redirection is transparent to supervised processes.I/O redirection only applies to supervised processes. Files in

the secure zone can only be accessed via redirection.No execution is allowed for files in the secure zone.Any file correlated with a user download authorization is

remapped to the filesystem.


17

Architecture – I/O Redirector


P1~P3 P4~P6FsRtlRegisterFileSystemFilterCallbacks

http://msdn.microsoft.com/en-us/library/ff547172%28v=VS.85%29.aspx



19

Evaluation - EffectivenessHarvests malware URLs reported in the past 48 hours

from WhiteHat.Environment

VM running on lightly loaded PCVM

Windows XP SP2 IE, Firefox PDF reader, Flash player, JVM…

PC 2.0 GHz single-core CPU 512 MB RAM


http://www.whitehatsec.com/home/index.html

20

Evaluation - Effectiveness3 key experiment outcomes

C1 : (T|F) URL test session caused a BLADE alert.C2 : (T|F) URL test session attempted to load/execute a file

from the secure zone.C3 : (T|F) URL test session produced a file write outside the

secure zone.Evaluation Metrics

True Positive := False Negative :=False Positive :=True Negative :=


)32(1 CCC )32(1 CCC )32(1 CCC )32(1 CCC

21

Evaluation - EffectivenessOperational for 3 months

Visited 3,992 unique malicious URLs http://www.blade-defender.org/eval-lab


http://www.blade-defender.org/eval-lab

22

Evaluation - Effectivenesshttp://www.virustotal.com/


http://www.virustotal.com/

23

Evaluation - EffectivenessUse disclosed zero-day

exploits listed in Table 2.

BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.


24

Evaluation - EffectivenessFalse Positive

The user’s authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted.

A legitimate browser download seeks to execute benign logic without the user ‘s consent, which represents a violation of our root assumption.

Downloaded 30 different software applications from 15 highly ranked freeware sites, with varying types (.exe, .zip, .msi etc.)

False Positive = 0 !!


25

Evaluation – Performance OverheadScreen Parser

Even the worst-case matching time was not measurable (less than a millisecond).

I/O RedirectorCopy 3 files of varying sizes(1,10,100 MB) from one location

to another within the same disk (Each file was copied twice).

Revert to a clean VM snapshot before beginning each test.


26Advanced Defense Lab

Evaluation – Performance Overhead

27Advanced Defense Lab

Evaluation – Performance Overhead



29

Security AnalysisAttacks and Built-in Countermeasures

Spoofing attacks Forged GUI or User response -> HET / Correlator

Download injection and process hijacking attacks Creating a remote thread within an unsupervised process ->

SupervisorCoercing attacks

Coerce the OS to execute the malware directly from secure zone -> Impossible


30

Security Analysis - LimitationsSocial engineering attacks where the user authorizes the

download and installation of malicious binaries disguised as benign applications.

In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.




32

Related workBotHunter, BotSniffer based on post-infection network

dialog, but do not prevent the execution of malware.

CloudAV attempt to block execution of malware is limited by the reliance on binary signatures.

Egele et al., NOZZLE uses static analysis of objects in the heap to detect heap-spraying attacks.

BLADE’s unconsented-content execution is a similar concept to sandboxing but better.




34

ConclusionBLADE’s interception logic has demonstrated 100%

effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.


Documents

BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections