1 / 34

BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. Long Lu, Wenke Lee College of Computing, Georgia Institute of Technology Vinod Yegneswaran , Phillip Porras SRI International ACM CCS (Oct,2010) . A Presentation at Advanced Defense Lab. Outline.

chloe
Download Presentation

BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. BLADE, An Attack-Agnostic Approach for Preventing Drive-By Malware Infections Long Lu, Wenke Lee College of Computing, Georgia Institute of Technology VinodYegneswaran, Phillip Porras SRI International ACM CCS (Oct,2010) A Presentation at Advanced Defense Lab

  2. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  3. Introduction • BLADE • BLockAll Drive-by download Exploits • Why this solution? • The mere connection to a web server can result in the installation of malware on the client machine. • Design principle • Unconsented-content execution prevention . • Both attack and browser agnostic. Advanced Defense Lab

  4. Introduction • Preventing unconsented-content execution • user-interaction tracking to collect user download authorizations. • consent correlation to discern “transparent” downloads those that involve direct user authorization. • Disk I/O redirection to contain disk footprints of unconsented data through supervised processes. • Implementation • IE and Firefox on Microsoft Windows platform. Advanced Defense Lab

  5. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  6. Approach • Drive-By Exploits • Shellcode injection phase • Gaining temporary control of the browser • Shellcode execution phase • Covert binary install phase • Shellcode coerces the now tained browser into fetching a remote malware application from the Internet. Advanced Defense Lab

  7. Approach • Assumption • The attacker should have no persistent malware deployed on the target host in advanced. • No rootkit from the adversary installed on the system, i.e., the OS kernel is trusted. • Scenarios where attackers remotely exploiting a kernel vulnerability via a browser exist are out of the scope of our model. • Target • Disrupting the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed. Advanced Defense Lab

  8. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  9. Architecture • We define the download identity information as (URL,Path) • The Correlator matches a file f with a tuple (u,p) when f is saved at p with data content received from u. Advanced Defense Lab

  10. Architecture Advanced Defense Lab

  11. Architecture – Screen Parser • Download authorization lifecycle • Triggered by the appearance of download consent dialogs • GetSaveFileName(…) • EVENT_SYSTEM_FOREGROUND • SetWinEventHook(…) • User space agent • Prefilter irrelevant windowing events. • Pipes its output to the Screen Parser, which may represent a user consent dialog currently in focus. Advanced Defense Lab

  12. Architecture – Supervisor • The role of coordinator for carrying out all tasks of BLADE. • Assigning tasks to other BLADE components and coordinating their execution, as responding to the different event notifications from the Screen Parser. • List of supervised processes • It is a newly created browser process. • A remote thread is created within the process by a supervised process. • It is a newly created process spawned by a supervised process. • PsSetCreateProcessNotifyRoutine(…) Advanced Defense Lab

  13. Architecture – Hardware Event Tracer • Once a download consent dialog is identified by the Screen Parser, interpret the user’s response. • Capture user’s mouse clicks and keyboard strokes. • Looks for any mouse click whose on-screen coordinates fall in the areas of download consent dialogs. • Maintains some state information to make accurate decisions. • The users can express for consent only by using the mouse (keyboard hooking is not implemented yet) Advanced Defense Lab

  14. Architecture – Correlator • Establishing the 1-1 mapping between user download authorizations and downloaded files. • (URL,path) • Treats the browser as a black box, only the external behavior of the browser is visible to it. • Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH). • Keep a log of inbound transport-level stream for each TCP session created by supervised processes. • Where content of a single file comes from multiple streams is not support. Advanced Defense Lab

  15. Architecture– I/O Redirector • Closure property • P = {p | p : any browser process} • F = {f | f : any file written by p, where p ∈ P} • Fauth = {fa | fa : any-authorized browser download} • Fint = F – Fauth ( given Fauth⊂ F is always true) • F’ = {f’ | f’ : any file opened by p’, where p’ ∈ P} • Observing that Fint ∩ F’≈ ∅. Advanced Defense Lab

  16. Architecture – I/O Redirector • Policies of the secure zone (P1 ~ P6) • Any new file created by a supervised process is redirected to the secure zone. • Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file. • I/O redirection is transparent to supervised processes. • I/O redirection only applies to supervised processes. Files in the secure zone can only be accessed via redirection. • No execution is allowed for files in the secure zone. • Any file correlated with a user download authorization is remapped to the filesystem. Advanced Defense Lab

  17. Architecture – I/O Redirector • P4~P6 • FsRtlRegisterFileSystemFilterCallbacks • P1~P3 Advanced Defense Lab

  18. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  19. Evaluation - Effectiveness • Harvests malware URLs reported in the past 48 hours from WhiteHat. • Environment • VM running on lightly loaded PC • VM • Windows XP SP2 • IE, Firefox • PDF reader, Flash player, JVM… • PC • 2.0 GHz single-core CPU • 512 MB RAM Advanced Defense Lab

  20. Evaluation - Effectiveness • 3 key experiment outcomes • C1 : (T|F) URL test session caused a BLADE alert. • C2 : (T|F) URL test session attempted to load/execute a file from the secure zone. • C3 : (T|F) URL test session produced a file write outside the secure zone. • Evaluation Metrics • True Positive := • False Negative := • False Positive := • True Negative := Advanced Defense Lab

  21. Evaluation - Effectiveness • Operational for 3 months • Visited 3,992 unique malicious URLs • http://www.blade-defender.org/eval-lab Advanced Defense Lab

  22. Evaluation - Effectiveness • http://www.virustotal.com/ Advanced Defense Lab

  23. Evaluation - Effectiveness • Use disclosed zero-day exploits listed in Table 2. • BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner. Advanced Defense Lab

  24. Evaluation - Effectiveness • False Positive • The user’s authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted. • A legitimate browser download seeks to execute benign logic without the user ‘s consent, which represents a violation of our root assumption. • Downloaded 30 different software applications from 15 highly ranked freeware sites, with varying types (.exe, .zip, .msi etc.) • False Positive = 0 !! Advanced Defense Lab

  25. Evaluation – Performance Overhead • Screen Parser • Even the worst-case matching time was not measurable (less than a millisecond). • I/O Redirector • Copy 3 files of varying sizes(1,10,100 MB) from one location to another within the same disk (Each file was copied twice). • Revert to a clean VM snapshot before beginning each test. Advanced Defense Lab

  26. Evaluation – Performance Overhead Advanced Defense Lab

  27. Evaluation – Performance Overhead Advanced Defense Lab

  28. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  29. Security Analysis • Attacks and Built-in Countermeasures • Spoofing attacks • Forged GUI or User response -> HET / Correlator • Download injection and process hijacking attacks • Creating a remote thread within an unsupervised process -> Supervisor • Coercing attacks • Coerce the OS to execute the malware directly from secure zone -> Impossible Advanced Defense Lab

  30. Security Analysis - Limitations • Social engineering attacks where the user authorizes the download and installation of malicious binaries disguised as benign applications. • In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits. Advanced Defense Lab

  31. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  32. Related work • BotHunter, BotSniffer based on post-infection network dialog, but do not prevent the execution of malware. • CloudAV attempt to block execution of malware is limited by the reliance on binary signatures. • Egele et al., NOZZLE uses static analysis of objects in the heap to detect heap-spraying attacks. • BLADE’s unconsented-content execution is a similar concept to sandboxing but better. Advanced Defense Lab

  33. Outline • Introduction • Approach • Architecture • Evaluation • Security Analysis • Related Work • Conclusion Advanced Defense Lab

  34. Conclusion • BLADE’s interception logic has demonstrated 100% effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet. Advanced Defense Lab

More Related