BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
Long Lu, Wenke Lee (College of Computing, Georgia Institute of Technology); Vinod Yegneswaran, Phillip Porras (SRI International)
ACM CCS (Oct 2010)
A Presentation at Advanced Defense Lab


Outline
- Introduction
- Approach
- Architecture
- Evaluation
- Security Analysis
- Related Work
- Conclusion

Introduction
- BLADE: BLock All Drive-by download Exploits
- Why this solution? The mere connection to a web server can result in the installation of malware on the client machine.
- Design principle: unconsented-content execution prevention, both attack and browser agnostic.

Introduction: Preventing unconsented-content execution
- User-interaction tracking to collect user download authorizations.
- Consent correlation to discern transparent downloads from those that involve direct user authorization.
- Disk I/O redirection to contain the disk footprints of unconsented data written by supervised processes.
- Implementation: IE and Firefox on the Microsoft Windows platform.

Approach: Drive-By Exploits
- Shellcode injection phase: gaining temporary control of the browser.
- Shellcode execution phase.
- Covert binary install phase: the shellcode coerces the now-tainted browser into fetching a remote malware application from the Internet.

Approach: Assumptions
- The attacker has no persistent malware deployed on the target host in advance.
- No rootkit from the adversary is installed on the system, i.e., the OS kernel is trusted.
- Scenarios where attackers remotely exploit a kernel vulnerability via a browser are out of the scope of our model.
- Target: disrupting the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed.

Architecture
- We define the download identity information as (URL, Path).
- The Correlator matches a file f with a tuple (u, p) when f is saved at p with data content received from u.

Architecture (overview diagram slides)

Architecture: Screen Parser
- Tracks the download authorization lifecycle.
- Triggered by the appearance of download consent dialogs: GetSaveFileName(), EVENT_SYSTEM_FOREGROUND, SetWinEventHook().
- User space agent: prefilters irrelevant windowing events and pipes its output (windows that may represent a user consent dialog currently in focus) to the Screen Parser.

Architecture: Supervisor
- Plays the role of coordinator for carrying out all tasks of BLADE.
- Assigns tasks to the other BLADE components and coordinates their execution in response to the different event notifications from the Screen Parser.
- List of supervised processes; a process is supervised if:
  - it is a newly created browser process;
  - a remote thread is created within the process by a supervised process;
  - it is a newly created process spawned by a supervised process.
- Process creation is tracked with PsSetCreateProcessNotifyRoutine().

Architecture: Hardware Event Tracer
- Once a download consent dialog is identified by the Screen Parser, interprets the user's response.
- Captures the user's mouse clicks and keyboard strokes.
- Looks for any mouse click whose on-screen coordinates fall in the areas of download consent dialogs.
- Maintains some state information to make accurate decisions.
- The user can express consent only by using the mouse (keyboard hooking is not implemented yet).

Architecture: Correlator
- Establishes the 1-1 mapping between user download authorizations and downloaded files, keyed by (URL, path).
- Treats the browser as a black box; only the external behavior of the browser is visible to it.
- Our approach works even when encryption is used (e.g., HTTPS, VPN) or browser-level encoding schemes are used (e.g., SDCH).
- Keeps a log of the inbound transport-level stream for each TCP session created by supervised processes.
- The case where the content of a single file comes from multiple streams is not supported.

Architecture: I/O Redirector
Closure property:
  P = {p | p : any browser process}
  F = {f | f : any file written by p, where p ∈ P}
  F_auth = {f_a | f_a : any user-authorized browser download}
  F_int = F \ F_auth (given that F_auth ⊆ F always holds)
  F′ = {f | f : any file opened by p, where p ∈ P}
  Observation: F_int ⊆ F′, i.e., files the browser writes without consent are only ever opened by browser processes.

Architecture: I/O Redirector
Policies of the secure zone (P1 ~ P6):
- Any new file created by a supervised process is redirected to the secure zone.
- Any existing file modified by a supervised process is saved as a shadow copy in the secure zone, without change to the original file.
- I/O redirection is transparent to supervised processes.
- I/O redirection only applies to supervised processes; files in the secure zone can only be accessed via redirection.
- No execution is allowed for files in the secure zone.
- Any file correlated with a user download authorization is remapped to the filesystem.

Architecture: I/O Redirector (diagram slides illustrating P1~P3 and P4~P6; the redirector hooks the filesystem through FsRtlRegisterFileSystemFilterCallbacks())
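As an added illustration (not code from the BLADE paper or project), the following Python toy model ties together the Supervisor's process rules, the Correlator's (URL, path) matching and the secure-zone policies P1~P6 above; the secure-zone prefix and every class and method name are assumptions made for this example.

```python
from dataclasses import dataclass, field

SECURE_ZONE = "/secure_zone"  # assumed prefix for redirected files


class BladeAlert(Exception):
    """Raised when a supervised process tries to execute a secure-zone file (P5)."""


@dataclass
class Blade:
    supervised: set = field(default_factory=set)   # pids under I/O redirection
    consents: set = field(default_factory=set)     # (URL, path) download authorizations
    fs: dict = field(default_factory=dict)         # real filesystem: path -> content
    zone: dict = field(default_factory=dict)       # secure zone: path -> (content, source URL)

    def supervise(self, pid, parent=None):
        # Supervisor: a new browser (no parent) or a child/remote-thread target of a supervised pid
        if parent is None or parent in self.supervised:
            self.supervised.add(pid)
        return pid in self.supervised

    def authorize(self, url, path):
        # Screen Parser + Hardware Event Tracer observed the user consenting to (URL, path)
        self.consents.add((url, path))

    def write(self, pid, path, content, url=None):
        if pid not in self.supervised:             # P4: only supervised processes are redirected
            self.fs[path] = content
            return path
        self.zone[path] = (content, url)           # P1/P2: new file or shadow copy; original untouched
        return SECURE_ZONE + path

    def read(self, pid, path):
        # P3/P4: a supervised process transparently sees its shadow copy; others never do
        if pid in self.supervised and path in self.zone:
            return self.zone[path][0]
        return self.fs.get(path)

    def execute(self, pid, path):
        if pid in self.supervised and path in self.zone:
            raise BladeAlert(f"execution from secure zone blocked: {path}")  # P5
        return path in self.fs                     # True only if a real-filesystem file ran

    def correlate(self, path):
        # Correlator: a zone file whose (URL, path) matches a consent is remapped (P6)
        entry = self.zone.get(path)
        if entry and (entry[1], path) in self.consents:
            self.fs[path] = self.zone.pop(path)[0]
            return True
        return False
```

Walking a constructed drive-by drop and a constructed consented download through the model shows that the former stays in the zone and cannot execute, while the latter is remapped once its (URL, path) matches a recorded consent.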


Evaluation - Effectiveness
- Harvests malware URLs reported in the past 48 hours from WhiteHat.
- Environment: a VM running on a lightly loaded PC.
  - VM: Windows XP SP2; IE, Firefox; PDF reader, Flash player, JVM.
  - PC: 2.0 GHz single-core CPU, 512 MB RAM.

Evaluation - Effectiveness
- 3 key experiment outcomes:
  - C1 (T|F): the URL test session caused a BLADE alert.
  - C2 (T|F): the URL test session attempted to load/execute a file from the secure zone.
  - C3 (T|F): the URL test session produced a file write outside the secure zone.
- Evaluation metrics:
  - True Positive :=
  - False Negative :=
  - False Positive :=
  - True Negative :=

Evaluation - Effectiveness
- Operational for 3 months.
- Visited 3,992 unique malicious URLs.
- http://www.blade-defender.org/eval-lab

Evaluation - Effectiveness (results slides)
- Samples cross-checked against http://www.virustotal.com/

Evaluation - Effectiveness
- Uses the disclosed zero-day exploits listed in Table 2.
- BLADE delivers complete and accurate protection in a browser-agnostic and exploit-oblivious manner.

Evaluation - Effectiveness: False Positives
- A false positive can arise in two ways:
  - The user's authorization cannot be inferred, which leaves the resulting download in the secure zone as untrusted.
  - A legitimate browser download seeks to execute benign logic without the user's consent, which represents a violation of our root assumption.
- Downloaded 30 different software applications from 15 highly ranked freeware sites, of varying types (.exe, .zip, .msi, etc.).
- False Positive = 0 !!

Evaluation - Performance Overhead
- Screen Parser: even the worst-case matching time was not measurable (less than a millisecond).
- I/O Redirector: copy 3 files of varying sizes (1, 10, 100 MB) from one location to another within the same disk (each file was copied twice).
- Revert to a clean VM snapshot before beginning each test.

Evaluation - Performance Overhead (chart slides)

Security Analysis: Attacks and Built-in Countermeasures
- Spoofing attacks: forged GUI or user response -> handled by the Hardware Event Tracer / Correlator.
- Download injection and process hijacking attacks: creating a remote thread within an unsupervised process -> handled by the Supervisor.
- Coercing attacks: coercing the OS to execute the malware directly from the secure zone -> impossible by policy.

Security Analysis: Limitations
- Social engineering attacks where the user authorizes the download and installation of malicious binaries disguised as benign applications.
- In-memory execution of transient malware, which could be scripts such as JavaScript bots or x86 code inserted into memory by exploits.

Related Work
- BotHunter and BotSniffer are based on post-infection network dialog, but do not prevent the execution of malware.
- CloudAV attempts to block the execution of malware, but is limited by its reliance on binary signatures.
- Egele et al. and NOZZLE use static analysis of objects in the heap to detect heap-spraying attacks.
- BLADE's unconsented-content execution prevention is a similar concept to sandboxing, but better.

Conclusion
- BLADE's interception logic has demonstrated 100% effectiveness in preventing covert binary installations using the most widely deployed browsers on the Internet.