Presentations text content in BLADE
Slide1
BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
Long Lu1, Vinod Yegneswaran2, Phillip Porras2, Wenke Lee11 Georgia Tech2 SRI InternationalOct. 6th, 2010
17th ACM Conference on Computer and Communications Security
Slide2Malware Propagation Facts
One common path: the InternetTwo fundamental approaches:Drive-by download Vs. Social engineeringDrive-by Downloadmost favored by today’s attackersCounts for more than 60% malware infections [ISC09, Dasiant10, Google10]
17th ACM Conference on Computer and Communications Security
2
WWW
Slide3Drive-by Download
17th ACM Conference on Computer and Communications Security
3
Definition: Drive-by Download - An attack in which the mere connection to a website results in the installation of a binary executable without the web-user’s authorization.A click-then-infect schemeExploiting client-side vulnerabilities
Slide4Regular browsing & downloading
17th ACM Conference on Computer and Communications Security
4
Browser automatically saves and renders
supported
file types
(*.html, *.
js
, *.jpeg, etc.)
Slide5Regular browsing & downloading
17th ACM Conference on Computer and Communications Security
5
Browser asks for user consent before saving
unsupported
file types
(*.exe, *.zip, *.dll, etc.)
Content-Type:
application/octet-stream;
Slide6Drive-by download attack
17th ACM Conference on Computer and Communications Security
6
Essential steps:
Exploit
Download
Execute
No user consent required!
Slide7Observations
17th ACM Conference on Computer and Communications Security
7
Browsers handle supported content automaticallyunsupported content based on user’s permissions
Golden Rule:
Browsers should never automatically download and execute binary files without user consent
.
All
drive-by downloads inevitably break this rule.
No
drive-by download will succeed if this rule
holds.
Slide8BLADE Approach
Goal: to eliminate drive-by malware infections Approach: unconsented execution preventionExploit and vulnerability agnostic Browser independent
17th ACM Conference on Computer and Communications Security
8
Essential steps:
Exploit
Download
Execute
Slide9BLADE Design
Assumptions
Browsers may be fully compromised;OS is trusted;H/W is trusted.
Design choices
BLADE is designed as a kernel driver;User intents are inferred from H/W and window events ;Consented download is correlated and verified;Unconsented download are contained in “SecureZone”.
17th ACM Conference on Computer and Communications Security
9
Slide10BLADE
HW
Evt
Tracer
Screen
Parser
Correlator
I/O
Redirector
Supervisor
BLADE Architecture
17th ACM Conference on Computer and Communications Security
10
File
System
Secure
Zone
Input Device
Driver
User
interaction
Windowing
Screen
I/O
Transport
Driver
Net
I/O
File
I/O
FileSys
View
Slide11How it works – regular download
17th ACM Conference on Computer and Communications Security
11
FileSys
View
File
System
Secure
Zone
Screen Parser
Locate consent button(s)
Parse correlation information
H/W
Evt
. Tracer
Monitor mouse and keyboard input
I/O Redirector
Redirect disk writes from browsers
Correlator
Discover candidate and verify
its origin
Map it to the regular file system
Slide12How it works – drive-by download
17th ACM Conference on Computer and Communications Security
12
I/O Redirector
Redirect disk writes from browsers
FileSys
View
Secure
Zone
I/O Redirector
Alert when executio
n is attempted
Slide13Implementations
Screen ReaderMonitors certain windowing eventsParses internal composition of consent dialogues
17th ACM Conference on Computer and Communications Security
13
Slide14Implementations
H/W Event TracerResides above device driversListens to IRPs
17th ACM Conference on Computer and Communications Security
14
OS I/O
Mgr.
Input
Driver
H/W
Evt
.
Tracer
Slide15Implementations
I/O RedirectorBuilt as a file system mini-filterRedirects file accessesProvides a merged viewCorrelatorUses transport driver interfaceRecords streams coming from download sourcesContent-base correlation and verification
17th ACM Conference on Computer and Communications Security
15
Slide16Empirical Evaluation
An automated test bedHarvest new real-world malicious URLs dailyVMs with various software configurations
17th ACM Conference on Computer and Communications Security
16
Slide17Empirical Evaluation
17th ACM Conference on Computer and Communications Security
17
Slide18Using 19 specifically hand-crafted exploitsCovering all common exploiting techniquesTargeting at diverse vulnerabilities (11 zero-days)BLADE prevented all 19 infection attempts
17th ACM Conference on Computer and Communications Security
18
Attack Coverage Evaluation
Slide19Security analysis
Potential ways to evade/attack BLADE
17th ACM Conference on Computer and Communications Security
19
Slide20Benign Website Evaluation
Normal file downloadsNormal site-browsing
17th ACM Conference on Computer and Communications Security
20
Slide21Performance Evaluation
Per-component testEnd-to-end testWorst case overhead – 3%Negligible on average
17th ACM Conference on Computer and Communications Security
21
Slide22Limitations
Social engineering attacksIn-memory execution of shellcodeOnly effective against binary executables
17th ACM Conference on Computer and Communications Security
22
Slide23Q&A
17th ACM Conference on Computer and Communications Security
23
www.blade-defender.org
BLADE
Download Presentation - The PPT/PDF document "BLADE" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.