BLADE PowerPoint Presentation, PPT - DocSlides

BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

Long Lu1, Vinod Yegneswaran2, Phillip Porras2, Wenke Lee11 Georgia Tech2 SRI InternationalOct. 6th, 2010

17th ACM Conference on Computer and Communications Security

Malware Propagation Facts

One common path: the InternetTwo fundamental approaches:Drive-by download Vs. Social engineeringDrive-by Downloadmost favored by today’s attackersCounts for more than 60% malware infections [ISC09, Dasiant10, Google10]

17th ACM Conference on Computer and Communications Security

2

WWW

Drive-by Download

17th ACM Conference on Computer and Communications Security

3

Definition: Drive-by Download - An attack in which the mere connection to a website results in the installation of a binary executable without the web-user’s authorization.A click-then-infect schemeExploiting client-side vulnerabilities

Regular browsing & downloading

17th ACM Conference on Computer and Communications Security

4

Browser automatically saves and renders

supported

file types

(*.html, *.

js

, *.jpeg, etc.)

Regular browsing & downloading

17th ACM Conference on Computer and Communications Security

5

Browser asks for user consent before saving

unsupported

file types

(*.exe, *.zip, *.dll, etc.)

Content-Type:

application/octet-stream;

Drive-by download attack

17th ACM Conference on Computer and Communications Security

6

Essential steps:

Exploit

Download

Execute

No user consent required!

Observations

17th ACM Conference on Computer and Communications Security

7

Browsers handle supported content automaticallyunsupported content based on user’s permissions

Golden Rule:

Browsers should never automatically download and execute binary files without user consent

.

All

drive-by downloads inevitably break this rule.

No

drive-by download will succeed if this rule

holds.

BLADE Approach

Goal: to eliminate drive-by malware infections Approach: unconsented execution preventionExploit and vulnerability agnostic Browser independent

17th ACM Conference on Computer and Communications Security

8

Essential steps:

Exploit

Download

Execute

BLADE Design

Assumptions

Browsers may be fully compromised;OS is trusted;H/W is trusted.

Design choices

BLADE is designed as a kernel driver;User intents are inferred from H/W and window events ;Consented download is correlated and verified;Unconsented download are contained in “SecureZone”.

17th ACM Conference on Computer and Communications Security

9

BLADE

HW

Evt

Tracer

Screen

Parser

Correlator

I/O

Redirector

Supervisor

BLADE Architecture

17th ACM Conference on Computer and Communications Security

10

File

System

Secure

Zone

Input Device

Driver

User

interaction

Windowing

Screen

I/O

Transport

Driver

Net

I/O

File

I/O

FileSys

View

How it works – regular download

17th ACM Conference on Computer and Communications Security

11

FileSys

View

File

System

Secure

Zone

Screen Parser

Locate consent button(s)

Parse correlation information

H/W

Evt

. Tracer

Monitor mouse and keyboard input

I/O Redirector

Redirect disk writes from browsers

Correlator

Discover candidate and verify

its origin

Map it to the regular file system

How it works – drive-by download

17th ACM Conference on Computer and Communications Security

12

I/O Redirector

Redirect disk writes from browsers

FileSys

View

Secure

Zone

I/O Redirector

Alert when executio

n is attempted

Implementations

Screen ReaderMonitors certain windowing eventsParses internal composition of consent dialogues

17th ACM Conference on Computer and Communications Security

13

Implementations

H/W Event TracerResides above device driversListens to IRPs

17th ACM Conference on Computer and Communications Security

14

OS I/O

Mgr.

Input

Driver

H/W

Evt

.

Tracer

Implementations

I/O RedirectorBuilt as a file system mini-filterRedirects file accessesProvides a merged viewCorrelatorUses transport driver interfaceRecords streams coming from download sourcesContent-base correlation and verification

17th ACM Conference on Computer and Communications Security

15

Empirical Evaluation

An automated test bedHarvest new real-world malicious URLs dailyVMs with various software configurations

17th ACM Conference on Computer and Communications Security

16

Empirical Evaluation

17th ACM Conference on Computer and Communications Security

17

Using 19 specifically hand-crafted exploitsCovering all common exploiting techniquesTargeting at diverse vulnerabilities (11 zero-days)BLADE prevented all 19 infection attempts

17th ACM Conference on Computer and Communications Security

18

Attack Coverage Evaluation

Security analysis

Potential ways to evade/attack BLADE

17th ACM Conference on Computer and Communications Security

19

Benign Website Evaluation

Normal file downloadsNormal site-browsing

17th ACM Conference on Computer and Communications Security

20

Performance Evaluation

Per-component testEnd-to-end testWorst case overhead – 3%Negligible on average

17th ACM Conference on Computer and Communications Security

21

Limitations

Social engineering attacksIn-memory execution of shellcodeOnly effective against binary executables

17th ACM Conference on Computer and Communications Security

22

Q&A

17th ACM Conference on Computer and Communications Security

23

www.blade-defender.org