
Slide1

BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections

Long Lu (1), Vinod Yegneswaran (2), Phillip Porras (2), Wenke Lee (1)
(1) Georgia Tech, (2) SRI International
Oct. 6th, 2010

17th ACM Conference on Computer and Communications Security

Slide2

Malware Propagation Facts

One common path: the Internet
Two fundamental approaches: drive-by download vs. social engineering
Drive-by download is the approach most favored by today's attackers; it accounts for more than 60% of malware infections [ISC09, Dasient10, Google10]


Slide3

Drive-by Download


Definition: Drive-by Download - an attack in which the mere connection to a website results in the installation of a binary executable without the web user's authorization.
A click-then-infect scheme
Exploits client-side vulnerabilities

Slide4

Regular browsing & downloading


Browser automatically saves and renders supported file types (*.html, *.js, *.jpeg, etc.)

Slide5

Regular browsing & downloading


Browser asks for user consent before saving unsupported file types (*.exe, *.zip, *.dll, etc.), e.g. a response carrying the header:

Content-Type: application/octet-stream;

Slide6

Drive-by download attack


Essential steps: Exploit, Download, Execute
No user consent required!

Slide7

Observations


Browsers handle supported content automatically, and unsupported content only with the user's permission.

Golden Rule: Browsers should never automatically download and execute binary files without user consent.

All drive-by downloads inevitably break this rule.
No drive-by download will succeed if this rule holds.

Slide8

BLADE Approach

Goal: to eliminate drive-by malware infections
Approach: unconsented execution prevention
Exploit and vulnerability agnostic
Browser independent


Essential steps: Exploit, Download, Execute

Slide9

BLADE Design

Assumptions

Browsers may be fully compromised;
OS is trusted;
H/W is trusted.

Design choices

BLADE is designed as a kernel driver;
User intents are inferred from H/W and window events;
Consented downloads are correlated and verified;
Unconsented downloads are contained in a "SecureZone".


Slide10

BLADE Architecture

(Figure: BLADE's components, the HW Evt Tracer, Screen Parser, Correlator, I/O Redirector and Supervisor, sit in the kernel between the Input Device Driver (user interaction), the Windowing / Screen I/O layer, the Transport Driver (Net I/O) and the File System (File I/O). A Secure Zone alongside the regular File System backs the FileSys View presented to the browser.)

Slide11

How it works – regular download


(Figure: File System, Secure Zone and the browser's FileSys View, with the components annotated as follows.)

Screen Parser: locate consent button(s); parse correlation information
H/W Evt. Tracer: monitor mouse and keyboard input
I/O Redirector: redirect disk writes from browsers
Correlator: discover the candidate file and verify its origin; map it to the regular file system

Slide12

How it works – drive-by download


(Figure: the unconsented file stays in the Secure Zone, visible to the browser only through its FileSys View.)

I/O Redirector: redirect disk writes from browsers; alert when execution is attempted

Slide13

Implementations

Screen Reader
Monitors certain windowing events
Parses internal composition of consent dialogues


Slide14

Implementations

H/W Event Tracer
Resides above device drivers
Listens to IRPs

(Figure: the OS I/O Manager passes IRPs down to the Input Driver; the H/W Evt. Tracer sits between them, above the device driver.)

Slide15

Implementations

I/O Redirector
Built as a file system mini-filter
Redirects file accesses
Provides a merged view

Correlator
Uses the transport driver interface
Records streams coming from download sources
Content-based correlation and verification
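The design in slides 9, 11, 12 and 15 can be followed end to end in a small model of BLADE's decision logic. The block below is an added illustration, not BLADE's kernel code: it keeps the slides' component names (H/W Event Tracer, Screen Parser, I/O Redirector, Correlator, Supervisor) but the event shapes, the `/securezone` shadow path and the matching of a written file to its download stream by SHA-256 of the content are assumptions made for this example. The inputs in `run_scenarios()` are constructed: one download the user consented to and one file dropped by an exploit in the same browser process.

```python
# Added model of BLADE's consent-correlation rule (illustration, not BLADE's driver code).
# Component names follow the slides; paths, event shapes and hash-based matching are assumed.
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List

SECURE_ZONE = "/securezone"  # assumed shadow location; the real store is driver-backed


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ConsentEvent:
    # H/W Event Tracer saw a physical click inside a consent button that the Screen
    # Parser located; the parser also read the filename and source URL in the dialog.
    filename: str
    source_url: str


@dataclass
class NetStream:
    # Correlator records, per download source, the bytes that arrived over the transport layer.
    source_url: str
    content: bytes


@dataclass
class FileWrite:
    # A disk write issued by a browser process, as seen by the I/O Redirector mini-filter.
    browser_pid: int
    path: str
    content: bytes


class Blade:
    def __init__(self) -> None:
        self.consents: List[ConsentEvent] = []
        self.streams: Dict[str, str] = {}            # sha256(content) -> source URL
        self.secure_zone: Dict[str, FileWrite] = {}  # shadow path -> redirected write
        self.regular_fs: Dict[str, bytes] = {}
        self.alerts: List[str] = []

    def record_consent(self, ev: ConsentEvent) -> None:
        self.consents.append(ev)

    def record_stream(self, stream: NetStream) -> None:
        self.streams[sha256(stream.content)] = stream.source_url

    def on_write(self, w: FileWrite) -> str:
        # I/O Redirector: every browser write is diverted into the secure zone first.
        shadow = SECURE_ZONE + w.path
        self.secure_zone[shadow] = w
        return shadow

    def browser_view(self) -> Dict[str, bytes]:
        # Merged view: the browser sees regular files plus its own redirected writes
        # at their original paths, so a compromised browser notices nothing.
        view = dict(self.regular_fs)
        view.update({w.path: w.content for w in self.secure_zone.values()})
        return view

    def correlate(self) -> List[str]:
        # Correlator: a shadow file whose bytes match a recorded stream is a download
        # candidate; it is released to the regular file system only if a consent event
        # names the same filename and source URL. Everything else stays in the zone.
        released: List[str] = []
        for shadow, w in list(self.secure_zone.items()):
            origin = self.streams.get(sha256(w.content))
            if origin is None:
                continue
            consent = next((c for c in self.consents if c.source_url == origin
                            and c.filename == os.path.basename(w.path)), None)
            if consent is None:
                continue
            self.consents.remove(consent)  # each consent covers exactly one file
            del self.secure_zone[shadow]
            self.regular_fs[w.path] = w.content
            released.append(w.path)
        return released

    def on_execute(self, path: str) -> bool:
        # Supervisor: executing anything still confined to the secure zone is blocked
        # and reported; files outside the zone are not BLADE's concern.
        if SECURE_ZONE + path in self.secure_zone:
            self.alerts.append(path)
            return False
        return True


def run_scenarios() -> dict:
    blade = Blade()
    # Constructed inputs: a consented download and a drive-by drop from the same browser.
    good = b"MZ-good-installer"
    evil = b"MZ-dropped-by-exploit"
    blade.record_stream(NetStream("https://example.org/setup.exe", good))
    blade.record_stream(NetStream("http://exploit.example/payload.exe", evil))
    blade.record_consent(ConsentEvent("setup.exe", "https://example.org/setup.exe"))
    blade.on_write(FileWrite(1234, "/Users/alice/Downloads/setup.exe", good))
    blade.on_write(FileWrite(1234, "/Users/alice/AppData/Local/Temp/svchost.exe", evil))
    released = blade.correlate()
    return {
        "released": released,
        "good_runs": blade.on_execute("/Users/alice/Downloads/setup.exe"),
        "evil_runs": blade.on_execute("/Users/alice/AppData/Local/Temp/svchost.exe"),
        "alerts": list(blade.alerts),
        "browser_sees_payload": "/Users/alice/AppData/Local/Temp/svchost.exe" in blade.browser_view(),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The point the model makes explicit is that the policy never inspects the exploit: the dropped file is blocked purely because no physical click on a consent dialog naming it ever happened, which is why the approach is attack-agnostic. It also shows the boundary the limitations slide states: a payload that never touches disk (shellcode running in the browser's memory) produces no FileWrite and therefore nothing for the Correlator to confine.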


Slide16

Empirical Evaluation

An automated test bed
Harvests new real-world malicious URLs daily
VMs with various software configurations


Slide17

Empirical Evaluation


Slide18

Attack Coverage Evaluation

Using 19 specifically hand-crafted exploits
Covering all common exploitation techniques
Targeting diverse vulnerabilities (11 zero-days)
BLADE prevented all 19 infection attempts

Slide19

Security analysis

Potential ways to evade/attack BLADE


Slide20

Benign Website Evaluation

Normal file downloads
Normal site browsing


Slide21

Performance Evaluation

Per-component test
End-to-end test
Worst-case overhead: 3%
Negligible on average


Slide22

Limitations

Social engineering attacks
In-memory execution of shellcode
Only effective against binary executables


Slide23

Q&A


www.blade-defender.org

