ADSandbox: A Fight Against Malicious Websites
Uploaded by nj9045. Added: April 04, 2011. Category: Science & Tech. License: All Rights Reserved.

Presentation Transcript

Slide 1: ADSandbox: Sandboxing JavaScript to fight Malicious Websites
Guide: A seminar by Vaishali Dharkar, Navdeep Kumar Jain. Roll No: 4332

Slide 2: What is a Malicious Attack?
In terms of computing, a malicious attack can be any physical or electronic action taken with the intent of acquiring, destroying, modifying, or accessing a user's data without permission. Physical attacks typically mean either the theft of hardware storing personal/confidential information or the destruction of that hardware. Electronic attacks (the focus of this presentation) involve unauthorized access to, or unauthorized modification of, the user's computer.

Slide 3: Types of Malicious Attacks
- Viruses
- Worms
- Trojan horses
- Logic bombs (a.k.a. time bombs)
- Trapdoors
- Phishing/Spoofing

Slide 4:
Virus - a program capable of copying itself to another program. Viruses usually steal or destroy data, but a very small minority are simply pranks.
Worm - a type of virus that does not need human aid to proliferate. Worms usually spread via networks or the Internet.
Trojan - a type of virus that disguises itself as a legitimate program.

Slide 5: Logic bombs (time bombs) - pieces of code that remain inactive until a certain event specified by the attacker occurs; then the bomb renders the system inoperable.

Slide 6: Trapdoors - code placed within the system that allows a third party to bypass system security at any convenient time.

Slide 7: Phishing - using a fake website to steal personal information. Spoofing - similar to phishing, except that the dummy object is now a log-on screen that asks for a user name and password, which are passed on to the attacker.

Slide 8: Web Has Become a Primary Target
- Drive-by download
- Cross-site scripting
- Cross-site request forgery
- Cross-origin JavaScript capability leaks

Definition
ADSandbox is an analysis system, or client-side detection system, for malicious websites that focuses on detecting attacks carried out through JavaScript. It provides a controlled execution environment for JavaScript.

Basic Concept
JavaScript does not have any built-in sandbox concept.
- The idea is to execute any embedded JavaScript within an isolated environment and log every critical action.
- Using heuristics on these logs, ADSandbox decides whether the site is malicious or not.

Slide 11: (Figure) The sandboxing concept in the case of hard-disk attacks from the Internet and the local network.

Slide 12: Behavior of Sandbox
(Figure) The application issues open("foo.txt") and open("/etc/passwd"). Each call passes through the sandbox's security check, which consults the security policy before the OS serves the call: open("foo.txt") is allowed and open("/etc/passwd") is denied.

Design of ADSandbox
Important terms:
- BHO - Browser Helper Object. The BHO interrupts the navigation process and initiates the analysis of the target URL by the sandbox.
- DLL - Dynamic Link Library. The DLL accesses the Internet to fetch the source of the desired website in order to analyse it, and returns a report to the BHO.
- Wrapper Executable - the manual method for analysing any website for maliciousness.

Architecture of ADSandbox
A user can access the Internet in many ways: through a browser, or through the command line (cmd).
Through a browser:
1. Before navigating to a website, the browser invokes the BHO.
2. The BHO hands over the URL of the website to the analysis DLL.
3. The DLL returns a report to the BHO after analysis.
4. The browser displays this report within the browser if the website has been suspected.
Through the command line:
1. The user starts the wrapper executable program on a command line.
2. The user supplies some parameters to indicate which URL should be analysed and what kind of analysis should be performed.
3. The wrapper executable then hands over the URL to the analysis DLL.
4. The DLL downloads the source code of the website and analyses it.
5. The DLL's main analysis function again returns the report, which is then printed on the command line.

Additional Information
The wrapper executable offers slightly more options for the user to analyse websites: for example, a batch processing feature is able to process a list of URLs and to create detailed statistics about the analysed sites.

Analysis of Site
There are two types of analysis method:
1. Static analysis
2. Dynamic analysis

Static analysis
Definition: static analysis consists in examining the code of programs to determine properties of the dynamic execution of these programs without running them. In the case of our system it is also called static IFrame analysis.

Static IFrame analysis
IFrame: an IFrame (inline frame) is an HTML document embedded inside another HTML document on a website. An IFrame is very useful when we want to display content from other web sites.
This analysis method detects every IFrame on a website and analyses several properties to decide whether this IFrame comes from a website with malicious intent.
For example, settings that make the IFrame invisible to users, like a height or width of zero or a position that is outside the visible area, are facts that suggest maliciousness.

Static IFrame analysis contd.
Also relevant is the target URL of such an IFrame, which is another important indication in this context. There are four possible outcomes of this check:
1. The IFrame is hidden and refers to another domain,
2. it is hidden but loads an address in the same domain,
3. it is not hidden but refers to a foreign domain, or
4. it is neither hidden nor does it refer to another domain.
A simple usage of an IFrame would be as follows:
<iframe id="Iframe1" frameborder="0" vspace="0" hspace="0" marginwidth="0" marginheight="0" width="100" scrolling="yes" height="100" src="http://www.yahoo.com"></iframe>

Static IFrame analysis contd.
Really suspicious is the case in which the IFrame is hidden and refers to a foreign domain. Attackers generally use trusted websites to spread malware through hidden IFrames that refer to a foreign domain. What our system tries to detect is the unnoticed download of content from another domain while visiting a website we trust. A hidden IFrame is therefore not considered suspicious unless it refers to a foreign domain.

Static IFrame analysis contd.
In the case where the IFrame is visible but refers to another domain, we cannot say whether the website is malicious or not. The content of this IFrame is itself analysed as soon as it is loaded by any browser.

Dynamic analysis
Definition: the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. The main advantage of dynamic analysis over static analysis is that we are able to analyse obfuscated JavaScript.
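The four-outcome IFrame check from the static analysis slides above, as an added Python example that is not part of the presentation or of ADSandbox itself. The hidden-IFrame heuristics (zero width/height as an attribute or in the inline style, negative left/top offsets), the hostname comparison that strips a leading www., and the sample page are all assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Outcome numbers follow the four cases listed on the slide.
HIDDEN_FOREIGN, HIDDEN_SAME, VISIBLE_FOREIGN, VISIBLE_SAME = 1, 2, 3, 4

class IFrameCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _leading_int(value):
    """'0', '0px', ' 100 ' -> int; None when the value is not numeric."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None

def _style_int(style, prop):
    """Integer value of a CSS property in an inline style, or None."""
    m = re.search(r"(?:^|[;\s])%s\s*:\s*(-?\d+)" % prop, style)
    return int(m.group(1)) if m else None

def is_hidden(attrs):
    """Zero width/height, or a position moved out of the visible area.
    Assumption: width/height attributes plus width/height/left/top in the
    inline style are the only properties checked, as the slide describes."""
    if any(_leading_int(attrs.get(a)) == 0 for a in ("width", "height")):
        return True
    style = attrs.get("style", "").lower()
    if any(_style_int(style, p) == 0 for p in ("width", "height")):
        return True
    return any((_style_int(style, p) or 0) < 0 for p in ("left", "top"))

def _host(url):
    """Hostname with a leading 'www.' stripped (assumed domain comparison)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_foreign(src, page_url):
    """A relative src stays on the page's host; otherwise compare hosts."""
    src_host = _host(src)
    return bool(src_host) and src_host != _host(page_url)

def classify_iframes(html, page_url):
    """Return (src, outcome) for every IFrame, outcome being 1..4."""
    parser = IFrameCollector()
    parser.feed(html)
    results = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        hidden, foreign = is_hidden(attrs), is_foreign(src, page_url)
        outcome = {(True, True): HIDDEN_FOREIGN, (True, False): HIDDEN_SAME,
                   (False, True): VISIBLE_FOREIGN}.get((hidden, foreign), VISIBLE_SAME)
        results.append((src, outcome))
    return results

def is_suspicious(results):
    """Only outcome 1 (hidden and foreign) raises suspicion, as on the slide."""
    return any(outcome == HIDDEN_FOREIGN for _, outcome in results)

# Constructed sample page, assumed to be served from http://www.example-shop.test/
SAMPLE_PAGE = """
<iframe width="0" height="0" src="http://ads.example-evil.test/x.html"></iframe>
<iframe style="position:absolute; left:-9999px" src="/tracker.html"></iframe>
<iframe id="Iframe1" frameborder="0" width="100" scrolling="yes" height="100" src="http://www.yahoo.com"></iframe>
<iframe width="300" height="200" src="http://example-shop.test/help.html"></iframe>
"""
```

The four IFrames in the constructed page are classified as outcomes 1, 2, 3 and 4 in that order, and only the first one makes the page suspicious.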
Obfuscation: extra work is performed to protect the JavaScript output, which is used frequently and widely. It is called "obfuscation", and it stops people from understanding the program code when they look at it. Such code is then decoded and executed by the JavaScript eval function.

Dynamic Analysis contd.
The procedure for decoding obfuscated code needs recursive operations, applied several times. It is usually even impossible to automatically analyse such JavaScript, because of the variety of available obfuscation methods. But this is possible with our dynamic JavaScript analysis, as each level of unpacking the obfuscated code is done just as it would be done in the browser of an attacked user.

Dynamic Analysis contd.
Stages during the deobfuscation of JavaScript:
1. We extract the JavaScript source code from the HTML code.
2. We create a JavaScript Execution object and pass it the JavaScript source code.
3. JavaScript Execution creates an instance of SpiderMonkey and executes the given JavaScript. SpiderMonkey is a JavaScript engine written in C.
4. SpiderMonkey, on the other hand, is modified to call a corresponding static callback function of the JavaScript Execution class each time an object is accessed.
5. With the help of this instrumentation, every access to every JavaScript object is recognised and logged.

Slide 31: Example
(Figure) The slide shows a JavaScript program, the log that results when we run this code in ADSandbox, and the execution of the code by ADSandbox.
The execution log is then searched for patterns that reveal malicious behaviour. For example, if the execution log shows that the JavaScript uses the function SaveToFile or Run, the corresponding pattern is:
CONVERT ([^\n]+\\.|)(SaveToFile|Run) TO A FUNCTION
ADSandbox implements patterns to detect a broader range of attacks, such as cookie stealing, file downloads and heap-spraying attacks.

Evaluation results
Terms to remember:
- False Positive Rate: Type I error, also known as an "error of the first kind", an α error, or a "false positive": the error of rejecting a null hypothesis when it is actually true. For example: a test shows that a patient is sick when in fact he is not.
- False Negative Rate: Type II error, also known as an "error of the second kind", a β error, or a "false negative": the error of failing to reject a null hypothesis when in fact we should have rejected it. For example: a test shows that a patient is not sick when in fact he is.

Tests for False Positive Rate
To measure the performance and the false positive rate of our system, we analysed the landing pages of the top 1,000 websites from Alexa.com, which we suppose to be a good indication of the detection effectiveness of our tool. This system (ADSandbox) achieves a false positive rate of 0%, as none of these websites was suspected by our analysis.

Tests for False Negative Rate
We analysed 140 samples of potentially malicious websites from the wild. The result is:
- The other 63 samples mostly contained hidden IFrame(s) to include an exploit.
- Another 31 samples contained JavaScript that just redirected to a malicious URL.
- Unfortunately, 10 samples could not be successfully analysed due to JavaScript errors, which we denote as potential false negatives.
- Another 21 samples that we were able to analyse were not classified as malicious by our analysis system:
  - Five of these samples could not be detected as malicious because they check whether specific browser plug-ins are available before they trigger an exploit, but during this test we did not consider plug-ins. That is why we denote these 5 as false negatives.
  - Four samples used the DOM tree for obfuscation; because of ADSandbox's inability to detect this kind of obfuscation, these 4 are also counted as false negatives.
  - An additional 4 samples did not contain complete exploit code, so they are harmless.
  - The other 8 samples did not contain an exploit either, or are not malicious.
Finally, we end up with a false negative rate between 6.43% and 13.57%.

Slide 35: Advantages and Disadvantages of Sandboxes
- Advantage: enhanced security
- Disadvantage: overhead incurred by security checks

Slide 36: Reason for Overhead
Overhead of security checks: the application suspends during security checks, and the entire time for the checks is added to the overall execution time.
(Figure) The app invokes a syscall; the sandbox performs a check; the OS kernel provides the service (kernel service time); the sandbox checks again on the return from the syscall.

Thank You

Slide 38: Questions?
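Searching an execution log for the SaveToFile/Run pattern from the dynamic analysis slides, as an added Python example that is not ADSandbox's own code. The pattern is taken from the slide with its stray spaces removed; the cookie-access pattern, the "GET ..." log line format it assumes, and the sample log are constructed assumptions for this example.

```python
import re

# Pattern given on the slide for the SaveToFile/Run check; the stray spaces in
# the transcript are assumed to be extraction artifacts and are dropped here.
FILE_RUN_PATTERN = re.compile(r"CONVERT ([^\n]+\.|)(SaveToFile|Run) TO A FUNCTION")

# Hypothetical pattern, not from the page: illustrates how the pattern set is
# extended to cover cookie stealing (assumes the log writes reads as "GET ...").
COOKIE_PATTERN = re.compile(r"^GET ([^\n]+\.|)document\.cookie$")

PATTERNS = {
    "file-write-or-run": FILE_RUN_PATTERN,
    "cookie-access": COOKIE_PATTERN,
}

# Constructed execution log in the CONVERT ... TO A FUNCTION style from the slide.
SAMPLE_LOG = """\
GET window.document
CONVERT document.write TO A FUNCTION
GET ActiveXObject
CONVERT ActiveXObject TO A FUNCTION
CONVERT stream.SaveToFile TO A FUNCTION
CONVERT shell.Run TO A FUNCTION
CONVERT Runtime TO A FUNCTION
GET window.document.cookie
"""

def scan_log(log):
    """Return (line number, pattern name, line) for every line some pattern matches."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name, line))
    return hits

def is_malicious(log):
    """Any pattern hit is taken as revealing malicious behaviour, as on the slide."""
    return bool(scan_log(log))
```

Note that "CONVERT Runtime TO A FUNCTION" does not match, because the pattern requires " TO A FUNCTION" to follow Run directly, while a bare "CONVERT Run TO A FUNCTION" matches with an empty first group.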