Nilesh Kumar

Even the "perfect"-seeming has the most cunning imperfections.

BLADE : An Attack-Agnostic Approach for Preventing Drive-By Malware Infections


BLADE - An Attack-Agnostic Approach for Preventing Drive-By Malware Infections.pdf

Drive-by downloads are the primary means of delivering malicious software onto computers across the internet. BLADE (BLock All Drive-by download Exploits) is a system that eliminates such malware installations. It is a browser-independent operating system kernel extension that asserts that every executable file delivered through a browser download must result from explicit user consent, and it redirects every unconsented browser download to a non-executable secure zone on disk. BLADE thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content by remapping to the real filesystem only those browser downloads that can be correlated with a programmatically inferred user consent.

To prevent the execution of unconsented content, BLADE introduces three key operating system (OS)-level capabilities by coordinating its components in kernel space. First, BLADE introduces user-interaction tracking as a means to collect the download authorizations a user expresses while interacting with the browser: it captures on-screen consent-to-download dialog windows via a Screen Parser module and tracks the user's physical interactions (e.g., mouse clicks) with these dialog windows via a Hardware Event Tracer. Second, BLADE introduces consent correlation as a means to discern "transparent" downloads from those that involve direct user authorization. Third, BLADE uses disk I/O redirection to efficiently contain the disk footprint of unconsented data delivered through supervised processes. File content created and manipulated by supervised processes is stored in a non-executable location created and managed by BLADE. This secure zone represents virtual offshore storage accessible only from supervised processes, as a result of the transparent disk I/O redirection. The redirection logic provides supervised processes with a modified file system view to maintain functional consistency, which gives the impression that all disk operations are carried out in their original locations. Files in the secure zone are prevented from being loaded into memory as executables (in the case of Windows, load operations of .exe, .dll, .sys, etc. are disallowed).

What are drive-by exploits? A drive-by exploit can be understood as a three-phase process.
  1. Shellcode injection phase : All drive-by exploits begin with a remote code injection, such as a buffer overflow exploit against some component within the browser process, e.g., the ActiveX interpreter, a multimedia plugin, the PDF helper object, the Flash player, etc.
  2. Shellcode execution phase : Regardless of which exploit technique the malware author selects, the objective of the exploit is to inject a small shellcode segment into the browser process to conduct a covert binary installation (this is essentially what defines the attack as a drive-by exploit).
  3. Covert binary install phase : The final phase of the drive-by exploit is the sequence of steps leading to the final, permanent infection of the client host. Here, the shellcode effectively coerces the now-tainted browser into fetching a remote malware application from some source on the Internet, storing it in the filesystem and executing it on the victim's host.

BLADE Threat Model
BLADE takes a specific tactical view of drive-by attacks. From BLADE's perspective, the drive-by download attack conducts a series of steps designed to bypass the normal user-content-handling procedure that should be performed whenever a browser attempts to store data to disk. The fetched binary itself is a content type the browser does not support and cannot render directly, so it should only ever be delivered through the standard user-initiated consent-to-download dialog. BLADE aims to disrupt the covert binary install phase, completely agnostic of which browser component was exploited or which shellcode injection strategy was employed to achieve the initial browser hijack.

BLADE foils the execution, by any program entity (including the OS), of any on-disk data content received through the browser process tree, unless that content can be correlated with a user-consent dialog event. BLADE enforces this requirement without interfering with normal browser operations. Specifically, automated software updating, which is a common practice among browsers and their plug-ins, can be accommodated through source-domain whitelisting.
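As an added illustration (not BLADE's own code, which is a Windows kernel extension), here is a small Python model of the policy described above: consent correlation from dialog-plus-click events, disk I/O redirection of unconsented browser writes into a non-executable secure zone, an image-load check against that zone, and source-domain whitelisting for updaters. The secure-zone path, the correlation window and the event representation are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import posixpath

# Assumed constants: BLADE's real paths and correlation policy are not given on the page.
SECURE_ZONE = "/blade_secure_zone"   # non-executable location managed by BLADE
CONSENT_WINDOW_S = 30.0              # how long a captured consent click stays correlatable


@dataclass
class ConsentEvent:
    """A consent-to-download dialog seen by the Screen Parser plus the click
    (or absence of one) captured by the Hardware Event Tracer."""
    ts: float
    url: str
    clicked_save: bool


@dataclass
class BladeMonitor:
    update_whitelist: set = field(default_factory=set)   # source domains allowed to auto-update
    consents: list = field(default_factory=list)
    placement: dict = field(default_factory=dict)        # path the browser sees -> real on-disk path

    def record_consent(self, ev: ConsentEvent) -> None:
        self.consents.append(ev)

    def _correlated(self, ts: float, url: str) -> bool:
        # Consent correlation: a physical click on a dialog naming this URL, shortly before the write.
        return any(ev.clicked_save and ev.url == url and 0.0 <= ts - ev.ts <= CONSENT_WINDOW_S
                   for ev in self.consents)

    def on_browser_write(self, ts: float, url: str, intended_path: str) -> str:
        """Disk I/O redirection: consented or whitelisted content lands where the browser
        asked; everything else is mapped into the secure zone. Returns the real path."""
        host = urlparse(url).hostname
        if host in self.update_whitelist or self._correlated(ts, url):
            real = intended_path
        else:
            real = posixpath.join(SECURE_ZONE, intended_path.lstrip("/"))
        self.placement[intended_path] = real   # the supervised process still sees intended_path
        return real

    def may_load_as_executable(self, path: str) -> bool:
        """Image-load check: nothing living in the secure zone may be loaded as an
        executable, whichever process (including the OS) asks."""
        real = self.placement.get(path, path)
        return not real.startswith(SECURE_ZONE + "/")
```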

BLADE Development Team :
Georgia Tech : Long Lu, Wenke Lee
SRI International : Phillip Porras, Vinod Yegneswaran

Useful Links :
  1. BLADE
  2. BLADE Demo Against Real-world Drive-by Download Site
  3. BLADE's Evaluation Lab
  4. Research : 1.3 million malicious ads viewed daily
  5. BLADE : Hacking Away at Drive-By Downloads
