DOI: 10.1145/1866307.1866356 (CCS conference proceedings, research article)

BLADE: an attack-agnostic approach for preventing drive-by malware infections

Published: 04 October 2010

Abstract

    Web-based surreptitious malware infections (i.e., drive-by downloads) have become the primary method used to deliver malicious software onto computers across the Internet. To address this threat, we present a browser-independent operating system kernel extension designed to eliminate drive-by malware installations. The BLADE (Block All Drive-by download Exploits) system asserts that all executable files delivered through browser downloads must result from explicit user consent, and transparently redirects every unconsented browser download into a non-executable secure zone of disk. BLADE thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content by remapping to the file system only those browser downloads that correlate with a programmatically inferred user consent. BLADE provides its protection without explicit knowledge of any exploits and is thus resilient against the code obfuscation and zero-day threats that directly contribute to the pervasiveness of today's drive-by malware. We present the design of our BLADE prototype implementation for the Microsoft Windows platform, and report results from an extensive empirical evaluation of its effectiveness on popular browsers. Our evaluation includes multiple versions of IE and Firefox, against 1,934 active malicious URLs, representing a broad spectrum of the web-based exploits now plaguing the Internet. BLADE successfully blocked all drive-by malware install attempts with zero false positives and a 3% worst-case performance cost.


      Published In

      CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
      October 2010
      782 pages
      ISBN:9781450302456
      DOI:10.1145/1866307

Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. drive-by download
      2. malware protection
      3. unconsented-content execution prevention

      Qualifiers

      • Research-article

Conference

      CCS '10

      Acceptance Rates

      CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;
      Overall Acceptance Rate 1,210 of 6,719 submissions, 18%

Cited By

      • (2024) Overview of Social Engineering Protection and Prevention Methods. Computer Security. ESORICS 2023 International Workshops, pp. 64-83. DOI 10.1007/978-3-031-54204-6_4. Online publication date: 1 Mar 2024.
      • (2023) PEBA: Enhancing User Privacy and Coverage of Safe Browsing Services. IEEE Transactions on Dependable and Secure Computing 20(5):4343-4358. DOI 10.1109/TDSC.2022.3204767. Online publication date: 1 Sep 2023.
      • (2023) Threat Actors and Methods of Attack to Social Robots in Public Spaces. HCI for Cybersecurity, Privacy and Trust, pp. 262-273. DOI 10.1007/978-3-031-35822-7_18. Online publication date: 9 Jul 2023.
      • (2022) Wobfuscator: Obfuscating JavaScript Malware via Opportunistic Translation to WebAssembly. 2022 IEEE Symposium on Security and Privacy (SP), pp. 1574-1589. DOI 10.1109/SP46214.2022.9833626. Online publication date: May 2022.
      • (2020) Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation System. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 787-802. DOI 10.1145/3372297.3423355. Online publication date: 30 Oct 2020.
      • (2020) MadDroid: Characterizing and Detecting Devious Ad Contents for Android Apps. Proceedings of The Web Conference 2020, pp. 1715-1726. DOI 10.1145/3366423.3380242. Online publication date: 20 Apr 2020.
      • (2020) PPSB: An Open and Flexible Platform for Privacy-Preserving Safe Browsing. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI 10.1109/TDSC.2019.2937783. Online publication date: 2020.
      • (2020) Dissecting Mobile Offerwall Advertisements: An Explorative Study. 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS), pp. 518-526. DOI 10.1109/QRS51102.2020.00072. Online publication date: Dec 2020.
      • (2020) Analysis of Social Engineering Attacks Using Exploit Kits. Intelligent Algorithms in Software Engineering, pp. 189-204. DOI 10.1007/978-3-030-51965-0_16. Online publication date: 9 Aug 2020.
      • (2019) Evasive Malicious Website Detection by Leveraging Redirection Subgraph Similarities. IEICE Transactions on Information and Systems E102.D(3):430-443. DOI 10.1587/transinf.2018FCP0007. Online publication date: 1 Mar 2019.
