DOCSLIB.ORG

December 2005 Volume 30 Number 6

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
December 2005 Volume 30 Number 6 DECEMBER 2005 VOLUME 30 NUMBER 6 THE USENIX MAGAZINE OPINION Musings security issue RIK FARROW Monoculture on the Back of the Envelope DAN GEER SECURITY Secure Embedded Systems Need Microkernels GERNOT HEISER Breaking the Ties That Bind: Application Isolation and Migration SHAYA POTTER AND JASON NIEH Spying with Bots THORSTEN HOLZ A Summary of Savvy Backbone Defense RAVEN ALDER The Virtual Firewall VASSILIS PREVELAKIS Linux vs. OpenBSD: A Firewall Performance Test MASSIMILIANO ADAMO AND MAURO TABLÒ Using Memory Dumps in Digital Forensics SAM STOVER AND MATT DICKERSON Using Version Control in System Administration LU KE KANIES Writing Detection Signatures CH RISTOPHER JORDAN (WITH CONTRIBUTIONS FROM JASON ROYES AND JESSE WHYTE) Teaching Computer Security, Privacy, and Politics MING CHOW USENIX NOTES 2006 Election for Board of Directors Getting It Wrong PETER H. SALUS USACO Team Brings Home the Gold ROB KOLSTAD Thanks to Our Volunteers ELLIE YOUNG Summary of USENIX Board of Directors Meetings ELLIE YOUNG AND TARA MULLIGAN SAGE Code of Ethics CONFERENCES 14th USENIX Security Symposium The Advanced Computing Systems Association Upcoming Events 7TH IEEE WORKSHOP ON MOBILE COMPUTING 2ND STEPS TO REDUCING UNWANTED TRAFFIC SYSTEMS AND APPLICATIONS (WMCSA 2006) ON THE INTERNET WORKSHOP (SRUTI ’06) Sponsored by IEEE Computer Society in cooperation JULY 6–7, 2006, SAN JOSE, CA, USA with USENIX http://www.usenix.org/sruti06 APRIL 6–7, 2006, SEMIAHMOO RESORT, WA, USA Paper submissions due: April 20, 2006 http://research.ihost.com/wmcsa2006 15TH USENIX SECURITY SYMPOSIUM 3RD SYMPOSIUM ON NETWORKED SYSTEMS (SECURITY ’06) DESIGN AND IMPLEMENTATION JULY 31–AUGUST 4, VANCOUVER, B.C., CANADA Sponsored by USENIX, in cooperation with ACM SIGCOMM http://www.usenix.org/sec06 and ACM SIGOPS Paper submissions due: February 1, 2006 MAY 8–10, 2006, SAN JOSE, CA, USA http://www.usenix.org/nsdi06 7TH SYMPOSIUM ON OPERATING SYSTEMS DESIGN AND IMPLEMENTATION (OSDI ’06) 5TH SYSTEM ADMINISTRATION AND NETWORK Sponsored by USENIX, in cooperation with ACM SIGOPS ENGINEERING CONFERENCE (SANE 2006) NOVEMBER 6–8, 2006, SEATTLE, WA, USA Organized by Stichting SANE and co-sponsored by Stichting http://www.usenix.org/osdi06 NLnet, USENIX, and SURFnet Paper submissions due: April 24, 2006 MAY 15–19, 2006, DELFT, THE NETHERLANDS http://www.sane.nl/sane2006 SECOND WORKSHOP ON HOT TOPICS IN SYSTEM DEPENDABILITY (HOTDEP ’06) 2006 USENIX ANNUAL TECHNICAL NOVEMBER 8, 2006, SEATTLE, WA, USA CONFERENCE (USENIX ’06) http://www.usenix.org/usenix06 MAY 30–JUNE 3, 2006, BOSTON, MA, USA Paper submissions due: July 15, 2006 http://www.usenix.org/usenix06 Paper submissions due: January 17, 2006 20TH LARGE INSTALLATION SYSTEM ADMINISTRATION CONFERENCE (LISA ’06) SECOND INTERNATIONAL CONFERENCE ON DECEMBER 3–8, 2006, WASHINGTON, D.C., USA VIRTUAL EXECUTION ENVIRONMENTS (VEE ’06) Sponsored by ACM SIGPLAN in cooperation with USENIX JUNE 14–16, OTTAWA, ONTARIO, CANADA http://www.veeconference.org/vee06 4TH INTERNATIONAL CONFERENCE ON MOBILE SYSTEMS, APPLICATIONS, AND SERVICES (MOBISYS 2006) Jointly sponsored by ACM SIGMOBILE and USENIX, in cooperation with ACM SIGOPS JUNE 19–22, UPPSALA, SWEDEN http://www.sigmobile.org/mobisys/2006 For a complete list of all USENIX & USENIX co-sponsored events, see http://www.usenix.org/events contents OPINION 2 Musings RIK FARROW 6 Monoculture on the Back of the Envelope DAN GEER SECURITY 9 Secure Embedded Systems Need Microkernels GERNOT HEISER 14 Breaking the Ties That Bind: Application Isolation and Migration SHAYA POTTER AND JASON NIEH 18 Spying with Bots THORSTEN HOLZ 24 A Summary of Savvy Backbone Defense RAVEN ALDER 27 The Virtual Firewall VASSILIS PREVELAKIS 35 Linux vs. OpenBSD: A Firewall Performance Test VOL. 30, #6, DECEMBER 2005 MASSIMILIANO ADAMO AND MAURO TABLÒ 43 Using Memory Dumps in Digital Forensics EDITOR ;login: is the official SAM STOVER AND MATT DICKERSON Rik Farrow magazine of the [email protected] USENIX Association. 49 Using Version Control in System Administration MANAGING EDITOR ;login: (ISSN 1044-6397) is LUKE KANIES Jane-Ellen Long published bi-monthly by the 55 Writing Detection Signatures [email protected] USENIX Association, 2560 CH RISTOPHER JORDAN (WITH CONTRIBUTIONS COPY EDITOR Ninth Street, Suite 215, FROM JASON ROYES AND JESSE WHYTE) Steve Gilmartin Berkeley, CA 94710. 62 Teaching Computer Security, Privacy, and Politics [email protected] $85 of each member’s annual MING CHOW PRODUCTION dues is for an annual sub- Rob Carroll scription to ;login:. Subscrip- Casey Henderson tions for nonmembers are USENIX NOTES $115 per year. TYPESETTER 64 2006 Election for Board of Directors Star Type Periodicals postage paid at [email protected] Berkeley, CA, and additional 65 Getting It Wrong offices. PETER H. SALUS USENIX ASSOCIATION 2560 Ninth Street, POSTMASTER: Send address 66 USACO Team Brings Home the Gold Suite 215, Berkeley, changes to ;login:, ROB KOLSTAD California 94710 USENIX Association, Phone: (510) 528-8649 2560 Ninth Street, 66 Thanks to Our Volunteers FAX: (510) 548-5738 Suite 215, Berkeley, ELLIE YOUNG CA 94710. http://www.usenix.org 67 Summary of USENIX http://www.sage.org ©2005 USENIX Association. Board of Directors Meetings USENIX is a registered trade- ELLIE YOUNG AND TARA MULLIGAN mark of the USENIX Associa- tion. Many of the designa- 68 SAGE Code of Ethics tions used by manufacturers and sellers to distinguish their CONFERENCE REPORTS products are claimed as trade- marks. USENIX acknowl- 69 14th USENIX Security Symposium edges all trademarks herein. Where those designations ap- pear in this publication and USENIX is aware of a trade- mark claim, the designations have been printed in caps or initial caps. WELCOME TO THE EIGHTH SECURITY edition of ;login:. I was asked if I would like R IK FARROW to edit one issue of ;login: per year back in 1998, and the only thing that has changed this year is that I am now editing regular issues of ;login: as well. Well, perhaps that’s not the only thing that has musings changed this year. Google has announced that it is partnering with NASA. PalmOne has dropped its pro- [email protected] prietary PalmOS and aligned itself with Microsoft. So- laris 11 and FreeBSD 6 are out in Beta. Microsoft and Intel are attempting to finesse the issue of the next DVD format by choosing to back HD DVD as opposed to Sony’s Blue Ray. On the security front, things have been relatively quiet. There was a lot of foo-for-all when Michael Lynn decided to resign from ISS rather than remain silent about the exploit he had written for Cisco IOS. While Lynn delivered his exposé at Black Hat Las Vegas, Cisco and ISS got restraining orders against Black Hat in an attempt to prevent copies of Lynn’s presentation from escaping “into the wild.” Of course, that attempt failed, and resulted in even more copies of the presentation being passed around. Nothing like screaming “fire” to get attention. There were immediate fears of the ultimate Internet worm that would bring on “a digital Pearl Harbor.” But no worm or exploit has emerged . so far. I have written in the past about the relative fragility of the routing infrastructure, and a monoculture of routers will certainly not help things. I’ll have more to say about IOS, Cisco’s Internet Operating System, later. But on the MS worm front, nothing nearly as exciting as in past years. No Slammer, spreading faster than any worm ever (90% of vulnerable systems in just 10 minutes). No Blaster, leading to fears that Al Qaeda had launched a cyberattack that had led to the FirstEnergy-initiated blackout in August of 2003. Blaster had nothing to do with it and neither did Al Qaeda; downsizing had much more responsibility for the blackout. Not even a new root vulnerability in Sendmail (last in 2003, and I am happy that things have gone well there). Does this mean we, programmers and sysadmins, can now rest easy? That the problems with program de- sign and architecture have been solved, and that the worms and exploits are now things of the past? Hardly. Weakness in Depth In the world of security, we like to talk about defense in depth, having layers of protection. You know, first 2 ;LO GIN: V OL. 30, NO. 6 you have a packet filter, then a DMZ, with a firewall between the DMZ and the internal networks. There will be IDS both in the DMZ and at critical points on the internal networks, firewalls on critical systems, host-based intrusion detec- tion, centralized patch management and authentication. Boy, this sounds good just writing about it. And will it work? What exactly do I mean by “weakness in depth”? Weakness in depth alludes to the design of the operating systems we use every day. Way back in the dark ages of computing, when a fast processor could exe- cute one million instructions per second and be used to provide winter heat for the building it lived in, deep thinkers came up with the notion of the Trusted Computing Base. The TCB would be the bare minimum amount of code re- quired to execute any application securely. Thus, no matter how poorly and in- securely the code had been written, even if a program was written with mali- cious intent, it would be impossible to violate the rules set down by the TCB. Having written that, let’s consider what passes for a TCB today. You might think that picking out the TCB from the rest of the OS is a difficult task. But it’s not, really, because all computers use similar hardware. The TCB relies on two hardware features for security: memory management and privilege level. Of these, the privilege level is the simplest. Processors can run in one of two (or more) privilege levels. Some processors have just two; the Intel x86 line has four, but only two are used.
Load more

Recommended publications
  • Strider Web Security
    Adversarial Web Crawling with Strider Monkeys Yi-Min Wang Director, Cyber-Intelligence Lab Internet Services Research Center (ISRC) Microsoft Research Search Engine Basics • Crawler – Crawling policy • Page classification & indexing • Static ranking • Query processing • Document-query matching & dynamic ranking – Diversity • Goals of web crawling – Retrieve web page content seen by browser users – Classify and index the content for search ranking • What is a monkey? – Automation program that mimics human user behavior Stateless Static Crawling • Assumptions – Input to the web server: the URL • Stateless client – Output from the web server: page content in HTML • Static crawler ignores scripts Stateful Static Crawling • We all know that Cookies affect web server response • HTTP User-Agent field affects response too – Some servers may refuse low-value crawlers – Some spammers use crawler-browser cloaking • Give crawlers a page that maximizes ranking (=traffic) • Give users a page that maximizes profit Dynamic Crawling • Simple crawler-browser cloaking can be achieved by returning HTML with scripts – Crawlers only parse static HTML text that maximizes ranking/traffic – Users’ browsers additionally execute the dynamic scripts that maximize profit • Usually redirect to a third-party domain to server ads • Need browser-based dynamic crawlers to index the true content Search Spam Example: Google search “coach handbag” Spam Doorway URL = http://coach-handbag-top.blogspot.com http://coach-handbag-top.blogspot.com/ script execution led to redirection
    [Show full text]
  • Escape from Monkey Island: ? Evading High-Interaction Honeyclients
    Escape from Monkey Island: ? Evading High-Interaction Honeyclients Alexandros Kapravelos1, Marco Cova2, Christopher Kruegel1, Giovanni Vigna1 1 UC Santa Barbara {kapravel,chris,vigna}@cs.ucsb.edu 2 University of Birmingham, UK {m.cova}@cs.bham.ac.uk Abstract. High-interaction honeyclients are the tools of choice to detect mali- cious web pages that launch drive-by-download attacks. Unfortunately, the ap- proach used by these tools, which, in most cases, is to identify the side-effects of a successful attack rather than the attack itself, leaves open the possibility for malicious pages to perform evasion techniques that allow one to execute an at- tack without detection or to behave in a benign way when being analyzed. In this paper, we examine the security model that high-interaction honeyclients use and evaluate their weaknesses in practice. We introduce and discuss a number of possible attacks, and we test them against several popular, well-known high- interaction honeyclients. Our attacks evade the detection of these tools, while successfully attacking regular visitors of malicious web pages. 1 Introduction In a drive-by-download attack, a user is lured into visiting a malicious web page, which contains code that exploits vulnerabilities in the user’s browser and/or its environment. If successful, the exploits can execute arbitrary code on the victim’s machine [33]. This ability is typically used to automatically download and run malware programs on the compromised machine, which, as a consequence, often becomes part of a botnet [31]. Drive-by-download attacks are one of the most pervasive threats on the web, and past measurements have found millions of malicious web pages [3, 32].
    [Show full text]
  • Tracking and Mitigation of Malicious Remote Control Networks
    Tracking and Mitigation of Malicious Remote Control Networks Inauguraldissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften der Universität Mannheim vorgelegt von Thorsten Holz aus Trier Mannheim, 2009 Dekan: Prof. Dr. Felix Christoph Freiling, Universität Mannheim Referent: Prof. Dr. Felix Christoph Freiling, Universität Mannheim Korreferent: Prof. Dr. Christopher Krügel, University of California, Santa Barbara Tag der mündlichen Prüfung: 30. April 2009 Abstract Attacks against end-users are one of the negative side effects of today’s networks. The goal of the attacker is to compromise the victim’s machine and obtain control over it. This machine is then used to carry out denial-of-service attacks, to send out spam mails, or for other nefarious purposes. From an attacker’s point of view, this kind of attack is even more efficient if she manages to compromise a large number of machines in parallel. In order to control all these machines, she establishes a malicious remote control network, i.e., a mechanism that enables an attacker the control over a large number of compromised machines for illicit activities. The most common type of these networks observed so far are so called botnets. Since these networks are one of the main factors behind current abuses on the Internet, we need to find novel approaches to stop them in an automated and efficient way. In this thesis we focus on this open problem and propose a general root cause methodology to stop malicious remote control networks. The basic idea of our method consists of three steps. In the first step, we use honeypots to collect information.
    [Show full text]
  • Hakin9 Extra Followers, We [email protected] Are Giving You the Latest Fruit of Our Labour
    Szukaj nas takze na www.ashampoo.com Pwn Plug. The Industry’s First Commercial Air Freshener? Pentesting Drop Box. Printer PSU? ...nope FEATURES: % Covert tunneling % SSH access over 3G/GSM cell networks % NAC/802.1x bypass % and more! Discover the glory of Universal Plug & Pwn @ pwnieexpress.com t) @pwnieexpress e) [email protected] p) 802.227.2PWN pwnplug - Dave-ad3-203x293mm.indd 1 1/5/12 3:32 PM To hack or not to hack Managing: Michał Wiśniewski – that is [email protected] the question Senior Consultant/Publisher: Paweł Marciniak Editor in Chief: Grzegorz Tabaka ear Hakin9 Extra Followers, we [email protected] are giving you the latest fruit of our labour. Honeypots are our le- Art Director: itmotiv this month. Especially for Marcin Ziółkowski Dyou, our dear followers, we have selected the choicest articles within the topic of Ho- DTP: neypots/Honeynets. I sincerely hope that we Marcin Ziółkowski sufficiently expanded on the topic to satisfy www.gdstudio.pl your needs and we quenched your appetite for Hakin9 knowledge. I am also very happy Production Director: that we managed to have an exclusive inte- Andrzej Kuca rview with Dr. Fred Cohen – the „father” of [email protected] computer viruses and that, once again, our respected authors helped us with their con- Marketing Director: tributions. This month: Jeremiah Brott will, Grzegorz Tabaka in great detail, tell you about different ty- [email protected] pes of honeypots and their use. Roberto Saia is going to present you „Proactive Network Proofreadres: Defence Through Simulated Networks”. Hari Bob Folden, I.
    [Show full text]
  • OPINION Sysadmin NETWORKING Security Columns
    October 2010 VOLUME 35 NUMBER 5 OPINION Musings 2 RikR FaR ow SYSADMin Teaching System Administration in the Cloud 6 Jan Schaumann THE USENIX MAGAZINE A System Administration Parable: The Waitress and the Water Glass 12 ThomaS a. LimonceLLi Migrating from Hosted Exchange ­Service to In-House Exchange Solution 18 T Roy mckee NETWORKING IPv6 Transit: What You Need to Know 23 mT aT Ryanczak SU EC RITY Secure Email for Mobile Devices 29 B Rian kiRouac Co LUMNS Practical Perl Tools: Perhaps Size Really Does Matter 36 Davi D n. BLank-eDeLman Pete’s All Things Sun: The “Problem” with NAS 42 Pe TeR BaeR GaLvin iVoyeur: Pockets-o-Packets, Part 3 48 Dave JoSePhSen /dev/random: Airport Security and Other Myths 53 RoT BeR G. FeRReLL B OOK reVIEWS Book Reviews 56 El izaBeTh zwicky, wiTh BRanDon chinG anD Sam SToveR US eniX NOTES USA Wins World High School Programming Championships—Snaps Extended China Winning Streak 60 RoB koLSTaD Con FERENCES 2010 USENIX Federated Conferences Week: 2010 USENIX Annual Technical Conference Reports 62 USENIX Conference on Web Application Development (WebApps ’10) Reports 77 3rd Workshop on Online Social Networks (WOSN 2010) Reports 84 2nd USENIX Workshop on Hot Topics in Cloud Computing (HotCloud ’10) Reports 91 2nd Workshop on Hot Topics in Storage and File Systems (HotStorage ’10) Reports 100 Configuration Management Summit Reports 104 2nd USENIX Workshop on Hot Topics in Parallelism (HotPar ’10) Reports 106 The Advanced Computing Systems Association oct10covers.indd 1 9.7.10 1:54 PM Upcoming Events 24th Large InstallatIon system admInIstratIon ConferenCe (LISA ’10) Sponsored by USENIX in cooperation with LOPSA and SNIA november 7–12, 2010, San joSe, Ca, USa http://www.usenix.org/lisa10 aCm/IfIP/USENIX 11th InternatIonaL mIddLeware ConferenCe (mIddLeware 2010) nov.
    [Show full text]
  • A Multidimensional Analysis of Malicious and Compromised Websites Davide Canali
    A multidimensional analysis of malicious and compromised websites Davide Canali To cite this version: Davide Canali. A multidimensional analysis of malicious and compromised websites. Cryptography and Security [cs.CR]. Télécom ParisTech, 2014. English. NNT : 2014ENST0009. tel-01361433 HAL Id: tel-01361433 https://pastel.archives-ouvertes.fr/tel-01361433 Submitted on 7 Sep 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. 2014-ENST-0009 EDITE - ED 130 Doctorat ParisTech T H È S E pour obtenir le grade de docteur délivré par TELECOM ParisTech Spécialité « Informatique et Réseaux » présentée et soutenue publiquement par Davide CANALI le 12 Février 2014 Plusieurs Axes d’Analyse de sites web compromis et malicieux Directeur de thèse : Davide BALZAROTTI Jury M. Levente BUTTYÁN , Professeur, CrySyS Lab, Budapest University of Technology and Economics Rapporteur M. Michael Donald BAILEY , Professeur, Network and Security Research Group, University of Michigan Rapporteur M. Guillaume URVOY-KELLER , Professeur, Laboratoire I3S, Université de Nice Examinateur M. Marc DACIER , Professeur Associé, Département Réseaux et Sécurité, EURECOM Examinateur M. William ROBERTSON , Maitre de Conferences, Systems Security Lab, Northeastern University Examinateur M. Refik MOLVA , Professeur, Département Réseaux et Sécurité, EURECOM Examinateur TELECOM ParisTech école de l’Institut Télécom - membre de ParisTech 2014-ENST-0009 EDITE - ED 130 ParisTech Ph.D.
    [Show full text]
  • Computational Resource Abuse in Web Applications
    Computational Resource Abuse in Web Applications Juan David Parra Rodriguez Dissertation eingereicht an der Fakult¨atf¨ur Informatik und Mathematik der Universit¨at Passau zur Erlangung des Grades eines Doktors der Naturwissenschaften A dissertation submitted to the faculty of computer science and mathematics in partial fulfillment of the requirements for the degree of doctor of natural sciences Betreuer: Prof. Dr. rer. nat. Joachim Posegga Passau, Germany, April 2019 Abstract Internet browsers include Application Programming Interfaces (APIs) to support Web applications that require complex functionality, e.g., to let end users watch videos, make phone calls, and play video games. Meanwhile, many Web applications employ the browser APIs to rely on the user's hardware to execute intensive computation, access the Graphics Processing Unit (GPU), use persistent storage, and establish network connections. However, providing access to the system's computational resources, i.e., processing, storage, and networking, through the browser creates an opportunity for attackers to abuse resources. Principally, the problem occurs when an attacker compromises a Web site and includes malicious code to abuse its visitor's computational resources. For example, an attacker can abuse the user's system networking capabilities to perform a Denial of Service (DoS) attack against third parties. What is more, computational resource abuse has not received widespread attention from the Web security community because most of the current specifications are focused on content and session properties such as isolation, confidentiality, and integrity. Our primary goal is to study computational resource abuse and to advance the state of the art by providing a general attacker model, multiple case studies, a thorough anal- ysis of available security mechanisms, and a new detection mechanism.
    [Show full text]
  • Towards Detection and Prevention of Malicious Activities Against Web Applications and Internet Services
    Towards Detection and Prevention of Malicious Activities Against Web Applications and Internet Services Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨at fur¨ Elektrotechnik und Informationstechnik an der Ruhr-Universit¨at Bochum vorgelegt von Apostolos Zarras aus Athen, Griechenland Bochum, August 2015 Tag der mundlichen¨ Prufung:¨ 27.08.2015 Gutachter: Prof. Dr. Thorsten Holz, Ruhr-Universit¨at Bochum Zweitgutachter: Prof. Dr. Herbert Bos, Vrije Universiteit Amsterdam Abstract The Internet has witnessed a tremendous growth the last years. Undoubtedly, its services and mostly the World Wide Web have become an integral part in the lives of hundreds of millions of people, who use it in daily basis. Unfortunately, as the Internet's popularity increases, so does the interest of attackers who seek to exploit vulnerabilities in users' machines. What was primary meant to be mainly a competition among computer experts to test and improve their technical skills has turned into a multi-billion dollar business. Nowadays, attackers try to take under their control vulnerable computers that will allow them to perform their nefarious tasks, such as sending spam emails, launching distributed denial-of-service (DDoS) attacks, generate revenue from online advertisements by performing click-frauds, or stealing personal data like email accounts and banking credentials. In this dissertation, we address the security issues online users face every day from two points of view. First, we investigate how infected computers that constitu- te a botnet|network of compromised machines which are remotely controlled by an entity, known as botmaster|perform their malicious activities and we propose countermeasures against them. We study two of the most fundamental Internet pro- tocols, SMTP and HTTP, and leverage the fact that numerous entities, including cybercriminals, implement these protocols with subtle but perceivable differences, which we can accurately detect.
    [Show full text]
  • A Solution for the Automated Detection of Clickjacking Attacks
    A Solution for the Automated Detection of Clickjacking Attacks Marco Balduzzi Manuel Egele Institute Eurecom Technical University Vienna Sophia-Antipolis [email protected] [email protected] Engin Kirda Davide Balzarotti Christopher Kruegel Institute Eurecom Institute Eurecom University of California Sophia-Antipolis Sophia-Antipolis Santa Barbara [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION Clickjacking is a web-based attack that has recently received Web applications have evolved from simple collections of a wide media coverage. In a clickjacking attack, a malicious static HTML documents to complex, full-fledged applica- page is constructed such that it tricks victims into clicking tions containing hundreds of dynamically generated pages. on an element of a different page that is only barely (or not The combined use of client and server-side scripting allows at all) visible. By stealing the victim’s clicks, an attacker developers to provide highly sophisticated user interfaces could force the user to perform an unintended action that is with the look-and-feel and functionalities that were previ- advantageous for the attacker (e.g., initiate an online money ously only reserved to traditional desktop applications. At transaction). Although clickjacking has been the subject the same time, many web applications have evolved into of many discussions and alarming reports, it is currently mesh-ups and aggregation sites that are dynamically con- unclear to what extent clickjacking is being used by attackers structed by combining together content and functionalities in the wild, and how significant the attack is for the security provided by different sources.
    [Show full text]
  • Automated Web Patrol with Strider Honeymonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
    Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King Microsoft Research, Redmond Abstract these analyses provide very useful and detailed information about which vulnerabilities are exploited and Internet attacks that use malicious web sites to install which malware programs are installed, such efforts are not malware programs by exploiting browser vulnerabilities scalable, do not provide a comprehensive picture of the are a serious emerging threat. In response, we have problem, and are generally ineffective at efficiently developed an automated web patrol system to finding new malicious sites. automatically identify and monitor these malicious sites. To address these issues, we developed a system that We describe the design and implementation of the Strider uses a pipeline of active, client-side, Virtual Machine HoneyMonkey Exploit Detection System, which consists of (VM)-based honeypots [H,HC], called Strider a pipeline of “monkey programs” running possibly HoneyMonkeys, to perform large-scale, systematic and vulnerable browsers on virtual machines with different automated web patrol. The HoneyMonkey system uses patch levels and patrolling the Web to seek out and monkey programs1 that run within virtual machines with classify web sites that exploit browser vulnerabilities. OS’s of various patch levels to drive web browsers in an Within the first month of utilizing this system, we attempt to mimic human web browsing. Our approach identified 752 unique URLs hosted on 288 web sites that adopts a state-management methodology to cybersecurity: could successfully exploit unpatched Windows XP instead of directly detecting the acts of vulnerability machines.
    [Show full text]
  • IEEE Paper Template in A4 (V1)
    International Journal of Engineering Inventions ISSN: 2278-7461, www.ijeijournal.com Volume 1, Issue 8 (October2012) PP: 01-06 AUTOMATED WEB PATROLING WITH EXPLOIT DETECTION OF MALICIOUS SITES 1 2 Ms. Rajashree C. Sonawane , Prof. Mrs. S.M.Jaybhaye 1,2Department of Information TechnologySinhgad College of Engineering, University of Pune, Pune Abstract:––Client-side attacks are on the rise malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Malicious websites are websites which have any kind of content that could be a threat for the security of the clients requesting particular sites. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. The purpose of an exploit is almost always to introduce some piece of arbitrary code on the victim machine, as a way to achieve a larger attack goal. It is not uncommon to see a malicious web page attempting to exploit multiple browser vulnerabilities in order to maximize the chance of a successful attack. Hence Honey Monkeys, introduce the Monkey-Spider project. Utilizing it as a client honey pot, the portray the challenge in such an approach and evaluate system as a high-speed, Internet scale analysis tool to build a database of threats found in the wild. Furthermore, it evaluates the system by analysing different crawls performed. I. INTRODUCTION Internet attacks that use a malicious or hacked web site to exploit unpatched client-side vulnerabilities of visiting browsers are on the rise.
    [Show full text]
  • Tamper-Resilient Methods for Web-Based Open Systems
    TAMPER-RESILIENT METHODS FOR WEB-BASED OPEN SYSTEMS A Thesis Presented to The Academic Faculty by James Caverlee In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the College of Computing Georgia Institute of Technology August 2007 Copyright c 2007 by James Caverlee TAMPER-RESILIENT METHODS FOR WEB-BASED OPEN SYSTEMS Approved by: Ling Liu, Advisor Sham Navathe College of Computing College of Computing Georgia Institute of Technology Georgia Institute of Technology William B. Rouse, Co-Advisor Sushil K. Prasad Tennenbaum Institute, Industrial & Department of Computer Science Systems Engineering (Joint Appointment Georgia State University with College of Computing) Georgia Institute of Technology Jonathon Giffin Calton Pu College of Computing College of Computing Georgia Institute of Technology Georgia Institute of Technology Date Approved: 18 June 2007 For Sherry iii ACKNOWLEDGEMENTS I am pleased to acknowledge the generous support of the Tennenbaum Institute in providing me a Tennenbaum Fellowship for this research. In addition, I am grateful for the positive influence and the many contributions of a number of special people – people who have encouraged, guided, and inspired me. My parents are my foundation. Sam and Ellen Caverlee are two incredibly encouraging and supportive parents. They have been with me every step of the way, encouraging me to push myself to my limits and supporting me when I fall short. They are an inspiration to me and provide a blueprint for how to live a moral life. I love you, Mom and Dad. My brother John has always been there for me. John has a way of grounding me, so that I maintain my focus and don’t float off into a self-imposed nerd orbit.
    [Show full text]