Abstract
Spyware infections are becoming extremely pervasive, posing a grave threat to Internet users' privacy. Controlling such an epidemic is increasingly difficult for existing defense mechanisms, which in many cases rely on detection alone. In this paper, we propose SpyShield, a new containment technique, to add another layer of defense against spyware. Our technique can automatically block the view of untrusted programs in the presence of sensitive information, which preserves users' privacy even after spyware has managed to evade detection. It also enables users to avoid the risks of using free software that could be bundled with surveillance code. As a first step, our design of SpyShield offers general protection against spy add-ons, an important type of spyware. This is achieved by enforcing a set of security policies on the channels an add-on can use to monitor its host application, such as COM interfaces and shared memory, so as to block unauthorized leakage of sensitive information. We prototyped SpyShield under Windows XP to protect Internet Explorer and also evaluated it using real plug-ins. Our experimental study shows that the technique can effectively disrupt spyware surveillance in accordance with security policies while introducing only a small overhead.
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Li, Z., Wang, X., Choi, J.Y. (2007). SpyShield: Preserving Privacy from Spy Add-Ons. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_16
DOI: https://doi.org/10.1007/978-3-540-74320-0_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74319-4
Online ISBN: 978-3-540-74320-0
eBook Packages: Computer Science, Computer Science (R0)