Abstract
Due to its flexibility and dynamic character, JavaScript has become an important tool for attackers. The widespread scripting language often helps them perform a broad variety of malicious activities, for example to initiate drive-by download exploits or to execute clickjacking attacks. Current defense mechanisms, as well as reactive analysis and forensic approaches, are often slow or complicated to set up and conduct, since an attacker has many ways to obfuscate the code or to make it hard to obtain a copy of the code in the first place.
In this paper, we introduce a novel approach to analyze this class of attacks by demonstrating how dynamic analysis of websites can be accomplished directly in the browser. We present IceShield, a JavaScript-based tool that enables in-line dynamic code analysis as well as de-obfuscation, and a set of heuristics to detect attempts to attack either a website or the user accessing its contents. Special care needs to be taken to implement the instrumentation in a robust and tamper-resistant way, since an attacker must not be able to bypass our detection process. We show how features of ECMAScript 5 can be used to freeze object properties so that they cannot be modified at runtime. We implemented a prototype version of IceShield and demonstrate that it detects malicious websites with a small overhead, even on devices with limited computing power such as smartphones. Furthermore, IceShield can mitigate detected attacks by changing suspicious elements so that they no longer cause harm, thus actually protecting users from such attacks.
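The abstract's core mechanism is a runtime hook whose property slot is locked with ECMAScript 5 attributes so that hostile page script cannot reassign, delete or redefine it. The following is an added illustration of that idea, not IceShield's own code: `instrument` wraps a method with a recording wrapper, installs it with `writable:false` and `configurable:false`, and neutralises calls that a simple heuristic flags, while `tamperAttempts` exercises the three ways a script could try to remove the hook. The `document` stand-in, the heuristic patterns and thresholds, and all sample inputs are constructed assumptions for this example; it runs under Node, which has no DOM.

```javascript
// Added example, not IceShield's own code: pin an instrumentation wrapper onto a
// method with ES5 property attributes so that page script cannot unhook it, and
// neutralise calls that a simple heuristic flags. Runs under Node; the `document`
// object below is a constructed stand-in because Node has no DOM.

function makeFakeDocument() {
  const log = [];                       // what "reached the page"
  return {
    log,
    write(html) { log.push(html); return html.length; },
  };
}

// Defender-side heuristic: a call is suspicious if its argument injects a script
// element or carries a long run of escaped bytes, two signals of the kind an
// in-browser detector scores. Patterns and thresholds are illustrative, not IceShield's.
function looksSuspicious(s) {
  return /<script/i.test(s) ||
         /(%u[0-9a-f]{4}){8,}/i.test(s) ||
         /(\\x[0-9a-f]{2}){16,}/i.test(s);
}

// Replace obj[name] with a recording wrapper. writable:false blocks reassignment,
// configurable:false blocks delete and any later Object.defineProperty on the
// slot, which is what lets the hook survive hostile page script.
function instrument(obj, name, onAlert) {
  const original = obj[name];
  const calls = [];
  const wrapper = function (...args) {
    const arg = String(args[0]);
    const flagged = looksSuspicious(arg);
    calls.push({ arg, flagged });
    if (flagged) {
      onAlert(name, arg);
      return original.call(obj, '');      // mitigation: write nothing instead
    }
    return original.apply(obj, args);
  };
  Object.defineProperty(obj, name, {
    value: wrapper, writable: false, enumerable: true, configurable: false,
  });
  return calls;
}

// Try the three ways a script could remove the hook and report whether each was
// blocked. Works in both sloppy mode (silent failure) and strict mode (TypeError),
// since either may apply depending on how the file is loaded.
function tamperAttempts(obj, name) {
  const hook = obj[name];
  const r = {};
  try { obj[name] = function () {}; } catch (e) { /* strict mode throws */ }
  r.assignBlocked = obj[name] === hook;
  let deleted = true;
  try { deleted = delete obj[name]; } catch (e) { deleted = false; }
  r.deleteBlocked = !deleted && obj[name] === hook;
  r.redefineBlocked = false;
  try {
    Object.defineProperty(obj, name, { value: function () {}, configurable: true });
  } catch (e) { r.redefineBlocked = e instanceof TypeError; }
  r.hookIntact = obj[name] === hook;
  return r;
}

// End-to-end run over constructed inputs: one benign write, one flagged write,
// the tampering attempts against the frozen slot, then one more write to show
// the wrapper is still in place.
function demo() {
  const doc = makeFakeDocument();
  const alerts = [];
  const calls = instrument(doc, 'write', (name, arg) => alerts.push({ name, arg }));
  doc.write('<p>hello</p>');                                    // benign
  doc.write('<script src="//example.invalid/x.js"></script>'); // flagged, constructed
  const tamper = tamperAttempts(doc, 'write');
  doc.write('<b>still hooked</b>');                             // wrapper still runs
  return { calls, alerts, log: doc.log, tamper };
}
```

Calling `demo()` returns the recorded calls, the alerts raised, what actually reached the fake page (the flagged write is replaced by an empty string), and a `tamper` record in which all three removal attempts are reported as blocked. The same attributes can be applied to any method the detector needs to observe; what the example does not cover is a page that obtains a fresh copy of the method from a different realm, such as a newly created iframe, which is why an in-browser instrumentation also has to hook object creation.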
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Heiderich, M., Frosch, T., Holz, T. (2011). IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_15
DOI: https://doi.org/10.1007/978-3-642-23644-0_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23643-3
Online ISBN: 978-3-642-23644-0