WeXpose: Towards on-Line Dynamic Analysis of Web Attack Payloads using Just-In-Time Binary Modification

Jennifer Bellizzi, Mark Vella

2015

Abstract

Web applications constitute a prime target for attacks. A subset of these inject code into their targets, posing a threat to the entire hosting infrastructure rather than just to the compromised application. Existing web intrusion detection systems (IDS) are easily evaded when code payloads are obfuscated. Dynamic analysis in the form of instruction set emulation is a well-known answer to this problem, which however is a solution for off-line settings rather than the on-line IDS setting and cannot be used for all types of web attacks payloads. Host-based approaches provide an alternative, yet all of them impose runtime overheads. This work proposes just-in-time (JIT) binary modification complemented with payload-based heuristics for the provision of obfuscation-resistant web IDS at the network level. A number of case studies conducted with WeXpose, a prototype implementation of the technique, shows that JIT binary modification fits the on-line setting due to native instruction execution, while also isolating harmful attack side-effects that consequentially become of concern. Avoidance of emulation makes the approach relevant to all types of payloads, while payload-based heuristics provide practicality.

References

  1. Abbasi, A., Wetzels, J., Bokslag, W., Zambon, E., and Etalle, S. (2014). On emulation-based network intrusion detection systems. In Research in Attacks, Intrusions and Defenses, pages 384-404. Springer.
  2. Afooshteh, A. N. (2014). Taintless. In Blackhat Arsenal. Blackhat.
  3. Bruening, D., Zhao, Q., and Amarasinghe, S. (2012). Transparent dynamic instrumentation. In ACM SIGPLAN Notices, volume 47, pages 133-144. ACM.
  4. Cova, M., Kruegel, C., and Vigna, G. (2010). Detection and analysis of drive-by-download attacks and malicious javascript code. In Proceedings of the 19th international conference on World wide web, pages 281-290. ACM.
  5. Egele, M., Scholte, T., Kirda, E., and Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. volume 44, page 6. ACM.
  6. Erickson, J. (2008). Hacking: The art of exploitation. No Starch Press.
  7. Kruegel, C. (2014). Full system emulation: Achieving successful automated dynamic analysis of evasive malware. In Proc. BlackHat USA Security Conference.
  8. Maggi, F., Matteucci, M., and Zanero, S. (2010). Detecting intrusions through system call sequence and argument analysis. volume 7, pages 381-395. IEEE.
  9. Polychronakis, M., Anagnostakis, K. G., and Markatos, E. P. (2006). Network-level polymorphic shellcode detection using emulation. In Detection of Intrusions and Malware & Vulnerability Assessment, pages 54- 73. Springer.
  10. Portokalidis, G. and Keromytis, A. D. (2010). Fast and practical instruction-set randomization for commodity systems. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 41-48. ACM.
  11. Schreck, T., Berger, S., and Göbel, J. (2013). Bissam: Automatic vulnerability identification of office documents. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 204-213. Springer.
  12. Sekar, R. (2009). An efficient black-box technique for defeating web application attacks. In NDSS.
  13. Shimamura, M. and Kono, K. (2009). Yataglass: Networklevel code emulation for analyzing memory-scanning attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 68-87. Springer.
  14. Sikorski, M. and Honig, A. (2012). Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software. No Starch Press.
  15. Snow, K. Z., Krishnan, S., Monrose, F., and Provos, N. (2011). Shellos: Enabling fast detection and forensic analysis of code injection attacks. In USENIX Security Symposium.
  16. Srivastava, A. and Giffin, J. (2010). Automatic discovery of parasitic malware. In Recent Advances in Intrusion Detection, pages 97-117. Springer.
  17. Tripp, O., Pistoia, M., Fink, S. J., Sridharan, M., and Weisman, O. (2009). Taj: effective taint analysis of web applications. volume 44, pages 87-97. ACM.
  18. Van der Veen, V., Cavallaro, L., Bos, H., et al. (2012). Memory errors: the past, the present, and the future. In Research in Attacks, Intrusions, and Defenses, pages 86-106. Springer.
  19. Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. (2007). Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS.
  20. Wang, Z. and Jiang, X. (2010). Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 380-395. IEEE.
  21. Weichselbaum, L., Neugschwandtner, M., Lindorfer, M., Fratantonio, Y., van der Veen, V., and Platzer, C. (2014). Andrubis: Android malware under the magnifying glass. Vienna University of Technology.
  22. Xu, W., Bhatkar, S., and Sekar, R. (2006). Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Usenix Security, pages 121- 136. USENIX.
  23. Yin, H., Poosankam, P., Hanna, S., and Song, D. (2010). Hookscout: Proactive binary-centric hook detection. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 1-20. Springer.
Download


Paper Citation


in Harvard Style

Bellizzi J. and Vella M. (2015). WeXpose: Towards on-Line Dynamic Analysis of Web Attack Payloads using Just-In-Time Binary Modification . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 5-15. DOI: 10.5220/0005502600050015


in Bibtex Style

@conference{secrypt15,
author={Jennifer Bellizzi and Mark Vella},
title={WeXpose: Towards on-Line Dynamic Analysis of Web Attack Payloads using Just-In-Time Binary Modification},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={5-15},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005502600050015},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - WeXpose: Towards on-Line Dynamic Analysis of Web Attack Payloads using Just-In-Time Binary Modification
SN - 978-989-758-117-5
AU - Bellizzi J.
AU - Vella M.
PY - 2015
SP - 5
EP - 15
DO - 10.5220/0005502600050015