Analyzing Distributed Denial of Service Tools: The Shaft Case
LISA '00 Proceedings of the 14th USENIX conference on System administration
Polaris: virus-safe computing for Windows XP
Communications of the ACM - Privacy and security in highly dynamic systems
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
A Systematic Approach to Uncover Security Flaws in GUI Logic
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
The ghost in the browser analysis of web-based malware
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Application-level isolation and recovery with solitude
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
SpyProxy: execution-based detection of malicious web content
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SS'08 Proceedings of the 17th conference on Security symposium
CloudAV: N-version antivirus in the network cloud
SS'08 Proceedings of the 17th conference on Security symposium
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
PhoneyC: a virtual client honeypot
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
NOZZLE: a defense against heap-spraying code injection attacks
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
The multi-principal OS construction of the gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads
Proceedings of the 20th international conference on World wide web
SURF: detecting and measuring search poisoning
Proceedings of the 18th ACM conference on Computer and communications security
ToMaTo: a trustworthy code mashup development tool
Proceedings of the 5th International Workshop on Web APIs and Service Mashups
Understanding the prevalence and use of alternative plans in malware with network games
Proceedings of the 27th Annual Computer Security Applications Conference
AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements
Proceedings of the 27th Annual Computer Security Applications Conference
Identifying native applications with high assurance
Proceedings of the second ACM conference on Data and Application Security and Privacy
On the fragility and limitations of current browser-provided clickjacking protection schemes
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Early detection of malicious behavior in JavaScript code
Proceedings of the 5th ACM workshop on Security and artificial intelligence
Autonomous learning for detection of JavaScript attacks: vision or reality?
Proceedings of the 5th ACM workshop on Security and artificial intelligence
Knowing your enemy: understanding and detecting malicious web advertising
Proceedings of the 2012 ACM conference on Computer and communications security
Manufacturing compromise: the emergence of exploit-as-a-service
Proceedings of the 2012 ACM conference on Computer and communications security
Beyond the blacklist: modeling malware spread and the effect of interventions
Proceedings of the 2012 workshop on New security paradigms
CodeShield: towards personalized application whitelisting
Proceedings of the 28th Annual Computer Security Applications Conference
Analyzing and defending against web-based malware
ACM Computing Surveys (CSUR)
AppIntent: analyzing sensitive data transmission in android for privacy leakage detection
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Revolver: an automated approach to the detection of evasiveweb-based malware
SEC'13 Proceedings of the 22nd USENIX conference on Security
Efficient and effective realtime prediction of drive-by download attacks
Journal of Network and Computer Applications
Hi-index | 0.01 |
Web-based surreptitious malware infections (i.e., drive-by downloads) have become the primary method used to deliver malicious software onto computers across the Internet. To address this threat, we present a browser independent operating system kernel extension designed to eliminate driveby malware installations. The BLADE (Block All Drive-by download Exploits) system asserts that all executable files delivered through browser downloads must result from explicit user consent and transparently redirects every unconsented browser download into a nonexecutable secure zone of disk. BLADE thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content by remapping to the file system only those browser downloads to which a programmatically inferred user-consent is correlated, BLADE provides its protection without explicit knowledge of any exploits and is thus resilient against code obfuscation and zero-day threats that directly contribute to the pervasiveness of today's drive-by malware. We present the design of our BLADE prototype implementation for the Microsoft Windows platform, and report results from as extensive empirical evaluation of its effectiveness on popular browsers. Our evaluation includes multiple versions of IE and Firefox, against 1,934 active malicious URLs, representing a broad spectrum of web-based exploits not plaguing the Internet. BLADE successfully blocked all drive-by malware install attempts with zero false positives and a 3% worst-case performance cost.