
Detection, Diagnosis and Mitigation of Malicious Javascript with Enriched Javascript Executions


Abstract

Malicious JavaScript has become an important attack vector for software exploitation and poses a severe threat to computer security. In particular, three major classes of problems, malware detection, exploit diagnosis and exploit mitigation, present considerable challenges to security researchers. Although much research effort has been spent on these threats, existing approaches have fundamental limitations and do not solve the problems.

Existing analysis techniques fall into two general categories: static analysis and dynamic analysis. Static analysis tends to produce inaccurate results (both false positives and false negatives) and is vulnerable to a wide range of obfuscation techniques. Dynamic analysis has therefore been gaining popularity for exposing the typical features of malicious JavaScript. However, existing dynamic analysis techniques have limitations such as limited code coverage and incomplete environment setup, leaving a broad attack surface for evading detection.

Once a zero-day exploit is captured, it is critical to quickly pinpoint the JavaScript statements that uniquely characterize the exploit and the location of the payload within it. Current diagnosis techniques are inadequate because they approach the problem either from the JavaScript perspective, failing to account for "implicit" data flow that is invisible at the JavaScript level, or from the binary execution perspective, failing to present a JavaScript-level view of the exploit.

Although software vendors have deployed techniques such as ASLR and sandboxing to mitigate JavaScript exploits, hacking contests (e.g., Pwn2Own, GeekPwn) have demonstrated that the latest software (e.g., Chrome, IE, Edge, Safari) can still be exploited. An ideal JavaScript exploit mitigation solution should be flexible and deployable without requiring code changes.

To combat malicious JavaScript, this dissertation addresses these problems through enriched executions, which explore arbitrary paths for detection, preserve JS-binary semantics for diagnosis, and perturb memory with chaff code for mitigation.

First, JSForce, a forced execution engine for JavaScript, is proposed and developed to improve the detection results of current malicious JavaScript detection techniques. It drives an arbitrary JavaScript snippet to execute along different paths without any input or environment setup. While increasing code coverage, JSForce tolerates invalid object accesses and introduces no runtime errors during execution.

Second, JScalpel, a system that uses context information from the JavaScript level to perform context-aware binary analysis, is presented for JavaScript exploit diagnosis. In essence, it performs JS-binary analysis to (1) generate a minimized exploit script, which in turn helps to generate a signature for the exploit, and (2) precisely locate the payload within the exploit. It replaces the malicious payload with a benign payload and generates a PoV (proof of vulnerability) for the exploit.

Third, ChaffyScript, a vulnerability-agnostic mitigation system, is introduced to block JavaScript exploits by undermining their memory preparation stage. Given suspicious JavaScript, ChaffyScript rewrites the code to insert memory perturbation code and generates semantically equivalent code. JavaScript exploits fail because of the unexpected memory states introduced by the perturbation code, while benign JavaScript still behaves as expected because the perturbation code does not change the original semantics.
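As an added illustration of the forced-execution idea behind JSForce (this is example code written for this page, not the dissertation's implementation, which works inside the JavaScript engine rather than by source rewriting): the harness below rewrites each `if` so that a driver can flip its outcome, explores branch outcomes with a worklist until no unseen path remains, and runs the snippet in a `with` scope whose missing objects (`document`, `ActiveXObject`, `screen`, ...) are replaced by stubs that survive any property read, call or `new`. The sample script, the `__force` hook, the `REAL` allowlist and the stub names are all constructed for the demo.

```javascript
// Added example, not the dissertation's JSForce code: a toy forced-execution
// harness showing path exploration without inputs and tolerance of accesses
// to objects that do not exist. Branch flipping is done by source rewriting
// here instead of inside the engine; the sample script is constructed.

// Names that resolve to the real JavaScript builtins; everything else the
// script touches (document, ActiveXObject, screen, ...) becomes a stub.
const REAL = new Set(["__force", "undefined", "Object", "String", "Array", "Number",
  "Math", "JSON", "RegExp", "parseInt", "eval", "unescape"]);
const STUBS = new WeakSet();

// A stub that survives any property read, call or `new`, coerces to "" and
// records every call it receives into `trace` (the detection features).
function stub(name, trace) {
  const p = new Proxy(function () {}, {
    get(_, prop) {
      if (prop === Symbol.toPrimitive) return () => "";
      if (typeof prop === "symbol") return undefined;
      return stub(name + "." + prop, trace);
    },
    set: () => true,
    has: () => true,
    apply(_, __, args) { trace.push(name + "(" + fmt(args) + ")"); return stub(name + "()", trace); },
    construct(_, args) { trace.push("new " + name + "(" + fmt(args) + ")"); return stub("new " + name, trace); },
  });
  STUBS.add(p);
  return p;
}

function fmt(args) {
  return args.map((a) => (typeof a === "string" ? JSON.stringify(a) : STUBS.has(a) ? "<stub>" : typeof a)).join(", ");
}

// Scope object for `with`: stores what the script assigns, stubs what it reads.
function makeEnv(trace) {
  const vars = Object.create(null);
  return new Proxy(vars, {
    has: (_, prop) => typeof prop === "string" && !REAL.has(prop),
    get: (_, prop) => (typeof prop === "symbol" ? undefined : prop in vars ? vars[prop] : stub(prop, trace)),
    set(_, prop, value) { vars[prop] = value; return true; },
  });
}

// Rewrite every `if (cond)` into `if (__force(id, cond))`. Parentheses inside
// string literals are not handled; good enough for the constructed sample.
function instrumentBranches(src) {
  const re = /\bif\s*\(/g;
  let out = "", from = 0, id = 0, m;
  while ((m = re.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;
    let depth = 0, close = open;
    for (; close < src.length; close++) {
      if (src[close] === "(") depth++;
      else if (src[close] === ")" && --depth === 0) break;
    }
    out += src.slice(from, open + 1) + "__force(" + id++ + ", " + src.slice(open + 1, close) + ")";
    from = close;
    re.lastIndex = close;
  }
  return out + src.slice(from);
}

// One execution: the k-th branch reached takes prefix[k] if given, otherwise
// its natural outcome. Returns the outcomes and the calls the script made.
function forcedRun(src, prefix) {
  const path = [], trace = [];
  const __force = (id, real) => {
    const taken = path.length < prefix.length ? prefix[path.length] : Boolean(real);
    path.push({ id, taken });
    return taken;
  };
  let error = null;
  try {
    new Function("env", "__force", "with (env) {\n" + instrumentBranches(src) + "\n}")(makeEnv(trace), __force);
  } catch (e) { error = String(e); }
  return {
    path: path.map((b) => b.id + (b.taken ? "T" : "F")).join(" "),
    outcomes: path.map((b) => b.taken), trace, error,
  };
}

// Worklist exploration: after each run, schedule every branch that was not
// forced with its outcome flipped, until no unseen path remains.
function explore(src, maxPaths = 32) {
  const seen = new Set(), results = [], worklist = [[]];
  while (worklist.length > 0 && results.length < maxPaths) {
    const prefix = worklist.shift();
    const run = forcedRun(src, prefix);
    if (seen.has(run.path)) continue;
    seen.add(run.path);
    results.push(run);
    for (let k = prefix.length; k < run.outcomes.length; k++) {
      worklist.push(run.outcomes.slice(0, k).concat(!run.outcomes[k]));
    }
  }
  return results;
}

// Constructed sample in the style of a browser exploit's environment checks.
// With no browser present, the natural run never reaches document.write.
const SAMPLE = `
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 8") !== -1 && navigator.platform.match(/Win/)) {
  var ax = new ActiveXObject("Msxml2.XMLHTTP");
  if (screen.width > 1024) {
    document.write("<div>" + String.fromCharCode(0x90, 0x90) + "</div>");
  }
} else {
  document.body.appendChild(document.createElement("img"));
}
`;

for (const run of explore(SAMPLE)) console.log(run.path, "|", run.trace.join("; "));
```

Three paths come out of the sample (`0T 1F` natural, `0F`, `0T 1T`), and only the forced `0T 1T` run reaches the `document.write` sink with the NOP-like bytes; none of the runs throws, because every missing object is a stub rather than `undefined`. The rewriting approach shown here is the weak point of doing this outside the engine: a real engine-level implementation such as the dissertation describes does not depend on a regex finding `if (`.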

Bibliographic details

  • Author: Hu, Xunchao
  • Author affiliation: Syracuse University
  • Degree-granting institution: Syracuse University
  • Subjects: Computer engineering; Computer science
  • Degree: Ph.D.
  • Year: 2017
  • Pages: 133 p.
  • Format: PDF
  • Language: English
