15 research outputs found

    Analyzing and Defending Against Evolving Web Threats

    The browser has evolved from a simple program that displays static web pages into a continuously-changing platform that is shaping the Internet as we know it today. The fierce competition among browser vendors has led to the introduction of a plethora of features in the past few years. At the same time, it remains the de facto way to access the Internet for billions of users. Because of such rapid evolution and wide popularity, the browser has attracted attackers, who pose new threats to unsuspecting Internet surfers. In this dissertation, I present my work on securing the browser against current and emerging threats. First, I discuss my work on honeyclients, which are tools that identify malicious pages that compromise the browser, and how one can evade such systems. Then, I describe a new system that I built, called Revolver, that automatically tracks the evolution of JavaScript and is capable of identifying evasive web-based malware by finding similarities in JavaScript samples with different classifications. Finally, I present Hulk, a system that automatically analyzes and classifies browser extensions.

    S3C2 Summit 2023-06: Government Secure Supply Chain Summit

    Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security. For each discussion topic, we presented our observations and takeaways from the industry summits to spur conversation. We specifically focused on Executive Order 14028, software bills of materials (SBOMs), choosing new dependencies, provenance and self-attestation, and large language models. The open discussions enabled mutual sharing and shed light on common challenges that government agencies see as impacting government and industry practitioners when securing their software supply chain. In this paper, we provide a summary of the Summit. Comment: arXiv admin note: text overlap with arXiv:2307.16557, arXiv:2307.1564

    S3C2 Summit 2202-09: Industry Secure Supply Chain Summit

    Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. We conducted six panel discussions with a diverse set of 19 practitioners from industry. We asked them open-ended questions regarding SBOMs, vulnerable dependencies, malicious commits, build and deploy, the Executive Order, and standards compliance. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain. This paper summarizes the summit held on September 30, 2022.

    Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets

    Browser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience.

    Efficient Mitigation of Dial-Type Attacks

    The way we communicate nowadays has changed due to the advancement of Voice over IP (VoIP) technology, which has enabled the interconnection of the Internet and the telephone network, as Internet users can call landline or mobile devices through VoIP services. Although this technology has many advantages and has been widely deployed, there are security concerns that have yet to be examined. The focus of this work is to explore the security problems that arise from making telephone devices accessible from the Internet through the use of VoIP. We carry out attacks using Internet services that aim to keep telephone devices busy, hindering legitimate callers from gaining access. We use the term DIAL (Digitally Initiated Abuse of teLephones), or, in the simple form, Dial attack, to refer to this behavior. We develop a simulation environment for modeling a Dial attack in order to quantify its full potential and measure the effect of attack parameters. Based on the simulation's results we perform the attack in the real world in a controlled manner. By using a Voice over IP (VoIP) provider as the attack medium, we manage to hold an existing landline device busy for 85% of the attack duration by issuing only 3 calls per second and, thus, render the device unusable. The attack has zero financial cost, requires negligible computational resources and cannot be traced back to the attacker. Furthermore, the nature of the attack is such that anyone can launch a Dial attack towards any telephone device. Our investigation of existing countermeasures in VoIP providers shows that they follow an all-or-nothing approach, but most importantly, that their anomaly detection systems react slowly against our attacks, as we managed to issue tens of thousands of calls before getting spotted. To cope with this, we propose a flexible anomaly detection system for VoIP calls, which promotes fairness for legitimate callers. With our system in place it is hard for an adversary to keep the device busy for more than 5% of the duration of the attack. We also propose defenses on the victim side, implemented as a fully functional call centre with the use of phone CAPTCHAs to defend against DIAL attacks.

    Revolver: An Automated Approach to the Detection of Evasive Web-based Malware

    In recent years, attacks targeting web browsers and their plugins have become a prevalent threat. Attackers deploy web pages that contain exploit code, typically written in HTML and JavaScript, and use them to compromise unsuspecting victims. Initially, static techniques, such as signature-based detection, were adequate to identify such attacks. The response from the attackers was to heavily obfuscate the attack code, rendering static techniques insufficient. This led to dynamic analysis systems that execute the JavaScript code included in web pages in order to expose malicious behavior. However, today we are facing a new reaction from the attackers: evasions. The latest attacks found in the wild incorporate code that detects the presence of dynamic analysis systems and try to avoid analysis and/or detection. In this paper, we present Revolver, a novel approach to automatically detect evasive behavior in malicious JavaScript. Revolver uses efficient techniques to identify similarities between a large number of JavaScript programs (despite their use of obfuscation techniques, such as packing, polymorphism, and dynamic code generation), and to automatically interpret their differences to detect evasions. More precisely, Revolver leverages the observation that two scripts that are similar should be classified in the same way by web malware detectors (either both scripts are malicious or both scripts are benign); differences in the classification may indicate that one of the two scripts contains code designed to evade a detector tool. Using large-scale experiments, we show that Revolver is effective at automatically detecting evasion attempts in JavaScript, and its integration with existing web malware analysis systems can support the continuous improvement of detection techniques.

    You are what you include: Large-scale evaluation of remote JavaScript inclusions

    JavaScript is used by web developers to enhance the interactivity of their sites, offload work to the users' browsers and improve their sites' responsiveness and user-friendliness, making web pages feel and behave like traditional desktop applications. An important feature of JavaScript is the ability to combine multiple libraries from local and remote sources into the same page, under the same namespace. While this enables the creation of more advanced web applications, it also allows for a malicious JavaScript provider to steal data from other scripts and from the page itself. Today, when developers include remote JavaScript libraries, they trust that the remote providers will not abuse the power bestowed upon them. In this paper, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. We show the evolution of JavaScript inclusions over time and develop a set of metrics in order to assess the maintenance quality of each JavaScript provider, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript. In this process, we identify four previously unknown types of vulnerabilities that attackers could use to attack popular web sites. Lastly, we review some proposed ways of protecting a web application from malicious remote scripts and show that some of them may not be as effective as previously thought.