
IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 7, AUGUST 2011 1461

BrowserGuard: A Behavior-Based Solution to Drive-by-Download Attacks

Fu-Hau Hsu, Chang-Kuo Tso, Yi-Chun Yeh, Wei-Jen Wang, and Li-Han Chen

Abstract—Along with an increasing user population of various web applications, browser-based drive-by-download attacks have become one of the most common security threats to the cyber community. A user using a vulnerable browser or browser plug-ins may become a victim of a drive-by-download attack right after visiting a vicious web site. The end result of such attacks is that an attacker can download and execute any code on the victim’s host. This paper proposes a runtime, behavior-based solution, BrowserGuard, to protect a browser against drive-by-download attacks. BrowserGuard records the download scenario of every file that is loaded into a host through a browser. Then, based on the download scenario, BrowserGuard blocks the execution of any file that is loaded into a host without the consent of the browser user. Due to its behavior-based detection nature, BrowserGuard does not need to analyze the source file of any web page or the run-time states of any script code, such as Javascript. BrowserGuard also does not need to maintain any exploit code samples and does not need to query the reputation value of any web site. We utilize the standard BHO mechanism of Windows to implement BrowserGuard on IE 7.0. Experimental results show that BrowserGuard has low performance overhead (less than 2.5%) and no false positives and false negatives for the web pages used in our experiments.

Index Terms—drive-by-download attack, heap spray, malware, Web browser, intrusion detection, system security.

I. INTRODUCTION

IN THIS PAPER we propose a behavior-based solution, called BrowserGuard, against drive-by-download attacks, which are one of the most dangerous security threats nowadays. A drive-by-download attack utilizes the vulnerabilities in a browser or browser plug-ins to download and execute attack code in the address space of the browser without the consent of the browser user. A drive-by-download attack is launched through malicious web sites. When a user of a vulnerable browser visits a malicious web site, the user’s host will be compromised immediately. According to [1], more than 1.3% of the query results provided by Google point to a web page that performs drive-by-download attacks. Besides, Frei et al. [2] observed that only 60% of Google users use the latest version of their browsers. The above research results show that there are many drive-by-download traps on the Internet to prey on hosts that use vulnerable browsers or browser plug-ins. Due to the potent destructive power of drive-by-download attacks, many promising solutions have been proposed. However, many of them are bothered by non-trivial false positives, false negatives, or performance overhead.

This paper proposes a runtime, behavior-based solution, BrowserGuard, to protect a browser against drive-by-download attacks. BrowserGuard records the download scenario of every file that is loaded into a host through a browser. Then, based on the download scenario, BrowserGuard blocks the execution of any file that is loaded into a host without the consent of the browser user. Due to its behavior-based detection nature, BrowserGuard does not need to analyze the source file of any web page or the run-time states of any script code, such as Javascript. BrowserGuard also does not need to maintain any exploit code samples and does not need to query the reputation value of any web site.

We utilize the standard BHO mechanism (Subsection II-B4) of Windows to implement BrowserGuard on IE 7.0, which is the most popular browser nowadays [3] and is the major target of many drive-by-download attacks [4]. Experimental results show that BrowserGuard has low performance overhead (less than 2.5%) and negligible false positives and false negatives.

The remainder of this paper is organized as follows. Section II discusses the attacking model of typical drive-by-download attacks and the background knowledge of BrowserGuard. Section III illustrates the mechanism and implementation details of BrowserGuard. Section IV includes our effectiveness and performance evaluation. Section V discusses other related research on this security problem. Section VI concludes this paper.

Manuscript received 1 August 2010; revised 4 January and 21 February 2011.
C.-K. Tso is with the Department of Computer Science and Information Engineering, National Central University, Jhongli City, Taoyuan County, 32001 ROC (e-mail: [email protected]).
F.-H. Hsu, Y.-C. Yeh, W.-J. Wang and L.-H. Chen are with National Central University.
Digital Object Identifier 10.1109/JSAC.2011.110811.

II. BACKGROUND

In this section we discuss the details of drive-by-download attacks, the APIs used by IE 7.0 to download a file, BHO, and API hooking.

A. Drive-by-Download Attacks

A drive-by-download attack is launched through a web page with crafted malicious content. The web server that hosts the vicious web page may be owned by an attacker, may be compromised by an attacker, or may be a normal benign host which allows other persons to put their content, such as an advertisement, in the web pages of the host. To accomplish a drive-by-download attack, a Malware Bootstrap Function (MBF) must first be injected into the address space of the attacked browser. Then the execution flow must be transferred to the MBF through some vulnerability in the browser or in a plug-in of the browser. In turn, the MBF downloads more malware into the compromised host and executes it. An MBF can be injected into the attacked browser either by a Javascript program or by a long string in some HTML tags in a web page. The vulnerabilities utilized to transfer the execution flow of a browser to an MBF can be divided into the following three types.

0733-8716/11/$25.00 © 2011 IEEE

C1 misuse APIs [5]–[8]
C2 memory corruption errors [9]–[13]
C3 initialization errors [14]

Type C1 vulnerabilities are usually created by a browser plug-in, such as an ActiveX control, which erroneously exports a flow-control function to its users. The flow-control function allows its user to transfer the execution of a program to any location specified by the user. Type C2 vulnerabilities are usually caused by bugs in browser code or browser plug-ins. The most famous ones are buffer overflow bugs [9]–[12]. Even though many protective mechanisms, such as ASLR, DEP, GS, and so on, have been developed to solve the memory corruption problem, attackers continue designing new approaches, such as heap sprays [15], to invalidate the protection. Type C3 vulnerabilities are caused by exception conditions that a Javascript engine cannot handle correctly.

B. IE Components Regarding File Download and File Execution

BrowserGuard blocks drive-by-download attacks based on the download and execution scenario of a file. There are three components involved in the file download operation and the file execution operation in IE: the file download component, the file execution component, and the event component. The first two components consist of Application Programming Interfaces (APIs) that are responsible for file download and file execution. The third component consists of various events of a browser. The following subsections give a detailed discussion of these components.

1) File Download Component: The following four reasons cause an IE browser to legitimately download a file to a local host. First, when browsing a web page, in order to display the web page in the Internet Explorer (IE) browser, IE needs to download all the objects described in the web page, including the source code of the web page, script files, Cascading Style Sheets (CSS), and multimedia files, to local storage. Second, when a browser user clicks a hyperlink to navigate to another web page, IE needs to download the HTML file. Third, when a user clicks the download button in a download dialogue box to download a file, IE downloads the file. (The dialogue box pops up because the user clicked a URL which points to a file that the browser cannot display in its window.) Fourth, when a user clicks the hyperlink of an ASP/PHP/JSP file which creates a new file, or when a user puts the cursor over a hyperlink and clicks the right mouse button to open a context menu and download a file, IE downloads the related file. File downloads caused by the above four reasons are accomplished by the file download component. Files downloaded to a host due to one of the above reasons are called benign files. Files downloaded to a host through drive-by-download attacks (Subsection II-A) are malware.

Inside the file download component, IE follows these steps to download a file. First, Internet Explorer calls API InternetConnect to open a connection and receive a handle. Second, using the above Internet handle, Internet Explorer calls API HttpOpenRequest to assign a name to an object (file). Third, Internet Explorer calls API InternetReadFile to download the file. Finally, Internet Explorer calls API WriteFile to save the file into the Temporary Internet Files directory.

Besides the above execution path, there exists another execution path used by IE to download a file. This execution path is used when an IE user manually downloads a file by clicking the right mouse button or by clicking a hyperlink of a server-side page which creates a new file. When this happens, IE calls API DoFileDownload first to open a download window. Next, it calls APIs InternetConnect, HttpOpenRequest, InternetReadFile, and WriteFile one by one. Finally, based on the directory specified by the user, IE uses API WriteFile to save the downloaded file in the specified directory.

2) File Execution Component: IE calls API CreateProcessW to execute an executable file. API CreateProcessW in turn calls API CreateProcessInternalW to load the image of the file. After the above operations, IE creates a new child process.

3) Event Component: IE provides various events to indicate the occurrence of different activities related to itself. Event BeforeNavigate2 is one of them. When an object, such as a window element or a frameset element in the DOM architecture, is going to be browsed, BeforeNavigate2 is issued to indicate this activity. The event component of BrowserGuard allows BrowserGuard to decide more precisely under what situation a file is downloaded.

4) Browser Helper Object (BHO) and API Hooking: A Microsoft BHO [16] is a DLL module that is loaded into the address space of an IE browser, called the host browser of the BHO, when the browser starts up. The BHO stays in the address space of the host browser until the browser exits. Because a BHO executes in the same address space as its host browser, the BHO can perform any operation that the host browser is allowed to do. The major component of BrowserGuard is implemented in a BHO, called BrowserGuard-BHO.

API hooking [17] is a technique that allows a programmer to intercept function calls, messages, or events passed between software functions. BrowserGuard uses Detours [18] to implement API hooking. Detours replaces the first few instructions of a target function with an unconditional jump to a detour function provided by a user. The detour function then transfers the execution flow of the process back to the original target function. On 32-bit x86 that jump is a five-byte instruction, which is why code that enters the target function at its sixth byte skips the detour entirely (Subsection III-C2).

III. IMPLEMENTATION

This section describes the design principle, design goals, and implementation details of BrowserGuard. According to the file download steps of a browser, BrowserGuard sets several check points in the browser and the Windows kernel to detect secret downloads and block the execution of downloaded malware at runtime.

Fig. 1. Structure, major components, and major data structures of BrowserGuard. (Figure not reproduced. Its labels: IE and BrowserGuard-BHO, the List Server holding the White-list and Blacklist, all in User Space; BrowserGuard-Kernel in Kernel Space; and the Named Pipe between them.)

A. Structure of BrowserGuard

As Fig. 1 shows, BrowserGuard consists of a BrowserGuard-BHO in every IE process, a BrowserGuard-Kernel in the kernel space, and a list server process. Each host has only one list server process. But the host may have several browsers executing simultaneously; hence, there may exist multiple BrowserGuard-BHOs in a host at the same time. A BrowserGuard-BHO communicates with the list server process through a named pipe. Multiple BrowserGuard-BHOs can communicate with the list server process simultaneously.

The list server process contains two lists, a white-list and a blacklist. The white-list records the URLs of benign files (Subsection II-B1) and the hash values of benign executable files. The blacklist records the hash values of detected malicious files. Downloading benign files to a host due to the first three reasons discussed in Subsection II-B1 will trigger the system to issue event BeforeNavigate2, which in turn will trigger the execution of the BrowserGuard-BHO function before_navigate to record the URLs from which benign files are downloaded (Subsection II-B1). Besides, BrowserGuard also utilizes BrowserGuard-BHO to hook detour functions (Subsection II-B4) to functions in the file download component and functions in the file execution component. The hooked target functions in the file download component are DoFileDownload, InternetReadFile, and WriteFile. The hooked function in the file execution component is CreateProcessInternalW.

BrowserGuard-Kernel is the kernel component of BrowserGuard. BrowserGuard-Kernel enforces the following two tasks to prevent the execution of malware and illegal modifications of the white-list and blacklist. First, BrowserGuard-Kernel ensures that the execution of a program is issued by CreateProcessInternalW, which has been hooked by BrowserGuard. Second, BrowserGuard-Kernel denies a request to modify the white-list if the request is not issued through the code in function before_navigate or DoFileDownload of BrowserGuard.

B. Workflow of BrowserGuard

BrowserGuard blocks drive-by-download attacks by denying the execution of malware (Subsection II-B1). BrowserGuard provides its protection to a host through a two-phase mechanism and a kernel component. In the first phase, namely the filtration phase, BrowserGuard distinguishes malicious files from benign ones based on the situations under which the files are downloaded to a local host. In the second phase, namely the prohibition phase, BrowserGuard denies requests to execute malicious files. The kernel component blocks attempts to bypass BrowserGuard. This and the next subsection describe the techniques.

1) Filtration Phase: To be able to distinguish malicious files from benign ones, BrowserGuard needs to know the situation under which a file is downloaded to a local host. With this information, BrowserGuard can deduce whether a downloaded file is benign or malicious. In order to collect the required information, BrowserGuard installs several check points to monitor the behavior of a browser.

The check point before_navigate is a BrowserGuard-BHO function that is bound to event BeforeNavigate2, so that the function is invoked whenever a BeforeNavigate2 event is issued. When before_navigate is called, it records the URL of the related file in the white-list of the list server process. As discussed in the previous subsection, a benign file download that is not triggered by clicking the hyperlink of an ASP/PHP/JSP file which creates a new file or by clicking the right mouse button will always result in the BeforeNavigate2 event. Even though clicking the right mouse button does not trigger event BeforeNavigate2, this file download request makes IE invoke DoFileDownload to perform the download. DoFileDownload also receives the URL of the file that is going to be downloaded to the local host. Figure 2 shows the major functions, data structures, and operations involved in the filtration phase.

While a user is surfing the WWW, a browser needs to download various files. All these files are placed in a directory called Temporary Internet Files and they cannot be directly executed without the admission of the browser user. On a BrowserGuard-protected browser, a normal file download triggers the execution of DoFileDownload or before_navigate. Both functions connect to the list server process of the host to record URLs in the white-list of that process. The URLs are those of the files that are going to be downloaded to the host. The real download is performed by API InternetReadFile, which in turn calls API WriteFile to store the downloaded file.

The detour function of InternetReadFile checks whether the URL of the file that this function is asked to download is within the white-list. If the URL is within the white-list, the file is downloaded as usual; but if the URL is not within the white-list and the first two bytes of the file are “MZ”, then after the file is downloaded to the local host, BrowserGuard calculates the hash value of the file and adds the hash value to the blacklist. “MZ” is the first two bytes of a PE format file, which is the most common format of Windows executable files. Instead of using the filename extension to find executable files, BrowserGuard uses “MZ” to find executable files. This prevents an attacker from first naming an executable file with a non-executable filename extension and then changing its filename extension back to an executable one before executing the file.

The hash value is calculated over the first 512 bytes of a file. BrowserGuard uses the hash value of a file to represent the file in the blacklist. Hence, BrowserGuard does not need to compare every byte of two files to determine whether these two files have the same content. This step accelerates the processing time of the prohibition phase and saves storage space.

Fig. 2. Functions, data structures, and operations involved in the filtration phase. (Figure not reproduced. Its labels: Internet Explorer, with the Event BeforeNavigate2 and the File Download chain DoFileDownload, InternetConnect, HttpOpenRequest, InternetReadFile, WriteFile, for a normal download and for a download via the context menu; the List Server holding the White-list and Blacklist, reached over a Named Pipe; arrows labelled URL and hash for Add to white-list (URL or hash value), Check white-list (URL or hash value), Add to blacklist, and Possible route to save a file.)

Besides adding the hash value of a malicious file to the blacklist, the detour function of InternetReadFile also adds the hash value of a benign executable file to the white-list. The hash values in the white-list are then used by the detour function of WriteFile. WriteFile is used to write a file into storage, such as a disk. Thus, when an executable file is written to a disk by WriteFile, its detour function queries the white-list to check whether the hash value of this file was logged by InternetReadFile. If the hash value of the file is not in the white-list, the file must have been transformed from another, non-executable file after that non-executable file was downloaded to the local host. For example, an attacker may first disguise a malware file as an image file. After the disguised file is downloaded to an attacked host by an MBF, the MBF transforms the file into an executable file and executes it. Because benign files are not supposed to be handled in this way, executable files created on a disk using the above methods are deemed non-benign files (i.e., malicious files). The detour function of WriteFile saves the hash values of these files into the blacklist.

2) Prohibition Phase: Inside an IE browser, CreateProcessInternalW is used to execute an executable file stored on a disk. BrowserGuard hooks this API to ensure that the API will not execute malware. BrowserGuard calculates the hash value of the executable file first. Then BrowserGuard checks whether the white-list and the blacklist contain that hash value. If the blacklist does not contain the hash value but the white-list does, API CreateProcessInternalW runs the executable file. Otherwise, it blocks the execution of the file.
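The decision rules of the filtration phase (Subsection III-B1) and the prohibition phase (Subsection III-B2), modelled in portable C as an added example; this is not the authors' code. The real BrowserGuard applies these rules inside Detours hooks on InternetReadFile, WriteFile and CreateProcessInternalW, and keeps the lists in a separate list-server process reached over a named pipe. Here each hook is an ordinary function the caller invokes in the order IE would, the lists are in-process arrays, and the hash is 64-bit FNV-1a over the first 512 bytes (the paper fixes the 512-byte prefix but does not name the hash function, so FNV-1a is an assumption). The URLs and file contents in the scenario are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define HASH_PREFIX_LEN 512

/* List-server state, modelled in-process; the real lists live in the list
 * server process and are reached from each BrowserGuard-BHO over a named pipe. */
static const char *url_whitelist[MAX_ENTRIES];
static uint64_t hash_whitelist[MAX_ENTRIES], hash_blacklist[MAX_ENTRIES];
static int n_url, n_white, n_black;

void bg_reset(void) { n_url = n_white = n_black = 0; }

/* Assumed hash: 64-bit FNV-1a over at most the first 512 bytes. The paper fixes
 * the 512-byte prefix but does not name the hash function. */
uint64_t bg_hash_prefix(const unsigned char *data, size_t len) {
    uint64_t h = 14695981039346656037ULL;
    size_t n = len < HASH_PREFIX_LEN ? len : HASH_PREFIX_LEN;
    for (size_t i = 0; i < n; i++) { h ^= data[i]; h *= 1099511628211ULL; }
    return h;
}

/* Executable test by content, not by extension: a PE image starts with "MZ". */
int bg_is_executable(const unsigned char *data, size_t len) {
    return len >= 2 && data[0] == 'M' && data[1] == 'Z';
}

static int url_listed(const char *url) {
    for (int i = 0; i < n_url; i++) if (strcmp(url_whitelist[i], url) == 0) return 1;
    return 0;
}
static int hash_listed(const uint64_t *list, int n, uint64_t h) {
    for (int i = 0; i < n; i++) if (list[i] == h) return 1;
    return 0;
}
static void add_hash(uint64_t *list, int *n, uint64_t h) {
    if (*n < MAX_ENTRIES && !hash_listed(list, *n, h)) list[(*n)++] = h;
}

/* Checkpoint reached from before_navigate (on BeforeNavigate2) or from the
 * DoFileDownload detour: the user asked for this URL, so white-list it. */
void bg_record_user_url(const char *url) {
    if (n_url < MAX_ENTRIES && !url_listed(url)) url_whitelist[n_url++] = url;
}

/* InternetReadFile detour: non-executables pass; an executable is hashed and
 * white-listed if its URL was requested by the user, blacklisted otherwise. */
void bg_on_internet_read_file(const char *url, const unsigned char *data, size_t len) {
    if (!bg_is_executable(data, len)) return;
    uint64_t h = bg_hash_prefix(data, len);
    if (url_listed(url)) add_hash(hash_whitelist, &n_white, h);
    else                 add_hash(hash_blacklist, &n_black, h);
}

/* WriteFile detour: an executable reaching disk whose hash InternetReadFile never
 * white-listed was produced locally (e.g. decoded from a fake image): blacklist it. */
void bg_on_write_file(const unsigned char *data, size_t len) {
    if (!bg_is_executable(data, len)) return;
    uint64_t h = bg_hash_prefix(data, len);
    if (!hash_listed(hash_whitelist, n_white, h)) add_hash(hash_blacklist, &n_black, h);
}

/* CreateProcessInternalW detour (prohibition phase): run only if the image hash is
 * white-listed and not blacklisted. Returns 1 = allow, 0 = block. */
int bg_on_create_process(const unsigned char *image, size_t len) {
    uint64_t h = bg_hash_prefix(image, len);
    if (hash_listed(hash_blacklist, n_black, h)) return 0;
    return hash_listed(hash_whitelist, n_white, h);
}

/* Constructed scenario. Returns a bit mask of three execution decisions:
 * bit 0 = installer the user clicked, bit 1 = payload fetched by an MBF,
 * bit 2 = executable the MBF assembled locally from a disguised "image". */
int bg_run_scenario(void) {
    static const unsigned char installer[] = "MZ\x90" "\x00" "setup-from-user-click";
    static const unsigned char payload[]   = "MZ\x90" "\x00" "fetched-by-mbf";
    static const unsigned char disguised[] = "\x89PNG\r\n\x1a\n" "not-really-an-image";
    static const unsigned char decoded[]   = "MZ\x90" "\x00" "decoded-from-png";
    const char *user_url = "http://example.com/setup.exe";   /* constructed */

    bg_reset();
    bg_record_user_url(user_url);                       /* user clicked a link */
    bg_on_internet_read_file(user_url, installer, sizeof installer - 1);
    bg_on_write_file(installer, sizeof installer - 1);
    bg_on_internet_read_file("http://example.net/p.exe", payload, sizeof payload - 1);
    bg_on_write_file(payload, sizeof payload - 1);      /* no URL was recorded for it */
    bg_on_internet_read_file("http://example.net/a.png", disguised, sizeof disguised - 1);
    bg_on_write_file(disguised, sizeof disguised - 1);  /* not "MZ": ignored */
    bg_on_write_file(decoded, sizeof decoded - 1);      /* MBF rewrote the image into a PE */

    return bg_on_create_process(installer, sizeof installer - 1)
         | bg_on_create_process(payload, sizeof payload - 1) << 1
         | bg_on_create_process(decoded, sizeof decoded - 1) << 2;
}

int main(void) {
    int d = bg_run_scenario();
    printf("installer %s, payload %s, decoded %s\n", d & 1 ? "runs" : "blocked",
           d & 2 ? "runs" : "blocked", d & 4 ? "runs" : "blocked");
    return 0;
}
```

Only the user-requested installer is allowed to run; the MBF-fetched payload is blacklisted at InternetReadFile time and the locally decoded one at WriteFile time. One consequence of the 512-byte prefix rule is visible directly in bg_hash_prefix: two executables that agree in their first 512 bytes and differ only afterwards receive the same list entry, so a white-list hit for the prefix covers both.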

C. Prevention of Checkpoint-Bypassing

The checkpoints installed by BrowserGuard are the critical instructions used to detect downloaded malware and prevent the execution of the downloaded malware. If an attacker can bypass these checkpoints, she/he can successfully accomplish a drive-by-download attack on a BrowserGuard-protected browser. BrowserGuard utilizes various approaches to ensure that, if the download and execution of a program do not follow the normal path and do not pass the predefined checkpoints, BrowserGuard can detect it and block the execution.

1) Protecting the Checkpoints in DoFileDownload and before_navigate: This subsection describes the approaches that BrowserGuard uses to prevent attackers from adding URLs to the white-list by directly calling DoFileDownload and before_navigate from an MBF or by executing copied versions of these functions in an MBF.

DoFileDownload and before_navigate connect to the list server process in a host to record URLs in the white-list of that process. Inside the kernel, BrowserGuard-Kernel ensures that only instructions inside functions DoFileDownload and before_navigate can add a URL to the white-list. In a BrowserGuard-protected browser, the URLs are transmitted from an IE process to a list server process. Thus, kernel functions need to be used to accomplish this work. Hence, by recording the return addresses used to return to DoFileDownload or before_navigate from the kernel after the kernel transmits a URL from an IE process to the white-list of a list server process, BrowserGuard-Kernel can infer the addresses of the legal user-space instructions that are allowed to initiate the transmission. Thus, BrowserGuard can deny any request to transmit a URL to the white-list of a list server process if the request is not issued through instructions inside DoFileDownload and before_navigate.

Besides, even if an MBF directly calls DoFileDownload or before_navigate to add URLs of malware to the white-list, BrowserGuard can still detect the behavior for the following reason: when the above behavior occurs, the execution flow still needs to return to the MBF, because the MBF has to download and execute the malware, or the execution flow finally needs to transfer to CreateProcessInternalW, which is the only legal API inside a BrowserGuard-protected browser to create a new process (Subsection III-C2). On a Windows system, due to DEP, the stack segment and data segments of a process are not executable. Hence, an MBF can only be stored in the heap segment of a process. As a result, by checking whether the stack return addresses contain a heap address or the address of CreateProcessInternalW when DoFileDownload or before_navigate is executed, BrowserGuard can prevent these two functions from being called directly by an MBF.

2) Protecting the Checkpoint in CreateProcessInternalW: To prevent an MBF from bypassing the checkpoint inside the detour function hooked to CreateProcessInternalW by directly jumping to the sixth byte of this function, BrowserGuard utilizes a new software interrupt, BGSetFlag. BGSetFlag is an element of BrowserGuard-Kernel. Because BGSetFlag is a software interrupt, after a thread invokes it in the user address space, the thread switches from user mode into kernel mode and the system stores the address (a return address) of the instruction right after the calling instruction in the kernel mode stack of the thread. For a process, the first execution of BGSetFlag results in the recording of the above return address, called the anchor address of the process, and the setting of the BG_CHECKED flag. Every subsequent execution of BGSetFlag first compares the return address stored in the kernel mode stack of the process with the anchor address. If these two addresses are the same, the BG_CHECKED flag is set; otherwise, the flag is cleared. Inside the kernel address space, the native API in charge of the creation of a new process checks the BG_CHECKED flag first. Only when the flag is set does the API create a new process, after which it clears the flag. Otherwise, it aborts the process creation request. BrowserGuard adds an invocation of BGSetFlag in the detour function of CreateProcessInternalW to make sure that the detour function is executed whenever a process creates a new process. Apart from BrowserGuard-Kernel, the detour function of CreateProcessInternalW is another place where BrowserGuard blocks the execution of malware downloaded by a drive-by-download attack. The above approach is also used to prevent attackers from bypassing the detour function of InternetReadFile.
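The BGSetFlag / BG_CHECKED handshake between the detour function and BrowserGuard-Kernel, as an added C model that is not the paper's code: the software interrupt and the kernel-mode stack are replaced by an explicit return-address argument, and the address of the BGSetFlag call site inside the detour is a hypothetical constant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-process state kept by the (modelled) BrowserGuard-Kernel. */
typedef struct {
    uintptr_t anchor;      /* return address recorded on the first BGSetFlag */
    bool      has_anchor;
    bool      bg_checked;  /* the BG_CHECKED flag */
} bg_process;

/* Model of the BGSetFlag software interrupt. ret_addr plays the role of
 * the return address the kernel finds on the thread's kernel-mode stack. */
void bg_set_flag(bg_process *p, uintptr_t ret_addr)
{
    if (!p->has_anchor) {          /* first execution: record the anchor */
        p->anchor = ret_addr;
        p->has_anchor = true;
        p->bg_checked = true;
        return;
    }
    /* later executions: the flag is set only when issued from the anchor */
    p->bg_checked = (ret_addr == p->anchor);
}

/* Model of the native process-creation API: it creates the process only
 * when BG_CHECKED is set and clears the flag afterwards, so each creation
 * needs a fresh BGSetFlag from the anchor. Returns true when created. */
bool bg_create_process(bg_process *p)
{
    if (!p->bg_checked)
        return false;              /* request aborted */
    p->bg_checked = false;
    return true;                   /* process created */
}

/* Hypothetical address of the BGSetFlag invocation inside the detour. */
#define DETOUR_BGSETFLAG_SITE 0x10001234u

/* Model of the detour function hooked to CreateProcessInternalW: the
 * BGSetFlag invocation placed here becomes the process's anchor. */
bool detour_create_process_internal_w(bg_process *p)
{
    /* ...the download-scenario checks of the detour would run here... */
    bg_set_flag(p, DETOUR_BGSETFLAG_SITE);
    return bg_create_process(p);
}

int main(void)
{
    bg_process p = {0};
    printf("via detour:      %s\n", detour_create_process_internal_w(&p) ? "created" : "aborted");
    printf("detour skipped:  %s\n", bg_create_process(&p) ? "created" : "aborted");
    bg_set_flag(&p, 0x01020304u);  /* BGSetFlag issued from elsewhere (constructed) */
    printf("foreign anchor:  %s\n", bg_create_process(&p) ? "created" : "aborted");
    return 0;
}
```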

IV. EVALUATION

In this section, we discuss the results of various experiments that were made to evaluate the effectiveness and efficiency of BrowserGuard. What follows are the specifications of the hosts, operating systems, and browsers used in our experiments. All browsers used in our experiments are IE 7.0 and are executed in a guest machine. The guest machine is executed on a host machine through VMware. The web server used in our tests is installed on a remote Linux machine.

• local client machine:
  – guest machine (OS: Windows XP SP2 (32bit), Browser: IE 7.0)
  – VMware 7.0.1 (Memory: 1024 MB)
  – host machine (OS: Windows 7 (32bit), CPU: Intel Core2Duo CPU P8600 2.4 GHz, Memory: 3 GB)
• remote server machine (OS: Ubuntu 10.04, Web Server: Apache 2)

A. Effectiveness

To evaluate the effectiveness of BrowserGuard, we made various tests to measure the false positives and false negatives produced by BrowserGuard.

To test the false positives of BrowserGuard, we chose the top 500 ranking websites from Alexa [19] and visited them using an IE browser with BrowserGuard. Because surfing these websites did not cause BrowserGuard to issue any drive-by-download attack alert and these websites were not reported by Google as malicious websites, the number of false positives of BrowserGuard for these websites is zero.

In order to evaluate the false negatives of BrowserGuard, we used the Metasploit framework [20] to generate 10 malicious web pages based on the 9 exploits for IE 7.0 listed in Table I. We installed these 10 malicious web pages on a remote server machine. All these web pages contain both shellcode and exploit code used to launch drive-by-download attacks; hence, these web pages compromised our test machines immediately after we used an ordinary IE 7.0 to view them. However, when using a browser with BrowserGuard to visit these pages, even though the related malware was still downloaded to the local host, all of it was blocked when the shellcode tried to execute it. Hence, the number of false negatives of BrowserGuard for these malicious web pages is zero.

Among the 10 malicious web pages, number 5 is a special one because it stores the malware in a file that begins with a JPEG image file header. After the disguised file is downloaded to the local host, the file is transformed back into an executable file. BrowserGuard still thwarted the attack of web page number 5. Hence, no matter how attackers encrypt the malware, BrowserGuard can still detect the malware before it is executed.

Table II shows comparisons of the detection accuracy between BrowserGuard and other similar work [21]–[24]. Some work does not provide complete data; hence, in Table II we use N/A to represent the unavailable data. IMC [24] is a signature-based solution; hence, if its database does not contain the signatures for a vulnerability, the false negative rate increases to 48%. Besides, [25] recently proposed an approach to bypass Nozzle’s detection. Hence, the table shows that BrowserGuard is an accurate solution.

B. Performance Overhead

Static code analysis shows that the performance overhead imposed by BrowserGuard is mainly caused by the following operations. First, when an object is about to be navigated, BrowserGuard performs some memory accesses to add the URL of the object to the white-list. Second, BrowserGuard needs to read the header of a downloaded file to check whether the first two bytes of the file are “MZ”. Third, BrowserGuard needs to execute extra code to handle event reception and API hooking.

To evaluate the performance overhead introduced by BrowserGuard, we measured the time between the moment when a browser issues a request to view a web page and the moment when the browser finishes downloading the web page, with and without BrowserGuard. We chose 5 web pages from Alexa Top Sites for our measurements. For each web site, we timed the above operations 2000 times to collect the statistics. The extra time introduced by BrowserGuard is almost fixed; hence, when a user visits a web page, the performance overhead imposed by BrowserGuard is determined by the original time needed to download the web page. The original download time is affected by many factors, such as the workload of a web site, the size of a web page, the computation power of a web site, the transmission time of a web page, and so on. To reduce the influence of the above factors, we mirrored all tested web pages on a separate local server. Hence, the whole testing environment is built in a local network so that we can make sure that the measured data is minimally affected by network transmission speed. Overall, the worst case performance overhead in our tests is 2.5%. Table III lists the results.

Figure 3 shows comparisons of performance overhead between BrowserGuard and other similar work. Some work does not provide complete data; hence, in Fig. 3 we use N/A to mean the unavailable data. Figure 3 shows that BrowserGuard has low performance overhead.

TABLE I
RESULTS OF FALSE NEGATIVE TESTS. IN THIS TABLE MSB MEANS MICROSOFT SECURITY BULLETIN

Number  MSB       CVE-ID     Description                                         Result
1       MS06-014  2006-0003  RDS.Dataspace ActiveX Control Vulnerability         Blocked
2       MS06-055  2006-4868  VML Fill Method Buffer Overflow                     Blocked
3       MS06-067  2006-4777  Daxctle.ocx Keyframe Function Heap Overflow         Blocked
4       MS07-017  2007-0038  ANI LoadAniIcon Function Buffer Overflow            Blocked
5       MS07-017  2007-0038  The Malicious Executable is encoded in a jpg file.  Blocked
6       MS08-078  2008-4844  Data Binding Memory Corruption                      Blocked
7       MS09-002  2009-0075  CFunctionPointer Uninitialized Memory Corruption    Blocked
8       MS09-072  2009-3672  getElementsByTagName Memory Corruption              Blocked
9       MS10-002  2010-0249  HTML Object Memory Corruption                       Blocked
10      MS10-018  2010-0806  DHTML Behaviors Use-after-free                      Blocked

TABLE II
COMPARISONS OF THE DETECTION ACCURACY BETWEEN BROWSERGUARD AND OTHER SIMILAR WORK

                      False Positive Rate   False Negative Rate
BrowserGuard          0%                    0%
Nozzle 50% Threshold  0%                    0%
BuBBle                N/A                   0%
JSAND                 10.9%                 0.2%
IMC                   0%                    48% (0%)

TABLE III
PERFORMANCE OVERHEAD INTRODUCED BY BROWSERGUARD

Mirrored web site   BrowserGuard avg. (sec)   W/O BrowserGuard avg. (sec)   Overhead
news.yahoo.com      4.933                     4.891                         0.9%
w3.org              0.867                     0.857                         1.2%
youtube.com         1.227                     1.211                         1.3%
imdb.com            1.520                     1.483                         2.5%
facebook.com        1.538                     1.527                         0.7%

V. RELATED WORK

In this section, we discuss related work in the literature.

Many drive-by-download attacks are triggered by vulnerable ActiveX controls. Microsoft uses the Kill-Bit [26] to mitigate this problem. However, the Kill-Bit does not patch any executable. Instead, it just blocks the use of certain known vulnerable ActiveX Controls. If a particular ActiveX Control is marked as unsafe through the Kill-Bit, the ActiveX Control will never be invoked by any application. However, attackers can utilize non-ActiveX-Control vulnerabilities to launch a drive-by-download attack, and not all vulnerabilities of all ActiveX controls have been unveiled.

Many drive-by-download attacks use heap sprays [15] to accomplish the attacks. Nozzle [21] detects heap spray attacks based on the observation that shellcode used in a heap spray attack is usually prepended with a long NOP sled. Experimental results showed that Nozzle has a small number of false positives and false negatives. However, if an attacker writes NOP sleds and shellcode into a heap string after Nozzle finishes its examination, Nozzle is not able to detect the attack. Besides, elaborately created attack strings can still bypass Nozzle’s detection. Manuel Egele et al. [27] utilize the library libemu to emulate x86 instructions to detect shellcode stored in a Javascript variable. However, this solution introduces non-trivial performance overhead and elaborately created attack strings can still bypass their detection.

Fig. 3. Comparisons of performance overhead between BrowserGuard and other similar work. [Bar chart; y-axis: Overhead Factors of Page Load Time (%). Bar labels and values as extracted: BrowserGuard 1.32, Nozzle 5% Sample Rate 6.4, Nozzle 25% Sample Rate 45, BuBBle 4.82, JSAND N/A, IMC 1.5.]

HSP [28] controls the number and location of int 80 instructions in a process and hides the whereabouts of the only legal int 80 instruction; hence, HSP makes it difficult for attackers to issue a system call, let alone a heap spray attack. HSP is a compiler-based solution; hence, the current version of HSP cannot provide protection for statically linked libraries. However, very few, if any, browsers use statically linked libraries.

L. Lu et al. [29] adopt a philosophy similar to BrowserGuard’s of blocking the execution of suspicious executable files. By sandboxing all downloaded objects in a secure zone, their work, Blade, prohibits supervised processes from operating on unauthorized files in the secure zone. Blade captures user behaviors, such as clicking a mouse button on a download-related popup window, to mark user-consented downloaded files as authorized. Blade has a zero error rate. However, it may pose performance issues for non-browser processes due to the special secure zone design: once a user tries to manipulate a file, the OS should check whether this file is in the secure zone.

Gadaleta et al. [23] defeat heap sprays by randomly inserting interrupt instructions inside every Javascript string variable before storing it in the heap and reverting the modified string to the original string before using it. If the execution flow is redirected to the shellcode stored in a Javascript string variable, it cannot be successfully executed.


Another popular defense mechanism against drive-by-download attacks is the browser reputation system. In this system, before displaying a web page on a browser, the browser automatically connects to a remote database to check the reputation of the web page first. Only web pages with good reputation can be displayed on the browser. Various antivirus vendors, such as Norton SafeWeb [30], McAfee SiteAdvisor [31], and Trend Micro TrendProtect [32], adopted this approach to deal with drive-by-download attacks. However, browser reputation systems have no guarantee that all websites are under their monitoring. Besides, they have non-trivial false positives, and it takes a while to update out-of-date or wrong data in the database or to add new data to the database.

Some solutions, such as Provos et al. [1], Moshchuk et al. [33], Capture-HPC [34], and HoneyMonkey [35], use high-interaction honey browsers to visit web sites and monitor the behavior of these web sites in the underlying operating system to detect malicious web pages. The behavior includes creation of files or new processes and creation or modification of Registry entries. Cova et al. [22] utilize machine learning and anomaly detection in an emulation environment to automatically detect and analyze malicious Javascript code in malicious web pages. Their solution, JSAND, can simulate the presence of any ActiveX controls or plug-ins required by a web page. Dewald et al. [36] log critical actions triggered by the execution of Javascript code in a web page. Then, utilizing heuristics on the logs, their solution, ADSandbox, decides whether the web page is malicious. Basically these solutions are not integrated into a browser; hence, they are not able to provide real-time protection to browsers. Moreover, these solutions cannot detect malicious web content when the honey browser does not have the vulnerability that is used by the exploits in the malicious page. Furthermore, it is challenging for them to examine all web pages.

C. Song et al. [24] detect drive-by-download attacks by matching the inter-module communication events with predefined vulnerability signatures. However, its signature-based property makes it difficult to detect zero-day attacks.

VI. CONCLUSION

Drive-by-download attacks are one of the most severe security threats to computer and network systems nowadays. In this paper, we present BrowserGuard, a runtime, behavior-based solution to drive-by-download attacks. BrowserGuard analyzes the download scenario of every downloaded object. Based on the download scenario, BrowserGuard blocks the execution of any executable file that is downloaded to the host machine without the consent of a user. This lightweight technique introduces less than 2.5% performance overhead because no simulation or static web page analysis is required. BrowserGuard also does not need to maintain any attack string signatures or web site reputation data. Experimental results show that BrowserGuard has no false negatives on past exploit samples and no false positives on the top 500 ranked websites. Currently, BrowserGuard is implemented on Windows Internet Explorer 7.0 because most exploits in the wild target this version of IE. Although BrowserGuard only supports IE 7.0 on a Windows system, we believe the defense model of BrowserGuard can serve as a guide to develop similar tools for other browsers.

ACKNOWLEDGMENT

Our work is funded by the National Science Committee of Taiwan (ROC), and the numbers of the Projects are NSC 99-2220-E-008-001 and NSC 99-2219-E-008-001.

REFERENCES

[1] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose, “All your iFRAMEs point to us,” in Proc. 17th Conference on USENIX Security Symposium. USENIX Association, 2008, pp. 1–15.
[2] S. Frei, T. Dubendorfer, G. Ollmann, and M. May, “Understanding the web browser threat: examination of vulnerable online web browser populations and the ‘insecurity iceberg’,” ETH, Eidgenossische Technische Hochschule Zurich, Communication Systems Group, Tech. Rep., 2008.
[3] “NetApplications Company News (December 1, 2008).” [Online]. Available: http://www.netapplications.com/newsarticle.aspx?nid=45
[4] “National Vulnerability Database.” [Online]. Available: http://nvd.nist.gov/
[5] M. Egele, E. Kirda, and C. Kruegel, “Mitigating drive-by download attacks: challenges and open problems,” in iNetSec 2009: Open Research Problems in Network Security, 2009.
[6] “Microsoft Office Snapshot Viewer ActiveX vulnerability.” [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2463
[7] “Microsoft Security Bulletin MS06-014 - Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution.” [Online]. Available: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
[8] “Sina dloader class activex control ‘downloadandinstall’ method arbitrary file download vulnerability.” [Online]. Available: http://www.securityfocus.com/bid/30223/info
[9] C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks,” in Proc. 7th Conference on USENIX Security Symposium - Volume 7. USENIX Association, 1998, pp. 5–5.
[10] Aleph One, “Smashing the Stack For Fun and Profit,” Phrack Magazine, 1996.
[11] L.-H. Chen, F.-H. Hsu, C.-H. Huang, C.-W. Ou, C.-J. Lin, and S.-C. Liu, “A robust kernel-based solution to control-hijacking buffer overflow attacks,” Journal of Information Science and Engineering, vol. 27, no. 3, 2011.
[12] T.-C. Chiueh and F.-H. Hsu, “RAD: a compile-time solution to buffer overflow attacks,” in Proc. 21st International Conference on Distributed Computing Systems, 2001, pp. 409–417.
[13] J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt, “Automatic diagnosis and response to memory corruption vulnerabilities,” in Proc. 12th ACM Conference on Computer and Communications Security, ser. CCS ’05. ACM, 2005, pp. 223–234.
[14] “Microsoft Internet Explorer ‘window()’ Arbitrary Code Execution Vulnerability.” [Online]. Available: http://secunia.com/advisories/15546/
[15] A. Sotirov, “Heap feng shui in JavaScript,” BlackHat Europe, 2007.
[16] D. Esposito, “Browser Helper Objects: The Browser the Way You Want It.” [Online]. Available: http://msdn.microsoft.com/en-us/library/bb250436(VS.85).aspx
[17] I. Ivanov, “API hooking revealed.” [Online]. Available: http://www.codeproject.com/KB/system/hooksys.aspx
[18] “Detours.” [Online]. Available: http://research.microsoft.com/en-us/projects/detours/
[19] “Alexa Internet.” [Online]. Available: http://www.alexa.com
[20] “Metasploit.” [Online]. Available: http://www.metasploit.com
[21] P. Ratanaworabhan, B. Livshits, and B. Zorn, “NOZZLE: a defense against heap-spraying code injection attacks,” in Proc. 18th Conference on USENIX Security Symposium. USENIX Association, 2009, pp. 169–186.
[22] M. Cova, C. Kruegel, and G. Vigna, “Detection and analysis of drive-by-download attacks and malicious JavaScript code,” in Proc. 19th International Conference on World Wide Web, ser. WWW ’10. ACM, 2010, pp. 281–290.
[23] F. Gadaleta, Y. Younan, and W. Joosen, “BuBBle: A JavaScript engine level countermeasure against heap-spraying attacks,” in Engineering Secure Software and Systems, ser. Lecture Notes in Computer Science, vol. 5965. Springer, 2010, pp. 1–17.


[24] C. Song, J. Zhuge, X. Han, and Z. Ye, “Preventing drive-by download via inter-module communication monitoring,” in Proc. 5th ACM Symposium on Information, Computer and Communications Security, ser. ASIACCS ’10. ACM, 2010, pp. 124–134.
[25] Y. Ding, T. Wei, T. Wang, Z. Liang, and W. Zou, “Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks,” in Proc. 26th Annual Computer Security Applications Conference, ser. ACSAC ’10. ACM, 2010, pp. 327–336.
[26] “Microsoft Security Research & Defense.” [Online]. Available: http://blogs.technet.com/srd/archive/2008/02/06/The-Kill 2D00Bit-FAQ 3A00 -Part-1-of-3.aspx
[27] M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda, “Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks,” in Proc. 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, ser. DIMVA ’09. Springer-Verlag, 2009, pp. 88–106.
[28] F.-H. Hsu, C.-H. Huang, C.-H. Hsu, C.-W. Ou, L.-H. Chen, and P.-C. Chiu, “HSP: A solution against heap sprays,” Journal of Systems and Software, vol. 83, pp. 2227–2236, 2010.
[29] L. Lu, V. Yegneswaran, P. Porras, and W. Lee, “BLADE: an attack-agnostic approach for preventing drive-by malware infections,” in Proc. 17th ACM Conference on Computer and Communications Security, ser. CCS ’10. ACM, 2010, pp. 440–450.
[30] “Norton Safe Web.” [Online]. Available: http://safeweb.norton.com/
[31] “McAfee SiteAdvisor.” [Online]. Available: http://safeweb.norton.com/
[32] “Trend Micro’s TrendProtect.” [Online]. Available: http://www.trendsecure.com/portal/en-US/tools/security tools/trendprotect
[33] A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy, “SpyProxy: execution-based detection of malicious web content,” in Proc. 16th Conference on USENIX Security Symposium. USENIX Association, 2007, pp. 3:1–3:16.
[34] “The Honeynet Project. Capture-HPC.” [Online]. Available: https://projects.honeynet.org/capture-hpc
[35] Y.-M. Wang, D. Becker, and X. Jiang, “Automated web patrol with Strider HoneyMonkeys: Finding web sites that exploit browser vulnerabilities,” in Proc. Symposium on Network and Distributed System Security, 2006.
[36] A. Dewald, T. Holz, and F. C. Freiling, “ADSandbox: sandboxing JavaScript to fight malicious websites,” in Proc. 2010 ACM Symposium on Applied Computing, ser. SAC ’10. ACM, 2010, pp. 1859–1864.

Fu-Hau Hsu received his Ph.D. degree in the Department of Computer Science from Stony Brook University, New York, USA, in 2004. He is an assistant professor at National Central University and has had an appointment in the Department of Computer Science and Information Engineering since August 2005. He is affiliated with the Advanced Defense Lab and the Wireless and Multimedia Lab.

Chang-Kuo Tso is a Ph.D. student in the Department of Computer Science and Information Engineering of National Central University. He received his M.S. degree in computer science and information engineering from National Central University, Taoyuan, Taiwan, in 2009. His research covers security issues in OS design, mobile devices, especially Windows Mobile and Android, and network security.

Yi-Chun Yeh received the B.S. degree in computer science and engineering from Tatung University in 2007, and the M.S. degree in computer science and information engineering from National Central University in 2009. He is currently working toward the Ph.D. degree in the Department of Computer Science and Information Engineering, National Central University, with Prof. Fu-Hau Hsu. His research interests include malware technology, firmware development, operating systems and mobile security.

Wei-Jen Wang is an Assistant Professor of Computer Science and Information Engineering at National Central University, Taiwan. He received his B.S. degree and M.S. degree in computer information science from National Chiao Tung University, Taiwan, in 1997 and 1999, respectively. He received his Ph.D. in computer science from Rensselaer Polytechnic Institute in 2006. His research interests include concurrent programming models and languages, cloud/grid/Internet computing, distributed garbage collection, and data hiding.

Li-Han Chen is a Ph.D. student in the Department of Computer Science and Information Engineering of National Central University. He received his M.S. degree in computer science and information engineering from National Central University, Taoyuan, Taiwan, in 2008, and his B.S. degree in chemical engineering from National Tsing Hua University. His research areas include mobile security, operating systems, and network security.

