Nozzle:
Runtime heap spray detector
Nozzle is a runtime monitoring infrastructure that detects attempts by attackers to spray the heap. Nozzle uses lightweight emulation techniques to detect the presence of objects that contain executable code. To reduce false positives, we developed a notion of global “heap health”.
The Nozzle lightweight emulator scans heap allocated object data to identify valid x86 code sequences, disassembling the code and building a control flow graph. Because the attack jump target cannot be precisely controlled, the emulator follows control flow to identify basic blocks that are likely to be reached through jumps from multiple offsets into the object.
We have developed a novel approach to mitigating this problem using global heap health metrics, which effectively distinguishes benign allocation behavior from malicious attacks. Fortunately, an inherent property of heap spraying attacks is the fact that such attacks affect the heap globally. Consequently, Nozzle exploits this property to drastically reduce the false positive rate.
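The following is an added example, not Nozzle's code: a toy scan that decodes a dozen x86 opcodes inside each heap object, follows fallthrough and short jumps from every byte offset, and counts how many entry offsets reach the same instruction (a simplified version of the surface-area idea described above, where a block reachable from many offsets is what a sprayed object looks like). The per-heap metric, the 0.5 threshold, the opcode subset, and the sample objects are all assumptions made for this illustration; the real system disassembles full x86 and uses a more elaborate metric.

```python
# Added example (not Nozzle's code): toy "surface area" scan over heap objects.
from collections import Counter

# Constructed opcode subset. One-byte instructions that fall through to the next
# byte: nop, inc/dec eax/ecx, push/pop eax. Any byte not listed is treated as
# undecodable, which ends the path there.
FALLTHROUGH_1 = {0x90, 0x40, 0x41, 0x48, 0x49, 0x50, 0x58}
MOV_EAX_IMM32 = 0xB8      # 5 bytes, falls through
JMP_SHORT = 0xEB          # 2 bytes, unconditional, target = next + rel8
JCC_SHORT = {0x74, 0x75}  # je/jne rel8: falls through or jumps
RET = 0xC3                # 1 byte, ends the path


def decode(obj, pc):
    """Return (length, successor addresses) for the instruction at pc, or None
    if the byte is outside the toy subset or the instruction runs off the object."""
    if pc < 0 or pc >= len(obj):
        return None
    op = obj[pc]
    if op in FALLTHROUGH_1:
        return 1, [pc + 1]
    if op == RET:
        return 1, []
    if op == MOV_EAX_IMM32:
        return (5, [pc + 5]) if pc + 5 <= len(obj) else None
    if op == JMP_SHORT or op in JCC_SHORT:
        if pc + 2 > len(obj):
            return None
        rel = obj[pc + 1] - 256 if obj[pc + 1] >= 0x80 else obj[pc + 1]
        target = pc + 2 + rel
        return 2, ([target] if op == JMP_SHORT else [pc + 2, target])
    return None


def reachable(obj, start):
    """Addresses of decodable instructions executed when control enters at start.
    The visited set also terminates self-loops such as a jump to itself."""
    seen, work = set(), [start]
    while work:
        pc = work.pop()
        if pc in seen:
            continue
        dec = decode(obj, pc)
        if dec is None:
            continue          # undecodable byte or out of range: path ends
        seen.add(pc)
        work.extend(dec[1])
    return seen


def surface_area(obj):
    """Largest number of entry offsets that reach one instruction, and the same
    value normalized by object size (0.0 for an empty object)."""
    hits = Counter()
    for start in range(len(obj)):
        hits.update(reachable(obj, start))
    top = max(hits.values(), default=0)
    return top, (top / len(obj) if obj else 0.0)


def heap_attack_surface(objects):
    """Size-weighted mean of normalized surface area over all live objects: a
    toy stand-in for a global heap metric (assumption, not Nozzle's definition)."""
    total = sum(len(o) for o in objects)
    if total == 0:
        return 0.0
    return sum(surface_area(o)[0] for o in objects) / total


def heap_looks_sprayed(objects, threshold=0.5):
    """Threshold chosen for this illustration only."""
    return heap_attack_surface(objects) > threshold


# Constructed objects: a sled-like block (58 nops, a 5-byte mov, a ret) and an
# ordinary application string zero-padded to the same 64-byte size.
SLED = bytes([0x90] * 58) + bytes([0xB8, 0, 0, 0, 0, 0xC3])
TEXT = b"Hello World, PAX 1.0 rocks!".ljust(64, b"\x00")

if __name__ == "__main__":
    print("sled", surface_area(SLED))                                  # (60, 0.9375)
    print("text", surface_area(TEXT))                                  # (3, 0.046875)
    print("sprayed heap", heap_looks_sprayed([SLED] * 90 + [TEXT] * 10))  # True
    print("benign heap", heap_looks_sprayed([TEXT] * 100))             # False
```

The text object scores low even though a few of its bytes ("H", "PAX") happen to decode, because those chains end after one to three instructions; the sled scores high because almost every entry offset funnels into the same tail. Weighting by size across the whole heap is what keeps one odd-looking benign object from raising an alarm on its own.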
Zozzle:
Mostly static JavaScript malware detector
Zozzle is a low-overhead solution for detecting and preventing JavaScript malware that is fast enough to be deployed in the browser.
Our approach uses Bayesian classification of hierarchical features of the JavaScript abstract syntax tree to identify syntax elements that are highly predictive of malware.
Our experimental evaluation shows that Zozzle is able to detect JavaScript malware effectively through mostly static code analysis. Zozzle has an extremely low false positive rate of 0.0003, which is less than one in a quarter million. Despite this high accuracy, the Zozzle classifier is very fast, with a throughput of over 1 MB of JavaScript code per second.
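As an added illustration of the hierarchical-feature idea (this is not Zozzle's code), the block below extracts (context, identifier) pairs from JavaScript with a small token scanner that tracks the innermost enclosing construct, then trains a naive Bayes classifier with Laplace smoothing on a handful of constructed snippets. The scanner stands in for a real AST walk, the training snippets and the labels are made up for the example, and the feature selection step used by the real classifier is omitted.

```python
# Added example, not Zozzle's code: (context, identifier) features from a token
# scanner, classified with naive Bayes.
import math
import re
from collections import Counter

# Keywords that open a construct; identifiers under them get that keyword as context.
BLOCK_KEYWORDS = {"function", "for", "while", "do", "if", "else", "switch",
                  "try", "catch", "finally"}
# Keywords skipped rather than treated as identifiers.
OTHER_KEYWORDS = {"var", "let", "const", "return", "new", "typeof", "instanceof",
                  "in", "of", "true", "false", "null", "this", "break", "continue",
                  "case", "default"}
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|\d[\w.]*|[A-Za-z_$][\w$]*|[{}]')


def features(js):
    """Set of (context, identifier) pairs. Context is the innermost enclosing
    construct keyword or "toplevel"; a construct's header (before its "{") is
    attributed to that construct. Brace-less single-statement bodies are not
    modelled, which is a limitation of this stand-in scanner."""
    stack, pending, found = [], None, set()
    for match in TOKEN.finditer(js):
        tok = match.group()
        if tok[0] in "\"'" or tok[0].isdigit():
            continue                       # string and number literals carry no identifier
        if tok == "{":
            stack.append(pending or (stack[-1] if stack else "toplevel"))
            pending = None
        elif tok == "}":
            if stack:
                stack.pop()
        elif tok in BLOCK_KEYWORDS:
            pending = tok
        elif tok in OTHER_KEYWORDS:
            continue
        else:
            found.add((pending or (stack[-1] if stack else "toplevel"), tok))
    return found


class NaiveBayes:
    """Presence-based naive Bayes with Laplace smoothing over feature sets."""

    def __init__(self):
        self.docs = Counter()   # label -> number of training snippets
        self.df = {}            # label -> Counter(feature -> snippets containing it)

    def train(self, js, label):
        self.docs[label] += 1
        self.df.setdefault(label, Counter()).update(features(js))

    def _log_posterior(self, label, feats):
        n = self.docs[label]
        prior = math.log(n / sum(self.docs.values()))
        df = self.df.get(label, Counter())
        return prior + sum(math.log((df[f] + 1) / (n + 2)) for f in feats)

    def log_odds(self, js):
        """log P(malicious | feats) - log P(benign | feats); positive means malicious."""
        feats = features(js)
        return self._log_posterior("malicious", feats) - self._log_posterior("benign", feats)

    def is_malicious(self, js):
        return self.log_odds(js) > 0


# Constructed training snippets; a real deployment trains on many labelled scripts.
TRAINING = [
    ('function init() { var box = document.getElementById(id); box.innerHTML = text; }', "benign"),
    ('for (var i = 0; i < items.length; i++) { total += items[i].price; }', "benign"),
    ('function onSubmit() { if (form.value.length > 0) { fetch(url); } }', "benign"),
    ('function run() { var s = ""; for (var i = 0; i < 500; i++) { s += unescape(str); } eval(s); }', "malicious"),
    ('var sled = unescape(block); while (heap.length < limit) { heap.push(sled); }', "malicious"),
    ('try { for (var j = 0; j < 300; j++) { chunks[j] = unescape(piece); } } catch (e) { eval(fallback); }', "malicious"),
]

# Constructed unseen snippets used to exercise the trained classifier.
MALICIOUS_SAMPLE = 'for (var k = 0; k < n; k++) { buf += unescape(chunk); } eval(buf);'
BENIGN_SAMPLE = 'function draw() { var c = document.getElementById(target); c.innerHTML = label; }'


def build_classifier():
    clf = NaiveBayes()
    for js, label in TRAINING:
        clf.train(js, label)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    print(sorted(features(MALICIOUS_SAMPLE)))
    print(clf.log_odds(MALICIOUS_SAMPLE), clf.is_malicious(MALICIOUS_SAMPLE))  # positive, True
    print(clf.log_odds(BENIGN_SAMPLE), clf.is_malicious(BENIGN_SAMPLE))        # negative, False
```

The context is what makes the feature informative: in the training set, `unescape` seen under a `for` body is a malicious-only feature, while the same identifier at top level or under a `function` is not, so the classifier does not simply react to the name. With only six training snippets, unseen features contribute nothing to the score, which is why a larger corpus and feature selection matter in practice.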
Rozzle:
Multi-execution approach to revealing cloaking JavaScript malware
In recent years, attacks that exploit vulnerabilities in browsers and their associated plugins have increased significantly. These attacks are often written in JavaScript and literally millions of URLs contain such malicious content.
While static and runtime methods for malware detection have been proposed in the literature, both on the client side, for just-in-time in-browser detection, and offline, for crawler-based malware discovery, these approaches encounter the same fundamental limitation. Web-based malware tends to be environment-specific, targeting a particular browser and often attacking specific versions of installed plugins. This targeting occurs because the malware exploits vulnerabilities in specific plugins and fails otherwise. As a result, a fundamental limitation for detecting a piece of malware is that the malware is triggered infrequently, only showing itself when the right environment is present. In fact, we observe that, using current fingerprinting techniques, just about any piece of existing malware may be made virtually undetectable with the current generation of malware scanners.
Rozzle is a JavaScript multi-execution virtual machine, a way to explore multiple execution paths within a single execution so that environment-specific malware will reveal itself. Using large-scale experiments, we show that Rozzle increases the detection rate for offline runtime detection by almost seven times. In addition, Rozzle triples the effectiveness of online runtime detection. We show that Rozzle incurs virtually no runtime overhead and allows us to replace multiple VMs running different browser configurations with a single Rozzle-enabled browser, reducing the hardware requirements, network bandwidth, and power consumption.
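The multi-execution idea above, as an added toy example that is not Rozzle's code: a small interpreter runs a script whose branches depend on browser environment queries. With a concrete browser, each query answers normally and only one arm of every branch runs; with the symbolic environment, every query is undecided and both arms run in the same pass, so environment-specific behaviour is revealed in a single execution. The program shape, the `ua_contains` and `plugin_version` query names, the action labels and the user agent strings are all constructed for this illustration; the real system works inside the JavaScript engine on symbolic values and merges state, which this toy does not attempt.

```python
# Added example, not Rozzle's code: single execution versus multi-execution of
# an environment-dependent script.


class _Undecided:
    def __repr__(self):
        return "UNDECIDED"


UNDECIDED = _Undecided()


class Symbolic:
    """A value read from the environment under multi-execution; any comparison
    on it is undecided, so the interpreter must cover both outcomes."""

    def __init__(self, name):
        self.name = name

    def __lt__(self, other): return UNDECIDED
    def __le__(self, other): return UNDECIDED
    def __gt__(self, other): return UNDECIDED
    def __ge__(self, other): return UNDECIDED
    def __eq__(self, other): return UNDECIDED
    def __ne__(self, other): return UNDECIDED


class Browser:
    """Concrete environment: one user agent string and a plugin -> version map."""

    def __init__(self, user_agent, plugins):
        self.user_agent, self.plugins = user_agent, plugins

    def ua_contains(self, needle):
        return needle in self.user_agent

    def plugin_version(self, name):
        return self.plugins.get(name, 0)   # 0 means "not installed"


class AnyBrowser:
    """Multi-execution environment: every query yields a symbolic answer."""

    def ua_contains(self, needle):
        return UNDECIDED

    def plugin_version(self, name):
        return Symbolic(name)


def execute(program, env, trace=None):
    """Run a program given as a list of ("do", action) and
    ("if", condition, then_block, else_block) statements and return the actions
    performed, in order. An undecided condition runs both arms in the same pass:
    one run covers every environment the script distinguishes."""
    trace = [] if trace is None else trace
    for stmt in program:
        if stmt[0] == "do":
            trace.append(stmt[1])
        else:
            _, condition, then_block, else_block = stmt
            outcome = condition(env)
            if outcome is UNDECIDED:
                execute(then_block, env, trace)
                execute(else_block, env, trace)
            else:
                execute(then_block if outcome else else_block, env, trace)
    return trace


def hidden_behaviour(program, concrete_env):
    """Actions that a single run in concrete_env would never observe."""
    return set(execute(program, AnyBrowser())) - set(execute(program, concrete_env))


# Constructed script shape: one browser-specific path checks an old plugin
# version before doing anything unusual; other browsers see ordinary behaviour.
PROGRAM = [
    ("if", lambda e: e.ua_contains("MSIE"),
        [("if", lambda e: e.plugin_version("Reader") < 9,
            [("do", "stage2:reader")],
            [("do", "benign:ad")])],
        [("do", "benign:redirect")]),
    ("do", "benign:analytics"),
]

# Constructed environments.
FIREFOX = Browser("Mozilla/5.0 (X11; Linux) Gecko Firefox/10.0", {})
OLD_IE = Browser("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", {"Reader": 8})

if __name__ == "__main__":
    print(execute(PROGRAM, FIREFOX))           # ['benign:redirect', 'benign:analytics']
    print(execute(PROGRAM, OLD_IE))            # ['stage2:reader', 'benign:analytics']
    print(execute(PROGRAM, AnyBrowser()))      # all four actions in one run
    print(hidden_behaviour(PROGRAM, FIREFOX))  # {'stage2:reader', 'benign:ad'}
```

A scanner running only the Firefox configuration never reaches the `stage2:reader` action and would have to be re-run under each browser and plugin combination to find it; the symbolic run surfaces it once, which is the saving in VMs, bandwidth and power the text refers to. Downstream detectors such as Nozzle or Zozzle then get to inspect code that a single-environment run would have left dormant.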
- Ben Livshits
- Ben Zorn
- Paruj Ratanaworabhan, Kasetsart University
- Charlie Curtsinger, UMass Amherst
- Scott Kaplan, Amherst College
- Microsoft Research has cooked up ‘Zozzle,’ a tool to detect malicious JavaScript
- Microsoft Research Develops Zozzle JavaScript Malware Detection Tool
- Microsoft Builds JavaScript Malware Detection Tool (SlashDot)
- “Nozzle: Counteracting Memory Exploits”, by Janie Chang, Dr. Dobbs Journal, November 24, 2009
- MSDN Channel 9 Video: “Heap Spraying Attack Detection with Nozzle”, Ben Livshits and Ben Zorn, interviewed by Peli de Halleux, March 25, 2009
People
Ricardo Gutierrez
Senior Software Engineer
Ben Zorn
Partner Researcher