網頁服務(Web Service) 是網際網路上目前最被廣為使用的服務之一,透過瀏覽器使用各式各樣的網站提供的各種服務已成為許多人生活的一部分,瀏覽器也成為許多人與外界接觸的重要媒介。而隨著網頁瀏覽器的重要性的與日俱增與使用者的日益普及,攻擊瀏覽器已經成為現今最有效的入侵個人電腦的方式之一。最近幾年,一種被稱為「Drive-by-Download」的著名瀏覽器攻擊機制已經成功地利用瀏覽器的漏洞(如瀏覽器或安裝於其內的plug-ins 的緩衝區溢位漏洞)與惡意的網頁入侵無數的個人電腦並安裝各式各樣的惡意程式於其內。攻擊者利用各種方式(例如入侵網頁伺服器,或發起SQL injection,或利用廣告) 對存放在網頁伺服器內的網頁注入惡意的網頁程式碼。除非被攻擊者仔細地檢查網頁原始碼,否則被攻擊者的瀏覽器在瀏覽這些網頁時便會在毫無知覺下遭到攻擊,因為被注入的網頁程式碼並不會顯現在網頁上。當有漏洞的瀏覽器讀到被注入惡意程式碼的網頁時,惡意程式碼便會開始嘗試取得執行瀏覽器的電腦的控制權,並於取得控制權後秘密地下載其他各式各樣的惡意程式至該主機內並且在背景自動執行這些惡意程式。在本計畫中我們將利用Windows-BHO 在瀏覽器中部署各式各樣的檢查點以蒐集每個透過瀏覽器載入至主機的執行檔的載入流程,並根據蒐集到的流程,過濾出未經使用者認可的下載行為,以直接於瀏覽器中阻止相關執行檔的執行。此外我們也將利用Windows device driver 在Windows Kernel 中佈建各式檢查機置以防止攻擊者閃避瀏覽器中的檢查點或偽造檢查結果。我們以執行檔下載的行為模式為基礎的解決方案(我們稱為BrowserGuard) 將不需要分析任何網頁的內容,也不需動態分析網頁中 Script 變數的內容,便能直接阻擋瀏覽器去執行那些被秘密下載下來的執行檔。我們計畫將BrowserGuard 實作在Windows 上的Internet Explorer 7.0 的瀏覽器上,我們預期我們的成果將會有很高的精確度,但只會造成系統很小的負擔。 Along with an increasing user population of various web applications, browser-based drive-by-download attacks soon become one of the most common security threats to the cyber community. A user using a vulnerable browser or browser plug-ins may become a victim of a drive-by-download attack right after visiting a vicious web site. The end result of such attacks is that an attacker can download and execute any code on the victim’s host; hence, it allows the attacker to get the full control of the host. This project proposes a runtime, browser-based solution, BrowserGuard, to protect a browser against drive-by-download attacks. BrowserGuard records the download scenario of every file that is loaded into a host through a browser. Then based on the download scenario, BrowserGuard blocks the execution of any file that is loaded into a host without the consent of a browser user. Due to its behavior-based detection nature, BrowserGuard does not need to analyze the source file of any web page or the run-time states of any Script code, such as Javascript. BrowserGuard also does not need to maintain any exploit code samples and does not need to query the reputation value of any web site. We utilize the standard BHO mechanism of Windows to implement BrowserGuard on IE 7.0. We expect that BrowserGuard will have low performance overhead and low false positives and false negatives. 研究期間:10008 ~ 10107
