ADSandbox: Sandboxing JavaScript to fight Malicious Websites

Another project we were working on recently is automated analysis of JavaScript: many of the current drive-by download attacks are triggered by heap-spraying with the help of JavaScript. In order to develop new kinds of honeyclients and to potentially also protect end-users from this threat, we developed a dynamic approach to analyze JavaScript. The basic idea is to instrument a JavaScript interpreter and profile the execution of the code. With the help of certain heuristics, we can then detect malicious code. Full details are available in the paper. The paper itself will appear at the 25th ACM Symposium On Applied Computing (SAC'10) in March 2010.

Abstract:
We present ADSandbox, an analysis system for malicious websites that focusses on detecting attacks through JavaScript. Since, in contrast to Java, JavaScript does not have any built-in sandbox concept, the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. Using heuristics on these logs, ADSandbox decides whether the site is malicious or not. In contrast to previous work, this approach combines generality with usability, since the system is executed directly on the client running the web browser before the web page is displayed. We show that we can achieve false positive rates close to 0% and false negative rates below 15% with a performance overhead of only a few seconds, which is a bit high for real-time application, but supposes a great potential for future versions of our tool.

This paper was joint work with Andreas Dewald and Felix C. Freiling. You can get the paper at http://honeyblog.org/junkyard/paper/adsandbox-sac10.pdf.
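
The log-then-classify idea from the abstract, as an added sketch that is not ADSandbox's code: a Proxy stands in for the instrumented interpreter, and the modelled host objects (`document.write`, `unescape`, `eval`), the two heuristics and the sample scripts are assumptions made for illustration.

```javascript
// Added illustration, not ADSandbox's code. A Proxy stands in for the global
// scope of an instrumented interpreter; host objects and heuristics are
// assumptions. A Proxy scope is not a security boundary.
function runInstrumented(source) {
  const log = [];
  const record = (action, detail) =>
    log.push({ action, detail: String(detail).slice(0, 300) });
  const host = {
    __proto__: null,
    document: { write: (html) => void record("document.write", html) },
    unescape: (s) => {
      const decoded = unescape(s);
      record("unescape", decoded);
      return decoded;
    },
    eval: (code) => void record("eval", code), // logged only, never executed
  };
  const scope = new Proxy(host, {
    has: () => true, // every free identifier resolves through the proxy
    get(target, name) {
      if (typeof name === "symbol") return undefined;
      if (!(name in target)) record("unknown-global", name);
      return target[name];
    },
  });
  try {
    new Function("scope", "with (scope) {\n" + source + "\n}")(scope);
  } catch (err) {
    record("exception", err.message);
  }
  return log;
}

function classify(log) {
  const reasons = [];
  const decoded = new Set();
  for (const { action, detail } of log) {
    if (action === "unescape") decoded.add(detail);
    if (action !== "document.write") continue;
    if (decoded.has(detail)) reasons.push("decoded string written to page");
    if (/<iframe\b[^>]*\b(width|height)=["']?0\b/i.test(detail))
      reasons.push("zero-sized iframe injected");
  }
  return { malicious: reasons.length > 0, reasons };
}
// Constructed samples; example.invalid never resolves.
const BENIGN = 'document.write("<p>Hello</p>");';
const ENCODED = "%3Ciframe%20src%3D%22http%3A//example.invalid/%22%20width%3D0%20height%3D0%3E%3C/iframe%3E";
const SUSPICIOUS = `var s = unescape("${ENCODED}"); document.write(s);`;
```

`classify(runInstrumented(SUSPICIOUS))` reports both heuristics, while `BENIGN` produces a log with no findings; identifiers the scope does not model are recorded as `unknown-global` so gaps in the instrumentation show up in the log.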
