Rozzle: De-Cloaking Internet Malware with Multi-Execution
Ben Livshits
Abstract:
While static and runtime methods for malware detection have been proposed
in the literature, both on the client side, for just-in-time
in-browser detection, and offline, for crawler-based malware
discovery, these approaches encounter the same fundamental limitation.
Web-based malware tends to be environment-specific, targeting a
particular browser, often attacking specific versions of installed
plugins. This targeting occurs because the malware exploits
vulnerabilities in specific plugins and fails otherwise. As a result, a
fundamental limitation for detecting a piece of malware is that
malware is triggered infrequently, only showing itself when the right
environment is present. In fact, we observe that using current
fingerprinting techniques, just about any piece of existing malware
may be made virtually undetectable with the current generation of
malware scanners.
In our upcoming Oakland S&P 2012 paper, we propose Rozzle, a
JavaScript multi-execution virtual machine, as a way to explore
multiple execution paths within a single execution so that
environment-specific malware will reveal itself. Using large-scale
experiments, we show that Rozzle increases the detection rate for
offline runtime detection by almost seven times. In addition, Rozzle
triples the effectiveness of online runtime detection. We show that
Rozzle incurs virtually no runtime overhead and allows us to replace
multiple VMs running different browser configurations with a single
Rozzle-enabled browser, reducing the hardware requirements, network
bandwidth, and power consumption.
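As an added example (not Rozzle's code and not from the paper), the following toy model in JavaScript illustrates the idea of multi-execution: a script that reads its environment only through an assumed `env.test(description)` call is re-run once per distinct path, with every environment predicate forced to both outcomes, so that code guarded by browser or plugin checks is reached regardless of the real environment. The names `exploreAllPaths`, `sinksReached`, `env.sink` and the constructed `sampleScript` are assumptions of this toy, not Rozzle's API.

```javascript
// Toy model of multi-path exploration of environment checks (added example; not
// Rozzle's code). The script under analysis reads its environment only through
// `env.test(description)`, so each call is a branch point. We re-run the script
// once per distinct path, forcing every branch point to both outcomes, and record
// which sinks (markers for environment-specific code) each path reaches.
function exploreAllPaths(script, maxPaths = 64, maxDepth = 32) {
  const results = [];
  const pending = [[]];                 // decision prefixes still to be explored
  while (pending.length > 0 && results.length < maxPaths) {
    const decisions = pending.shift().slice();
    const trace = [];
    const sinks = [];
    let depth = 0;
    const env = {
      // Instead of consulting the real browser, return the forced outcome for
      // this path; the first time a branch point is seen, queue its alternative.
      test(description) {
        if (depth >= maxDepth) throw new Error('path too long');
        if (depth >= decisions.length) {
          decisions.push(true);
          pending.push(decisions.slice(0, depth).concat(false));
        }
        trace.push(`${description} => ${decisions[depth]}`);
        return decisions[depth++];
      },
      sink(label) { sinks.push(label); }
    };
    try { script(env); } catch (e) { sinks.push('exception: ' + e.message); }
    results.push({ decisions, trace, sinks });
  }
  return results;
}

// Union of sinks reached on any path: what a multi-execution scanner observes
// from a single run, versus the one path a concrete environment would take.
function sinksReached(script) {
  return [...new Set(exploreAllPaths(script).flatMap(r => r.sinks))].sort();
}

// Constructed sample: fingerprints the environment and stays dormant unless the
// checks pass, the cloaking pattern the abstract describes.
function sampleScript(env) {
  if (!env.test('userAgent is MSIE')) return;              // dormant elsewhere
  if (env.test('plugin Foo version == 1.2')) env.sink('foo-1.2-specific-code');
  else if (env.test('plugin Bar present')) env.sink('bar-specific-code');
  env.sink('generic-code');
}
```

A single concrete run of `sampleScript` in a non-MSIE environment reaches no sink at all, whereas `sinksReached(sampleScript)` lists all three from one multi-path run.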
Ben has published papers at PLDI, POPL, Oakland Security, Usenix Security, CCS, SOSP, ICSE, FSE, and many other venues. He is known for his work in software reliability and especially tools to improve software security, with a primary focus on approaches to finding buffer overruns in C programs and a variety of security vulnerabilities (cross-site scripting, SQL injections, etc.) in Web-based applications. He is the author of several dozen academic papers and patents. Lately he has been focusing on how Web 2.0 application and browser reliability, performance, and security can be improved through a combination of static and runtime techniques. Ben generally does not speak of himself in the third person.