DOI: 10.1145/1774088.1774482
research-article

ADSandbox: sandboxing JavaScript to fight malicious websites

Published: 22 March 2010

ABSTRACT

We present ADSandbox, an analysis system for malicious websites that focuses on detecting attacks through JavaScript. Since, in contrast to Java, JavaScript does not have any built-in sandbox concept, the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. Using heuristics on these logs, ADSandbox decides whether the site is malicious or not. In contrast to previous work, this approach combines generality with usability, since the system is executed directly on the client running the web browser before the web page is displayed. We show that we can achieve false positive rates close to 0% and false negative rates below 15% with a performance overhead of only a few seconds, which is a bit high for real-time application but suggests great potential for future versions of our tool.


Published in: SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing, March 2010, 2712 pages

ISBN: 9781605586397

DOI: 10.1145/1774088

Copyright © 2010 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

SAC '10 Paper Acceptance Rate: 364 of 1,353 submissions, 27%. Overall Acceptance Rate: 1,650 of 6,669 submissions, 25%.
