Begin forwarded message:
> *From:* Ankur Taly <at...@stanford.edu <mailto:at...@stanford.edu>>
> *Date:* May 29, 2012 8:36:39 AM PDT
> *To:* security-seminar <security...@lists.stanford.edu <mailto:security...@lists.stanford.edu>>
> *Subject:* *TOMORROW - May 30 - Rozzle: De-Cloaking Internet Malware
> with Multi-Execution - Ben Livshits*
>
> Title: Rozzle: De-Cloaking Internet Malware with Multi-Execution
>
> Speaker: Ben Livshits
>
> Abstract:
>
> While static and runtime methods for malware detection have been proposed
> in the literature, both on the client side, for just-in-time
> in-browser detection, as well as offline, crawler-based malware
> discovery, these approaches encounter the same fundamental limitation.
> Web-based malware tends to be environment-specific, targeting a
> particular browser, often attacking specific versions of installed
> plugins. This targeting occurs because the malware exploits
> vulnerabilities in specific plugins and fails otherwise. As a result, a
> fundamental limitation for detecting a piece of malware is that
> malware is triggered infrequently, only showing itself when the right
> environment is present. In fact, we observe that using current
> fingerprinting techniques, just about any piece of existing malware
> may be made virtually undetectable with the current generation of
> malware scanners.
> In our upcoming Oakland S&P 2012 paper, we propose Rozzle, a
> JavaScript multi-execution virtual machine, as a way to explore
> multiple execution paths within a single execution so that
> environment-specific malware will reveal itself. Using large-scale
> experiments, we show that Rozzle increases the detection rate for
> offline runtime detection by almost seven times. In addition, Rozzle
> triples the effectiveness of online runtime detection. We show that
> Rozzle incurs virtually no runtime overhead and allows us to replace
> multiple VMs running different browser configurations with a single
> Rozzle-enabled browser, reducing the hardware requirements, network
> bandwidth, and power consumption.
>
> References:
>
> Bio:
>
> Ben has published papers at PLDI, POPL, Oakland Security, Usenix
> Security, CCS, SOSP, ICSE, FSE, and many other venues. He is known for
> his work in software reliability and especially tools to improve
> software security, with a primary focus on approaches to finding
> buffer overruns in C programs and a variety of security
> vulnerabilities (cross-site scripting, SQL injections, etc.) in
> Web-based applications. He is the author of several dozen academic
> papers and patents. Lately he has been focusing on how Web 2.0
> application and browser reliability, performance, and security can be
> improved through a combination of static and runtime techniques. Ben
> generally does not speak of himself in the third person.
>
> Date: May 30 2012 (Wednesday)
> Time: 1630 hrs
> Place: Gates 463A