Xinran Wang, Palo Alto Networks
Java vulnerabilities are becoming the most popular exploit vector in the wild. Three zero-day Java vulnerabilities were found in the wild in just the first two months of 2013. Because Java is so widely deployed in browsers and Java exploits are so reliable, they are heavily used in numerous infamous exploit kits such as Blackhole and Redkit. According to VirusTotal, the number of Java exploit samples submitted has increased from 8,000 at the beginning of this year to 300,000 at the beginning of March. It is very challenging to accurately identify the vulnerabilities, if any, used in the Java exploit samples, not only because of the huge volume of samples, but also because of the advanced obfuscation techniques used.
In this paper, we first explain the Java security model, demonstrate several recent zero-day exploits, and show why a Java vulnerability is much more reliable to exploit than a buffer overflow. Several Java exploit samples from popular exploit kits are dissected. We analyse common obfuscation techniques and show why static analysis is ineffective for analysing Java exploits. Then we present a dynamic analysis tool. The tool records calls to the Java Core API during the execution of a Java exploit, and the recorded API traces are used to identify known vulnerabilities. Furthermore, we propose several heuristics in the tool for identifying zero-day exploits. Finally, we report the results of an experiment based on over 5,000 Java exploit samples and 5,000 benign Java applets collected in the wild. The results show that the tool identified the known vulnerabilities used by the exploit code with very few false positives and false negatives.
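As an added illustration of the trace-matching idea described above (this is example code, not the paper's tool): a recorded Java Core API trace is checked against ordered signatures of known exploit patterns, and a signature-independent heuristic flags traces that match no known pattern. The signature contents, the traces and the choice of heuristic are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Call:
    """One recorded Java Core API call: fully qualified method and its argument values."""
    method: str
    args: Tuple = ()


# Constructed signature (hypothetical, not the paper's): API methods that must appear
# in the trace in this order; unrelated calls may be interleaved between them.
SIGNATURES: Dict[str, List[str]] = {
    "CONSTRUCTED-SIG-A": [
        "java.lang.Class.forName",
        "java.lang.reflect.Method.invoke",
        "java.lang.System.setSecurityManager",
    ],
}


def matches_signature(trace: List[Call], signature: List[str]) -> bool:
    """Ordered subsequence match: advance through the signature as each method is seen."""
    i = 0
    for call in trace:
        if i < len(signature) and call.method == signature[i]:
            i += 1
    return i == len(signature)


def heuristic_flags(trace: List[Call]) -> List[str]:
    """Assumed heuristic for unknown traces: removing the security manager means the
    sandbox has been escaped, whatever API sequence led there."""
    return ["security-manager-removed" for c in trace
            if c.method == "java.lang.System.setSecurityManager" and c.args == (None,)]


def analyze(trace: List[Call]) -> Dict[str, object]:
    """Return matched known signatures, heuristic flags, and an overall verdict."""
    known = [name for name, sig in SIGNATURES.items() if matches_signature(trace, sig)]
    flags = heuristic_flags(trace)
    verdict = ("known-vulnerability" if known
               else "suspected-zero-day" if flags else "benign")
    return {"known": known, "flags": flags, "verdict": verdict}


# Constructed sample traces, labelled as such (not captured from real samples).
KNOWN_TRACE = [Call("java.applet.Applet.init"), Call("java.lang.Class.forName", ("java.lang.System",)),
               Call("java.lang.reflect.Method.invoke"), Call("java.lang.System.setSecurityManager", (None,))]
UNKNOWN_TRACE = [Call("java.applet.Applet.init"), Call("java.lang.System.setSecurityManager", (None,))]
BENIGN_TRACE = [Call("java.applet.Applet.init"), Call("java.awt.Graphics.drawString", ("hello",))]
```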
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.