BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Talks.cam//talks.cam.ac.uk// X-WR-CALNAME:Talks.cam BEGIN:VEVENT SUMMARY:Rozzle: De-Cloaking Internet Malware - Ben Livshits DTSTART:20150916T120000Z DTEND:20150916T130000Z UID:TALK60682@talks.cam.ac.uk CONTACT:Peter Sewell DESCRIPTION:In recent years\, attacks that exploit vulnerabilities in brow sers and their associated plugins have increased significantly. These atta cks are often written in JavaScript and literally millions of URLs contain such malicious content.\n\nWhile static and runtime methods for malware d etection been proposed in the literature\, both on the client side\, for j ust-in-time in-browser detection\, as well as offline\, crawler-based malw are discovery\, these approaches encounter the same fundamental limitation . Web-based malware tends to be environment-specific\, targeting a particu lar browser\, often attacking specific versions of installed plugins. This targeting occurs because the malware exploits vulnerabilities in specific plugins and fail otherwise. As a result\, a fundamental limitation for de tecting a piece of malware is that malware is triggered infrequently\, onl y showing itself when the right environment is present. In fact\, using cu rrent fingerprinting techniques\, just about any piece of existing malware may be made virtually undetectable with the current generation of malware scanners.\n\nWe propose Rozzle\, a JavaScript multi-execution virtual mac hine\, as a way to explore multiple execution paths within a single execut ion\, designed for environment-specific malware to reveal itself. Using la rge-scale experiments\, we show that Rozzle increases the detection rate f or offline runtime detection by almost seven times. We show that Rozzle in curs virtually no runtime overhead and allows us to replace multiple VMs r unning different browser configurations with a single Rozzle-enabled brows er\, reducing the hardware requirements\, network bandwidth\, and power co nsumption. LOCATION:FW11 END:VEVENT END:VCALENDAR