Proceedings of the 17th ACM conference on Computer and communications security - CCS '10
Web-based surreptitious malware infections (i.e., drive-by downloads) have become the primary method used to propagate malicious software onto computers across the Internet. To address this threat, we present a browser-independent operating system kernel extension designed to eliminate drive-by malware installations. We call this system BLADE (Block All Drive-by download Exploits). BLADE prudently asserts that all executable files delivered through browser downloads must result from explicit user consent. It transparently redirects every browser download into a non-executable secure zone on disk, and remaps to the filesystem only those browser downloads to which a programmatically inferred user consent is correlated. BLADE effectively thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content, thereby preventing successful infections. Providing such protection without requiring prior knowledge of the exploit method guarantees BLADE's immunity to circumvention techniques and zero-day threats that directly contribute to today's pervasiveness of drive-by malware. We present the design of our BLADE prototype implementation for the Microsoft Windows platform, and report results from an extensive empirical evaluation of BLADE's effectiveness on popular browsers. Our evaluation includes multiple versions of IE and Firefox, against 1,934 active malicious URLs, representing a broad spectrum of web-based exploits now plaguing the Internet. BLADE successfully blocked all drive-by malware install attempts with zero false positives and a 3% worst-case performance cost.
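The policy the abstract describes (quarantine every browser download in a non-executable zone, remap to the real filesystem only when a user-consent event correlates with it) can be modelled in a few dozen lines. The following Python simulation is an added illustration and not BLADE's code: BLADE is a Windows kernel extension, whereas here the secure zone and filesystem are in-memory dictionaries, a "consent" is a recorded (filename, timestamp) pair, and the correlation rule (same filename, consent no more than 30 seconds before the download, each consent usable once) is an assumption chosen for the example rather than the paper's actual inference logic.

```python
"""Toy model of a consent-correlated download quarantine, in the spirit of
the BLADE design. Illustrative only; the correlation rule is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed correlation window: a consent event older than this is not
# considered to explain a download.
CONSENT_WINDOW_SECONDS = 30.0


@dataclass
class ConsentEvent:
    """A user action (e.g. confirming a download dialog) observed at `timestamp`."""
    filename: str
    timestamp: float


@dataclass
class QuarantinedFile:
    """A browser download held in the non-executable secure zone."""
    filename: str
    data: bytes
    timestamp: float


@dataclass
class DownloadGuard:
    consents: List[ConsentEvent] = field(default_factory=list)
    secure_zone: Dict[str, QuarantinedFile] = field(default_factory=dict)
    filesystem: Dict[str, bytes] = field(default_factory=dict)

    def record_consent(self, filename: str, timestamp: float) -> None:
        """Called by the (simulated) UI monitor when the user explicitly agrees."""
        self.consents.append(ConsentEvent(filename, timestamp))

    def browser_download(self, filename: str, data: bytes, timestamp: float) -> bool:
        """Every browser write lands in the secure zone first; it reaches the
        real filesystem only if a matching consent event is found.
        Returns True if the file was remapped, False if it stays quarantined."""
        self.secure_zone[filename] = QuarantinedFile(filename, data, timestamp)
        return self._try_remap(filename)

    def _find_consent(self, qf: QuarantinedFile) -> Optional[ConsentEvent]:
        # Assumed rule: same filename, consent given shortly before the download.
        for c in self.consents:
            if c.filename == qf.filename and 0.0 <= qf.timestamp - c.timestamp <= CONSENT_WINDOW_SECONDS:
                return c
        return None

    def _try_remap(self, filename: str) -> bool:
        qf = self.secure_zone[filename]
        consent = self._find_consent(qf)
        if consent is None:
            return False
        self.filesystem[filename] = qf.data
        del self.secure_zone[filename]
        self.consents.remove(consent)  # a consent explains at most one download
        return True

    def can_execute(self, filename: str) -> bool:
        """Only files that were remapped to the filesystem are executable;
        anything still in the secure zone is inert."""
        return filename in self.filesystem


def demo() -> tuple:
    """Constructed scenario: one consented download, one silent drop."""
    g = DownloadGuard()
    # User confirms a download dialog for report.pdf at t=100; bytes arrive at t=102.
    g.record_consent("report.pdf", 100.0)
    consented = g.browser_download("report.pdf", b"%PDF-1.4 constructed sample", 102.0)
    # An exploit writes setup.exe through the browser with no user interaction.
    silent = g.browser_download("setup.exe", b"MZ constructed sample", 105.0)
    return consented, silent, g.can_execute("report.pdf"), g.can_execute("setup.exe")


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the write is redirected unconditionally, and the decision to expose a file is made from evidence of user intent rather than from any knowledge of the exploit, which is why the abstract can claim independence from the exploit method. A stale consent (outside the window) or a reused one leaves the download quarantined, as the checks below exercise.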