IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM

  • Mario Heiderich
  • Tilman Frosch
  • Thorsten Holz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)


Due to its flexibility and dynamic character, JavaScript has become an important tool for attackers. The widespread scripting language often helps them to perform a broad variety of malicious activities, for example to initiate drive-by download exploits or to execute clickjacking attacks. Current defense mechanisms as well as reactive analysis and forensic approaches are often slow or complicated to set up and conduct since an attacker can use many different ways to obfuscate the code or make it hard to obtain a copy of the code in the first place.

In this paper, we introduce a novel approach to analyze this class of attacks by demonstrating how dynamic analysis of websites can be accomplished directly in the browser. We present IceShield, a JavaScript based tool that enables in-line dynamic code analysis as well as de-obfuscation, and a set of heuristics to detect attempts of attacking either a website or the user accessing its contents. Special care needs to be taken to implement the instrumentation in a robust and tamper resistant way since an attacker should not be able to bypass our detection process. We show how features of ECMA Script 5 can be used to freeze object properties, so they cannot be modified during runtime. We implemented a prototype version of IceShield and demonstrate that it detects malicious websites with a small overhead even on devices with limited computing power such as smartphones. Furthermore, IceShield can mitigate detected attacks by changing suspicious elements, so they do not cause harm anymore, thus actually protecting users from such attacks.


Linear Discriminant Analysis User Agent Malicious Code Window Context Attack Vector 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Provos, N., Mavrommatis, P., Rajab, M.A., Monrose, F.: All your iFRAMEs point to us. In: USENIX Security Symposium (2008)Google Scholar
  2. 2.
    Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A client-side solution for mitigating Cross-Site scripting attacks. In: ACM Symposium on Applied Computing, SAC (2006)Google Scholar
  3. 3.
    Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with Goal-Directed model checking. In: USENIX Security Symposium (2008)Google Scholar
  4. 4.
    Wassermann, G., Su, Z.: Static detection of Cross-Site scripting vulnerabilities. In: International Conference on Software Engineering, ICSE (2008)Google Scholar
  5. 5.
    Balduzzi, M.: New insights into clickjacking. In: OWASP AppSec Research (2010)Google Scholar
  6. 6.
    Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: 19th International Conference on World Wide Web (2010)Google Scholar
  7. 7.
    Rieck, K., Krueger, T., Dewald, A.: Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks. In: Annual Computer Security Applications Conference, ACSAC (2010)Google Scholar
  8. 8.
    Guarnieri, S., Livshits, B.: GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: USENIX Security Symposium (2009)Google Scholar
  9. 9.
    Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja - safe active content in sanitized javascript (2007),
  10. 10.
    Wang, H.J., Grier, C., Moshchuk, A., King, S.T., Choudhury, P., Venter, H.: The Multi-Principal OS Construction of the Gazelle Web Browser. In: USENIX Security Symposium (2009)Google Scholar
  11. 11.
  12. 12.
    Heyes, G.: Polymorphic javascript (2010),
  13. 13.
    Song, Y., Locasto, M.E., Stavrou, A., Keromytis, A.D., Stolfo, S.J.: On the infeasibility of modeling polymorphic shellcode. Mach. Learn. 81 (2010)Google Scholar
  14. 14.
    Oberheide, J., Cooke, E., Jahanian, F.: CloudAV: N-Version Antivirus in the Network Cloud. In: USENIX Security Symposium (2008)Google Scholar
  15. 15.
    Barth, A.: Bug 29278 XSSAuditor bypasses from (2009),
  16. 16.
    Kouzemchenko, A.: Examining and bypassing the IE8 XSS filter (2009),
  17. 17.
    Father, H.: Hooking Windows API - Technics of Hooking API functions on Windows. The CodeBreakers Journal 1 (2004)Google Scholar
  18. 18.
    Willems, C., Holz, T., Freiling, F.: CWSandbox: Towards Automated Dynamic Binary Analysis. IEEE Security and Privacy 5 (2007)Google Scholar
  19. 19.
  20. 20.
  21. 21.
    Mozilla: window.location - MDC (2011),
  22. 22.
    Mozilla: document.URL - MDC (2010),
  23. 23.
    Hastie, T., Tibshirani, R., Friedman, R.: Linear discriminant analysis. In: The Elements of Statistical Learning, p. 84. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    W3C: Client-side scripting techniques for WCAG 2.0 (2004),
  25. 25.
    Masinter, L.: RFC 2397 - the ”data” URL scheme (1998)Google Scholar
  26. 26.
    Mozilla: Gecko - MDC (2011),
  27. 27.
    Mozilla: Gecko-Specific DOM events - MDC (2011),
  28. 28.
    Nava, E.V.: ACS - active content signatures. PST_WEBZINE_0X04 (2006)Google Scholar
  29. 29.
    Phung, P.H., Sands, D., Chudnov, A.: Lightweight Self-Protecting javascript. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS) (March 2009)Google Scholar
  30. 30.
    Johns, M.: Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting. PhD thesis. University of Passau, Passau (2009)Google Scholar
  31. 31.
    Deiters, M.: Aspect-Oriented programming (2010),
  32. 32.
    Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: Proc. of the 17th Network and Distributed System Security Symposium (2009),
  33. 33.
    Naraine, R.: Drive-by downloads. the web under siege - securelist (2009),
  34. 34.
  35. 35.
    Alexa, the Web Information Company: Top 1,000,000 Sites (2010),
  36. 36.
    Malware Domain List (2010),
  37. 37.
    Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: Fast and Precise In-Browser JavaScript Malware Detection. In: USENIX Security Symposium (2011)Google Scholar
  38. 38.
    Wang, Y.M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.T.: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In: Network and Distributed System Security Symposium, NDSS (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Mario Heiderich
    • 1
  • Tilman Frosch
    • 1
  • Thorsten Holz
    • 1
  1. 1.Chair for Network and Data SecurityRuhr-UniversityBochumGermany

Personalised recommendations