RST Labs Sandboxing Mobile Code Execution Environments Timothy Hollebeek.

Slides:

Advertisements

Similar presentations

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)

Advertisements

Security Issues of Peer-to-Peer Systems February 14, 2001 OReilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.

Applications of Feather-Weight Virtual Machines (FVMs) Hadi Salimi Distributed Systems Lab, School of Computer Engineering, Iran University of Science.

Software Security & Privacy Risks in Mobile E-Commerce Kartikeya Kakarala CSCI 5939-Independent Study Wireless Application Protocols.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Introduction To Java Objectives For Today â Introduction To Java â The Java Platform & The (JVM) Java Virtual Machine â Core Java (API) Application Programming.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

An Evaluation of the Google Chrome Extension Security Architecture

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Java Chapter 22 - Student. Why Java? ADVANTAGESDISADVANTAGES Has _____________ capabilities__________ ( times) than languages compiled directly.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Web server security Dr Jim Briggs WEBP security1.

Computer Security and Penetration Testing

Customer confidential 1 Privilege Management Sean Moore Solutions Specialist.

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

Chapter 6: Hostile Code Guide to Computer Network Security.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Introducing ETIS n Express Term Internet Server is Express Term ‘on the Net’ n All the features of Express Term, plus –Complete control of your site look.

SEC835 Database and Web application security Information Security Architecture.

Life in a Dangerous World: Developing effective strategies against Virus, Worms and Other Threats Marshall Breeding Vanderbilt University

Prevent Cross-Site Scripting (XSS) attack

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.

COM vs. CORBA Computer Science at Azusa Pacific University September 19, 2015 Azusa Pacific University, Azusa, CA 91702, Tel: (800) Department.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

Large D&B process. Framework - deliverables Contract Budget Timeplan SOW BriefSpecificationProductGo liveProject review Initiate Explore Concept Produce.

1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

Online Translation Service Capstone Design Eunyoung Ku Jason Roberts Jennifer Pitts Gregory Woodburn Kim Tran.

RST Labs Effectively Constraining Active Scripting on the Win32 Platform Anup K. Ghosh Reliable Software Technologies

18-jan-962. ETH-W4 (ra)1 security on the Web l security l authentication l privacy.

Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine

Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.

J. Scott Hawker p. 1Some material © Rational Corp. Rational Unified Process Overview See and use the RUP Browser on lab machines.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Mobile Agent Security Presented By Sayuri Yonekawa October 17, 2000.

M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.

1 Firewalls - Introduction l What is a firewall? –Firewalls are frequently thought of as a very complex system that is some sort of magical, mystical..

Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.

Computer Security By Duncan Hall.

Client-Server applications Introduction to Java Applets Client-server architectures Why do Applets exist? What can an Applet do?

Active X and Signed Applets Chad Bollard. Overview ActiveX  Security Features  Hidden Problems Signed Applets  Security Features  Security Problems.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

Critical Security Controls

World Wide Web policy.

SQL Injection Attacks Many web servers have backing databases

POPULAR POWER Security Issues of Peer-to-Peer Systems

Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein

16. Account Monitoring and Control

Test 3 review FTP & Cybersecurity

6. Application Software Security

Presentation transcript:

RST Labs Sandboxing Mobile Code Execution Environments Timothy Hollebeek

RST Labs Technical Objectives Provide interception framework that allows policies to be enforced on mobile scripts Provide policies which mitigate problems associated with mobile scripts while preserving functionality Widely Used Very Dangerous

RST Labs Initial Perception: JavaScript/VBscript isn’t dangerous Little or no security built into language originally Not capable of a “traditional” security hole

RST Labs Evolution of Scripting Languages More and more capabilities available Able to interact with other technologies (Java, ActiveX, forms) Very easy to write –used everywhere –very low code quality

RST Labs Evolution of Security Servers with important information must interact with a large number of untrusted machines Isolating machines and limiting the services they use is increasingly impractical Same is true of applications

RST Labs Today: Scripts are very dangerous BUGTRAQ messages: Consequences: “Overflow”“Javascript” Can run arbitrary code Can read or alter sensitive information No need to run code Sensitive information already read or altered

RST Labs Why? Have full access to browser/host application –spoofing attacks, “viruses” Used as “Turing glue” in many attacks –copy/paste file upload –“BubbleBoy” scripting of flawed ActiveX controls Very easy to manipulate forms and/or documents Very little or no inherent security CERT Advisory CA : too easy to inject scripts almost anywhere

RST Labs Java applets are (sometimes) blocked at firewall. ActiveX Controls Script ActiveX controls are not allowed unless trusted. Scripts are passed through. Attachments/macros pass through.

RST Labs Existing Practice: “Solutions” Turn off Active Scripting (CERT) Sandbox the browser Filter at firewalls Analyze mobile code

RST Labs Turn off Active Scripting? Used everywhere Many forms stop functioning Nontrivial links and indexes Graceful degradation is rare

RST Labs Ask for help? Vendor attention to this problem is “inadequate” Existing ActiveScripting security settings are all targetted at past security flaws GeorgiGuninski: Hotmail doesn’t filter <IMG SRC=“javascript: Microsoft Support: We’ve fixed this problem Georgi Guninski: Hotmail doesn’t filter <IMG LOWSRC=“javascript: “penetrate and patch”

RST Labs Consider browser to be potentially malicious? People do EVERYTHING with browsers Preserving browser functionality would require very complex policies and architectures

RST Labs Filter? SSL Lots of ways to embed scripts in HTML/DHTML/YAML Encoding issues (UTF-7, %xx) Malformed tags ( ) Very difficult to do correctly

RST Labs Analyze? If/When a script is found: –eval(): key bits of source code could be encrypted –obfuscation commonly used to hide source code –static analysis can’t find everything

RST Labs Technical Approach: Enforce security at a well-defined interface ActiveScripting API: –fully documented (Microsoft wants 3rd party engines) –likely target for future web scripting technologies Document Object Model –control at correct level –simple, effective policies –easy to specify, implement and guarantee

RST Labs Script Internet Script Interpreter Host Application COM Script Interpreter Host Application COM Policy Enforcer All necessary implementation information given by COM and ActiveScripting API

RST Labs Roll back the clock: allow approved usage DOM: –window print scrollTo scrollBy status location Later: more sophisticated policies (if/when necessary)

RST Labs Roll back the clock: allow approved usage DOM: –window scrollTo scrollBy Later: more sophisticated policies (if/when necessary)

RST Labs Major Risks Does not solve the “authorship” problem Attacks that fall outside scope of solution –Context-sensitive attacks –Security flaws in scripts Performance penalties

RST Labs Accomplishments Developed approach for reducing risk from active scripting Interception technology has been validated Able to log scripts

RST Labs Quantitative Metrics Assess performance overhead with policies in place Benchmark effectiveness of general policies against known malicious scripts Evaluate simplicity and scope of policies

RST Labs Expected Major Achievements 3rd party control over scripts with no vendor or web site designer’s cooperation Language neutral and implementation neutral implementation Substantial reduction of risk with minimal decrease in functionality

RST Labs Task Schedule Instrument active scripting engine Explore “real world” usage Demonstrate proof-of-concept Benchmark technology against malicious scripts Deliver prototype implementation Feb ‘00Jul ‘00Feb ‘01Jul ‘01 Develop Policies

RST Labs Transition of Technology Release interception technology and policy enforcer for general use License technology to vendors

RST Labs Contact Information Timothy Hollebeek Anup Ghosh