RST Labs Effectively Constraining Active Scripting on the Win32 Platform Anup K. Ghosh Reliable Software Technologies www.rstcorp.com.

1 RST Labs
Effectively Constraining Active Scripting on the Win32 Platform
Anup K. Ghosh, Reliable Software Technologies, www.rstcorp.com

2 Technical Objectives
Address the threat of a significant class of mobile malicious code:
– active scripting
Constrain active scripting capability effectively to balance:
– legitimate uses vs. malicious uses
Generalize from detection of specific malicious code instances to classes of malicious code
Protect the entire platform, not just specific applications

3 Assumptions and Scope
What threats/attacks is your project addressing?
– Active scripting based attacks (local/mobile)
What assumptions does your project make?
– Active scripting attacks use the Active Scripting interface
– Doesn't cover non-active-scripting attacks, or attacks that break the active scripting engine itself
What policies can we enforce?
– Methods of accessing applications/system
– Access to specific objects/methods in given applications

4 Active Scripting
A pervasive form of enterprise computing that requires both content (the script) and an interpreter.
Scripting is often used as “Turing glue” to connect and drive disparate software components.
Active Scripting applications/hosts:
– Web browsers
– Mail readers
– Embedded HTML viewers
– MS Office 2000 applications
– Windows Scripting Host
Active Scripting languages:
– Perl
– JScript
– VBScript/VBA (macros)
– Rexx
– Python

5 Why Is This Problem Important?
Symantec’s Malicious Code Top Threats: Active Scripting Vulnerabilities
14 new vulnerabilities found in Microsoft applications during 2000
[chart; only the labels “15” and “16” survive extraction]

6 Current Approaches
Virus detection software
– instance driven, not generalizable
Turn off Active Scripting
– effective, but crippling
– try running your browser without JavaScript
Sandbox the browser
– browsers are highly multi-functional pieces of software
– scripts run outside browsers, too
Filter at firewalls
– too many ways around
Analyze mobile code
– encryption/obfuscation can defeat these efforts

7 Technical Approach
Instrument the appropriate interface to effectively constrain the behavior of active scripts
– the Active Scripting API is used by all scripting technologies to script programs/components
– the Document Object Model is the appropriate level at which to write/enforce scripting properties
Belief:
– the range of full scripting behavior is >> the range of actual behavior used in Web/mail browsing and transactions
[diagram axes: Widely Used / Very Dangerous]

8 [architecture diagram]
Without enforcement: Internet → Script → Script Interpreter → COM → Application/System
With enforcement: Script → Script Interpreter → Policy Enforcer → COM → Application/System
All necessary implementation information is given by COM and the Active Scripting API

9 Approach By Way of Example
– Script surreptitiously downloads (diagram arrow label: Internet → Script)
– Script exploits browser hole
– Script saves itself in startup directory
– User runs script on next re-boot
– Script mails personal documents out to all contacts

10 Protecting the Machine
– Script exploits browser hole
– Script saves itself in startup directory
– User runs script on next re-boot
– Script mails personal documents out to all contacts
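The enforcement point that slides 7 to 10 describe, worked as an added example that is not RST's code: a policy enforcer placed where slide 8 puts it, between the script interpreter and the objects the script drives, with a per-host policy over object/method names and an XML event log of the kind slide 19 calls for. The object names (document, window, Scripting.FileSystemObject, Outlook.Application), the policy rules, the two scripts and the stand-in objects are all constructed for illustration; nothing here hooks the real Active Scripting or COM interfaces.

```python
"""Added example (not RST's code): a policy enforcer interposed between a
script interpreter and the objects the script calls, in the position the
slide-8 diagram gives the Policy Enforcer. The scriptable objects are
constructed stand-ins that record what was invoked."""
import fnmatch
import xml.etree.ElementTree as ET


class PolicyViolation(Exception):
    """Raised when the policy denies a script's call."""


class Policy:
    """Ordered rules (object glob, method glob, allow); first match wins.
    Calls matching no rule fall through to default_allow (deny by default)."""

    def __init__(self, rules, default_allow=False):
        self.rules = rules
        self.default_allow = default_allow

    def decide(self, obj, method):
        for obj_glob, method_glob, allow in self.rules:
            if fnmatch.fnmatchcase(obj, obj_glob) and fnmatch.fnmatchcase(method, method_glob):
                return allow
        return self.default_allow


class Recorder:
    """Constructed stand-in for a scriptable object: any method call succeeds and is recorded."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(*args):
            self.calls.append((method, args))
            return True
        return call


class Enforcer:
    """Mediates every object.method call a script makes and logs the outcome."""

    def __init__(self, host, policy, objects):
        self.host = host          # application hosting the script engine, e.g. "browser"
        self.policy = policy
        self.objects = objects    # object name -> stand-in object
        self.events = []          # one record per attempted call, allowed or not

    def invoke(self, script_id, obj, method, *args):
        allowed = self.policy.decide(obj, method)
        self.events.append({"script": script_id, "object": obj, "method": method,
                            "args": args, "decision": "allow" if allowed else "deny"})
        if not allowed:
            raise PolicyViolation(f"{self.host}: {obj}.{method} denied for {script_id}")
        return getattr(self.objects[obj], method)(*args)

    def log_xml(self):
        """Render the event log as XML (constructed schema, not the project's)."""
        root = ET.Element("scriptlog", host=self.host)
        for ev in self.events:
            el = ET.SubElement(root, "event", script=ev["script"], object=ev["object"],
                               method=ev["method"], decision=ev["decision"])
            for a in ev["args"]:
                ET.SubElement(el, "arg").text = str(a)
        return ET.tostring(root, encoding="unicode")


def run_script(enforcer, script_id, calls):
    """Run a script modelled as a list of (object, method, args). Denied calls are
    refused but the script continues, so the log shows everything it attempted.
    Returns the denied 'object.method' names in order."""
    denied = []
    for obj, method, args in calls:
        try:
            enforcer.invoke(script_id, obj, method, *args)
        except PolicyViolation:
            denied.append(f"{obj}.{method}")
    return denied


# Browser-host policy (constructed): DOM access is the normal range of behaviour;
# file-system and mail-automation objects lie outside it and are denied.
BROWSER_POLICY = Policy([
    ("document", "*", True),
    ("window", "alert", True),
    ("Scripting.FileSystemObject", "*", False),
    ("Outlook.Application", "*", False),
])

# Constructed scripts. The second follows the slide-9 sequence: copy itself into
# the Startup folder, then start mail automation to reach every contact.
BENIGN_PAGE_SCRIPT = [
    ("document", "write", ("<p>hello</p>",)),
    ("window", "alert", ("done",)),
]
MALICIOUS_SCRIPT = [
    ("document", "write", ("<p>loading...</p>",)),
    ("Scripting.FileSystemObject", "CopyFile",
     (r"C:\Temp\script.vbs", r"C:\Windows\Start Menu\Programs\Startup\script.vbs")),
    ("Outlook.Application", "CreateItem", (0,)),
]


def demo():
    objects = {name: Recorder() for name in
               ("document", "window", "Scripting.FileSystemObject", "Outlook.Application")}
    enforcer = Enforcer("browser", BROWSER_POLICY, objects)
    return {
        "benign_denied": run_script(enforcer, "page.js", BENIGN_PAGE_SCRIPT),
        "malicious_denied": run_script(enforcer, "loveletter.vbs", MALICIOUS_SCRIPT),
        # the dangerous objects were never reached
        "fs_calls": objects["Scripting.FileSystemObject"].calls,
        "mail_calls": objects["Outlook.Application"].calls,
        "log": enforcer.log_xml(),
    }


if __name__ == "__main__":
    print(demo()["log"])
```

Run as-is it prints the XML log: the benign page script runs untouched, while the slide-9 script gets its DOM write but its copy into the Startup folder and its mail automation are refused and recorded with decision="deny". Because the first matching rule wins and unmatched calls are denied, a policy can admit a single method on an object (window.alert) while leaving the object's other methods closed.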

11 Classes of Attacks Covered
Malicious script email attachments

12 Classes of Attack Addressed
Embedded malicious email scripts

13 Classes of Attack Addressed
Scripts that exploit Web browser holes (e.g., Guninski holes)

14 Classes of Attack Addressed
Scripts that exploit ActiveX controls marked safe for scripting

15 Classes of Attack Addressed
Scripting of Microsoft Office applications

16 Classes of Attack Addressed
Scripting of other desktop applications

17 Classes of Attack Addressed
JavaScripts, VBScripts, macros, proprietary, and future scripting technologies
– Scripting is becoming increasingly common in enterprise environments
– Microsoft encourages 3rd-party scripting engines and has published a fully documented API for that purpose

18 Inferring, Developing, and Enforcing Policy
In order to effectively constrain Active Scripting behavior, we need to:
– define and enforce policy at the appropriate interface.
Problem: what constitutes a good policy for constraining Active Scripts?
Belief: malicious scripts will exercise functionality outside the normal range of benign scripts.
Approach: infer/extract policy from empirical results on the actual behavior of benign/malicious scripts

19 Approach: Log Behavior, Extract Policy
All scripts encountered by wrapped applications are logged
Script logs are formatted in XML
Logs record actions/events taken by the script
XML-formatted logs provide:
– a well-defined and configurable method for logging scripts used within applications
– searchable tags that can be advantageous for parsing the script logs
Logs will be mined to determine what behavior distinguishes malicious from benign scripts.

20 Major Risks and Risk Mitigation Plan
Risk: developing a rule base/policy language that is:
– too constraining
– too simple (doesn’t capture subtleties of attacks)
– too complex to use in practice
– ineffective against novel threats
Mitigation plan:
– infer the set of rules from observed behavior.
– test against scripts previously not seen.

21 Accomplishments
Developed an instrumentation framework that applies to all Win32 executables
Demonstrated the capability to constrain malicious active scripts
Logging behavior of actual scripts
Released Just Be Friends, a spin-off of the technology that better addresses the ILOVEYOU threat than Microsoft’s patch.

22 Quantitative Metrics
Performance overhead of the technique
False positive/false negative rates of correctly classifying benign/malicious scripts
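Slides 19, 20 and 22 describe inferring policy from logged script behavior and judging it by false positive/false negative rates on scripts not seen during inference. The following added example (not RST's code; the XML log schema, script names and events are constructed stand-ins, since the project's real format is not on the page) does that on a handful of logs, at two policy granularities so that the "too constraining" risk from slide 20 shows up as a measurable false-positive rate rather than a slogan.

```python
"""Added example (not RST's code): infer an allow-list policy from XML logs
of benign scripts, then score it on held-out logs by false-positive and
false-negative rate. The log schema below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed logs: one <scriptlog> per script, one <event> per action taken.
TRAINING_LOGS = [
    '<scriptlog script="page1.js" label="benign">'
    '<event object="document" method="write"/>'
    '<event object="window" method="alert"/>'
    '</scriptlog>',
    '<scriptlog script="page2.js" label="benign">'
    '<event object="document" method="write"/>'
    '<event object="document" method="getElementsByTagName"/>'
    '<event object="window" method="setTimeout"/>'
    '</scriptlog>',
]
HELDOUT_LOGS = [
    '<scriptlog script="page3.js" label="benign">'
    '<event object="document" method="getElementById"/>'   # never seen in training
    '<event object="window" method="alert"/>'
    '</scriptlog>',
    '<scriptlog script="page4.js" label="benign">'
    '<event object="document" method="write"/>'
    '</scriptlog>',
    '<scriptlog script="loveletter.vbs" label="malicious">'
    '<event object="Scripting.FileSystemObject" method="CopyFile"/>'
    '<event object="Outlook.Application" method="CreateItem"/>'
    '</scriptlog>',
    '<scriptlog script="exploit.html" label="malicious">'
    '<event object="document" method="write"/>'
    '<event object="WScript.Shell" method="Run"/>'
    '</scriptlog>',
]


def parse_log(xml_text):
    """Return (script name, label, [(object, method), ...]) for one log."""
    root = ET.fromstring(xml_text)
    events = [(e.get("object"), e.get("method")) for e in root.iter("event")]
    return root.get("script"), root.get("label"), events


def key(obj, method, granularity):
    """Policy key at the chosen granularity: per object.method, or per object."""
    return (obj, method) if granularity == "method" else (obj, "*")


def infer_policy(logs, granularity="method"):
    """Allow-list: everything the benign training scripts were seen to do."""
    allowed = set()
    for xml_text in logs:
        _, label, events = parse_log(xml_text)
        if label == "benign":
            allowed.update(key(o, m, granularity) for o, m in events)
    return allowed


def violations(allowed, events, granularity="method"):
    """Calls in a script's log that the inferred policy would deny."""
    return [f"{o}.{m}" for o, m in events if key(o, m, granularity) not in allowed]


def evaluate(allowed, logs, granularity="method"):
    """False-positive rate (benign scripts flagged) and false-negative rate
    (malicious scripts not flagged) on logs the policy was not inferred from."""
    counts = {"benign": 0, "malicious": 0}
    errors = {"benign": 0, "malicious": 0}
    flagged = {}
    for xml_text in logs:
        name, label, events = parse_log(xml_text)
        bad = violations(allowed, events, granularity)
        flagged[name] = bad
        counts[label] += 1
        # an error is a benign script that was flagged, or a malicious one that was not
        if (label == "benign") == bool(bad):
            errors[label] += 1
    return {
        "false_positive_rate": errors["benign"] / counts["benign"],
        "false_negative_rate": errors["malicious"] / counts["malicious"],
        "flagged": flagged,
    }


if __name__ == "__main__":
    for g in ("method", "object"):
        print(g, evaluate(infer_policy(TRAINING_LOGS, g), HELDOUT_LOGS, g))
```

The method-level allow-list flags page3.js because it calls a document method the training set never showed, giving a false-positive rate of 0.5 on the held-out benign scripts while still catching both malicious ones. Relaxing the key to the object level removes that false positive on this sample without missing either malicious script, but it also admits any method of an allowed object, so the two granularities trade slide 20's "too constraining" and "too simple" risks against each other rather than resolving them; measuring on scripts the inference never saw is what exposes the trade-off.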

23 Expected Major Achievements
Software tool to wrap any Win32 application against malicious scripts
Experimental results on effective policies
Experimental results on false positives and rates of correct detection

24 Task Schedule
[Gantt chart; timeline Feb ‘00, Jul ‘00, Feb ‘01, Jul ‘01]
Instrument active scripting engine
Explore “real world” usage
Demonstrate proof-of-concept
Benchmark technology against malicious scripts
Deliver prototype implementation
Develop policies

25 Technology Transfer
Patent inventions
Release and make software freely available
Market, sell, and license the technology to a leading commercial vendor in this market space.

26 Questions, Acknowledgements, and Contact Info
RST Sandboxing Team: Dur Berrier, Anup Ghosh, Timothy Hollebeek, Michael Pelican
{dur,anup,tim,mpelican}@rstcorp.com
www.rstcorp.com
“Sandboxing Mobile Code Execution Environments”, DARPA Contract #F30602-99-C-0172

