Effectively Constraining Active Scripting on the Win32 Platform - PowerPoint PPT Presentation

1
Effectively Constraining Active Scripting on the
Win32 Platform
  • Anup K. Ghosh
  • Reliable Software Technologies
  • www.rstcorp.com

2
Technical Objectives
  • Address the threat of a significant class of mobile malicious code
      • active scripting
  • Constrain active scripting capability effectively to balance
      • legitimate uses vs. malicious uses
  • Generalize from detection of specific malicious code instances to classes of malicious code
  • Protect the entire platform, not just specific applications

3
Assumptions and Scope
  • What threats/attacks is your project addressing?
      • Active scripting based attacks (local/mobile)
  • What assumptions does your project make?
      • Active scripting attacks use the Active Scripting Interface
      • doesn't cover non-active-scripting attacks or attacks that break the active scripting engine
  • What policies can we enforce?
      • Methods of accessing applications/system
      • Access to specific objects/methods in given applications

4
Active Scripting
  • A pervasive form of enterprise computing that requires both content (the script) and an interpreter.
  • Scripting is often used as "Turing glue" to connect and drive disparate software components.
  • Active Scripting Applications/Hosts
      • Web browsers
      • Mail readers
      • Embedded HTML viewers
      • MS Office 2000 applications
      • Windows Scripting Host
  • Active Scripting Languages
      • Perl
      • JScript
      • VBScript/VBA (macros)
      • Rexx
      • Python

5
Why Is this Problem Important?
  • Symantec's Malicious Code Top Threats
  • Active Scripting Vulnerabilities
      • 14 new vulnerabilities found in Microsoft applications during 2000

6
Current Approaches
  • Virus detection software
      • instance driven, not generalizable
  • Turn off Active Scripting
      • effective, but crippling
      • Try running your browser without JavaScript
  • Sandbox the browser
      • Browsers are highly multi-functional pieces of software
      • Scripts run outside browsers, too
  • Filter at firewalls
      • too many ways around
  • Analyze mobile code
      • encryption/obfuscation can defeat these efforts

7
Technical Approach
  • Instrument the appropriate interface to effectively constrain the behavior of active scripts
      • Active Scripting API used by all scripting technologies to script programs/components
      • Document Object Model is the appropriate level to write/enforce scripting properties
  • Belief
      • the range of full scripting behavior is >> the range of actual behavior used in Web/mail browsing and transactions.

8
(untitled slide: architecture diagram)
  Diagram: Internet → Application/System → Script Interpreter → Script, with the components linked through COM; a second panel inserts a Policy Enforcer between the Script Interpreter and the Application/System, with COM interfaces on both sides of the enforcer.
  • All necessary implementation information given by COM and the ActiveScripting API

9
Approach By Way of Example
  Diagram: Web surfing surreptitiously downloads a malicious script, which then proceeds as follows:
  • Script exploits browser hole
  • Script saves itself in startup directory
  • Script mails personal documents out to all contacts
  • User runs script on next re-boot

10
Protecting the Machine
  Diagram: the attack chain from slide 9, shown again for the protected machine:
  • Script exploits browser hole
  • Script saves itself in startup directory
  • Script mails personal documents out to all contacts
  • User runs script on next re-boot

11
Classes of Attacks Covered
  • Malicious script email attachments

12
Classes of Attack Addressed
  • Embedded malicious email scripts

13
Classes of Attack Addressed
  • Scripts that exploit Web browser holes (e.g.,
    Guninski holes)

14
Classes of Attack Addressed
  • Scripts that exploit ActiveX controls marked safe
    for scripting

15
Classes of Attack Addressed
  • Scripting of Microsoft Office Applications

16
Classes of Attack Addressed
  • Scripting of other desktop applications

17
Classes of Attack Addressed
  • JavaScript, VBScript, macros, proprietary, and future scripting technologies
      • Scripting is becoming increasingly common in enterprise environments
      • Microsoft encourages 3rd party scripting engines and has published a fully documented API for that purpose

18
Inferring, Developing, and Enforcing Policy
  • In order to effectively constrain Active Scripting behavior, we need to define and enforce policy at the appropriate interface.
  • Problem: what constitutes a good policy for constraining Active Scripts?
  • Belief: malicious scripts will exercise functionality outside the normal range of benign scripts.
  • Approach: infer/extract policy from empirical results of actual benign/malicious script behavior

19
Approach: Log Behavior, Extract Policy
  • All scripts encountered by wrapped applications are logged
      • Script logs are formatted in XML
      • Logs record actions/events taken by the script
  • XML formatted logs provide
      • A well-defined and configurable method for logging scripts used within applications
      • Searchable tags that can be advantageous for parsing the script logs

Logs will be mined to determine what behavior distinguishes malicious from benign scripts.
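As an added illustration of slides 18 and 19 (and of the object/method policies named on slide 3), not code from the RST project or this presentation: the script below parses constructed XML action logs, infers an allowlist policy of (object, method) pairs from benign logs, replays an unseen script through a policy enforcer, and computes the false-positive/false-negative rates of slide 22. The XML schema, the COM object and method names, and every sample log are assumptions constructed for the example; the allowlist is a simple stand-in for whatever mining the project actually performed.

```python
"""Mining XML script-action logs into an object/method access policy and
enforcing it. Added example, not code from the RST project; the XML schema,
the COM object/method names and all sample logs are constructed here."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample logs (hypothetical schema): one <action> per scripted call,
# recording the host object and the method the script invoked on it.
BENIGN_LOGS = [
    """<script id="b1" host="browser">
         <action object="document" method="write"/>
         <action object="window" method="open"/>
         <action object="document.forms" method="submit"/>
       </script>""",
    """<script id="b2" host="browser">
         <action object="document" method="getElementById"/>
         <action object="window" method="setTimeout"/>
         <action object="document" method="write"/>
       </script>""",
]

# Held-out benign log (constructed) using one call never seen during inference.
HELD_OUT_BENIGN = """<script id="b3" host="browser">
  <action object="document" method="write"/>
  <action object="window" method="alert"/>
</script>"""

# Constructed log in the style of slide 9's chain: write a file, then send mail.
UNSEEN_LOG = """<script id="u1" host="browser">
  <action object="document" method="write"/>
  <action object="Scripting.FileSystemObject" method="CreateTextFile"/>
  <action object="Outlook.Application" method="CreateItem"/>
</script>"""


def parse_actions(xml_text):
    """Return the (object, method) pairs recorded in one script log, in order."""
    root = ET.fromstring(xml_text)
    return [(a.get("object"), a.get("method")) for a in root.iter("action")]


def infer_policy(benign_logs):
    """Allowlist of (object, method) pairs seen in benign logs, plus a support
    count (how many distinct benign scripts used each pair)."""
    support = Counter()
    for log in benign_logs:
        support.update(set(parse_actions(log)))
    return {"allow": set(support), "support": dict(support)}


class PolicyEnforcer:
    """Mediates each scripted call against the policy: the role of the
    enforcer sitting between script interpreter and host application."""

    def __init__(self, policy):
        self.allow = policy["allow"]
        self.denied = []

    def check(self, obj, method):
        """True if the call may proceed; denied calls are recorded for the log."""
        if (obj, method) in self.allow:
            return True
        self.denied.append((obj, method))
        return False


def evaluate(policy, log):
    """Replay a script log through the enforcer and return the denied calls."""
    enforcer = PolicyEnforcer(policy)
    for obj, method in parse_actions(log):
        enforcer.check(obj, method)
    return enforcer.denied


def classify(policy, log):
    """Flag a script as malicious if any of its calls fall outside the policy."""
    return "malicious" if evaluate(policy, log) else "benign"


def error_rates(policy, labeled_logs):
    """False-positive and false-negative rates over (log, true_label) pairs."""
    fp = fn = n_benign = n_malicious = 0
    for log, label in labeled_logs:
        predicted = classify(policy, log)
        if label == "benign":
            n_benign += 1
            fp += predicted == "malicious"
        else:
            n_malicious += 1
            fn += predicted == "benign"
    return (fp / n_benign if n_benign else 0.0,
            fn / n_malicious if n_malicious else 0.0)


if __name__ == "__main__":
    policy = infer_policy(BENIGN_LOGS)
    print("allowed pairs:", sorted(policy["allow"]))
    print("denied in unseen script:", evaluate(policy, UNSEEN_LOG))
    print("FP/FN rates:", error_rates(policy, [(HELD_OUT_BENIGN, "benign"),
                                               (UNSEEN_LOG, "malicious")]))
```

Run as a script, it denies the file-system and mail calls of the unseen script but also flags the held-out benign script, because its `window.alert` call never appeared in the two benign training logs. That is exactly the "too constraining" risk of slide 20: an allowlist inferred from a small benign corpus yields a false-positive rate of 1.0 on this held-out set, which is why the support counts are kept, so that a policy can be relaxed or tested against previously unseen scripts before deployment.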
20
Major Risks and Risk Mitigation Plan
  • Develop a rule base/policy language that is
      • too constraining
      • too simple (doesn't capture subtleties of attacks)
      • too complex to use in practice
      • ineffective against novel threats
  • Mitigation Plan
      • infer set of rules from observed behavior.
      • test against scripts previously not seen.

21
Accomplishments
  • Developed instrumentation framework that applies to all Win32 executables
  • Demonstrated capability to constrain malicious active scripts
  • Logging behavior of actual scripts
  • Released Just Be Friends, a spin-off of the technology that better addresses the ILOVEYOU threat than Microsoft's patch.

22
Quantitative Metrics
  • Performance overhead of technique
  • False positive/false negative rates of correctly
    classifying benign/malicious scripts

23
Expected Major Achievements
  • Software tool to wrap any Win32 application
    against malicious scripts
  • Experimental results on effective policies
  • Experimental results on false positives and rates
    of correct detection

24
Task Schedule
  Gantt chart over the milestones Feb 00, Jul 00, Feb 01, Jul 01 (task bars not recoverable from the transcript); tasks shown:
  • Benchmark technology against malicious scripts
  • Explore real world usage
  • Deliver prototype implementation
  • Develop Policies
  • Instrument active scripting engine
  • Demonstrate proof-of-concept

25
Technology Transfer
  • Patent inventions
  • Release and make software freely available
  • Market, sell, and license technology to leading
    commercial vendor in this market space.

26
Questions, Acknowledgements, and Contact Info
  • RST Sandboxing Team
      • Dur Berrier
      • Anup Ghosh
      • Timothy Hollebeek
      • Michael Pelican
  • {dur, anup, tim, mpelican}@rstcorp.com
  • www.rstcorp.com

Sandboxing Mobile Code Execution Environments
DARPA Contract F30602-99-C-0172