RST Labs
Effectively Constraining Active Scripting on the Win32 Platform
Anup K. Ghosh, Reliable Software Technologies
www.rstcorp.com
Technical Objectives
• Address the threat of a significant class of mobile malicious code:
  – active scripting
• Constrain active scripting capability effectively to balance:
  – legitimate uses vs. malicious uses
• Generalize from detection of specific malicious code instances to classes of malicious code
• Protect the entire platform, not just specific applications
Assumptions and Scope
• What threats/attacks is your project addressing?
  – Active scripting based attacks (local/mobile)
• What assumptions does your project make?
  – Active scripting attacks use the Active Scripting interface
    • doesn’t cover non-active-scripting attacks and attacks that break the active scripting engine
• What policies can we enforce?
  – Methods of accessing applications/system
  – Access to specific objects/methods in given applications
Active Scripting
• A pervasive form of enterprise computing that requires both content (the script) and an interpreter.
• Scripting is often used as “Turing glue” to connect and drive disparate software components.
Active Scripting Applications/Hosts
• Web browsers
• Mail readers
• Embedded HTML viewers
• MS Office 2000 applications
• Windows Scripting Host
Active Scripting Languages
• Perl
• JScript
• VBScript/VBA (macros)
• Rexx
• Python
Why Is this Problem Important?
Symantec’s Malicious Code Top Threats:
[chart: Symantec malicious code top threats]
Active Scripting Vulnerabilities
• 14 new vulnerabilities found in Microsoft applications during 2000
Current Approaches
• Virus detection software
  – instance driven, not generalizable
• Turn off Active Scripting
  – effective, but crippling
  – Try running your browser without JavaScript
• Sandbox the browser
  – Browsers are highly multi-functional pieces of software
  – Scripts run outside browsers, too
• Filter at firewalls
  – too many ways around
• Analyze mobile code
  – encryption/obfuscation can defeat these efforts
Technical Approach
• Instrument appropriate interface to effectively constrain behavior of active scripts
  – Active Scripting API used by all scripting technologies to script programs/components
  – Document Object Model is appropriate level to write/enforce scripting properties
• Belief:
  – range of full scripting behavior is >> range of actual behavior used in Web/mail browsing and transactions.
[diagram: scripting behavior that is “Widely Used” vs. scripting behavior that is “Very Dangerous”]
[diagram, without enforcement: Script (from the Internet) → Script Interpreter → COM → Application/System]
[diagram, with enforcement: Script → Script Interpreter → COM → Policy Enforcer → COM → Application/System]
All necessary implementation information given by COM and Active Scripting API
Approach By Way of Example
[diagram: attack sequence]
Script exploits browser hole
Script saves itself in startup directory
User runs script on next re-boot
Script mails personal documents out to all contacts
Surreptitiously downloads
Protecting the Machine
[diagram: the same attack sequence, with the policy enforcer interposed at each step]
Script exploits browser hole
Script saves itself in startup directory
User runs script on next re-boot
Script mails personal documents out to all contacts
Classes of Attacks Covered
• Malicious script email attachments
• Embedded malicious email scripts
• Scripts that exploit Web browser holes (e.g., Guninski holes)
• Scripts that exploit ActiveX controls marked safe for scripting
• Scripting of Microsoft Office applications
• Scripting of other desktop applications
• JavaScripts, VBScripts, macros, proprietary, and future scripting technologies
  – Scripting is becoming increasingly common in enterprise environments
  – Microsoft encourages 3rd party scripting engines and has published a fully documented API for that purpose
Inferring, Developing, and Enforcing Policy
• In order to effectively constrain Active Scripting behavior, we need to:
  – define and enforce policy at the appropriate interface.
• Problem: what constitutes a good policy for constraining Active Scripts?
• Belief: malicious scripts will exercise functionality outside normal range of benign scripts.
• Approach: infer/extract policy from empirical results of benign/malicious script actual behavior
Approach: Log Behavior, Extract Policy
• All scripts encountered by wrapped applications are logged
• Script logs are formatted in XML
• Logs record actions/events taken by the script
• XML formatted logs provide
  – A well-defined and configurable method for logging scripts used within applications
  – Searchable tags that can be advantageous for parsing the script logs
Logs will be mined to determine what behavior distinguishes malicious from benign scripts.
Major Risks and Risk Mitigation Plan
• Develop rule base/policy language that is:
  – too constraining
  – too simple (doesn’t capture subtleties of attacks)
  – too complex to use in practice
  – ineffective against novel threats
• Mitigation Plan:
  – infer set of rules from observed behavior.
  – test against scripts previously not seen.
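The slides describe three connected ideas: a policy expressed as access to specific objects/methods in given applications, XML logs of the actions each script takes in a wrapped host, and a mitigation plan that infers rules from observed benign behavior and then tests them against unseen scripts. The following Python is an added illustration of that loop written for this page; it is not RST's code, and the <scriptlog>/<script>/<action> schema, the host and object names, and all log entries are constructed assumptions rather than the project's actual log format.

```python
"""Infer an object/method allowlist from XML script logs, enforce it, and
measure false positives/negatives on scripts the policy has not seen."""
import xml.etree.ElementTree as ET

# Constructed sample logs (assumed schema, not the RST log format). Each
# <script> is one script run observed in a wrapped host; each <action> is one
# scripted object/method access the instrumented host recorded.
BENIGN_LOGS = """
<scriptlog>
  <script id="b1" host="iexplore" lang="JScript" label="benign">
    <action object="document" method="write"/>
    <action object="window" method="setTimeout"/>
  </script>
  <script id="b2" host="iexplore" lang="JScript" label="benign">
    <action object="document" method="getElementById"/>
    <action object="window" method="open"/>
  </script>
  <script id="b3" host="outlook" lang="VBScript" label="benign">
    <action object="document" method="write"/>
  </script>
</scriptlog>
"""

# Constructed scripts "previously not seen", used only to test the policy.
UNSEEN_LOGS = """
<scriptlog>
  <script id="u1" host="iexplore" lang="JScript" label="benign">
    <action object="document" method="write"/>
    <action object="window" method="setTimeout"/>
  </script>
  <script id="u2" host="iexplore" lang="JScript" label="benign">
    <action object="window" method="alert"/>
  </script>
  <script id="u3" host="outlook" lang="VBScript" label="malicious">
    <action object="Scripting.FileSystemObject" method="CopyFile"/>
    <action object="Outlook.MailItem" method="Send"/>
  </script>
</scriptlog>
"""


def parse_log(xml_text):
    """Return {script_id: (label, [(object, method), ...])} from one XML log."""
    root = ET.fromstring(xml_text.strip())
    scripts = {}
    for script in root.iter("script"):
        actions = [(a.get("object"), a.get("method")) for a in script.iter("action")]
        scripts[script.get("id")] = (script.get("label"), actions)
    return scripts


def infer_policy(benign_logs):
    """Mitigation step 1: the allowlist is every (object, method) pair that
    benign scripts were observed to use; anything outside that range is denied."""
    allowed = set()
    for _label, actions in parse_log(benign_logs).values():
        allowed.update(actions)
    return allowed


def check_script(actions, allowed):
    """Policy-enforcer decision for one script: the object/method accesses the
    policy does not permit (an empty list means the script runs unchanged)."""
    return [action for action in actions if action not in allowed]


def evaluate(allowed, unseen_logs):
    """Mitigation step 2: apply the policy to scripts it was not inferred from
    and count outcomes, giving the false positive / false negative rates."""
    counts = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for label, actions in parse_log(unseen_logs).values():
        flagged = bool(check_script(actions, allowed))
        if label == "malicious":
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    benign = counts["tn"] + counts["fp"]
    malicious = counts["tp"] + counts["fn"]
    counts["fp_rate"] = counts["fp"] / benign if benign else 0.0
    counts["fn_rate"] = counts["fn"] / malicious if malicious else 0.0
    return counts


if __name__ == "__main__":
    policy = infer_policy(BENIGN_LOGS)
    for script_id, (label, actions) in parse_log(UNSEEN_LOGS).items():
        denied = check_script(actions, policy)
        print(script_id, label, "DENY" if denied else "allow", denied)
    print(evaluate(policy, UNSEEN_LOGS))
```

On the constructed data the policy denies the malicious script (file copy plus mail send) but also denies the benign script u2, whose only call is window.alert, because no benign training script ever used it. That one false positive is exactly the "too constraining" risk the slide names: an allowlist inferred from logs is only as broad as the benign corpus it was mined from, which is why the metrics slide pairs false positive rates with detection rates.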
Accomplishments
• Developed instrumentation framework that applies to all Win32 executables
• Demonstrated capability to constrain malicious active scripts
• Logging behavior of actual scripts
• Released Just Be Friends --- spin-off of technology that better addresses ILOVEYOU threat than Microsoft’s patch.
Quantitative Metrics
• Performance overhead of technique
• False positive/false negative rates of correctly classifying benign/malicious scripts
Expected Major Achievements
• Software tool to wrap any Win32 application against malicious scripts
• Experimental results on effective policies
• Experimental results on false positives and rates of correct detection
Task Schedule
[Gantt chart spanning Feb ‘00, Jul ‘00, Feb ‘01, Jul ‘01]
• Instrument active scripting engine
• Explore “real world” usage
• Develop Policies
• Demonstrate proof-of-concept
• Benchmark technology against malicious scripts
• Deliver prototype implementation
Technology Transfer
• Patent inventions
• Release and make software freely available
• Market, sell, and license technology to leading commercial vendor in this market space.
Questions, Acknowledgements, and Contact Info
RST Sandboxing Team
• Dur Berrier
• Anup Ghosh
• Timothy Hollebeek
• Michael Pelican
{dur, anup, tim, mpelican}@rstcorp.com
www.rstcorp.com
“Sandboxing Mobile Code Execution Environments”
DARPA Contract #F30602-99-C-0172