RST Labs
Effectively Constraining Active Scripting on the Win32 Platform
Anup K. Ghosh, Reliable Software Technologies
www.rstcorp.com

Technical Objectives
• Address the threat of a significant class of mobile malicious code:
– active scripting
• Constrain active scripting capability effectively to balance:
– legitimate uses vs. malicious uses
• Generalize from detection of specific malicious code instances to classes of malicious code
• Protect the entire platform, not just specific applications

Assumptions and Scope
• What threats/attacks is your project addressing?
– Active scripting based attacks (local/mobile)
• What assumptions does your project make?
– Active scripting attacks use the Active Scripting Interface
  • doesn’t cover non-active-scripting attacks and attacks that break the active scripting engine
• What policies can we enforce?
– Methods of accessing applications/system
– Access to specific objects/methods in given applications

Active Scripting
• A pervasive form of enterprise computing that requires both content (the script) and an interpreter.
• Scripting is often used as “Turing glue” to connect and drive disparate software components.
Active Scripting Applications/Hosts
• Web browsers
• Mail readers
• Embedded HTML viewers
• MS Office 2000 applications
• Windows Scripting Host
Active Scripting Languages
• Perl
• Jscript
• VBscript/VBA (macros)
• Rexx
• Python

Why Is this Problem Important?
Symantec’s Malicious Code Top Threats (chart)
Active Scripting Vulnerabilities
• 14 new vulnerabilities found in Microsoft Applications during 2000

Current Approaches
• Virus detection software
– instance driven, not generalizable
• Turn off Active Scripting
– effective, but crippling
– Try running your browser without Javascript
• Sandbox the browser
– Browsers are highly multi-functional pieces of software
– Scripts run outside browsers, too
• Filter at firewalls
– too many ways around
• Analyze mobile code
– encryption/obfuscation can defeat these efforts

Technical Approach
• Instrument appropriate interface to effectively constrain behavior of active scripts
– Active Scripting API used by all scripting technologies to script programs/components
– Document Object Model is appropriate level to write/enforce scripting properties
• Belief:
– range of full scripting behavior is >> range of actual behavior used in Web/mail browsing and transactions.
(diagram: “Widely Used” vs. “Very Dangerous” scripting behavior)

(architecture diagram)
Today: Internet → Script → Script Interpreter → COM → Application/System
With the tool: Script → Script Interpreter → COM → Policy Enforcer → COM → Application/System
All necessary implementation information given by COM and Active Scripting API

Approach By Way of Example
Script surreptitiously downloads
Script exploits browser hole
Script saves itself in startup directory
User runs script on next re-boot
Script mails personal documents out to all contacts

Protecting the Machine
Script exploits browser hole
Script saves itself in startup directory
User runs script on next re-boot
Script mails personal documents out to all contacts

Classes of Attacks Covered
• Malicious script email attachments
• Embedded malicious email scripts
• Scripts that exploit Web browser holes (e.g., Guninski holes)
• Scripts that exploit ActiveX controls marked safe for scripting
• Scripting of Microsoft Office Applications
• Scripting of other desktop applications
• Javascripts, VBscripts, macros, proprietary, and future scripting technologies
– Scripting is becoming increasingly common in enterprise environments
– Microsoft encourages 3rd party scripting engines and has published a fully documented API for that purpose

Inferring, Developing, and Enforcing Policy
• In order to effectively constrain Active Scripting behavior, we need to:
– define and enforce policy at the appropriate interface.
• Problem: what constitutes a good policy for constraining Active Scripts?
• Belief: malicious scripts will exercise functionality outside normal range of benign scripts.
• Approach: infer/extract policy from empirical results of benign/malicious script actual behavior

Approach: Log Behavior, Extract Policy
• All scripts encountered by wrapped applications are logged
• Script logs are formatted in XML
• Logs record actions/events taken by the script
• XML formatted logs provide
– A well-defined and configurable method for logging scripts used within applications
– Searchable tags that can be advantageous for parsing the script logs
Logs will be mined to determine what behavior distinguishes malicious from benign scripts.

Major Risks and Risk Mitigation Plan
• Develop rule base/policy language that is:
– too constraining
– too simple (doesn’t capture subtleties of attacks)
– too complex to use in practice
– ineffective against novel threats
• Mitigation Plan:
– infer set of rules from observed behavior.
– test against scripts previously not seen.

Accomplishments
• Developed instrumentation framework that applies to all Win32 executables
• Demonstrated capability to constrain malicious active scripts
• Logging behavior of actual scripts
• Released Just Be Friends: a spin-off of the technology that better addresses the ILOVEYOU threat than Microsoft’s patch.

Quantitative Metrics
• Performance overhead of technique
• False positive/false negative rates of correctly classifying benign/malicious scripts
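Added example (not the RST Labs tool or any of its code): a small Python model of the pipeline laid out across the Technical Approach, Log Behavior/Extract Policy, Risk Mitigation and Quantitative Metrics slides. A PolicyEnforcer proxy interposes on every object.method call a script makes, in the position the Policy Enforcer occupies on the COM path between interpreter and application in the architecture diagram; each run writes an XML script log; an allowlist policy is inferred from the logs of benign scripts; and that policy is evaluated on scripts not seen during inference, reporting the false positive and false negative rates. The host objects, method names, XML element and attribute names, and the script corpus are all constructed for this example; the deck does not show its log schema or policy language.

```python
"""Added example, not RST Labs code: a model of the deck's pipeline.

  1. PolicyEnforcer interposes on the object.method calls a script makes
     (stand-in for the COM-level Policy Enforcer in the architecture slide);
  2. each run produces an XML script log (element and attribute names are
     assumed; the deck does not show its log schema);
  3. an allowlist policy is inferred from benign logs and evaluated on scripts
     not used for inference, reporting false positive/negative rates.
Host objects and their methods are constructed stand-ins, not real COM hosts.
"""
import xml.etree.ElementTree as ET


class PolicyViolation(PermissionError):
    """Raised when a script attempts a call the active policy does not allow."""


class PolicyEnforcer:
    """Wraps a host object. A policy is a set of 'Object.Method' strings, or
    None for observe-only mode; every call is logged either way."""

    def __init__(self, target, name, policy, log):
        self._target, self._name, self._policy, self._log = target, name, policy, log

    def __getattr__(self, method):
        key = f"{self._name}.{method}"

        def call(*args):
            allowed = self._policy is None or key in self._policy
            ET.SubElement(self._log, "action", object=self._name,
                          method=method, allowed=str(allowed).lower())
            if not allowed:
                raise PolicyViolation(key)
            return getattr(self._target, method)(*args)
        return call


# Constructed stand-ins for scriptable hosts.
class Document:
    def getElementById(self, i): return f"<{i}>"
    def write(self, s): return len(s)
    def title(self): return "page"

class FileSystem:
    def CopyFile(self, src, dst): return (src, dst)

class Mailer:
    def SendTo(self, who, what): return (who, what)

HOSTS = {"Document": Document(), "FileSystem": FileSystem(), "Mailer": Mailer()}


def run_script(name, calls, policy):
    """Run a script given as [(object, method, args)] through the enforcer.
    Returns (xml_log, blocked); a script stops at its first disallowed call."""
    log = ET.Element("scriptlog", script=name)
    wrapped = {n: PolicyEnforcer(h, n, policy, log) for n, h in HOSTS.items()}
    blocked = False
    for obj, method, args in calls:
        try:
            getattr(wrapped[obj], method)(*args)
        except PolicyViolation:
            blocked = True
            break
    return ET.tostring(log, encoding="unicode"), blocked


def infer_policy(benign_logs):
    """Allowlist = every Object.Method any benign script was observed to use."""
    policy = set()
    for xml in benign_logs:
        for a in ET.fromstring(xml).iter("action"):
            policy.add(f"{a.get('object')}.{a.get('method')}")
    return policy


def evaluate(policy, labelled):
    """Run unseen labelled scripts under the policy. Returns (fp_rate, fn_rate),
    where 'positive' means the policy blocked the script."""
    fp = fn = benign = malicious = 0
    for name, calls, is_malicious in labelled:
        _, blocked = run_script(name, calls, policy)
        if is_malicious:
            malicious += 1
            fn += not blocked
        else:
            benign += 1
            fp += blocked
    return fp / benign, fn / malicious


# Constructed corpus. Benign scripts do DOM work; the malicious one follows the
# chain in the 'Approach By Way of Example' slide (persist, then mail documents).
BENIGN = [("page1", [("Document", "getElementById", ("nav",)),
                     ("Document", "write", ("hello",))]),
          ("page2", [("Document", "getElementById", ("form",))])]
UNSEEN = [("page3", [("Document", "write", ("x",))], False),
          ("page4", [("Document", "title", ())], False),   # benign, but unseen call
          ("worm", [("FileSystem", "CopyFile", ("self.vbs", "Startup/self.vbs")),
                    ("Mailer", "SendTo", ("all contacts", "documents"))], True)]


def demo():
    benign_logs = [run_script(n, c, None)[0] for n, c in BENIGN]  # observe-only
    policy = infer_policy(benign_logs)
    return policy, evaluate(policy, UNSEEN)


if __name__ == "__main__":
    print(demo())
```

Running demo() infers the allowlist {Document.getElementById, Document.write} from the two benign logs and returns the rates (0.5, 0.0): the malicious chain is stopped at its first action, because CopyFile is not in the allowlist, while page4 is a false positive because it uses a DOM call that no benign training script exercised, which is the “too constraining” risk named on the Major Risks slide. With the policy set to None the enforcer only logs, which corresponds to the logging phase in which the policy is still being extracted.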

Expected Major Achievements
• Software tool to wrap any Win32 application against malicious scripts
• Experimental results on effective policies
• Experimental results on false positives and rates of correct detection

Task Schedule (Gantt chart; timeline Feb ‘00, Jul ‘00, Feb ‘01, Jul ‘01)
Instrument active scripting engine
Explore “real world” usage
Demonstrate proof-of-concept
Benchmark technology against malicious scripts
Deliver prototype implementation
Develop Policies

Technology Transfer
• Patent inventions
• Release and make software freely available
• Market, sell, and license technology to leading commercial vendor in this market space.

Questions, Acknowledgements, and Contact Info
RST Sandboxing Team
• Dur Berrier
• Anup Ghosh
• Timothy Hollebeek
• Michael Pelican
{dur,anup,tim,mpelican}@rstcorp.com
www.rstcorp.com
“Sandboxing Mobile Code Execution Environments”
DARPA Contract #F30602-99-C-0172