Interception and Analysis Framework for Win32 Scripts (not for public release)
Tim Hollebeek, Ph.D., tim@cigital.com
www.cigital.com
Overview
• Background
• Preliminary characterization of attacks/threats
• What we’ve built
• Coverage of threats
• Tech Transfer successes
• Integration
Background: ActiveScripting
• Microsoft architecture for integrating scripts with applications in a language-neutral way.
• Scripting is often used as “Turing glue” to connect and drive disparate software components.
Active Scripting Applications/Hosts
• Web browsers
• Mail readers
• Embedded HTML viewers
• MS Office 2000 applications
• Windows Scripting Host
Active Scripting Languages
• Perl
• JScript
• VBScript/VBA (macros)
• Rexx
• Python
Technical Objectives
• Address the threat of a significant class of mobile malicious code:
  – ActiveScripting (JScript, VBScript)
• Provide an interception and logging framework that allows policies to be developed and enforced
• Constrain active scripting capability effectively to balance:
  – legitimate uses vs. malicious uses
Scope
• Malicious scripts on Microsoft Windows based platforms
  – Script-based viruses, trojans
  – malicious web pages
  – malicious HTML embedded in various files
  – Especially: scripts that use one of about 30 vulnerabilities that allow compromise of the machine from scripts (most recent … 9 days ago)
Attacker Objectives
• Traditional “malware” activities
  – Viruses, trojan horses
• Fully compromising host computers
• Accessing sensitive data/manipulating sensitive functionality
  – Compromising script-aware applications
  – Compromising script-dependent applications
Why is this easy?
• MS Windows contains lots of bad code and very few boundaries
• Microsoft architecture is script-friendly
• “big bag of components”
• Much of this infrastructure built to support distributed applications
Defenses
• Must be at the correct level (or multi-level)
• Most existing defenses aren’t:
  – Secure sessions
  – Filtering
  – Signature schemes
  – Kernel/filesystem level defenses
• Commercial world focused on today’s attacks
Categories of Malicious Scripts
(the slide grades these on a scale from Easy through Hard to Very Hard!)
• Malicious scripts distributed as attachments
• Scripts that exploit the distributed nature of web applications
• Malicious scripts injected into dynamic web pages
• Malicious scripts that manipulate legitimate functionality
• Embedded scripts that exploit flaws in components or host applications
Malicious Script Capability Matrix
Capabilities (columns): Attach, Flaw, Legitimate, Inject, Web-based
Examples (rows): ILOVEYOU, Kak, Malicious web site, E*TRADE hack, E-bayla, Web bugs, E-mail wiretapping, Future threats
Intercepting ActiveScripting
• What works well:
  – Blocking access to flawed components/methods
• Feasible:
  – Correlating script activity with lower level information
  – Reducing exposure of script-aware applications
  – Restricting script actions to safer subset
• Still difficult:
  – Script-dependent and script-based applications
Tech Transfer
• Produced:
  – Robust prototype
    • Capable of extensive logging of script behavior on a number of machines to a remote server
    • Ability to block malicious script actions
    • Stable, efficient
  – Developing prototype into a tool to be used by Air Force community
  – Extensive logs (14,000 distinct scripts, gigabytes of information about their execution)
  – JustBeFriends (~4000 downloads)
Integration
• We can provide:
  • Information on all page views
  • Script contents and URLs
  • Information on script behavior
  • During script execution:
    – Accesses to all members and methods (with parameters) of Automation objects the scripting engine interacts with
    – All actions of the scripting engine
    – Other related COM methods
  • (possibly) user level correlation information
Logs
• 3 Cigital Labs researchers
• 6-12 months of browsing
• Work-related and “other” sites
• Also some “random” browsing (uses Yahoo!)
Architecture
(diagram; components shown: Scripting Engine, Script Actions, Browser Architecture, Events, Event Manager, Policy, XML, Centralized Logging Server)
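Added example, not code from the deck or from the Cigital prototype: a Python model of the interception path that the Architecture slide and the Integration list describe (member accesses on Automation objects, with their parameters, turned into events, checked against a policy, logged as XML for a central server, and either forwarded or refused), including the "blocking access to flawed components/methods" case from the Intercepting ActiveScripting slide. The ProgIDs are real Windows Automation objects, but the stand-in classes, the policy entries, the event schema and the script URLs are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET


class PolicyViolation(PermissionError):
    """Raised into the script in place of the result when the policy says block."""


# Policy table: (ProgID, member) -> action. A member of "*" covers every
# member of that object. "block" refuses the call; "flag" lets it through
# but marks the event for review; anything else is allowed.
# Entries are illustrative, not the prototype's actual policy.
POLICY = {
    ("Scriptlet.TypeLib", "*"): "block",                  # flawed component Kak abused
    ("Scripting.FileSystemObject", "CreateTextFile"): "block",
    ("Scripting.FileSystemObject", "OpenTextFile"): "block",
    ("WScript.Shell", "Run"): "block",
    ("Outlook.Application", "CreateItem"): "flag",        # fine in a macro, suspicious from an attachment
}


class EventManager:
    """Applies the policy and accumulates the XML event stream that would be
    shipped to the centralized logging server (held in memory here)."""

    def __init__(self, policy):
        self.policy = policy
        self.root = ET.Element("events")

    def decide(self, progid, member):
        exact = self.policy.get((progid, member))
        return exact if exact is not None else self.policy.get((progid, "*"), "allow")

    def check(self, script_url, progid, member, args):
        """Log one member access with its parameters and return the action."""
        action = self.decide(progid, member)
        ET.SubElement(self.root, "event", script=script_url, progid=progid,
                      member=member, args=repr(list(args)), action=action)
        return action

    def events(self, action=None):
        return [e for e in self.root if action is None or e.get("action") == action]

    def to_xml(self):
        return ET.tostring(self.root, encoding="unicode")


class Intercepted:
    """Proxy standing in for the hook on an Automation object: the script only
    ever holds the proxy, so every property read and method call (parameters
    included) passes through the event manager before reaching the target."""

    def __init__(self, progid, target, manager, script_url):
        self._progid, self._target = progid, target
        self._mgr, self._script = manager, script_url

    def __getattr__(self, member):
        attr = getattr(self._target, member)
        if not callable(attr):                    # property read
            if self._mgr.check(self._script, self._progid, member, ()) == "block":
                raise PolicyViolation(f"{self._progid}.{member} blocked")
            return attr

        def hooked(*args):                        # method call, parameters go into the event
            if self._mgr.check(self._script, self._progid, member, args) == "block":
                raise PolicyViolation(f"{self._progid}.{member}{args} blocked")
            return attr(*args)
        return hooked


# Stand-ins for the real COM objects, constructed for this example.
class FakeFileSystemObject:
    def FileExists(self, path):
        return path.lower().endswith(".txt")

    def CreateTextFile(self, path):
        return f"<TextStream {path}>"


class FakeOutlook:
    def CreateItem(self, item_type):
        return f"<MailItem type={item_type}>"


class FakeTypeLib:
    Path = ""                                     # the property Kak wrote a path into


def attempt(action):
    """Run one script action; report whether the interceptor let it run."""
    try:
        action()
        return "ran"
    except PolicyViolation:
        return "blocked"


def run_sample():
    """Drive constructed script actions through the interceptor.
    Returns (outcomes, manager) so the event log can be inspected."""
    mgr = EventManager(POLICY)
    page = "http://intranet.example/status.html"            # constructed URL
    attachment = "file:///C:/attach/LOVE-LETTER.TXT.vbs"    # constructed URL
    fso_page = Intercepted("Scripting.FileSystemObject", FakeFileSystemObject(), mgr, page)
    fso_mail = Intercepted("Scripting.FileSystemObject", FakeFileSystemObject(), mgr, attachment)
    outlook = Intercepted("Outlook.Application", FakeOutlook(), mgr, attachment)
    typelib = Intercepted("Scriptlet.TypeLib", FakeTypeLib(), mgr, "http://example.invalid/kak.html")
    outcomes = {
        "page_file_exists": attempt(lambda: fso_page.FileExists("C:\\status.txt")),
        "attachment_create_file": attempt(lambda: fso_mail.CreateTextFile("C:\\Windows\\System\\dropper.vbs")),
        "attachment_mail_item": attempt(lambda: outlook.CreateItem(0)),
        "typelib_path_read": attempt(lambda: typelib.Path),
    }
    return outcomes, mgr


if __name__ == "__main__":
    outcomes, mgr = run_sample()
    print(outcomes)
    print(mgr.to_xml())
```

Run it directly to see the outcomes and the XML the event manager would ship to the logging server. The real hook sits at the COM IDispatch boundary rather than a Python `__getattr__`, but the property the design relies on is the same: the script never obtains a direct reference to the object it wants to drive, so no member access bypasses the policy check or the log.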
Conclusions
• Architecture provides a very successful and flexible way to monitor and control scripts on Windows systems
• Can address commonly exploited risks from malicious scripts, which are unaddressed by the current generation of commercial tools
• Work still needed to get a handle on more complex attacks
The End