Filtering Out Email Exploits By Learning Trusted Functionality. Martin Rinard, Department of Electrical Engineering and Computer Science, Computer Science and Artificial Intelligence Laboratory, MIT.

Presentation transcript:

Filtering Out Email Exploits By Learning Trusted Functionality
Martin Rinard
Department of Electrical Engineering and Computer Science
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Cambridge, MA 02139

The Problem
- Systems provide two kinds of functionality
  - Functionality you want: compose a document, send email, serve web pages
  - Functionality you don't want: buffer overflow vulnerabilities, information leaks, Easter eggs, backdoors, embedded macros, scripts, active fields
- Right now you get both kinds of functionality

The Solution
- Learn which code provides the functionality you want
- Make sure no other code executes
- Application to email vulnerabilities
  - Run the program on trusted emails
  - Learn which code executes
  - Automatically filter all new emails
    - Prerun the program on each new email
    - Filter out messages that (attempt to) exercise new code
    - Only clean messages are delivered to the user's inbox

Pine Email Client (screenshots of the List View and the Message View)

Pine Exploit
- Send a mail message with a carefully crafted FROM field (the slide shows a header of the form To: ... From: \"\"\"\"\")
- Mail folder -> Pine: Pine reads the message, processes the FROM field, overflows a buffer
- End result: Pine crashes before the UI starts up; can't read email …

Learning Code That Provides Desired Functionality
- Training input: mail from … (6497 messages)
- Run Pine on each message, in List View and in Message View
- Record the executed code (DynamoRIO)

Filtering Messages
- Input: mail from 2002 (Jan-Apr)
- Run Pine on each message, in List View and in Message View
- Any new code? (DynamoRIO)
  - No: clean message, delivered to the user's inbox
  - Yes: suspect message, held back

List View Results (mail from 2002, Jan-Apr)
- 2167 messages run through Pine in List View
- Any new code? No: 2124 clean messages; Yes: 43 suspect messages
- 2% false positive rate

Message View Results (mail from 2002, Jan-Apr)
- 2167 messages run through Pine in Message View
- Any new code? No: 2127 clean messages; Yes: 40 suspect messages
- 1.8% false positive rate

Combined List and Message View Results (mail from 2002, Jan-Apr)
- 2167 messages run through Pine in both List View and Message View
- Any new code in either view? No: 2115 clean messages; Yes: 52 suspect messages
- 2.4% false positive rate

Driving the False Positive Rate Lower
- Larger training set
- Tolerate some small amount of new code
- Apply the "procedure test": allow new blocks, but only from previously executed procedures
- False positives for 2002 (Jan-Apr) with the procedure test
  - List View: 2
  - Message View: 0
  - Total false positives: 2 (0.1%)

Finding Exploits
- Hid Pine exploits in the folder
- The method found and filtered out all exploits
- 0% false negative rate

Driving the False Positive Rate Even Lower
- How much room is there between the Pine exploit and the false positives?
- Pine exploit (List View): 42 new procedures, 339 new blocks
- False positives (List View): 4 new procedures, 108 new blocks
- Consistent with Sam Larsen's results

Intriguing Tidbit
- Some new code executions are caused by benign changes in the environment
  - Time changes
  - Who knows what else
- Need to periodically rerun the trusted inputs to avoid an increased false positive rate
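The pipeline from "The Solution" slide, the procedure test, and the retraining point above, as an added example that is not code from the presentation, from Pine, or from DynamoRIO. In place of an instrumented client it uses a constructed simulation, simulated_client, whose traces are lists of (procedure, basic-block) pairs, the kind of record a binary instrumentation tool would produce; the message fields, block numbers, the "clock year" environment variable, and the ground-truth exploit flag are all constructed for the example.

```python
"""
Filtering inputs by learned trusted functionality.

Added example (not code from the presentation, Pine, or DynamoRIO): the
instrumented client is replaced by the constructed `simulated_client`, whose
output is the list of (procedure, basic-block) pairs one run executes.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Trace = List[Tuple[str, int]]  # (procedure name, basic-block id within it)


def simulated_client(message: Dict[str, str], clock_year: int) -> Trace:
    """Constructed stand-in for an instrumented mail client: returns the code
    path taken to display one message. `clock_year` models the environment
    (the current date), not anything in the message."""
    trace: Trace = [("read_message", 0), ("parse_headers", 0)]
    sender = message.get("From", "")
    trace.append(("parse_from", 1 if '"' in sender else 0))
    if len(sender) > 64:
        # Toy model of the crash on the slides: an over-long sender drives the
        # client into procedures that no clean message ever reaches.
        trace += [("parse_from", 7), ("signal_handler", 0), ("crash_dump", 0)]
        return trace
    subject = message.get("Subject", "")
    trace.append(("render_list", 3 if subject.startswith("Re:") else 0))
    msg_year = int(message.get("Date", "0000")[-4:])
    # Benign environment dependence: a date outside the current year is
    # rendered by a different block than a date inside it.
    trace.append(("format_date", 1 if msg_year == clock_year else 2))
    return trace


class TrustedCodeModel:
    """Procedures and blocks observed while running the trusted inputs."""

    def __init__(self) -> None:
        self.blocks: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, trace: Trace) -> None:
        for proc, block in trace:
            self.blocks[proc].add(block)

    def new_code(self, trace: Trace, test: str) -> List[Tuple[str, int]]:
        """Code in `trace` that training never executed.
        test="block": any unseen block counts (strict test).
        test="procedure": only blocks of never-executed procedures count;
        new blocks inside known procedures are tolerated (the procedure test)."""
        unseen = []
        for proc, block in trace:
            if proc not in self.blocks:
                unseen.append((proc, block))
            elif test == "block" and block not in self.blocks[proc]:
                unseen.append((proc, block))
        return unseen


def train(folder: List[Dict[str, str]], clock_year: int) -> TrustedCodeModel:
    """Prerun the client on every trusted message and record what executes."""
    model = TrustedCodeModel()
    for message in folder:
        model.learn(simulated_client(message, clock_year))
    return model


def filter_folder(model: TrustedCodeModel, folder: List[Dict[str, str]],
                  clock_year: int, test: str):
    """Prerun the client on each new message: deliver those that execute no
    new code, hold the rest as suspect along with the new code they reached."""
    clean, suspect = [], {}
    for i, message in enumerate(folder):
        unseen = model.new_code(simulated_client(message, clock_year), test)
        if unseen:
            suspect[i] = unseen
        else:
            clean.append(i)
    return clean, suspect


def false_positives_and_negatives(folder, suspect) -> Tuple[int, int]:
    """Benign messages held (FP) and exploit messages delivered (FN), judged
    by the constructed ground-truth "exploit" flag on each message."""
    fp = sum(1 for i, m in enumerate(folder) if i in suspect and not m.get("exploit"))
    fn = sum(1 for i, m in enumerate(folder) if i not in suspect and m.get("exploit"))
    return fp, fn


# Constructed trusted folder (training) and incoming folder (to be filtered).
TRUSTED = [
    {"From": "alice@example.org", "Subject": "lunch", "Date": "Mon, 3 Jan 2001"},
    {"From": '"Bob" <bob@example.org>', "Subject": "draft", "Date": "Tue, 4 Jan 2001"},
]
INCOMING = [
    {"From": "carol@example.org", "Subject": "hello", "Date": "Wed, 9 Jan 2001"},
    {"From": "dave@example.org", "Subject": "Re: lunch", "Date": "Thu, 10 Jan 2001"},
    {"From": '"' * 80 + " <x@example.org>", "Subject": "hi",
     "Date": "Fri, 11 Jan 2001", "exploit": True},
]


def run_pipeline() -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Train on mail with the 2001 clock, filter with the 2002 clock, then
    rerun the trusted inputs in the new environment; (FP, FN) per phase/test."""
    results = {}
    model = train(TRUSTED, clock_year=2001)
    for test in ("block", "procedure"):
        _, suspect = filter_folder(model, INCOMING, 2002, test)
        results[("before_retrain", test)] = false_positives_and_negatives(INCOMING, suspect)
    # Periodic retraining: benign environment change (the year rolled over)
    # stops looking like new code once trusted inputs are rerun under it.
    for message in TRUSTED:
        model.learn(simulated_client(message, 2002))
    for test in ("block", "procedure"):
        _, suspect = filter_folder(model, INCOMING, 2002, test)
        results[("after_retrain", test)] = false_positives_and_negatives(INCOMING, suspect)
    return results


if __name__ == "__main__":
    for (phase, test), (fp, fn) in run_pipeline().items():
        print(f"{phase:15s} {test:9s} false positives={fp} false negatives={fn}")
```

Before retraining, the strict block test holds both benign messages because the clock change moved date formatting onto a block never seen in training; the procedure test tolerates that and holds only the over-long sender, which is the only message entering never-executed procedures. After the trusted inputs are rerun with the new clock, the block test still flags the "Re:" message (a new block in a known procedure) while the procedure test reports no false positives, mirroring the 2% versus 0.1% gap on the slides.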

What About Other Applications?

Microsoft Word, Outlook vulnerabilities identified
By Paul Roberts, September 13, :07 pm PT

BOSTON - VULNERABILITIES have been identified in two widely-used Microsoft products, Microsoft Word and Outlook Express. In Microsoft Word's case, an attacker could steal data from a victim's hard disk, according to alerts posted on the Bugtraq Web site weeks ago and acknowledged by Microsoft on Friday. It would work like this: The attacker creates a Word 97 document and embeds hidden fields, such as the "IncludeText" field, in it. The attacker then emails the malicious document to the intended victim. When the victim opens the document, the fields retrieve data from the hard disk. The attacker would then receive the stolen data in the document when the victim emails it back to him.

Part of standard Microsoft Word functionality!

What About Other Applications?

M-073: Microsoft Outlook Editor Vulnerability [Microsoft Security Bulletin MS02-021]
April 26, :00 GMT

PROBLEM: A security vulnerability exists when Outlook is configured to use Microsoft Word as the email editor and the user forwards or replies to a mail from an attacker.
PLATFORM: Systems using the following applications for email: Microsoft Outlook 2000, Microsoft Outlook 2002.
DAMAGE: An attacker could exploit this vulnerability by sending a specially malformed HTML email containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the email, the script would then run, and be capable of taking any action the user could take.
SOLUTION: Apply the patch supplied by the vendor.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious email. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

Filtering Individual Pieces
- Filtering operates on a sequence of pieces
  - Email messages in a folder
  - Data items in a Word document
  - Commands in a PowerPoint presentation
- Can filter out individual pieces (not the entire folder, document, or presentation)
  - Can eliminate macros from PowerPoint files
  - Can eliminate active fields from Word files
  - Leaves the rest of the content intact

What About Other Applications?
- Many applications have input file cleanliness issues
  - JPEG images, PDF files
  - Configuration files
  - Scripts, macros, active fields
- Key issue is training
  - Pine is relatively small and simple
  - Other applications may be harder to train
  - Need more trusted inputs
  - Maybe use a less stringent cleanliness test

Application Community Involvement
- Training
  - Source of a broad range of trusted inputs
  - Share the vetting load for external inputs
- Production
  - Share the investigation of suspect inputs
  - Minimize the population exposed to exploits

Conclusion
- Right now you get both kinds of functionality: desirable and undesirable
- Can learn the desirable functionality and eliminate the undesirable functionality
- Works great for filtering Pine email messages
- Potential for other applications as well

Applying the Basic Idea to Pine
- Trusted messages -> Pine -> record executed code
- New messages -> Pine -> does any new code try to execute?
  - No: clean messages, delivered to the user's folder
  - Yes: suspect messages
- DynamoRIO from Determina!