1 Filtering Out Email Exploits By Learning Trusted Functionality
Martin Rinard
Department of Electrical Engineering and Computer Science
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Cambridge, MA 02139

2 The Problem
Systems provide two kinds of functionality
  Functionality you want
    Compose a document
    Send email
    Serve web pages
  Functionality you don’t want
    Buffer overflow vulnerabilities
    Information leaks
    Easter eggs, backdoors
    Embedded macros, scripts, active fields
Right now you get both kinds of functionality

3 The Solution
Learn which code provides functionality you want
Make sure no other code executes
Application to email vulnerabilities
  Run email program on trusted emails
  Learn which code executes
  Automatically filter all new emails
    Prerun email program on new emails
    Filter out messages that (attempt to) exercise new code
    Only clean messages delivered to user’s inbox

4 Pine Email Client
[Screenshots: List View, Message View]

5 Pine Email Exploit
Send mail message with a carefully crafted FROM field:
  To: john.doe@cs.uni.edu
  From: \"\"\"\"\"
Mail folder -> Pine
  Pine reads message
  Processes FROM field
  Overflows buffer
End result
  Pine crashes before UI starts up
  Can’t read email…

6 Learning Code That Provides Desired Functionality
Mail from 1997-2001 (6497 messages) -> Pine (List View, Message View)
Record Executed Code (DynamoRIO)

7 Filtering Email Messages
Mail from 2002 (Jan-Apr) -> Pine (List View, Message View)
Any New Code? (DynamoRIO)
  No  -> Clean Messages -> User’s Inbox
  Yes -> Suspect Messages

8 List View Results
Mail from 2002 (Jan-Apr): 2167 messages -> Pine (List View)
Any New Code?
  No  -> Clean Messages: 2124 messages
  Yes -> Suspect Messages: 43 messages
2% False Positive Rate

9 Message View Results
Mail from 2002 (Jan-Apr): 2167 messages -> Pine (Message View)
Any New Code?
  No  -> Clean Messages: 2127 messages
  Yes -> Suspect Messages: 40 messages
1.8% False Positive Rate

10 Combined List and Message View Results
Mail from 2002 (Jan-Apr): 2167 messages -> Pine (List View, Message View)
Any New Code?
  No  -> Clean Messages: 2115 messages
  Yes -> Suspect Messages: 52 messages
2.4% False Positive Rate

11 Driving False Positive Rate Lower
Larger training set
Tolerate some small amount of new code
  Apply the “procedure test”
  Allow new blocks, but only from previously executed procedures
False Positives for 2002 (Jan-Apr), procedure test
  List View: 2
  Message View: 0
  Total False Positives: 2 (0.1%)
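The learn-then-filter loop of slides 3, 6, 7 and 11, as an added, self-contained illustration that is not code from the talk and uses neither Pine nor DynamoRIO. Python's line tracer (sys.settrace) stands in for DynamoRIO's record of executed basic blocks, with a (procedure, line) pair playing the role of a block; a toy From: header parser stands in for Pine; the trusted and new messages are constructed sample data. It shows both the strict "any new code?" test and the relaxed "procedure test", and why they classify the three kinds of new message differently.

```python
import sys
from typing import Callable, Dict, List, Set, Tuple

# A "block" here is a (procedure name, source line) pair recorded by Python's
# line tracer; it stands in for the DynamoRIO basic-block records of the talk.
Location = Tuple[str, int]

# ---- Toy stand-in for Pine's From: header processing (constructed, not Pine code) ----
def parse_from(header: str) -> str:
    """Return the address or display name carried by a From: header line."""
    value = header.split(":", 1)[1].strip()
    if "<" in value:                      # "Name <addr>": take the angle-bracket part
        return value[value.index("<") + 1:value.index(">")]
    if value.startswith('"'):             # bare quoted display name, no address
        return unquote_display_name(value)
    if "(" in value:                      # "addr (comment)": drop the comment
        value = value[:value.index("(")].strip()
    return value

def unquote_display_name(value: str) -> str:
    """Strip the surrounding quotes and unescape \\" inside a quoted display name."""
    inner = value.strip('"')
    if '\\"' in inner:
        inner = inner.replace('\\"', '"')
    return inner

def render_list_view(messages: List[str]) -> List[str]:
    """The 'list view': one parsed From: entry per message in the folder."""
    return [parse_from(m) for m in messages]

# ---- Record which code executes (the DynamoRIO role) ----
def record_executed_code(func: Callable, *args) -> Set[Location]:
    """Run func(*args) under a line tracer and return every (procedure, line)
    executed in this file. Only callee frames are traced, not this function."""
    here = record_executed_code.__code__.co_filename
    executed: Set[Location] = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != here:
            return None                   # ignore library code
        if event == "line":
            executed.add((frame.f_code.co_name, frame.f_lineno))
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(previous)
    return executed

def learn_trusted(func: Callable, trusted_messages: List[str]) -> Set[Location]:
    """Training (slide 6): union of the code executed for each trusted message."""
    trusted: Set[Location] = set()
    for msg in trusted_messages:
        trusted |= record_executed_code(func, [msg])
    return trusted

# ---- Pre-run on one new message and ask "any new code?" (slides 7 and 11) ----
def filter_message(trusted: Set[Location], func: Callable, msg: str) -> Dict[str, object]:
    new_code = record_executed_code(func, [msg]) - trusted
    trusted_procedures = {proc for proc, _ in trusted}
    return {
        "strict_clean": not new_code,                    # slide 7: no new blocks at all
        "procedure_test_clean": all(                     # slide 11: new blocks tolerated
            proc in trusted_procedures for proc, _ in new_code),  # if procedure is known
        "new_code": sorted(new_code),
    }

# ---- Constructed sample folders ----
TRUSTED_MESSAGES = [                      # plays the role of the 1997-2001 mail
    "From: alice@example.org",
    "From: Bob Example <bob@example.org>",
    'From: "Carol Example" <carol@example.org>',
]
NEW_MESSAGES = {                          # plays the role of incoming 2002 mail
    "clean": "From: Dave Example <dave@example.org>",
    "new_block": "From: frank@example.org (Frank Example)",  # new branch, known procedure
    "new_procedure": 'From: "Grace Example"',                # reaches never-trained code
}

def demo() -> Dict[str, Dict[str, object]]:
    trusted = learn_trusted(render_list_view, TRUSTED_MESSAGES)
    return {name: filter_message(trusted, render_list_view, msg)
            for name, msg in NEW_MESSAGES.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it, "clean" passes both tests, "new_block" fails the strict test (it is the kind of message the talk counts as a false positive) but passes the procedure test because the only new line is inside parse_from, and "new_procedure" fails both because it pulls in a procedure the trusted folder never executed. The slide 14 caveat applies here too: re-run learn_trusted after any change to the environment, or the trusted set goes stale and the strict test starts flagging benign mail.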

12 Finding Exploits
Hid Pine exploits in email folder
Method found and filtered out all exploits
0% false negative rate

13 Driving False Positive Rate Even Lower
How much room is there between the Pine exploit and the false positives?
Pine Exploit (list view)
  New procedures: 42
  New blocks: 339
False Positives (list view)
  New procedures: 4
  New blocks: 108
Consistent with Sam Larsen’s results

14 Intriguing Tidbit
Some new code executions caused by benign changes in environment
  Time changes
  Who knows what else
Need to periodically rerun trusted inputs to avoid increased false positive rate

15 What About Other Applications?
Microsoft Word, Outlook vulnerabilities identified
By Paul Roberts, September 13, 2002 5:07 pm PT

BOSTON - VULNERABILITIES have been identified in two widely-used Microsoft products, Microsoft Word and Outlook Express. In Microsoft Word's case, an attacker could steal data from a victim's hard disk, according to alerts posted on the Bugtraq Web site weeks ago and acknowledged by Microsoft on Friday. It would work like this: The attacker creates a Word 97 document and embeds hidden fields, such as the "IncludeText" field, in it. The attacker then e-mails the malicious document to the intended victim. When the victim opens the document, the fields retrieve data from the hard disk. The attacker would then receive the stolen data in the document when the victim e-mails it back to him.

Part of standard Microsoft Word functionality!

16 What About Other Applications?
M-073: Microsoft Outlook E-mail Editor Vulnerability [Microsoft Security Bulletin MS02-021]
April 26, 2002 15:00 GMT
PROBLEM: A security vulnerability exists when Outlook is configured to use Microsoft Word as the e-mail editor and the user forwards or replies to a mail from an attacker.
PLATFORM: Systems using the following applications for e-mail: Microsoft Outlook 2000, Microsoft Outlook 2002
DAMAGE: An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.
SOLUTION: Apply the patch supplied by vendor.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

17 Filtering Individual Pieces
Filtering operates on a sequence of pieces
  Email messages in folder
  Data items in a Word document
  Commands in PowerPoint presentation
Can filter out individual pieces (not entire folder, document, or presentation)
  Can eliminate macros from PowerPoint files
  Can eliminate active fields from Word files
  Leaves rest of content intact

18 What About Other Applications?
Many applications have input file cleanliness issues
  JPEG images, PDF files
  Configuration files
  Scripts, macros, active fields
Key issue is training
  Pine is relatively small and simple
  Other applications may be harder to train
    Need more trusted inputs
    Maybe use less stringent cleanliness test

19 Application Community Involvement
Training
  Source of broad range of trusted inputs
  Share vetting load for external inputs
Production
  Share investigation of suspect inputs
  Minimize population exposed to exploits

20 Conclusion
Right now you get both kinds of functionality
  Desirable
  Undesirable
Can learn desirable functionality
Eliminate undesirable functionality
Works great for filtering Pine email messages
Potential for other applications as well

21 Applying Basic Idea to Pine
Trusted Messages -> Pine -> Record Executed Code
New Messages -> Pine -> Does Any New Code Try To Execute?
  No  -> Clean Messages -> User’s Folder
  Yes -> Suspect Messages
DynamoRIO from Determina!

