Wednesday, December 30, 2009

Java Script Analysis - IPS Device Requirement?

Number of unique attacks on client applications are increasing and in recent past the number of attacks on client applications exceeded the attacks on server applications.  Javascript based attacks is one big chunk of attacks in client side category(it is also called target initiated attacks).  Almost all exploitations of client applications are possible only when the user is attracted to visit some malicious site hosting malicious content  or when user opens bad attachment in received email.    Typically,  whenever user downloads content or opens an attachment in email, appropriate application will be opened to render the data.  Attackers construct the data such a way that it exploits vulnerability in the application.  Vulnerability exploitation can lead to corrupting the system,  getting control of the system and to install troajns, botnets etc.. 

ActiveX application exploitation is one popular method.  ActiveX applications are controlled via javascripts in the pages of the site user is visiting.  Some of these applications don't sanitize the input to their functions.  Attackers take advantage of this and serve the pages with javascript which sends the bad input the functions. I would categorize the type of attacks into following:
  •  Buffer overflow attacks:  Sending long argument to the Activex functions via java script. This can result into taking control of machine by attacker.
  •  Remote Code Execution :  Executing commands via command line tools. Some activex programs provide functions which can execute programs given to them via arguments.
  • Overwriting some files:  Using some vulnerable activex programs, attackers can overwrite any file content.  Typically it is used by attackers to overwrite some system programs with their own executable.
  • Setting and Getting Registry values.
  • Information disclosure :  Reading any arbitrary file contents via activex functions. 
There are other javascript attacks that are possible on the browser itself.  As you all know, browser is complicated applications. It has several modules/functions built into it. Some of these modules can be controlled/accessible via javascript.   Any vulnerability in these modules can be exploited via javascript.   Some of the attacks of this nature are:
  •  DOM Manipulation of HTML page by embedded java script:  Some DOM Manipulations result into browser crash while they are rendered or during cleanup or garbage collection process.
    • Removal of child elements.
    • Modification of child elements
    • Assigning bad values to the elements.
    • Creating circular references across parent and children.
IPS Challenges:

Simple Pattern based detection does not work well to detect these kinds of attacks.
  • Java script is a language by itself.  Patterns can be hidden very easily either through encoders or by different ways of programming logic to generate string (or argument to the ActiveX function). 
  • Simple pattern based protection systems stop (alert) the traffic whenever CLSID and vulnerable method are present.  That is, they don't check for the exploiting argument to the method. This could result into false positives. 
  • Simple pattern based protection systems assume that CLSID and vulnerable methods are present within same packet or together separated by few bytes such as 2K/4K etc..  This can be used by attackers to put these two strings far apart by introducing lot of dummy java script logic or DOM elements. This is one example and there are many ways to evade the detection by IPS devices. Another example is different scripts in the same HTML page exploiting the vulnerability. That is, one java script in beginning of HTML page storing some data in DOM tree and second Java script using this data to pass the bad argument to the vulnerable method.
What IPS Devices need to do?

One way I can think of is adoption of well known sandbox model to detect bad javascripts with less false positives and negatives. Sandbox mechanism typically involves executing javascript in a safe environment.  Internal flow would be some thing like this:
  • Using transparent proxies or WCCP or other mechanisms, collect the HTML data.
  • Get hold of all Java scripts in the page.  If the page is referring to JS file via include primitive, download those java script files too. If the script is referred in the HTTP Referer method, get that too.
  • Concatenate all java scripts into one single entity (file/buffer) and pass it onto sandbox. It is also required to concatenate javascript in IPS rules (which catches the exploit) before passing onto the sandbox.
  • Ensure the sandbox is created in virtual environment (Linux containers is fastest)
  • Before running javascript, create the browser environment.
  • If the javascript that was concatenated from IPS rule is executed and catches the condition that was put in the javascript,  then it can be considered as hit and IPS can take action based on the severity of the rule. Actions include alerting the administrator or stopping the HTML page going to the Client.
Yes. This could be CPU intensive, but it is required beast in my view. Offloading this kind of scanning from the end client would benefit battery powered devices such as Smart phones,  Netbooks etc.. Even in desktop/laptop world, it provides benefit of detecting these at one central place and provided better control for administartors.  With advent of Multicore processors, this kind of processing can be done at central place.

What are security considerations the IPS devices need to worry about?

Malware developers are smart and they continue to evade the detection by intermediate security devices and even try to attack these protection systems.
  • Always use Sandbox mechanism:  If javascript that is being analysed is doing some mischief on system resources, only sandbox system would be affected, but not the rest of protection system.
  • Time the amount of time the analysis is taking and if it exceeds some predefined time kill the analyzing process.   Attackers can develop javascript that goes in continuous loop and can take awayall CPU cycles of protection system.
  • Override some Javascript functions to get better control and get out in case of any issue found.
Detection and protection of internal systems is CPU intensive, but necessary evil in the IPS systems. Many IPS devices in the market don't do good job of detecting these attacks. I believe that in coming years, many IPS devices would have intelligent way of detecting javascript attacks.  Sandbox mechanism is one method I believe would be popular.

No comments: