Filtering Out Email Exploits By Learning Trusted Functionality Martin Rinard Department of Electrical Engineering and Computer Science Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139


Filtering Out Email Exploits By Learning Trusted Functionality

Martin Rinard
Department of Electrical Engineering and Computer Science
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Cambridge, MA 02139

The Problem

• Systems provide two kinds of functionality
• Functionality you want
  • Compose a document
  • Send email
  • Serve web pages
• Functionality you don’t want
  • Buffer overflow vulnerabilities
  • Information leaks
  • Easter eggs, backdoors
  • Embedded macros, scripts, active fields
• Right now you get both kinds of functionality

The Solution

• Learn which code provides functionality you want
• Make sure no other code executes
• Application to email vulnerabilities
  • Run email program on trusted emails
  • Learn which code executes
  • Automatically filter all new emails
    • Prerun email program on new emails
    • Filter out messages that (attempt to) exercise new code
    • Only clean messages delivered to user’s inbox

Pine Email Client

[Screenshots: List View, Message View]

Pine Email Exploit

• Send a mail message with a carefully crafted FROM field:

    To: [email protected]
    From: <code>"""""<addr>

• Message lands in the mail folder
• Pine reads the message, processes the FROM field, overflows a buffer
• End result: Pine crashes before the UI starts up; can’t read email…

Learning Code That Provides Desired Functionality

• Trusted inputs: mail from 1997-2001 (6497 messages)
• Run Pine on them (List View, Message View)
• Record the executed code with DynamoRIO

Filtering Email Messages

• New inputs: mail from 2002 (Jan-Apr)
• Run Pine on each message (List View, Message View) under DynamoRIO
• Any new code?
  • No → clean message → user’s inbox
  • Yes → suspect message

Filtering Results: List View, Message View, Combined

Mail from 2002 (Jan-Apr), 2167 messages. All of them are benign, so every suspect message (one that exercised code not seen in training) counts as a false positive; clean messages go to the user’s inbox.

  View                          Suspect   Clean   False Positive Rate
  List View                          43    2124   2%
  Message View                       40    2127   1.8%
  Combined List + Message View       52    2115   2.4%

Driving False Positive Rate Lower

• Larger training set
• Tolerate some small amount of new code
• Apply the “procedure test”
  • Allow new blocks
  • But only from previously executed procedures
• False positives for 2002 (Jan-Apr) with the procedure test
  • List View: 2
  • Message View: 0
  • Total false positives: 2 (0.1%)

Finding Exploits

• Hid Pine exploits in the email folder
• Method found and filtered out all exploits
• 0% false negative rate

Driving False Positive Rate Even Lower

• How much room is there between the Pine exploit and the false positives?
• Pine exploit (list view)
  • New procedures: 42
  • New blocks: 339
• False positives (list view)
  • New procedures: 4
  • New blocks: 108
• Consistent with Sam Larsen’s results

Intriguing Tidbit

• Some new code executions caused by benign changes in environment
  • Time changes
  • Who knows what else
• Need to periodically rerun trusted inputs to avoid increased false positive rate
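The learn-then-filter pipeline from the Solution slide, the procedure test, and the periodic re-run of trusted inputs from the tidbit above, as an added worked example in Python. This is not Rinard’s code and not a DynamoRIO client: a real deployment records the basic blocks Pine executes with DynamoRIO; here the procedure names (parse_header, parse_from, parse_date, render_list, copy_quoted, unwind_on_fault), the block addresses and every trace are constructed stand-ins for that recorded coverage.

```python
# Added example: coverage-profile filtering in the style of the slides.
# Not Rinard's code and not a DynamoRIO client; all procedure names, block
# addresses and traces are constructed stand-ins for recorded coverage.
from collections import defaultdict


def learn_profile(traces):
    """Union of (procedure -> executed blocks) over all trusted traces."""
    profile = defaultdict(set)
    for trace in traces:
        for proc, block in trace:
            profile[proc].add(block)
    return dict(profile)


def new_code(profile, trace):
    """Procedures and (procedure, block) pairs in trace the profile never saw."""
    new_procs, new_blocks = set(), set()
    for proc, block in trace:
        if proc not in profile:
            new_procs.add(proc)
            new_blocks.add((proc, block))
        elif block not in profile[proc]:
            new_blocks.add((proc, block))
    return new_procs, new_blocks


def new_code_counts(profile, trace):
    """(#new procedures, #new blocks), the two numbers the slides compare."""
    new_procs, new_blocks = new_code(profile, trace)
    return len(new_procs), len(new_blocks)


def is_suspect(profile, trace, test="strict"):
    """strict: any unseen block makes the input suspect.
    procedure: unseen blocks are tolerated inside previously executed
    procedures; only an unseen procedure makes the input suspect."""
    new_procs, new_blocks = new_code(profile, trace)
    if test == "strict":
        return bool(new_blocks)
    if test == "procedure":
        return bool(new_procs)
    raise ValueError(f"unknown test {test!r}")


def filter_folder(profile, folder, test="strict"):
    """Split (message_id, trace) pairs into (clean, suspect); only the clean
    messages would be delivered to the user's inbox."""
    clean, suspect = [], []
    for msg_id, trace in folder:
        (suspect if is_suspect(profile, trace, test) else clean).append(msg_id)
    return clean, suspect


# Constructed traces: parse headers, parse From, parse Date, draw the list view.
COMMON = [("parse_header", 0x10), ("parse_header", 0x11), ("parse_from", 0x20)]
TRUSTED_TRACES = [
    COMMON + [("parse_from", 0x21), ("parse_date", 0x30), ("render_list", 0x40)],  # bare address
    COMMON + [("parse_from", 0x22), ("parse_date", 0x30), ("render_list", 0x40)],  # quoted name
]

NEW_FOLDER = [
    # same code paths as the training set
    ("msg-a", COMMON + [("parse_from", 0x21), ("parse_date", 0x30), ("render_list", 0x40)]),
    # benign environment change: a Date branch (say, year rollover) unreached in training
    ("msg-b", COMMON + [("parse_from", 0x22), ("parse_date", 0x31), ("render_list", 0x40)]),
    # malformed From field: enters two procedures the trusted mail never touched
    ("msg-c", COMMON + [("parse_from", 0x23), ("copy_quoted", 0x50), ("copy_quoted", 0x51),
                        ("unwind_on_fault", 0x60)]),
]

PROFILE = learn_profile(TRUSTED_TRACES)

# Periodic re-run of the trusted inputs after the environment changed: the
# rollover branch now shows up in a trusted trace, so it joins the profile.
RERUN_TRACE = COMMON + [("parse_from", 0x21), ("parse_date", 0x31), ("render_list", 0x40)]
RETRAINED_PROFILE = learn_profile(TRUSTED_TRACES + [RERUN_TRACE])


if __name__ == "__main__":
    for test in ("strict", "procedure"):
        clean, suspect = filter_folder(PROFILE, NEW_FOLDER, test)
        print(f"{test:9s} clean={clean} suspect={suspect}")
    for msg_id, trace in NEW_FOLDER:
        print(msg_id, "new procedures/blocks:", new_code_counts(PROFILE, trace))
    clean, suspect = filter_folder(RETRAINED_PROFILE, NEW_FOLDER, "strict")
    print(f"retrained clean={clean} suspect={suspect}")
```

Under the strict test msg-b is a false positive of exactly the kind the tidbit describes; the procedure test lets it through because parse_date was already trusted, while msg-c trips both tests because it enters procedures no trusted message ever executed. Re-running the trusted set after the environment change folds the new branch into the profile, so the strict test stops flagging msg-b without any change to the test itself. The price of the procedure test is the gap it opens: an input that reaches only new blocks inside already-trusted procedures is no longer flagged, which is why the slides compare the exploit’s 42 new procedures against the false positives’ 4.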

What About Other Applications?

Microsoft Word, Outlook vulnerabilities identified
By Paul Roberts, September 13, 2002 5:07 pm PT

BOSTON - VULNERABILITIES have been identified in two widely-used Microsoft products, Microsoft Word and Outlook Express.

In Microsoft Word's case, an attacker could steal data from a victim's hard disk, according to alerts posted on the Bugtraq Web site weeks ago and acknowledged by Microsoft on Friday.

It would work like this: The attacker creates a Word 97 document and embeds hidden fields, such as the "IncludeText" field, in it. The attacker then e-mails the malicious document to the intended victim. When the victim opens the document, the fields retrieve data from the hard disk. The attacker would then receive the stolen data in the document when the victim e-mails it back to him.

Part of standard Microsoft Word functionality!

What About Other Applications?

M-073: Microsoft Outlook E-mail Editor Vulnerability [Microsoft Security Bulletin MS02-021]
April 26, 2002 15:00 GMT

PROBLEM: A security vulnerability exists when Outlook is configured to use Microsoft Word as the e-mail editor and the user forwards or replies to a mail from an attacker.

PLATFORM: Systems using the following applications for e-mail: Microsoft Outlook 2000, Microsoft Outlook 2002

DAMAGE: An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.

SOLUTION: Apply the patch supplied by vendor.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

Filtering Individual Pieces

• Filtering operates on a sequence of pieces
  • Email messages in a folder
  • Data items in a Word document
  • Commands in a PowerPoint presentation
• Can filter out individual pieces (not the entire folder, document, or presentation)
  • Can eliminate macros from PowerPoint files
  • Can eliminate active fields from Word files
• Leaves the rest of the content intact

What About Other Applications?

• Many applications have input file cleanliness issues
  • JPEG images, PDF files
  • Configuration files
  • Scripts, macros, active fields
• Key issue is training
  • Pine is relatively small and simple
  • Other applications may be harder to train
  • Need more trusted inputs
  • Maybe use a less stringent cleanliness test

Application Community Involvement

• Training
  • Source of a broad range of trusted inputs
  • Share the vetting load for external inputs
• Production
  • Share investigation of suspect inputs
  • Minimize the population exposed to exploits

Conclusion

• Right now you get both kinds of functionality
  • Desirable
  • Undesirable
• Can learn desirable functionality
• Eliminate undesirable functionality
• Works great for filtering Pine email messages
• Potential for other applications as well

Applying Basic Idea to Pine

[Diagram]
• Training: trusted messages → Pine → record executed code
• Filtering: new messages → Pine → does any new code try to execute?
  • No → clean messages → user’s folder
  • Yes → suspect messages
• Instrumentation: DynamoRIO from Determina!