Filtering Out Email Exploits By Learning Trusted Functionality
Martin Rinard
Department of Electrical Engineering and Computer Science
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Cambridge, MA 02139
The Problem
• Systems provide two kinds of functionality
• Functionality you want
  • Compose a document
  • Send email
  • Serve web pages
• Functionality you don't want
  • Buffer overflow vulnerabilities
  • Information leaks
  • Easter eggs, backdoors
  • Embedded macros, scripts, active fields
• Right now you get both kinds of functionality
The Solution
• Learn which code provides functionality you want
• Make sure no other code executes
• Application to email vulnerabilities
  • Run email program on trusted emails
  • Learn which code executes
  • Automatically filter all new emails
    • Prerun email program on new emails
    • Filter out messages that (attempt to) exercise new code
    • Only clean messages delivered to user's inbox
Pine Email Exploit
• Send mail message with carefully crafted FROM field:
  To: [email protected]: <code>\"\"\"\"\"<addr>
• Message is stored in the mail folder
• Pine
  • Pine reads message
  • Processes FROM field
  • Overflows buffer
• End result
  • Pine crashes before UI starts up
  • Can't read email…
Learning Code That Provides Desired Functionality
• Trusted input: mail from 1997-2001 (6497 messages)
• Run Pine on each message
  • List View
  • Message View
• Record executed code (DynamoRIO)
Filtering Email Messages
• New input: mail from 2002 (Jan-Apr)
• Run Pine on each message, recording executed code (DynamoRIO)
  • List View
  • Message View
• Any new code?
  • No: clean message, delivered to user's inbox
  • Yes: suspect message, filtered out
List View Results
• Mail from 2002 (Jan-Apr): 2167 messages
• Pine List View, any new code?
  • No: 2124 clean messages
  • Yes: 43 suspect messages
• 2% false positive rate
Message View Results
• Mail from 2002 (Jan-Apr): 2167 messages
• Pine Message View, any new code?
  • No: 2127 clean messages
  • Yes: 40 suspect messages
• 1.8% false positive rate
Combined List and Message View Results
• Mail from 2002 (Jan-Apr): 2167 messages
• Pine List View and Message View, any new code in either?
  • No: 2115 clean messages
  • Yes: 52 suspect messages
• 2.4% false positive rate
Driving False Positive Rate Lower
• Larger training set
• Tolerate some small amount of new code
• Apply the "procedure test"
  • Allow new blocks
  • But only from previously executed procedures
• False positives for 2002 (Jan-Apr), procedure test
  • List View: 2
  • Message View: 0
  • Total false positives: 2 (0.1%)
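The learning and filtering steps above (trusted set from training traces, then a per-message "any new code?" decision), together with the strict block test and the procedure test, as an added Python example that is not part of the talk's DynamoRIO-based implementation. The traces, procedure names and block names are constructed stand-ins for what a recording of Pine would produce.

```python
from collections import defaultdict

# Constructed DynamoRIO-style traces: each trace is the list of
# (procedure, basic block) pairs executed while Pine processes one message.
TRUSTED_TRACES = [
    [("parse_from", "b0"), ("parse_from", "b1"), ("list_view", "b0")],
    [("parse_from", "b0"), ("parse_from", "b2"), ("list_view", "b0"), ("list_view", "b1")],
]

def learn_trusted(traces):
    """Training: record, per procedure, every block executed on trusted input."""
    trusted = defaultdict(set)
    for trace in traces:
        for proc, block in trace:
            trusted[proc].add(block)
    return dict(trusted)

def new_code(trusted, trace):
    """Return (new procedures, new blocks) a trace exercises beyond the trusted set."""
    new_procs, new_blocks = set(), set()
    for proc, block in trace:
        if proc not in trusted:
            new_procs.add(proc)
            new_blocks.add((proc, block))
        elif block not in trusted[proc]:
            new_blocks.add((proc, block))
    return new_procs, new_blocks

def classify(trusted, trace, procedure_test=False):
    """Strict test: any new block marks the message suspect.
    Procedure test: new blocks are tolerated inside previously executed
    procedures; only a never-executed procedure marks the message suspect."""
    new_procs, new_blocks = new_code(trusted, trace)
    if procedure_test:
        return "suspect" if new_procs else "clean"
    return "suspect" if new_blocks else "clean"

def filter_folder(trusted, folder, procedure_test=False):
    """Split a folder {message_id: trace} into clean and suspect message ids;
    only the clean ones would be delivered to the user's inbox."""
    result = {"clean": [], "suspect": []}
    for msg_id, trace in folder.items():
        result[classify(trusted, trace, procedure_test)].append(msg_id)
    return result
```

Running `filter_folder` on the same folder with and without `procedure_test=True` shows how a message that only hits a new block inside a known procedure moves from suspect to clean, while one that enters a never-executed procedure stays suspect under both tests.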
Finding Exploits
• Hid Pine exploits in email folder
• Method found and filtered out all exploits
• 0% false negative rate
Driving False Positive Rate Even Lower
• How much room is there between the Pine exploit and the false positives?
• Pine exploit (list view)
  • New procedures: 42
  • New blocks: 339
• False positives (list view)
  • New procedures: 4
  • New blocks: 108
• Consistent with Sam Larsen's results
Intriguing Tidbit
• Some new code executions caused by benign changes in environment
  • Time changes
  • Who knows what else
• Need to periodically rerun trusted inputs to avoid increased false positive rate
What About Other Applications?
Microsoft Word, Outlook vulnerabilities identified
By Paul Roberts, September 13, 2002 5:07 pm PT
BOSTON - VULNERABILITIES have been identified in two widely-used Microsoft products, Microsoft Word and Outlook Express.
In Microsoft Word's case, an attacker could steal data from a victim's hard disk, according to alerts posted on the Bugtraq Web site weeks ago and acknowledged by Microsoft on Friday.
It would work like this: The attacker creates a Word 97 document and embeds hidden fields, such as the "IncludeText" field, in it. The attacker then e-mails the malicious document to the intended victim. When the victim opens the document, the fields retrieve data from the hard disk. The attacker would then receive the stolen data in the document when the victim e-mails it back to him.
Part of standard Microsoft Word functionality!
What About Other Applications?
M-073: Microsoft Outlook E-mail Editor Vulnerability [Microsoft Security Bulletin MS02-021]
April 26, 2002 15:00 GMT
PROBLEM: A security vulnerability exists when Outlook is configured to use Microsoft Word as the e-mail editor and the user forwards or replies to a mail from an attacker.
PLATFORM: Systems using the following applications for e-mail: Microsoft Outlook 2000, Microsoft Outlook 2002
DAMAGE: An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.
SOLUTION: Apply the patch supplied by vendor.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.
Filtering Individual Pieces
• Filtering operates on a sequence of pieces
  • Email messages in folder
  • Data items in a Word document
  • Commands in PowerPoint presentation
• Can filter out individual pieces (not entire folder, document, or presentation)
  • Can eliminate macros from PowerPoint files
  • Can eliminate active fields from Word files
• Leaves rest of content intact
What About Other Applications?
• Many applications have input file cleanliness issues
  • JPEG images, PDF files
  • Configuration files
  • Scripts, macros, active fields
• Key issue is training
  • Pine is relatively small and simple
  • Other applications may be harder to train
  • Need more trusted inputs
  • Maybe use less stringent cleanliness test
Application Community Involvement
• Training
  • Source of broad range of trusted inputs
  • Share vetting load for external inputs
• Production
  • Share investigation of suspect inputs
  • Minimize population exposed to exploits
Conclusion
• Right now you get both kinds of functionality
  • Desirable
  • Undesirable
• Can learn desirable functionality
• Eliminate undesirable functionality
• Works great for filtering Pine email messages
• Potential for other applications as well