RST Labs Effectively Constraining Active Scripting on the Win32 Platform Anup K. Ghosh Reliable Software Technologies www.rstcorp.com


Page 1: RST Labs Effectively Constraining Active Scripting on the Win32 Platform Anup K. Ghosh Reliable Software Technologies

RST Labs

Effectively Constraining Active Scripting on the Win32 Platform

Anup K. Ghosh, Reliable Software Technologies

www.rstcorp.com

Page 2: Technical Objectives

• Address the threat of a significant class of mobile malicious code:
  – active scripting

• Constrain active scripting capability effectively to balance:
  – legitimate uses vs. malicious uses

• Generalize from detection of specific malicious code instances to classes of malicious code

• Protect the entire platform, not just specific applications

Page 3: Assumptions and Scope

• What threats/attacks is your project addressing?
  – Active scripting based attacks (local/mobile)

• What assumptions does your project make?
  – Active scripting attacks use the Active Scripting interface
    • doesn't cover non-active-scripting attacks and attacks that break the active scripting engine

• What policies can we enforce?
  – Methods of accessing applications/system
  – Access to specific objects/methods in given applications

Page 4: Active Scripting

• A pervasive form of enterprise computing that requires both content (the script) and an interpreter.

• Scripting is often used as "Turing glue" to connect and drive disparate software components.

Active Scripting Applications/Hosts
• Web browsers
• Mail readers
• Embedded HTML viewers
• MS Office 2000 applications
• Windows Scripting Host

Active Scripting Languages
• Perl
• JScript
• VBScript/VBA (macros)
• Rexx
• Python

Page 5: Why Is this Problem Important?

[Chart: Symantec's Malicious Code Top Threats]

Active Scripting Vulnerabilities
• 14 new vulnerabilities found in Microsoft Applications during 2000

Page 6: Current Approaches

• Virus detection software
  – instance driven, not generalizable

• Turn off Active Scripting
  – effective, but crippling
  – Try running your browser without JavaScript

• Sandbox the browser
  – Browsers are highly multi-functional pieces of software
  – Scripts run outside browsers, too

• Filter at firewalls
  – too many ways around

• Analyze mobile code
  – encryption/obfuscation can defeat these efforts

Page 7: Technical Approach

• Instrument the appropriate interface to effectively constrain the behavior of active scripts
  – Active Scripting API used by all scripting technologies to script programs/components
  – Document Object Model is the appropriate level to write/enforce scripting properties

• Belief:
  – range of full scripting behavior is >> range of actual behavior used in Web/mail browsing and transactions.

[Diagram: scripting behavior ranging from "Widely Used" to "Very Dangerous"]

Page 8:

[Diagram, before: Script (from the Internet) → Script Interpreter → COM → Application/System]
[Diagram, after: Script → Script Interpreter → COM → Policy Enforcer → COM → Application/System]

All necessary implementation information given by COM and Active Scripting API

Page 9: Approach By Way of Example

[Diagram: attack scenario]
• Script surreptitiously downloads
• Script exploits browser hole
• Script saves itself in startup directory
• User runs script on next re-boot
• Script mails personal documents out to all contacts

Page 10: Protecting the Machine

[Diagram: the same attack steps, with policy enforcement in place]
• Script exploits browser hole
• Script saves itself in startup directory
• User runs script on next re-boot
• Script mails personal documents out to all contacts

Page 11: Classes of Attacks Covered

• Malicious script email attachments

Page 12: Classes of Attack Addressed

• Embedded malicious email scripts

Page 13: Classes of Attack Addressed

• Scripts that exploit Web browser holes (e.g., Guninski holes)

Page 14: Classes of Attack Addressed

• Scripts that exploit ActiveX controls marked safe for scripting

Page 15: Classes of Attack Addressed

• Scripting of Microsoft Office Applications

Page 16: Classes of Attack Addressed

• Scripting of other desktop applications

Page 17: Classes of Attack Addressed

• JavaScripts, VBScripts, macros, proprietary, and future scripting technologies
  – Scripting is becoming increasingly common in enterprise environments
  – Microsoft encourages 3rd party scripting engines and has published a fully documented API for that purpose

Page 18: Inferring, Developing, and Enforcing Policy

• In order to effectively constrain Active Scripting behavior, we need to:
  – define and enforce policy at the appropriate interface.

• Problem: what constitutes a good policy for constraining Active Scripts?

• Belief: malicious scripts will exercise functionality outside the normal range of benign scripts.

• Approach: infer/extract policy from empirical results of benign/malicious scripts' actual behavior

Page 19: Approach: Log Behavior, Extract Policy

• All scripts encountered by wrapped applications are logged

• Script logs are formatted in XML

• Logs record actions/events taken by the script

• XML formatted logs provide
  – A well-defined and configurable method for logging scripts used within applications
  – Searchable tags that can be advantageous for parsing the script logs

Logs will be mined to determine what behavior distinguishes malicious from benign scripts.
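The mediation point of Page 8 and the log-then-mine loop of Pages 18 and 19, worked through as an added example; this is not code from the RST deck or from the Just Be Friends tool. It simulates the architecture in Python rather than hooking the real COM and Active Scripting interfaces: the Enforcer class stands in for the policy enforcer between interpreter and application, the host name "browser", the XML tag layout, the benign sessions and the scenario script are all constructed for the illustration, and the object/method names in the scenario script (modelled on the Windows object model) follow the Page 9 storyline of persisting into the Startup folder and mailing documents out. The policy inferred from benign logs is the simplest possible one, an allow-list of observed (object, method) pairs per host, which is what "infer set of rules from observed behavior" amounts to at its most basic.

```python
"""Added example (not from the RST deck): simulate the policy enforcer of Page 8
and the XML log mining of Page 19.  No real COM or Active Scripting is touched;
host names, object/method names, log layout and scripts are constructed."""
import xml.etree.ElementTree as ET


class PolicyViolation(Exception):
    """Raised when a script call falls outside the host's policy."""


class Enforcer:
    """Sits between the script interpreter and the application objects.

    Every script call object.method(args) passes through invoke(), is logged
    as XML, and is allowed only if (object, method) is in the policy.  With
    policy=None the enforcer runs in log-only mode (the Page 19 data collection).
    """

    def __init__(self, host, policy=None):
        self.host = host
        self.policy = policy
        self.root = ET.Element("scriptlog", host=host)

    def invoke(self, obj, method, *args):
        call = ET.SubElement(self.root, "call", object=obj, method=method)
        for arg in args:
            ET.SubElement(call, "arg").text = str(arg)
        if self.policy is not None and (obj, method) not in self.policy:
            call.set("result", "denied")
            raise PolicyViolation(f"{self.host}: {obj}.{method} not permitted")
        call.set("result", "allowed")
        return f"{obj}.{method}"  # stand-in for the real COM return value

    def xml(self):
        return ET.tostring(self.root, encoding="unicode")


def mine_policy(logs):
    """Infer per-host policy: the set of (object, method) pairs seen in benign logs."""
    policy = {}
    for doc in logs:
        root = ET.fromstring(doc)
        allowed = policy.setdefault(root.get("host"), set())
        for call in root.iter("call"):
            allowed.add((call.get("object"), call.get("method")))
    return policy


def run_script(enforcer, calls):
    """Drive a script's calls through the enforcer.

    A denied call is recorded and skipped (the script keeps running without
    it); returns (completed calls, denied calls) as 'object.method' strings."""
    done, denied = [], []
    for obj, method, *args in calls:
        try:
            done.append(enforcer.invoke(obj, method, *args))
        except PolicyViolation:
            denied.append(f"{obj}.{method}")
    return done, denied


# Constructed benign sessions: what ordinary page scripts do inside a browser host.
BENIGN_SESSIONS = {
    "browser": [
        [("document", "write", "<p>hello</p>"), ("window", "setTimeout", "tick()", 1000)],
        [("document", "getElementById", "menu"), ("window", "alert", "done")],
    ],
}

# Constructed script following the Page 9 scenario: persist into the Startup
# folder, then mail documents out through the mail client's object model.
SCENARIO_SCRIPT = [
    ("document", "write", "<p>loading</p>"),
    ("Scripting.FileSystemObject", "CopyFile", "me.vbs", r"Startup\me.vbs"),
    ("Outlook.Application", "CreateItem", 0),
    ("MailItem", "Send"),
]


def demo():
    """Log benign scripts, mine a policy from the logs, enforce it on the scenario script."""
    logs = []
    for host, sessions in BENIGN_SESSIONS.items():
        for calls in sessions:
            enforcer = Enforcer(host)  # log-only mode
            run_script(enforcer, calls)
            logs.append(enforcer.xml())
    policy = mine_policy(logs)
    return run_script(Enforcer("browser", policy["browser"]), SCENARIO_SCRIPT)


if __name__ == "__main__":
    completed, blocked = demo()
    print("completed:", completed)
    print("blocked:", blocked)
```

Running demo() lets the page's own document.write through and blocks the three calls the benign sessions never exercised (the file copy into Startup, the mail item creation and the send), which is the Page 18 belief made concrete. The deck's risk slide applies directly: an allow-list mined from two sessions is "too constraining" for any real host, so in practice the mined set must be broadened with many more benign logs and tested against scripts not used to build it.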

Page 20: Major Risks and Risk Mitigation Plan

• Develop a rule base/policy language that is:
  – too constraining
  – too simple (doesn't capture subtleties of attacks)
  – too complex to use in practice
  – ineffective against novel threats

• Mitigation Plan:
  – infer set of rules from observed behavior.
  – test against scripts previously not seen.

Page 21: Accomplishments

• Developed instrumentation framework that applies to all Win32 executables
• Demonstrated capability to constrain malicious active scripts
• Logging behavior of actual scripts
• Released Just Be Friends, a spin-off of the technology that better addresses the ILOVEYOU threat than Microsoft's patch.

Page 22: Quantitative Metrics

• Performance overhead of technique
• False positive/false negative rates of correctly classifying benign/malicious scripts

Page 23: Expected Major Achievements

• Software tool to wrap any Win32 application against malicious scripts
• Experimental results on effective policies
• Experimental results on false positives and rates of correct detection

Page 24: Task Schedule

[Gantt chart, Feb '00 to Jul '01; ticks at Feb '00, Jul '00, Feb '01, Jul '01]
• Instrument active scripting engine
• Explore "real world" usage
• Demonstrate proof-of-concept
• Benchmark technology against malicious scripts
• Deliver prototype implementation
• Develop Policies

Page 25: Technology Transfer

• Patent inventions
• Release and make software freely available
• Market, sell, and license technology to leading commercial vendor in this market space.

Page 26: Questions, Acknowledgements, and Contact Info

RST Sandboxing Team
• Dur Berrier
• Anup Ghosh
• Timothy Hollebeek
• Michael Pelican

{dur,anup,tim,mpelican}@rstcorp.com
www.rstcorp.com

"Sandboxing Mobile Code Execution Environments"
DARPA Contract #F30602-99-C-0172