IDS mailing list archives
Re: Obfuscated web pages
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Wed, 20 Feb 2008 20:39:38 -0200
I beg to differ on that comment. I believe that what would be foolish is to suggest that it is theoretically possible to do effective (let alone efficient) inline JS inspection and alerting/blocking, unless of course that suggestion comes along with the theoretical support for such a theoretical hypothesis.
In absence of that we are just left with an escalating arms race of practical implementations of obfuscation techniques vs. de-obfuscation+dynamic analysis techniques.
My impression is that in such a scenario the odds are heavily biased against the defensive network device. My admittedly simplistic rationale for such a far-fetched thought is that all the principles applicable to a L-4 network IDS outlined by Ptacek & Newsham 10 years ago also apply to this problem and are compounded by the fact that maintaining and monitoring state of a DOM parser and a JavaScript engine is much more difficult than doing it for an endpoint's TCP/IP stack.
My hunch is that the best way to do this is directly at the endpoint, and not just anywhere at the endpoint but within the browser and right in the JS engine.
-ivan

Mike Barkett wrote:
Regarding inline JS inspection, I've said it before and I still believe that one day there will be a full DOM proxy product that is capable of running inline. Yes, its speeds will lag other network devices, and yes, browser attacks will probably be yesterday's news by then anyway, but it would be foolish to suggest that it is theoretically impossible to do. In the meantime, if you have embraced defense-in-depth and gotten yourself a trustworthy network IPS, a thorough endpoint solution, and you use only locked down browsers, then you'll be ok.
-MAB

--
"Buy the ticket, take the ride" -HST
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
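As an added illustration of the vantage-point argument above (example code, not part of the original thread): the same constructed script is checked once against the bytes an inline device sees on the wire and once from inside the evaluator. The `new Function` sandbox with a shadowed `eval` stands in for a hook in the JS engine, and `SIGNATURE`, `WIRE_BYTES` and the function names are assumptions of this example.

```javascript
// Constructed sample: the response body as an inline network device would see it.
// The script assembles the name of the function it calls only at run time, so the
// wire bytes never contain the contiguous text a static signature looks for.
const WIRE_BYTES = [
  "var parts = ['une', 'sca', 'pe'];",
  "var fn = parts.join('');",
  "eval(fn + '(\"%41%42\")');",
].join('\n');

// Hypothetical signature a defender might deploy: "unescape(" with optional spaces.
const SIGNATURE = /unescape\s*\(/;

// Wire-level inspection: matches the signature against transmitted bytes only,
// with no knowledge of what those bytes will become once a JS engine runs them.
function inspectWire(bytes, signature) {
  return signature.test(bytes);
}

// Engine-level inspection: runs the script with an instrumented eval so that each
// string is inspected at the moment the evaluator receives it, i.e. after the
// script itself has done the de-obfuscation work. This is where Ivan's "right in
// the JS engine" detection point would sit; the sandbox here is a stand-in for it.
function inspectInEngine(bytes, signature) {
  const seen = [];       // every code string handed to the evaluator
  let flagged = false;   // true if any of them matched the signature
  const hookedEval = (code) => {
    seen.push(String(code));
    if (signature.test(String(code))) flagged = true;
    return (0, eval)(code); // indirect eval: run in global scope as the script expects
  };
  // Shadow "eval" inside the sandboxed function so the script calls the hook.
  new Function('eval', bytes)(hookedEval);
  return { flagged, seen };
}
```

Note that the hook covers only the `eval` path; a production engine-level detector would need the same treatment for every other route to the evaluator, which is the state-tracking burden the message describes.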