IDS mailing list archives

Re: Obfuscated web pages


From: Jon Oberheide <jon () oberheide org>
Date: Thu, 14 Feb 2008 21:28:53 -0500

On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home
> > quite well. IMO, it is unlikely that any IDS engine could implement
> > the beast that is ECMAScript and all of its children and still be safe
> > while reliably detecting attacks. It approaches issues similar to the
> > halting problem.
>
> I suspect that no vendors support this feature (actual code
> execution in some sort of sandbox) and I was just trying to
> verify it.

I would recommend checking out SpyProxy, presented at last year's USENIX
Security.  While it's not a commercial vendor-supported product and has
its share of limitations, it does demonstrate that an inline
execution-based IDS/IPS proxy may be feasible:

http://www.cs.washington.edu/homes/tbragin/spyproxy.pdf

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
