IDS mailing list archives

Re: Obfuscated web pages

From: Ivan Arce <ivan.arce () coresecurity com>
Date: Wed, 20 Feb 2008 20:39:38 -0200

I beg to differ on that comment.

I believe that what would be foolish is to suggest that it istheoretically possible to do effective (let alone efficient) inline JSinspection and alerting/blocking, unless of course that suggestion comesalong with the theoretical support for such a theoretical hypothesis.

In absence of that we are just left with an escalating arms race ofpractical implementations of obfuscation techniques vs.de-obfucation+dynamic analysis techniques.

My impression is that in such a scenario the odds are heavily biasedagainst the defensive network device. My admittedly simplistic rationalefor such a far fetched thought is that all the principles applicable to aL-4 network IDS outlined by Ptacek & Newsham 10 years ago also apply tothis problem and are compounded by the fact that maintaining andmonitoring state of a DOM parser and a JavaScript engine is much moredifficult than doing it for an endpoint's TCP/IP stack.

My hunch is that the best way to do this is directly at the endpoint andnot just anywhere at the endpoint but within the browser and right in theJS engine


-ivan


Mike Barkett wrote:

Regarding inline JS inspection, I've said it before and I still believe that
one day there will be a full DOM proxy product that is capable of running
inline.  Yes, its speeds will lag other network devices, and yes, browser
attacks will probably be yesterday's news by then anyway, but it would be
foolish to suggest that it is theoretically impossible to do.  In the
meantime, if you have embraced defense-in-depth and gotten yourself a
trustworthy network IPS, a thorough endpoint solution, and you use only
locked down browsers, then you'll be ok.

-MAB


--
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------

Current thread:

Re: Obfuscated web pages, (continued)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
  - RE: Obfuscated web pages Mike Barkett (Feb 15)
    - Re: Obfuscated web pages Ivan Arce (Feb 21)
    - RE: Obfuscated web pages Mike Barkett (Feb 25)
    - Re: Obfuscated web pages Ivan Arce (Feb 29)
- Re: Obfuscated web pages Jamie Riden (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 14)
  - Re: Obfuscated web pages Arian J. Evans (Feb 15)
    - RE: Obfuscated web pages Mike Barkett (Feb 15)
  - Re: Obfuscated web pages Ivan Arce (Feb 21)
- Re: Obfuscated web pages parveenvashishtha (Feb 15)
- Re: Re: Obfuscated web pages parveenvashishtha (Feb 19)
- Re: Obfuscated web pages holly . stewart (Feb 19)
- Re: Obfuscated web pages partner50113371 (Feb 19)
  - Re: Obfuscated web pages Dustin D. Trammell (Feb 21)
- Re: Obfuscated web pages dxp (Feb 29)