
Talk details

WEF - Web Exploit Finder: Automatic Drive-By-Download detection in a virtualized environment

by Benjamin Mack (HdM Stuttgart / xnos Internet Services)

Friday, 01.06.2007, Hall 4: Kaiserslautern, 15:00-16:00

Much has been written about security vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox. Some of these security threats are designed to execute malicious code in the browser. Known as remote code execution attacks, they typically exploit buffer overflows in an application. They are not limited to browsers: almost all services and applications that are part of the internet, or that use it as a communication platform, are affected.

We focus on internet browsers here because of two key problems. First, browsers are the primary user interface to the World Wide Web. Since the rendering engine transforms hypertext into a visual presentation for humans, every part of a web page has to be interpreted and processed further by the browser, which leads to a complex and error-prone architecture, especially with regard to mobile code (JavaScript, Java, ActiveX, XUL etc.). Secondly, the browser is arguably the most frequently used program in the family of potentially vulnerable software. In contrast to server-side software, a browser is often used by non-technical users, many of whom neither understand the risks nor know possible countermeasures. And even experts are often exposed to the risk of an attack.

In view of this, our goal was to develop a system that automatically detects and identifies malicious websites.

In addition, this system can also serve as a platform for other security and sandbox tests. One use case is to automatically analyze various kinds of malware in a secure and easily maintainable virtualized environment.

To meet the requirements involved, our system architecture includes the following components:

* A virtualization layer, using VMware Server and CentOS Linux, to protect the system and to check multiple pages simultaneously.
* A specialized rootkit to modify the operating system and detect the malicious pages.
* A Browser Control to manage the rootkit and the browser as well as to communicate with our management console.
* A Management Console to configure and control the entire system, also based on CentOS Linux.
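The following Python sketch, added here as an illustration and not code from the WEF project, shows the kind of behavioural rule a monitoring component like the rootkit above could apply to events collected while the sandboxed browser renders one page: activity outside the browser's expected envelope (spawned processes, writes outside the profile, autostart entries) turns the verdict for that page to malicious. The event format, the policy values and the two sample event streams are constructed assumptions.

```python
from dataclasses import dataclass

# One event reported by the in-guest monitor while the browser renders a URL.
# Constructed format: an assumption for this example, not WEF's real interface.
@dataclass(frozen=True)
class Event:
    kind: str    # "process", "file_write" or "registry_write"
    actor: str   # process image that caused the event
    target: str  # child image, file path or registry key

# Envelope a clean browser session is expected to stay inside (assumed policy).
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe"}
PROFILE_PREFIX = "C:\\Users\\sandbox\\AppData\\"
RUN_KEYS = ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")

def analyse(events):
    """Return (verdict, reasons) for one page visit in the sandbox."""
    reasons = []
    # Processes in the browser's tree; children it spawns are added as seen.
    browser_tree = set(BROWSER_IMAGES)
    for ev in events:
        if ev.actor not in browser_tree:
            continue  # activity of unrelated system processes is ignored
        if ev.kind == "process":
            # Rendering a page should never spawn a new executable.
            browser_tree.add(ev.target)
            reasons.append(f"{ev.actor} spawned {ev.target}")
        elif ev.kind == "file_write" and not ev.target.startswith(PROFILE_PREFIX):
            reasons.append(f"{ev.actor} wrote outside the profile: {ev.target}")
        elif ev.kind == "registry_write" and ev.target.startswith(RUN_KEYS):
            reasons.append(f"{ev.actor} added an autostart entry: {ev.target}")
    return ("malicious" if reasons else "clean"), reasons

# Constructed event streams for two visits (sample data, not real captures).
CLEAN_VISIT = [
    Event("file_write", "firefox.exe", PROFILE_PREFIX + "Local\\Mozilla\\cache\\entry"),
    Event("process", "services.exe", "svchost.exe"),  # not the browser's doing
]
DRIVE_BY_VISIT = [
    Event("process", "iexplore.exe", "cmd.exe"),
    Event("file_write", "cmd.exe", "C:\\Windows\\System32\\dropped.exe"),
    Event("registry_write", "cmd.exe", RUN_KEYS[0] + "\\updater"),
]

if __name__ == "__main__":
    for name, visit in (("clean", CLEAN_VISIT), ("drive-by", DRIVE_BY_VISIT)):
        verdict, why = analyse(visit)
        print(name, "->", verdict, why)
```

Because the rule follows the browser's process tree rather than a single image name, a child process created by the exploit is judged by the same envelope as the browser itself.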

About the author Benjamin Mack:

Benjamin Mack (born 1984) has been studying Media Informatics at the Hochschule der Medien in Stuttgart since 2003. During his studies he first developed, in 2004, the Linux project "BlueLinux" to transfer photo data via Bluetooth on a Linux-capable HP IPAQ. He is also an active developer on the open-source project TYPO3. After two work stays abroad in Chile and the USA, he developed, together with two fellow students, the project presented here, "Web Exploit Finder", which uses virtualization to automatically track down vulnerabilities in Mozilla Firefox and Microsoft's Internet Explorer. Building on the experience gained there, he founded the hosting and IT security company "xnos Internet Services", which uses Xen and vServer as two powerful tools in its day-to-day work. Benjamin is currently working on his diploma thesis in Stuttgart in order to complete his studies in autumn 2007.

