
TPMitigation

« Mitigation of drive-by-malware using a transparent proxy »

2010, Peter Falkensteiner
f a l k e n s t e i n e r @ g m a i l . c o m


Content:
1. Why?
2. Who?
3. How?
4. Implementation
5. Download
6. Installation
7. Converters

Why?

"In 2009, the number of malicious programs in the Kaspersky Lab collection reached 33.9 million."
(Kaspersky Security Bulletin 2009. Malware Evolution 2009)

Today we are faced with the problem that users may get infected by one of those 33.9 million malware programs just by doing what they do every day, in good conscience: surfing the internet.
(Article of the German magazine "heise Security")

Sure, there are the "classical" approaches such as running an anti-virus application, but looking at the statistics, the amount of malware is so huge that proactive solutions are becoming more and more important.

Who?

I am Peter Falkensteiner and I'm currently a student of the graduate program "information management and computer security". Apart from studying, I'm currently working for a governmental IT company.

How?

The theory this project is based on says that malicious code embedded in web content will not survive a conversion of that content. For example, suppose a website you are visiting contains a GIF image that exploits a vulnerability in the client (e.g. CVE-2008-0015) to compromise your system: if the image is converted to the JPEG format before it is sent to your browser, the attack will not work.

For this project we will use the concept of a transparent HTTP proxy, illustrated in Fig. 1.
[Fig. 1: Transparent Proxy]


The proxy acts as an HTTP server that receives the intercepted HTTP traffic and forwards it to the real server. After the proxy has fetched the content from the original target web server, the content is checked for applicable mitigation strategies, converted, and sent back to the original client.

To set up the required redirection on Linux gateways, see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html.
If you run the transparent proxy directly on your Linux gateway, the following command may be all you need:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Here "eth0" is the internal network interface and "8080" is the port the transparent proxy is listening on.

So, if an internal system accesses a trusted internet website that hosts some image-based malware, the proxy forwards the request and converts the retrieved content before delivering it (Fig. 2).
[Fig. 2: transparent proxy malware mitigation]


The concept sounds simple, right? But there must be some issues! Yes, there are:
The concept of interception and redirection at a gateway is a type of man-in-the-middle attack. The HTTP protocol has no security features that would notice an interception of this form. Where security is needed for HTTP, the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is used, which lets the client detect exactly this kind of interception. So, for a secured HTTPS connection, this concept will not work.
The performance of the conversion is a major issue too. Looking at average internet-surfing behaviour, image and PDF conversions are subjectively fast enough; performance problems arise when processing the formats used by office applications (.doc, .xls etc.).

Implementation

These UML diagrams show the simple architecture of the implemented TPMitigation software. The component diagram shows two external and three internal components, which correspond to the classes in the class diagram.

[Figure: component model] [Figure: class model]

Download

Download:
Download at sourceforge

Requirements:
Java Runtime Environment 1.6 - http://java.sun.com/
jPDFAssemble(TM) - http://www.qoppa.com/pdfassemble/

Take a look at the showcase:
TPMitigation CVE-2008-0015 Showcase

Installation

We need to set up routing so that the proxy can work "transparently" as a man-in-the-middle, so we configure the gateway to redirect the traffic to the proxy application. For Linux we set up an iptables PREROUTING rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

We may need to configure the application by setting parameters in the default.properties file, located in the /src/main/resources directory when compiling from source, or in the root directory of the JAR file:
#
# IP-address, on which the proxy-server is listening.
#
server.listenaddress=0.0.0.0
#
# Port, on which the proxy-server is listening.
#
server.port=8080
#
# Size of the server's connection backlog.
#
server.queuesize=100

#
# HTTP-Proxy mock-up - act as "normal" HTTP-Server. For testing-purpose only.
#
mitigation.mockup=false
mitigation.mockupsite=www.google.com

#
# The default conversion-format for mitigation of image-based attacks.
#
mitigation.defaultimageformat=jpg
#
# Use the same image-format for the conversion as the original content.
#
mitigation.sameimageformat=true

#
# Logging configuration
#
java.util.logging.ConsoleHandler.level=INFO

#
# Configuration of jPDFAssemble(TM)
#  In case you have a license-key for jPDFAssemble(TM)
#  you may want to enter it here.
#
#PDFAssemble.key=

Then you need to set the path to the jPDFAssemble JAR file:

set JPDFASSEMBLE=PATH_TO_jPDFAssemble.jar

The application can be run by issuing the following command (the heap-size options take no space between the flag and the value):

java -Xms128M -Xmx512M -jar JAR-FILE


Converters

All converters have to implement the Converter interface:
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Interface for all converters.
 * @author Peter Falkensteiner
 */
public interface Converter {

	/** Check if the content is applicable for this conversion.
	 * @param contentType Content-Type-String from the HTTP-Header
	 * @return true if this converter is applicable for mitigation, false otherwise.
	 */
	public boolean isApplicable(String contentType);

	/** Convert the content read from inputStream and write it back to outputStream.
	 * @param contentType Content-Type-String from the HTTP-Header
	 * @param inputStream provides the content.
	 * @param outputStream gets the converted content.
	 * @throws IOException in case of a conversion-error
	 */
	public void convert(String contentType, InputStream inputStream, OutputStream outputStream) throws IOException;

	/** The produced content-type of the converter.
	 * @param contentType Content-Type-String from the HTTP-Header
	 * @return HTTP content-type-string
	 */
	public String getTargetFormat(String contentType);
}
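The following image converter is an added example written for this page; it is not part of the TPMitigation sources. It illustrates both the conversion idea from the "How?" section (decode the image into raw pixels and re-encode it, so only pixel data reaches the browser) and a concrete implementation of the Converter interface above, which it is compiled against. The constructor parameters are an assumed mapping of the mitigation.sameimageformat and mitigation.defaultimageformat properties; the class name ImageConverter and the 4x4 GIF built in main() are constructed for the example. One point worth copying into any real converter: when ImageIO cannot decode the input, the example throws instead of passing the original bytes through, so a malformed image is never forwarded unconverted.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Locale;
import javax.imageio.ImageIO;

/**
 * Hypothetical image converter (example code, not from the TPMitigation project).
 * The image is decoded into a pixel buffer and written out again from that buffer,
 * so header tricks or trailing payload in the original file do not reach the client.
 */
public class ImageConverter implements Converter {

    /** Assumed mapping of mitigation.sameimageformat. */
    private final boolean sameImageFormat;
    /** Assumed mapping of mitigation.defaultimageformat ("jpg", "png", ...). */
    private final String defaultImageFormat;

    public ImageConverter(boolean sameImageFormat, String defaultImageFormat) {
        this.sameImageFormat = sameImageFormat;
        this.defaultImageFormat = defaultImageFormat.toLowerCase(Locale.ROOT);
    }

    /** Only raster formats that ImageIO can both read and write are handled. */
    public boolean isApplicable(String contentType) {
        String sub = subtype(contentType);
        return sub.equals("jpeg") || sub.equals("png") || sub.equals("gif") || sub.equals("bmp");
    }

    public void convert(String contentType, InputStream inputStream, OutputStream outputStream)
            throws IOException {
        // ImageIO.read returns null when no reader accepts the data. Fail closed:
        // the proxy must not fall back to forwarding the original bytes.
        BufferedImage image = ImageIO.read(inputStream);
        if (image == null) {
            throw new IOException("unreadable image, refusing to forward original content");
        }
        String writerFormat = writerFormat(contentType);
        // JPEG has no alpha channel; draw onto an opaque RGB buffer for that case.
        int type = writerFormat.equals("jpg") ? BufferedImage.TYPE_INT_RGB : BufferedImage.TYPE_INT_ARGB;
        BufferedImage copy = new BufferedImage(image.getWidth(), image.getHeight(), type);
        copy.getGraphics().drawImage(image, 0, 0, null);
        if (!ImageIO.write(copy, writerFormat, outputStream)) {
            throw new IOException("no ImageIO writer for format " + writerFormat);
        }
    }

    public String getTargetFormat(String contentType) {
        String f = writerFormat(contentType);
        return "image/" + (f.equals("jpg") ? "jpeg" : f);
    }

    /** ImageIO writer name: keep the client's format or use the configured default. */
    private String writerFormat(String contentType) {
        if (sameImageFormat) {
            String sub = subtype(contentType);
            return sub.equals("jpeg") ? "jpg" : sub;
        }
        return defaultImageFormat;
    }

    /** "image/gif; q=0.5" -> "gif"; anything that is not image/* yields "". */
    private static String subtype(String contentType) {
        String ct = contentType == null ? "" : contentType.trim().toLowerCase(Locale.ROOT);
        int semi = ct.indexOf(';');
        if (semi >= 0) {
            ct = ct.substring(0, semi).trim();
        }
        return ct.startsWith("image/") ? ct.substring("image/".length()) : "";
    }

    /** Stand-alone check with a constructed 4x4 GIF; no network and no real malware involved. */
    public static void main(String[] args) throws IOException {
        BufferedImage sample = new BufferedImage(4, 4, BufferedImage.TYPE_INT_RGB);
        sample.setRGB(1, 1, 0xFF0000); // one red pixel so the image is not empty
        ByteArrayOutputStream gif = new ByteArrayOutputStream();
        ImageIO.write(sample, "gif", gif);

        ImageConverter converter = new ImageConverter(false, "jpg");
        String contentType = "image/gif";
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        converter.convert(contentType, new ByteArrayInputStream(gif.toByteArray()), out);
        byte[] result = out.toByteArray();
        // A JPEG stream starts with the SOI marker FF D8.
        boolean isJpeg = result.length > 2 && (result[0] & 0xFF) == 0xFF && (result[1] & 0xFF) == 0xD8;
        System.out.println("applicable=" + converter.isApplicable(contentType)
                + " target=" + converter.getTargetFormat(contentType)
                + " jpegOutput=" + isJpeg);
    }
}
```

Compile it next to Converter.java (javac Converter.java ImageConverter.java) and run java ImageConverter; with the settings used in main() a GIF is re-encoded as JPEG and the reported target type is image/jpeg, which is the Content-Type the proxy would have to send to the client in place of the original one.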