TPMitigation

« Mitigation of drive-by-malware using a transparent proxy »
Content:
1. Why?
2. Who?
3. How?
4. Implementation
5. Download
6. Installation
7. Converters
Why?
"In 2009, the number of malicious programs in the Kaspersky Lab collection reached 33.9 million."
(Kaspersky Security Bulletin 2009. Malware Evolution 2009)
Today we face the problem that users can be infected by one of those 33.9 million malware programs
just by doing what they do every day without a second thought: surfing the internet.
(Article in the German magazine "heise Security")
There are, of course, the "classical" approaches such as running an anti-virus application, but looking at the
statistics, the amount of malware is so large that proactive solutions are becoming more and more important.
Who?
I am Peter Falkensteiner and I'm currently a student of the graduate program "information management and computer security". Apart from studying, I'm currently working for a governmental IT company.
How?
The theory this project is based on says that malicious code embedded in a web page will not
survive a conversion of the content. For example, suppose a GIF image on the website you are visiting
exploits a vulnerability (e.g. CVE-2008-0015) to compromise your system: if the malicious image is converted
to the JPEG format before it is sent to your browser, the attack will not work, because only the decoded
pixels are re-encoded and the crafted file structure that triggers the bug is not carried over.
This project uses the concept of a transparent HTTP proxy, illustrated in Fig. 1.
The proxy acts as an HTTP server that receives the intercepted HTTP traffic destined for the real server. After the proxy
has fetched the content from the original target web server, the content is checked against the mitigation strategies
and then sent back to the original client.
How to set up the required redirection on a Linux gateway is described at http://www.faqs.org/docs/Linux-mini/TransparentProxy.html.
If you run the transparent proxy on the Linux gateway itself, the following single command may be all you need:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
where "eth0" is the internal network interface and "8080" is the port the transparent proxy is listening on.
So, if an internal system accesses a trusted internet website that hosts some image-based malware, the
proxy forwards the request and converts the retrieved content before returning it (Fig. 2).
The concept sounds simple, right? But there must be some issues. Yes, there are:
Interception and redirection at a gateway is a form of man-in-the-middle attack, but plain HTTP has no
security feature that would detect an interception of this kind.
Where HTTP is secured, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is used,
and these prevent such redirections. So for a secured HTTPS connection this concept does not work.
The performance of the conversion is a major issue too. Looking at average internet-surfing behaviour,
image and PDF conversions are subjectively fast enough; performance problems arise when processing the formats used by office applications (.doc, .xls etc.).
Implementation
The UML diagrams show the simple architecture of the implemented TPMitigation software.
The component diagram shows two external and three internal components, which correspond to the classes in the class diagram.
Download:
Download at sourceforge
Requirements:
Java Runtime Environment 1.6 - http://java.sun.com/
jPDFAssemble(TM) - http://www.qoppa.com/pdfassemble/
Take a look at the showcase:
TPMitigation CVE-2008-0015 Showcase
Installation:
Configuration is done in the default.properties file, found in the /src/main/resources directory if you compile from source, or in the root directory of the JAR file:
#
# IP-address, on which the proxy-server is listening.
#
server.listenaddress=0.0.0.0
#
# Port, on which the proxy-server is listening.
#
server.port=8080
#
# Size of the server's connection-backlog.
#
server.queuesize=100
#
# HTTP-Proxy mock-up - act as "normal" HTTP-Server. For testing-purpose only.
#
mitigation.mockup=false
mitigation.mockupsite=www.google.com
#
# The default conversion-format for mitigation of image-based attacks.
#
mitigation.defaultimageformat=jpg
#
# Use the same image-format for the conversion as the original content.
#
mitigation.sameimageformat=true
#
# Logging configuration
#
java.util.logging.ConsoleHandler.level=INFO
#
# Configuration of jPDFAssemble(TM)
# In case you have a license-key for jPDFAssemble(TM)
# you may want to enter it here.
#
#PDFAssemble.key=
Converters:
Converter interface:
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Interface for all converters.
 * @author Peter Falkensteiner
 */
public interface Converter {

    /**
     * Check if the content is applicable for this conversion.
     * @param contentType Content-Type string from the HTTP header
     * @return true if this converter is applicable for mitigation, false otherwise.
     */
    public boolean isApplicable(String contentType);

    /**
     * Convert the content read from inputStream and write it back to outputStream.
     * @param contentType Content-Type string from the HTTP header
     * @param inputStream provides the content.
     * @param outputStream gets the converted content.
     * @throws IOException in case of a conversion error
     */
    public void convert(String contentType, InputStream inputStream, OutputStream outputStream) throws IOException;

    /**
     * The produced content-type of the converter.
     * @param contentType Content-Type string from the HTTP header
     * @return HTTP content-type string
     */
    public String getTargetFormat(String contentType);
}
Images are converted with javax.imageio.ImageIO from the JRE.
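As an added example (my own code, not TPMitigation's image converter), here is a Converter implementation that applies the idea described under "How?" with javax.imageio.ImageIO: the image is decoded, redrawn onto a fresh raster and re-encoded, so anything that is not pixel data is dropped. It honours the mitigation.defaultimageformat and mitigation.sameimageformat settings from default.properties. The class name ReencodingImageConverter, its constructor, and the demo input in main (a constructed PNG with marker bytes appended after the image) are assumptions; the Converter interface is restated from the page, without its javadoc, so the file compiles on its own.

```java
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Iterator;
import java.util.Locale;
import javax.imageio.ImageIO;
import javax.imageio.ImageWriter;

/* The page's Converter interface, restated so this file compiles stand-alone. */
interface Converter {
    boolean isApplicable(String contentType);
    void convert(String contentType, InputStream inputStream, OutputStream outputStream) throws IOException;
    String getTargetFormat(String contentType);
}

/** Added example (not TPMitigation's own converter): re-encode images through a fresh raster. */
public class ReencodingImageConverter implements Converter {
    private final String defaultFormat;  // mitigation.defaultimageformat, an ImageIO format name such as "jpg"
    private final boolean sameFormat;    // mitigation.sameimageformat: keep the original format if ImageIO can write it

    public ReencodingImageConverter(String defaultFormat, boolean sameFormat) {
        this.defaultFormat = defaultFormat.toLowerCase(Locale.ROOT);
        this.sameFormat = sameFormat;
    }

    /** Strip parameters ("image/png; charset=binary") and normalise case. */
    static String mimeOf(String contentType) {
        if (contentType == null) return "";
        int semi = contentType.indexOf(';');
        String mime = semi < 0 ? contentType : contentType.substring(0, semi);
        return mime.trim().toLowerCase(Locale.ROOT);
    }

    /** ImageIO format name of the output, honouring the sameimageformat setting. */
    String outputFormat(String contentType) {
        Iterator<ImageWriter> writers = ImageIO.getImageWritersByMIMEType(mimeOf(contentType));
        if (sameFormat && writers.hasNext()) {
            // The writer's service provider knows its canonical format name ("png", "jpeg", ...).
            return writers.next().getOriginatingProvider().getFormatNames()[0].toLowerCase(Locale.ROOT);
        }
        return defaultFormat;
    }

    public boolean isApplicable(String contentType) {
        String mime = mimeOf(contentType);
        // Only claim content the JRE can both decode and re-encode; other content is left to other converters.
        return mime.startsWith("image/")
                && ImageIO.getImageReadersByMIMEType(mime).hasNext()
                && ImageIO.getImageWritersByFormatName(outputFormat(contentType)).hasNext();
    }

    public void convert(String contentType, InputStream inputStream, OutputStream outputStream) throws IOException {
        BufferedImage decoded = ImageIO.read(inputStream);
        if (decoded == null) {
            // Declared as an image but not decodable: fail instead of passing the original bytes through.
            throw new IOException("content declared as '" + contentType + "' could not be decoded");
        }
        String format = outputFormat(contentType);
        // JPEG and BMP carry no alpha channel, so redraw onto RGB there and ARGB elsewhere. Drawing into a
        // new BufferedImage is what leaves the original file structure (chunks, metadata, trailers) behind.
        boolean opaque = format.equals("jpg") || format.equals("jpeg") || format.equals("bmp");
        BufferedImage clean = new BufferedImage(decoded.getWidth(), decoded.getHeight(),
                opaque ? BufferedImage.TYPE_INT_RGB : BufferedImage.TYPE_INT_ARGB);
        Graphics2D g = clean.createGraphics();
        try { g.drawImage(decoded, 0, 0, null); } finally { g.dispose(); }
        if (!ImageIO.write(clean, format, outputStream)) {
            throw new IOException("no ImageIO writer for format " + format);
        }
        outputStream.flush();
    }

    public String getTargetFormat(String contentType) {
        String format = outputFormat(contentType);
        return "image/" + ("jpg".equals(format) ? "jpeg" : format);
    }

    /** Demo on constructed input: a PNG with marker bytes appended after IEND, as a crafted file might carry. */
    public static void main(String[] args) throws IOException {
        BufferedImage src = new BufferedImage(8, 8, BufferedImage.TYPE_INT_ARGB);
        src.setRGB(3, 3, 0xFFFF0000);
        ByteArrayOutputStream png = new ByteArrayOutputStream();
        ImageIO.write(src, "png", png);
        byte[] trailer = "CONSTRUCTED-TRAILER-NOT-A-REAL-PAYLOAD".getBytes("US-ASCII");
        png.write(trailer);  // the PNG decoder stops at IEND, so these bytes never reach the raster

        Converter converter = new ReencodingImageConverter("jpg", false);
        String contentType = "image/png; charset=binary";
        ByteArrayOutputStream converted = new ByteArrayOutputStream();
        converter.convert(contentType, new ByteArrayInputStream(png.toByteArray()), converted);
        byte[] result = converted.toByteArray();

        boolean jpegHeader = (result[0] & 0xFF) == 0xFF && (result[1] & 0xFF) == 0xD8;
        boolean trailerDropped = new String(result, "ISO-8859-1").indexOf(new String(trailer, "ISO-8859-1")) < 0;
        System.out.println("applicable=" + converter.isApplicable(contentType)
                + " target=" + converter.getTargetFormat(contentType)
                + " jpegHeader=" + jpegHeader + " trailerDropped=" + trailerDropped);
    }
}
```

Compile and run with `javac ReencodingImageConverter.java && java ReencodingImageConverter`; BufferedImage needs no display, so it works on a headless gateway. Two design choices matter for a proxy: isApplicable only claims content that the JRE can both read and write, and convert throws on content that is declared as an image but does not decode, so the proxy never falls back to forwarding the original bytes by accident.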