I beg to differ on that comment.
I believe that what would be foolish is to suggest that it is
theoretically possible to do effective (let alone efficient) inline JS
inspection and alerting/blocking, unless of course that suggestion comes
along with the theoretical support for such a theoretical hypothesis.
In the absence of that we are just left with an escalating arms race of
practical implementations of obfuscation techniques vs.
de-obfuscation+dynamic analysis techniques.
My impression is that in such a scenario the odds are heavily biased
against the defensive network device. My admittedly simplistic rationale
for such a far-fetched thought is that all the principles applicable to a
L-4 network IDS outlined by Ptacek & Newsham 10 years ago also apply to
this problem and are compounded by the fact that maintaining and
monitoring state of a DOM parser and a JavaScript engine is much more
difficult than doing it for an endpoint's TCP/IP stack.
My hunch is that the best way to do this is directly at the endpoint and
not just anywhere at the endpoint but within the browser and right in the
JS engine.
-ivan
Mike Barkett wrote:
Regarding inline JS inspection, I've said it before and I still believe that
one day there will be a full DOM proxy product that is capable of running
inline. Yes, its speeds will lag other network devices, and yes, browser
attacks will probably be yesterday's news by then anyway, but it would be
foolish to suggest that it is theoretically impossible to do. In the
meantime, if you have embraced defense-in-depth and gotten yourself a
trustworthy network IPS, a thorough endpoint solution, and you use only
locked-down browsers, then you'll be OK.
-MAB
--
"Buy the ticket, take the ride" -HST
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
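The contrast Ivan draws above (a network device matching on script bytes versus a hook sitting where the JS engine turns a string into code) can be shown in a few lines. The following is an added example, not code from the thread or from either author; the script text and the `document.cookie` signature are constructed for illustration, and the "engine-level" hook is a wrapper around the `Function` constructor rather than instrumentation of a real engine.

```javascript
// Added example: a wire-level signature versus an engine-level hook,
// run over a constructed script. Not part of the original thread.

// Constructed sample: the script exactly as it would cross the wire.
// The string the signature is looking for is assembled at run time,
// so it never appears literally in the bytes a network device sees.
const WIRE_SCRIPT = `
  var p = ["docu", "ment.coo", "kie"].join("");
  var probe = new Function("return '" + p + "'.length");
  probe();
`;

// Constructed signature: what an inline inspector would pattern-match on.
const WIRE_SIGNATURE = /document\.cookie/;

// Wire-level check: a regex over the script text, as a network IDS/IPS
// without a DOM parser and JS engine would apply it.
function wireLevelMatch(scriptText) {
  return WIRE_SIGNATURE.test(scriptText);
}

// Engine-level check: shadow the Function constructor for the duration of
// the script so every dynamically built body is inspected at the moment it
// becomes executable code, i.e. after the script has de-obfuscated itself.
function runWithEngineHook(scriptText, signature) {
  const seen = [];
  const OriginalFunction = Function;
  const hooked = function (...args) {
    // The last argument is the body; earlier ones are parameter names.
    const body = args.join(" ");
    if (signature.test(body)) seen.push(body);
    return OriginalFunction(...args);
  };
  // Run the sample with `Function` bound to the hooked constructor.
  const runner = new OriginalFunction("Function", scriptText);
  runner(hooked);
  return seen;
}

// Stand-alone run: the wire check misses, the engine hook records the body.
console.log("wire-level match:", wireLevelMatch(WIRE_SCRIPT));
console.log("engine-level hits:", runWithEngineHook(WIRE_SCRIPT, WIRE_SIGNATURE));
```

Two caveats that follow from the thread's argument: the hook covers only one entry point (the `Function` constructor), while direct `eval`, string arguments to `setTimeout`, inline event handlers and `document.write` are other places where text becomes code, so a wrapper like this is a partial substitute for the in-engine hook Ivan describes; and the hook only sees the final body because it runs with the script's own state (`p` already joined), which is the state a network device would have to reconstruct and track on its own.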