Network Security Focus-IDS

Re: Obfuscated web pages

Subject: Re: Obfuscated web pages
Date: Wed, 20 Feb 2008 20:39:38 -0200
I beg to differ on that comment.

I believe that what would be foolish is to suggest that it is theoretically possible to do effective (let alone efficient) inline JS inspection and alerting/blocking, unless of course that suggestion comes along with the theoretical support for such a theoretical hypothesis.

In the absence of that we are just left with an escalating arms race of practical implementations of obfuscation techniques vs. de-obfuscation+dynamic analysis techniques.

My impression is that in such a scenario the odds are heavily biased against the defensive network device. My admittedly simplistic rationale for such a far-fetched thought is that all the principles applicable to a L-4 network IDS outlined by Ptacek & Newsham 10 years ago also apply to this problem and are compounded by the fact that maintaining and monitoring state of a DOM parser and a JavaScript engine is much more difficult than doing it for an endpoint's TCP/IP stack.

My hunch is that the best way to do this is directly at the endpoint, and not just anywhere at the endpoint but within the browser and right in the JS engine.

-ivan


Mike Barkett wrote:
Regarding inline JS inspection, I've said it before and I still believe that
one day there will be a full DOM proxy product that is capable of running
inline.  Yes, its speeds will lag other network devices, and yes, browser
attacks will probably be yesterday's news by then anyway, but it would be
foolish to suggest that it is theoretically impossible to do.  In the
meantime, if you have embraced defense-in-depth and gotten yourself a
trustworthy network IPS, a thorough endpoint solution, and you use only
locked down browsers, then you'll be ok.

-MAB



-- "Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



