Sunday Jan 22

Jart in the News

HostExploit Twitter

Researchers Offer 'BLADE' to Cut PC Exploitation

Attention: open in a new window. PDFPrintE-mail

Drive-by-downloads could soon become history, according to a research paper from a group of academics at Georgia Tech.

Their system, called the BLADE (BLock All Drive-by download Exploits), is based on user consent and is guaranteed to prevent downloads through the backdoor from unsolicited, malicious programs.

Now here is a tool that sounds impressive and, according to its developers, can immunize Window systems from the thousands of drive-by download exploits that infect our computers every day. It works within the kernel of the operating system, the bridge between applications and data processing, serving to protect the crack between the layers where drive-by exploits can covertly install malicious binary coding.

Basically, BLADE removes files, or unrequested downloads, to a “secure zone” (a virtual storage area). Before you shout, “It’s a sandbox!” -- no, according to the researchers, the technique used here is different. BLADE is based on user consent. It tracks user mouse clicks and collects information on user download authorizations (“disk footprints”). This information is matched against files in the secure zone. Only matching files are remapped to the user’s file system. Unlike sandboxing, no execution of files takes place in the secure zone.

BLADE developers are claiming 100 percent effectiveness during the test period to date. Internet Explorer 6.0 configured with Adobe Reader 8.0, Adobe Flash 8.0, and JVM 5.0 was found to be the most vulnerable to exploits, but, thankfully, not one of the latest zero-day exploits bypassed the BLADE system. See a YouTube live demo here.

The researchers are assured from results in the lab that signals used to convey or interpret users’ responses cannot be forged by attackers, although testing so far has only been carried out from user “mouse clicks.” In their words, “adding support for keyboard input using the same principle should be straightforward.”

Another “subtle issue” occurs when the “Correlator” that compares downloaded files against those in the secure zone has to perform a domain name lookup in the local DNS cache when resolving to a corresponding IP address. However, testing has proved to be successful due to the “trusted kernel component,” the researchers say. Results are impressive: "BLADE was successful at blocking all 7,925 attempted drive-by malware installs while generating zero false alarms. Furthermore, all downloaded malicious binaries were safely quarantined into the secure zone," the researchers contend.

So, is this truly the answer to drive-by exploits? Certainly they claim to have countermeasures to spoofing attacks, download injection and process hijacking attacks, and coercing attacks. Well, perhaps not quite: As BLADE is effective only against a binary executable, it cannot prevent the covert installation of interpreted scripts. But it’s still pretty good, as the researchers note that “the overwhelming majority of current drive-by download malware is delivered as binaries.”

The next stage will be a free Internet release of BLADE to the public, thanks to funding provided by the National Science Foundation, the US Army Research Office, and the Office of Naval Research. This situation has already raised one or two concerns about the level of scrutiny coming from a project with governmental backing. What’s more, the expectations for this tool have been building. There has been extensive news coverage about the project with many promises about its delivery, so we are all now expecting something that will do what it says.

Of course, this raises the question: How is it we depend upon a group of open-source and university researchers to come up with system that is 100 percent effective, when, according to BLADE’s research, “miss” rates from current anti-virus programs we pay for are running at 30 percent effectiveness? This is similar to rates for browser-based security and operating system-provided prevention. Still, such an application is a welcome advance in security for any PC user, and a big score for open-source and academic research.

By jart armin


Jart Armin