by Matt Hines

SpyProxy takes Web apps security fight to ‘virtual sandbox’

News, Aug 8, 2007

Researchers at the ongoing Usenix Security Symposium showed off a new method for thwarting Web-based malware attacks

Faced with volumes of browser vulnerabilities and Web-based exploits designed to take advantage of the flaws, security researchers presented a new process for protecting users with execution-based malware detection at the ongoing Usenix Security Symposium in Boston on Wednesday.

In a demonstration led by Alexander Moshchuk, a University of Washington graduate student on a research team that has built a tool using the technique to filter out malicious programs, he pitched “virtual sandboxing” as an effective means of testing Web applications for suspicious behavior before they reach end-users’ browsers.

With the threat of drive-by attacks and zero day exploits expanding on a daily basis as malware authors advance their sophistication, security experts have increasingly downplayed the efficacy of traditional signature-based anti-virus technologies for stopping many online attacks.

As a result, several new techniques have emerged for protecting end-users before vulnerabilities can be identified and patched. Virtualization is one of the technological means being adopted by many researchers attempting to address the problem, and Moshchuk highlighted the use of the technique in a tool created at UW and named SpyProxy.

Deployed as a virtual machine that sits between an end-user’s browser and a Web site, SpyProxy promises to download and test any application the browser is directed toward in order to weed out potential attacks.

In a matter of seconds, the security program can effectively run and analyze any type of Web page or application to determine whether it contains the hallmarks of many threats, the researcher said.

“SpyProxy has limitations, but nonetheless we feel that it can be an effective new weapon in the Internet security arsenal, as a low-cost way to block real zero days that is complementary to existing techniques and actively makes the Web browsing experience more secure,” Moshchuk said.

If you add up the number of days that Microsoft’s Internet Explorer was vulnerable to published attacks during 2006, the total equates to roughly nine months of opportunities for malware authors to deliver their threats to end-users, said Moshchuk, who observed that business users in particular can ill afford to remain exposed to viruses and other threats on such a regular basis.

Execution-based malware detection cannot identify some advanced forms of threat, such as so-called cross-site scripting (XSS) scams, because of their latent nature, but most active attacks can be unearthed with relative ease, Moshchuk said.

SpyProxy works by creating a virtual machine that mirrors the browser used by the person running the tool and fully renders any page or application that is accessed, in order to determine whether the URL contains an attack.

While the process does lead to delays in Web page delivery, on the order of roughly three seconds per URL in an unmodified state, the tradeoff of eliminating many zero days and drive-bys will make the technology acceptable to some end-users, the researcher maintains.

In a test of roughly 2,000 Web site requests carried out by the UW team over 124 individual URLs, the researchers found some 27 active browser exploits and 73 spontaneous downloads that could represent malware, adware, or other unwanted programs. The group maintains that SpyProxy identified and blocked all of the threats.

In terms of scalability, SpyProxy — which the group plans to distribute free of charge — was designed to handle multiple users on clusters of workstations. According to Moshchuk, a single-CPU device can process roughly 82,000 page requests in one day, which he estimated as sufficient coverage for approximately 800 users per machine. A quad-core machine could reasonably be expected to protect several thousand users in a single organization, he said.

One limitation of SpyProxy: it works more effectively on sites that contain larger volumes of static content such as text, but it is taxed by applications that behave more like general-purpose software programs, the researcher said.

Another problem is that the tool sometimes struggles to determine when a page or application has completely finished loading, and when to pass content along to the end-user, which could lead to additional latency concerns.

However, in a modified state where the tool is set to eliminate unnecessary scanning, by letting sites that have already been tested, and have not changed since that earlier download, flow through without constraint, or by letting pages with only static content reach the user unabated, the time needed for SpyProxy to run its course drops to only 600 milliseconds, according to Moshchuk.
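To make that fast path concrete, here is an added Python sketch (not SpyProxy’s own code) of the two bypass rules just described: static-only pages pass straight through, and a page whose content hash matches an earlier sandbox verdict reuses that verdict instead of being rendered again. `FastPathProxy`, `fake_sandbox`, and the sample pages are assumptions for the demo; the real VM render step is replaced by the stand-in.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample responses standing in for pages fetched by the proxy.
STATIC_PAGE = b"<html><body><h1>Notice</h1><p>Plain text only.</p></body></html>"
ACTIVE_PAGE = b"<html><body><script>document.title='hi'</script></body></html>"

# Markup that can execute code or load plugins: such pages must be rendered
# in the sandbox VM before they are released to the user.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|object|embed|applet|iframe)\b", re.I)


def is_static(body: bytes) -> bool:
    """Static-only pages (no script/plugin/frame markup) skip the sandbox."""
    return ACTIVE_MARKUP.search(body) is None


def content_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


@dataclass
class FastPathProxy:
    """Decides whether a fetched page can bypass the sandbox (hypothetical).

    `sandbox` stands in for the VM render step and returns True when the
    page exhibits an attack; `fake_sandbox` below replaces the real VM."""
    sandbox: Callable[[str, bytes], bool]
    verdicts: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    sandbox_runs: int = 0

    def decide(self, url: str, body: bytes) -> Tuple[str, str]:
        if is_static(body):
            return "pass", "static-only content"
        digest = content_hash(body)
        cached = self.verdicts.get(url)
        if cached and cached[0] == digest:
            # Same URL, byte-identical content: reuse the earlier verdict.
            return ("block" if cached[1] else "pass"), "unchanged since last scan"
        self.sandbox_runs += 1
        malicious = self.sandbox(url, body)
        self.verdicts[url] = (digest, malicious)
        return ("block" if malicious else "pass"), "fresh sandbox verdict"


def fake_sandbox(url: str, body: bytes) -> bool:
    """Stand-in for the VM: flags pages carrying a constructed marker string."""
    return b"EXPLOIT-MARKER" in body
```

Content that differs per visitor or is fetched by script at render time never produces an unchanged-page match, which is why anything with active markup still goes through the sandbox at least once.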

Another way to speed up downloading and the overall performance of the tool could be to deliver different portions of a site under test to the user as each individual scan completes.

Moshchuk said that the UW team hopes that other security researchers will apply similar techniques in addressing malware with active detection, and promised that it will also continue to expand and improve SpyProxy.

“This isn’t about building a perfect security tool. We really care about exploring the technique further,” Moshchuk said. “But we think that people can already begin using the tool without affecting the end-user experience too much.”