Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 AM
Connect Directly

Security Bugs Sent to the Sandbox

A researcher at the upcoming Black Hat conference will suggest a new whitelisting method that creates a 'sandbox' for uninvited traffic

What if your network security tools just denied all incoming traffic up front, rather than attempting to filter out known threats?

That's essentially what the Statue of Liberty security project does. The project's "whitelisting" approach sends everything initially to a honeypot, or sandbox system, and sorts it by what's allowed, instead of what's not. Philip Trainor, the researcher who wrote the code, will demonstrate it during his presentation at next week's Black Hat conference in Las Vegas.

"There is no such thing as a secure system," Trainor says. "And most organizations have no plan for when a breach takes place."

Statue of Liberty's whitelisting approach differs from the blacklisting tactic used by most of today's antivirus and intrusion detection/prevention systems. "Instead of worrying about tens of thousands of exploits, it's allowing only things we've accepted into it," says Trainor, a network security engineer for Imperfect Networks. He built this model independently as part of his own research.

Trainor says he'll release his code as open source and hopes to expand on the project with input from other researchers. "I plan to release all code and configuration files associated with this project in the spirit of open source," Trainor says. "An open source project can only benefit from the large pool of contributions from the community."

It doesn't replace blacklisting, however. Trainor ultimately envisions the technology as an enhancement to today's IPS systems, which can be easily bypassed by a new or stealthy attack in a security architecture. (See IDS/IPS: Too Many Holes?) "This could be a potential addition to IPS systems, but not a replacement," he says. "IPS is a very necessary piece of network security today, but it has a lot of room to grow. It's really a developing technology."

There are two ways to deploy the Statue of Liberty technology, Trainor says. "One solution is to incorporate active honeypots into a public network to host potentially malicious events," he says, as well as within an internal IPS system that by default denies traffic and temporarily places it in a trusted zone.

In Trainor's new environment, a Statue of Liberty box (a Linux-based server) sits behind the in-line IPS and firewall and adds another layer of scrutiny. It works a bit like a load balancer to direct traffic. An HTTP "get" request, for instance, would be classified as a "white request" and get pushed to the HTTP server. But an HTTP "post" or "delete" request on a page that wasn't expecting these types of actions would be labeled as a "black request" and would go to the virtual server (a closed sandbox) for analysis. The idea is to also learn about these potential attacks to improve security, Trainor says.

Trainor hopes to demo three attack scenarios within the Statue of Liberty project: Non-malicious but never-seen-before traffic, which goes to the honeypot; an attack the IPS did not stop; and a malicious attack that's never been seen before, which then crashes the honeypot when it's quarantined there. He'll run VMWare along with the HoneyNet Project's honeypot technology, he says.

Statue of Liberty is a way to keep up with, or even get ahead of, new attack modes, which today's IPS systems don't do well. "An IPS has signature sets that are days/weeks/months old," Trainor says.

Trainor's main message: Be prepared. "I'm suggesting that companies have a risk management plan for being breached."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-27
In SmartDraw 2020, the installer gives inherited write permissions to the Authenticated Users group on the SmartDraw 2020 installation folder. Additionally, when the product is installed, two scheduled tasks are created on the machine, SDMsgUpdate (Local) and SDMsgUpdate (TE). The scheduled...
PUBLISHED: 2020-05-27
An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.