Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 AM
Connect Directly

Security Bugs Sent to the Sandbox

A researcher at the upcoming Black Hat conference will suggest a new whitelisting method that creates a 'sandbox' for uninvited traffic

What if your network security tools just denied all incoming traffic up front, rather than attempting to filter out known threats?

That's essentially what the Statue of Liberty security project does. The project's "whitelisting" approach sends everything initially to a honeypot, or sandbox system, and sorts it by what's allowed, instead of what's not. Philip Trainor, the researcher who wrote the code, will demonstrate it during his presentation at next week's Black Hat conference in Las Vegas.

"There is no such thing as a secure system," Trainor says. "And most organizations have no plan for when a breach takes place."

Statue of Liberty's whitelisting approach differs from the blacklisting tactic used by most of today's antivirus and intrusion detection/prevention systems. "Instead of worrying about tens of thousands of exploits, it's allowing only things we've accepted into it," says Trainor, a network security engineer for Imperfect Networks. He built this model independently as part of his own research.

Trainor says he'll release his code as open source and hopes to expand on the project with input from other researchers. "I plan to release all code and configuration files associated with this project in the spirit of open source," Trainor says. "An open source project can only benefit from the large pool of contributions from the community."

It doesn't replace blacklisting, however. Trainor ultimately envisions the technology as an enhancement to today's IPS systems, which can be easily bypassed by a new or stealthy attack in a security architecture. (See IDS/IPS: Too Many Holes?) "This could be a potential addition to IPS systems, but not a replacement," he says. "IPS is a very necessary piece of network security today, but it has a lot of room to grow. It's really a developing technology."

There are two ways to deploy the Statue of Liberty technology, Trainor says. "One solution is to incorporate active honeypots into a public network to host potentially malicious events," he says, as well as within an internal IPS system that by default denies traffic and temporarily places it in a trusted zone.

In Trainor's new environment, a Statue of Liberty box (a Linux-based server) sits behind the in-line IPS and firewall and adds another layer of scrutiny. It works a bit like a load balancer to direct traffic. An HTTP "get" request, for instance, would be classified as a "white request" and get pushed to the HTTP server. But an HTTP "post" or "delete" request on a page that wasn't expecting these types of actions would be labeled as a "black request" and would go to the virtual server (a closed sandbox) for analysis. The idea is to also learn about these potential attacks to improve security, Trainor says.

Trainor hopes to demo three attack scenarios within the Statue of Liberty project: Non-malicious but never-seen-before traffic, which goes to the honeypot; an attack the IPS did not stop; and a malicious attack that's never been seen before, which then crashes the honeypot when it's quarantined there. He'll run VMWare along with the HoneyNet Project's honeypot technology, he says.

Statue of Liberty is a way to keep up with, or even get ahead of, new attack modes, which today's IPS systems don't do well. "An IPS has signature sets that are days/weeks/months old," Trainor says.

Trainor's main message: Be prepared. "I'm suggesting that companies have a risk management plan for being breached."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.