Is there a simple architectural solution to drive by attacks?

Been learning about drive by attacks on wilders.

It seems that there should be an OS solution for this. When I browse websites, I dont want the browser to change my system. Whether playing videos, or entering input into a javascript. Period. When I download a file, I am happy to have it downloaded into a special sandbox, and seperately retieve it. Same with bookmarks.

Is this too hard to do in the OS (windows or linux)? Or even in the browser?

EDIT: Hmmm this seems like protected mode in Vista/win 7.

 

The OS can do it allready. it can be set through Access control list/setting integrity level and through GPedit or registry yourself (the 1806 trick).

See (credits to Sully) http://blog.case.edu/bes7/

 

Linux has been doing this since it was developed in 1991. Other *nixes have been doing it for much longer.

 

standard user + default execution deny, using Software Restriction Policies, AppLocker, Pretty Good Security, Comodo Internet Security, etc.

 

Has it? How can I use those features in Linux AFAIK, firefox can download anywhere and run files?

 

Uh, Firefox does not have access to anything outside of the user account, so it can't "download anywhere." And if being restricted to the user account is not enough for you, then you can enable AppArmor (a form of a MAC system) that will lock Firefox down to where it can't even do much within the user account.

Code:

sudo aa-enforce /etc/apparmor.d/*firefox*

 

Just one of the many awesome, user friendly ways of configuring things in linux

 

Yes, I meant inside the user acount; and there malware can steal personal info etc.
Unfortunately apparmor seems to be dead, and unavailable in debian lenny; so I'm downloading selinux right now

 

I don't think this would qualify as architechural but then again I don't know much about it minus a few reviews. But this Blade project has been talked about here on wilders in the past-
http://www.blade-defender.org/
http://krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/


It seems to have been a secret project for a long time now so I'm not sure of its current status.

 

It might be dead in Debian, but it ain't dead as a project. In fact, it is slated to finally be added to the upstream kernel sources at the next kernel release, which means every Linux distro will then have it.

 

Thats awesome!!

 

Aigle, you will finally have you HIPS in Linux!

 

AppArmor, SELinux, grsecurity, SMACK, TOMOYO -- none of them are new. It's just most people have never heard of them and don't want to learn them. AppArmor has been there for years for those who used he right distros. It's just that now all distros will have it built-in. I have tried to explain this to Aigle numerous times before, but he doesn't listen.

 

Who is Aigle?

 

More like Sanboxie, Applocker and SRP, but not quite. Not at all comparable to HIPS.
You can "confine" certain risky apps, that is mainly internet facing services, browsers, pdf viewers (but I've read it can do RBAC and user confinement now too) Apparmor profiles specify which folders and files a program can read, write and execute. A restrictive firefox profile for example would prevent having write and execute permission in the same folder stopping any kind of dropper attack, now block access to perl, python and the like and you can stop the script attack vector as well. In the case something still gets through that it can't do anything to your system because you've only allowed write access to ~/Downloads, tmp and .mozilla/firefox/your.profile.

 

Thanks katio for the simple explanation. It looks like AppArmor is EXACTLY what I am looking for, it'll stop drive by attacks dead in their tracks
I really like how specific access is given to specific apps on where they can write/read and execute.

Cant wait for it to be integrated into the kernel.

In the meantime, I'll be looking at SeLinux. Anyone have any tutorials on how that operates and any tips?


Is their a corresponding AppArmor like app for windows?

 

SELinux is much more complicated and more capable than AppArmor. SELinux is a true MAC system and can also do RBAC as well as MLS (multi-level-security).

A HIPS would be the closest thing. I don't consider AppArmor like Sandboxie because AppArmor is not a virtualization app.

The creator of AppArmor gave a talk several years ago illustrating what it can do. You can find it here.