26C3: Protection against Flash security holes
Felix "FX" Lindner of Recurity Labs presented his open source "Blitzableiter" (lightning rod) project at the 26th Chaos Communication Congress (26C3). The tool analyses and cleans up Flash code before playback and is designed to prevent security holes in Adobe Flash from being exploited. Flash is one of the most commonly used points of entry for attackers who try to compromise PCs during visits to web pages.
To prevent the frequently recurring security issues in Adobe's software from being exploited, the Blitzableiter tool checks SWF files for their integrity. Embedded ActionScript code is detected, analysed and cleaned up. The wrapper can also verify whether embedded objects such as JPEG images comply with the specification.
However, Flash malware tends to use the multimedia format within its specification, for example to simulate clicks on ads or to redirect users to pages that try to make them install alleged virus scanners which turn out to be scareware. To prevent this, the wrapper redirects certain security-relevant function calls, such as ActionGetURL2 for opening web pages, to its own code, which can then monitor their use with mechanisms such as a same-origin policy. The tool can reportedly even prevent CSRF attacks in which, for instance, a small Flash movie secretly reconfigures a router.
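As an added illustration of the two steps described above (not Blitzableiter's own code, which is written in C#), the following Python sketch parses the SWF container, including the zlib-compressed CWS variant, checks the declared length and tag boundaries, walks the AVM1 ACTIONRECORDs inside DoAction tags, recovers the URL operand of ActionGetURL and ActionGetURL2 from the preceding ActionPush, and then applies a same-origin check against the origin the file was served from. The two SWF files, the origin `http://games.example` and the URLs are constructed inside the script for the demonstration; a URL that cannot be resolved to a string literal is treated as not allowed.

```python
import struct
import zlib
from urllib.parse import urlparse

# Tag codes and AVM1 opcodes from the SWF file format specification.
TAG_END, TAG_SHOWFRAME, TAG_DOACTION = 0, 1, 12
ACTION_END, ACTION_GETURL, ACTION_PUSH, ACTION_GETURL2 = 0x00, 0x83, 0x96, 0x9A
# Byte lengths of non-string ActionPush value types (type 0 is a NUL-terminated string).
PUSH_FIXED_LEN = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}


def parse_swf(data):
    """Return (version, [(tag_code, tag_body), ...]) after basic integrity checks."""
    sig = data[:3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    version, declared_len = struct.unpack_from("<BI", data, 3)
    body = data[8:]
    if sig == b"CWS":                          # zlib-compressed body (SWF 6 and later)
        body = zlib.decompress(body)
    if len(body) + 8 != declared_len:          # header length must match the payload
        raise ValueError("declared length does not match payload")
    nbits = body[0] >> 3                       # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4         # skip RECT, frame rate (UI16), frame count (UI16)
    tags = []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                     # long tag header carries an SI32 length
            (length,) = struct.unpack_from("<i", body, pos)
            pos += 4
        if length < 0 or pos + length > len(body):
            raise ValueError("tag %d overruns file" % code)
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, tags


def walk_actions(blob):
    """Yield (opcode, payload) for each ACTIONRECORD in a DoAction body."""
    pos = 0
    while pos < len(blob):
        op = blob[pos]
        pos += 1
        if op == ACTION_END:
            return
        payload = b""
        if op >= 0x80:                         # opcodes >= 0x80 carry a UI16 length and data
            (length,) = struct.unpack_from("<H", blob, pos)
            pos += 2
            if pos + length > len(blob):
                raise ValueError("action 0x%02x overruns DoAction" % op)
            payload = blob[pos:pos + length]
            pos += length
        yield op, payload
    raise ValueError("DoAction body without ActionEnd")


def push_values(payload):
    """Decode an ActionPush value list; non-string values become None."""
    values, pos = [], 0
    while pos < len(payload):
        vtype = payload[pos]
        pos += 1
        if vtype == 0:
            end = payload.index(b"\x00", pos)
            values.append(payload[pos:end].decode("latin-1"))
            pos = end + 1
        elif vtype in PUSH_FIXED_LEN:
            values.append(None)
            pos += PUSH_FIXED_LEN[vtype]
        else:
            raise ValueError("unknown push type %d" % vtype)
    return values


def find_url_loads(tags):
    """URL operand of every ActionGetURL / ActionGetURL2 (None if not a literal)."""
    urls = []
    for code, body in tags:
        if code != TAG_DOACTION:
            continue
        stack = []                             # string constants pushed so far
        for op, payload in walk_actions(body):
            if op == ACTION_PUSH:
                stack.extend(push_values(payload))
            elif op == ACTION_GETURL:          # inline operands: URL\0 target\0
                urls.append(payload.split(b"\x00")[0].decode("latin-1"))
            elif op == ACTION_GETURL2:         # pops target, then URL, from the stack
                if stack:
                    stack.pop()
                urls.append(stack.pop() if stack else None)
            else:                              # any other opcode may rewrite the stack
                stack.clear()
    return urls


def same_origin(url, origin):
    """Relative URLs, or the same scheme/host/port as origin, pass the policy."""
    u, o = urlparse(url), urlparse(origin)
    if not u.scheme and not u.netloc:
        return True
    return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)


def check_swf(data, origin):
    """Return [(url, allowed)] for every URL load found in the file."""
    _, tags = parse_swf(data)
    return [(u, u is not None and same_origin(u, origin)) for u in find_url_loads(tags)]


# --- constructed sample files for the demonstration (not real-world samples) ---
def make_rect(xmin, xmax, ymin, ymax, nbits=16):
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def make_tag(code, body):
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<Hi", (code << 6) | 0x3F, len(body)) + body

def push_string(s):
    data = b"\x00" + s.encode() + b"\x00"
    return bytes([ACTION_PUSH]) + struct.pack("<H", len(data)) + data

def geturl2(flags=0):
    return bytes([ACTION_GETURL2, 1, 0, flags])

def build_swf(actions, compress=False, version=8):
    body = make_rect(0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1)   # 12.0 fps, 1 frame
    body += make_tag(TAG_DOACTION, actions + bytes([ACTION_END]))
    body += make_tag(TAG_SHOWFRAME, b"") + make_tag(TAG_END, b"")
    header = struct.pack("<BI", version, 8 + len(body))
    return (b"CWS" + header + zlib.compress(body)) if compress else (b"FWS" + header + body)

ORIGIN = "http://games.example"                # assumed origin the SWF was served from
BENIGN_SWF = build_swf(push_string("/levels/next.swf") + push_string("_self") + geturl2())
EVIL_SWF = build_swf(push_string("http://192.0.2.1/apply") + push_string("_blank") + geturl2(), compress=True)

if __name__ == "__main__":
    for name, swf in (("benign", BENIGN_SWF), ("evil", EVIL_SWF)):
        for url, allowed in check_swf(swf, ORIGIN):
            print("%s: %s -> %s" % (name, url, "allow" if allowed else "BLOCK"))
```

The constant-stack tracking is deliberately conservative: as soon as any opcode other than ActionPush appears before the ActionGetURL2, the URL is no longer known statically and the load is reported as not allowed, which is the same treatment the article describes for files that obscure the code they contain.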
To ensure that Blitzableiter was doing its job well, the security expert checked it against 20 real, functionally different exploits. None of them slipped through the tool's net. One problem with the concept is, however, that legitimate Flash files may no longer function correctly: in a test involving a set of 95,000 SWF files, 92 per cent passed the format check, but only 82 per cent survived the entire clean-up procedure. Larger Flash portals such as YouTube or YouPorn nevertheless remain fully functional, said Lindner.
The majority of problems are reportedly caused by Flash files that try to conceal the code they contain. As there is no legitimate reason for this and it is mainly used by malware, the tool blocks such methods, explained FX. Furthermore, Blitzableiter currently only supports the standard AVM1 virtual machine; code for the more recent AVM2 (ActionScript 3) is currently still blocked by the tool. According to the developer, however, AVM2 isn't even properly supported by the development tools and has, therefore, not become very popular yet.
Other potential problems are code size and performance. At present, the normalisation process still causes the code to grow to about 220 per cent of its original size, but there is still room for optimisation, said Lindner. The code checking reportedly causes a delay of about a second – measured on a fairly state-of-the-art system. FX conceded that he would currently probably have little joy with the wrapper on his old notebook.
The project is still incomplete. Items on the agenda include the checking of embedded multimedia objects and support for AVM2. The source code of some of the libraries, written in C# for .Net and Mono, is currently available to download under a free licence (GPLv3). The open source approach is important because it allows thorough testing of the defence mechanisms themselves and enables the tool to be incorporated into applications such as Firefox or the Squid proxy server, explained FX.