Mozilla’s Attack-Aware Applications Resist Probes

Mozilla is taking a more proactive approach to securing its applications against attacks. The company is calling this approach “attack aware”.

The idea, explained Mozilla Web security specialist Michael Coates, is to make applications able to identify unusual user actions that are deliberate attacks on the application. The goal is to detect attempts to probe an application for weaknesses and block attempts to damage a system, while distinguishing between attack behaviour and user errors such as typos.

Supplemental List-Based Approach

“An attack-aware application uses a blacklist-style detection of a potential attack,” blogged Coates. “It is important to realise that this is not intended to be a substitute for secure design principles. Instead, it is an additional detection capability layered on top of a securely designed application. Think of a bank that has been built securely and then installs an alarm system to detect attempted attacks.”

The challenge to this approach boils down to anomaly detection, said Chris Wysopal, CTO of Veracode.

“There have been attempts to do this at the network level and I don’t know of any successes there,” he said. “Network security ends up falling back on known signatures of attacks. There is more hope for anomaly detection at the application layer because the application has more context, but it will still be difficult.”

Coates agreed that doing this effectively would require the correct selection of detection points that minimise false positives.

“For example, detecting a single tick (‘) within a text field (which could be used for SQL injection testing) is a bad detection point since there will be many false positives with legitimate uses of that character (for example, the name O’Malley, or just typos),” he blogged.

A better detection point would be detecting malicious values within password reset token URLs since there is no reason a user would accidentally modify the URL to include a potential SQL injection attack, he added. For that reason, false positive rates would be low.

“This is only one example of the detection points we are using… Currently, we are monitoring attack reports from our attack-aware applications,” Coates blogged. “This data is all fed into a security-integration manager that allows us to monitor trends and investigate individual attack reports. We are moving towards building a system that will enable us to selectively block the offending user from the application to prevent further attacks.”
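The contrast between the two detection points can be sketched as follows. This is an added example, not Mozilla's code: the 32-character hex token format, the `token` parameter name, the pattern list, the client identifier and the in-memory `attack_reports` counter (standing in for the central report store) are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: reset tokens are exactly 32 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")
# Assumed pattern list: input that link truncation or a typo does not produce.
SUSPICIOUS_RE = re.compile(r"['\"<>;()]|--|/\*|\b(?:union|select)\b", re.I)

attack_reports = Counter()  # stand-in for the central report store


def check_reset_url(url, client_id):
    """Classify a password-reset URL as 'ok', 'invalid' or 'attack'."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    tokens = query.get("token", [])
    if len(tokens) == 1 and TOKEN_RE.fullmatch(tokens[0]):
        return "ok"
    if any(SUSPICIOUS_RE.search(t) for t in tokens):
        # Nobody edits a mailed token into this by accident: file a report.
        attack_reports[client_id] += 1
        return "attack"
    # Truncated or wrapped links are ordinary user error: reject, no report.
    return "invalid"


def check_display_name(name):
    """Free-text field: a tick is legitimate here, so it is not a detection point."""
    return "ok" if 0 < len(name.strip()) <= 100 else "invalid"


if __name__ == "__main__":
    base = "https://example.test/reset?token="  # constructed sample URLs
    client = "203.0.113.7"  # constructed client identifier
    print(check_reset_url(base + "0123456789abcdef" * 2, client))
    print(check_reset_url(base + "0123456789abcdef", client))
    print(check_reset_url(base + "abc%27%20OR%20%271%27%3D%271", client))
    print(check_display_name("O'Malley"), dict(attack_reports))
```

A truncated link is rejected without raising a report, so the per-client counts stay meaningful for trend monitoring.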

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
