Proposal and Evaluation of Web Access Control System "Request Policy Framework" for Cooperation of DNS and a Web Browser

Takashi Uemura 1,a), Yusuke Kosuda 2, Ryoichi Sasaki 1

1 Tokyo Denki University, Adachi, Tokyo 120-8551, Japan
2 NEC Soft Ltd, Koto, Tokyo 136-0082, Japan
a) uemura@isl.im.dendai.ac.jp

Received: November 30, 2011, Accepted: June 1, 2012

Abstract: Drive-by download attacks such as Gumblar, which compromise websites by infecting them with a virus and directing their operation, have increased rapidly in recent years. Existing measures that detect dangerous scripts in a Web browser cannot protect against all of these attacks, because it is difficult for everyone to identify dangerous scripts. Therefore, the authors devised a mechanism named RPF (Request Policy Framework) that uses a highly accurate whitelist obtained by a Web browser cooperating with the DNS server. This paper reports the detailed mechanism of RPF, the prototype program, the evaluation results of its function and performance, and a consideration of the coverage provided by RPF.

Keywords: access control and authentication, Web security, Gumblar, DNS

© 2012 Information Processing Society of Japan 2107
1.
Fig. 1 Flow of Gumblar attack.
Fig. 2 Example of operation based on RequestPolicy.

2.
2.1 NoScript [1] (Firefox add-on); RequestPolicy [2] (Firefox add-on controlling cross-site img, script and iframe requests; example domains www.example.co.jp, ads.example.com, mal.example.net); gred [3]; Gumblar Watch [4].
2.2 Web Page Inspection (WPI) [5]: false negative 0%, false positive 3.53%; [6]: 3.33%; [7]: script and iframe; [8].
2.3

3.
3.1
3.2 Sender Policy Framework (SPF), RFC 4408 [9]: authorized IP addresses (A RR) published in a DNS TXT RR.
3.3 Request Policy Framework (RPF): the whitelist of permitted request destinations is published in a DNS TXT record in SPF-style syntax ("+dn:" entries, terminated by "-all"), and a Firefox add-on consults it.
Fig. 3 Basic format of RPF information.
3.4
Fig. 4 Mechanism for Web access under RPF environment (www.example.co.jp; RPF record "+dn: a3.example.co.jp ... -all"; ads.example.com, mal.example.net; img, script and iframe elements; .htaccess).
3.5
3.6

4.
4.1 Prototype based on RequestPolicy: Mozilla Firefox version 8.0.1; JavaScript, CSS, XPCOM, XUL; DNS lookup of RPF information.
4.2
Fig. 5 List of cross-domain requests.
Fig. 6 Method for permission of destination domain.
Fig. 7 Method for copy of destination domain.

5.
5.1 (img, YouTube, DNS TXT; SPF "include", "ip4"/"ip6")
Fig. 8 RPF information for experiments.
Fig. 9 Items for operation check experiments.
5.2 [10]; Yahoo! JAPAN; iframe.
Table 1 Experimental result for support function.
Table 2 Result of speed measurement (RPF vs. RequestPolicy on Firefox).
5.3 9%.
Table 3 Relationships between domains and Web sites.
5.4 [11]; SSL; Same Origin Policy [12], [13].
Fig. 10 Ratio on type of damages.

6.
6.1 DNS security: Source Port Randomization, DNSSEC [14].
6.2 DNS TTL (Time To Live) of the RPF TXT record: 3,600; 86,400.
6.3 DNS zone configuration [15], [16].

7.
References
[1] Mozilla Corporation: NoScript, Add-ons for Firefox, available from https://addons.mozilla.org/ja/firefox/addon/noscript/ (accessed 2012-03-26).
[2] Samuel, J. and Zhang, B.: RequestPolicy: Increasing Web Browsing Privacy through Control of Cross-Site Requests, Proc. Privacy Enhancing Technologies Symposium, Vol.5672, pp.128–142 (2009).
[3] gred, available from http://www.securebrain.co.jp/products/gred/index.html (accessed 2011-11-25).
[4] at+link: Gumblar Watch, available from http://www.at-link.ad.jp/topics/news/news-20100225.html (accessed 2011-11-25).
[5] Chia-Mei, C., Wan-Yi, T. and Hsiao-Chung, L.: Anomaly Behavior Analysis for Web Page Inspection, Proc. 2009 1st International Conference on Networks & Communications (NETCOM '09), pp.358–363 (2009).
[6] CSEC, Vol.2011-CSEC-54, No.32, pp.1–6 (2011).
[7] CSEC, Vol.2010-CSEC-48, No.9, pp.1–7 (2010).
[8] CSEC, Vol.2011-CSEC-52, No.53, pp.1–6 (2011).
[9] Internet Engineering Task Force (IETF): Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1, RFC 4408, available from http://www.ietf.org/rfc/rfc4408.txt (accessed 2011-11-28).
[10] http://akimoto.jp/japan/ (accessed 2012-03-17).
[11] gred Report Vol.7, Gumblar (2010), available from http://www.securebrain.co.jp/about/news/2010/02/gred-report7.html (accessed 2012-03-08).
[12] Same-Origin Policy, available from http://gihyo.jp/dev/serial/01/web20sec/0002 (accessed 2012-03-08).
[13] SSL, available from http://takagihiromitsu.jp/diary/20100501.html (accessed 2012-03-08).
[14] DNSSEC, available from http://venus.gr.jp/opf-jp/opm15/jpopm15-08.pdf (accessed 2011-11-11).
[15] http://support.sakura.ad.jp/manual/dom/zone.html (accessed 2012-03-21).
[16] WebARENA DNS, available from http://web.arena.ne.jp/suitex/spec/domain/dns.html (accessed 2012-03-21).