The present invention relates to methods for generic hooking of computer applications in order to monitor and prevent execution of security-sensitive operations.
The exposure of computer systems to malicious attacks threatens the integrity of secure data storage and transactions. Today's attacks have become very sophisticated. For example, consider a simple JavaScript code extract that originally reads as follows:
    <html>
      <SCRIPT Language="javascript">
        Ctrl = new ActiveXObject("VisualFoxPro.Application");
        Ctrl.ExecuteRequest("This function will crash the browser AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
      </SCRIPT>
    </html>
The above code exploits a known vulnerability (CVE-2007-4790) in an ActiveX control that Microsoft Internet Explorer will instantiate on request, and will crash the browser as soon as the user visits a malicious page containing the code.
In order to bypass inspection by security applications, such a script could be modified to read as:
    <html>
      <SCRIPT Language="javascript">
        var a = "VisualFoxPro";
        var b = ".Application";
        Ctrl = new ActiveXObject(a + b);
        Ctrl.ExecuteRequest("This function will crash the browser AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
      </SCRIPT>
    </html>
This transformation is trivial for an attacker to produce, yet it defeats any security tool that relies on finding the literal ProgID string in the script source.
In other words, by building the sensitive string at run time (here by string concatenation), an attacker hides the target of the call from pattern-matching security applications, because the string "VisualFoxPro.Application" never appears in the script as transmitted. For the same reason, such code passes a network-based IDS, IPS, or firewall that matches page content against signatures. Current system-security techniques are unable to handle such obfuscated code, and cannot adequately protect against malicious JavaScript (and other scripted languages).
Even in the absence of code obfuscation, it is preferable to inspect Web scripts and other code as late as possible, at the point where the security-sensitive operation is actually invoked, provided security is maintained, so that the security software has access to the complete and accurate run-time state of the code being inspected, including the actual values of the arguments passed to that operation.
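The following is an added example, not code from the patent text, illustrating the two preceding points: a signature that matches the literal ProgID in the original script misses the concatenated variant, while a hook installed on the ActiveXObject constructor sees the fully resolved ProgID at instantiation time and can block it regardless of how the string was built. The ActiveXObject host object is simulated (an assumption made so the example runs in Node.js rather than Internet Explorer), and the two scripts are constructed inline from the text above.

```javascript
// Added example (not from the patent): static signature matching versus a
// run-time hook on ActiveXObject. ActiveXObject is simulated here (assumption)
// so the code runs under Node.js instead of Internet Explorer.

const PAYLOAD = "A".repeat(46); // stands in for the overlong argument in the text

// The two scripts from the text, as a scanner would see them on the wire (constructed).
const ORIGINAL_SCRIPT =
  'Ctrl = new ActiveXObject("VisualFoxPro.Application");' +
  'Ctrl.ExecuteRequest("' + PAYLOAD + '");';

const OBFUSCATED_SCRIPT =
  'var a = "VisualFoxPro"; var b = ".Application";' +
  "Ctrl = new ActiveXObject(a + b);" +
  'Ctrl.ExecuteRequest("' + PAYLOAD + '");';

// A pattern-matching detector: looks for the literal ProgID in the source text.
const SIGNATURE = /VisualFoxPro\.Application/;
function staticScanFlags(source) {
  return SIGNATURE.test(source);
}

// Simulated host object standing in for IE's ActiveXObject (assumption, not IE's API).
function SimulatedActiveXObject(progId) {
  this.progId = progId;
  this.ExecuteRequest = function (arg) {
    return "ExecuteRequest on " + progId + " with " + arg.length + " bytes";
  };
}

// Generic hook: wrap the constructor so the ProgID is inspected at the moment of
// instantiation, after any concatenation or other run-time construction has happened.
function makeHookedActiveXObject(Original, blockedProgIds, log) {
  return function HookedActiveXObject(progId) {
    const resolved = String(progId);
    log.push(resolved); // monitoring: record every ProgID actually requested
    if (blockedProgIds.has(resolved)) {
      throw new Error("blocked: " + resolved); // prevention: refuse the sensitive operation
    }
    return new Original(progId);
  };
}

// Run a script with a given ActiveXObject binding and classify the outcome.
function runScript(source, ActiveXObject) {
  const fn = new Function("ActiveXObject", "var Ctrl; " + source + " return Ctrl;");
  try {
    const ctrl = fn(ActiveXObject);
    return { outcome: "executed", progId: ctrl.progId };
  } catch (e) {
    const blocked = String(e.message).indexOf("blocked") === 0;
    return { outcome: blocked ? "blocked" : "error", progId: null };
  }
}

function demo() {
  const blocked = new Set(["VisualFoxPro.Application"]);
  const log = [];
  const Hooked = makeHookedActiveXObject(SimulatedActiveXObject, blocked, log);
  return {
    staticOriginal: staticScanFlags(ORIGINAL_SCRIPT), // true
    staticObfuscated: staticScanFlags(OBFUSCATED_SCRIPT), // false: signature misses the concatenation
    unhookedObfuscated: runScript(OBFUSCATED_SCRIPT, SimulatedActiveXObject).outcome, // "executed"
    hookedOriginal: runScript(ORIGINAL_SCRIPT, Hooked).outcome, // "blocked"
    hookedObfuscated: runScript(OBFUSCATED_SCRIPT, Hooked).outcome, // "blocked"
    seenProgIds: log, // both hooked runs resolved to "VisualFoxPro.Application"
  };
}
```

The hook is generic in the sense the text calls for: it does not know how the script built its argument, only what value reached the constructor, so the same wrapper covers concatenation, decoding, or any other obfuscation, and it can be applied to any other host constructor or method the security policy considers sensitive.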
It would be desirable to have methods for generic hooking of computer applications in order to monitor and prevent execution of security-sensitive operations.