A simple example of Defense-in-Depth is protecting a PC from remote compromise by keeping the machine up-to-date on patches AND surrounding it with a firewall. Should a firewall fail for some reason, the PC remains resilient against remote exploitation because it is properly patched. If the PC falls behind on its patches, which frequently happens, a well-configured firewall protects against compromise by denying inbound connections.
Web browsers also have a notion of Defense-in-Depth, but the major vendors don’t ship them with as many layers as they could (or should?). By my count, Chrome installs with three layers. Fortunately, with a simple configuration change and installing a specific add-on, anyone can add two more layers of defense and dramatically improve their protection against browser exploitation and PC malware infection. Before discussing the specifics, we should first describe the attack pathology we’re defending against.
A very common way malware is propagated is by visiting “infected” websites. Infected websites could be hosting the malware package itself, or including it as part of third-party Web page content, like an advertisement. When a browser, such as Chrome, visits an infected website it could be exploited via an unpatched software flaw. It is also possible, if not typical, for the exploit to target an installed browser plug-in like Flash. We pick on Chrome and Flash only because they provide an extra layer of defense that the other browsers and other plug-ins, including Java and Quicktime, do not: a sandbox.
To successfully compromise a Chrome browser with five layers of Defense-in-Depth, the attacker must overcome:
1) Phishing and malware detection
“Phishing and malware detection,” enabled by default in Chrome, gives users an interstitial warning that, “Visiting this site may harm your computer.” This is essentially a curated blacklist of dangerous websites and is by no means ever complete. For an attacker to bypass the phishing and malware layer of defense, one of three things would have to take place:
- Their victim would have to manually disable this setting in the preferences, which is unlikely yet possible.
- Their victim must REALLY want to see the dancing monkey on the next screen and be willing to risk infection to do so. As we know, people click past warning screens all the time.
- The attacker plants their malware in a location that evades, even temporarily, detection by Google and its partners. Certainly possible.
It is prudent to assume one of these three scenarios may transpire and the layer of defense will fail, so we need another.
2) Ad Blocking
Instead of setting up their own infected websites, or compromising otherwise legitimate websites and injecting them with malware, malware purveyors commonly purchase advertising impressions and use them to mass-distribute their wares to potential victims. Malicious advertisements are often referred to as “malvertisements.” Millions of malvertisements can be purchased for mere dollars, and this is where ad blocking, with extensions such as Ad Block and Adblock Plus, proves highly effective.
Ad blocking extensions, which do not ship with a mainstream Web browser, prevent HTTP requests from being sent to well-known advertising networks and downloading potentially malicious content. If your browser doesn’t download a malvertisement, then it obviously can’t be exploited by it. With ad blocking, a Web browser may remain unscathed even while visiting a website currently infected by malvertisements. So, not only does ad blocking make for a more pleasant user experience, it makes surfing the Web much safer!
Since ad blocking is itself a blacklist, a malicious ad could potentially slip through, and if so, another layer of defense is necessary.
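To make the mechanism concrete, here is an added example (not the post's code, nor that of Ad Block or Adblock Plus) of how a request-blocking filter decides, per outbound request, whether a page is allowed to fetch from a listed ad network. It assumes a simplified subset of the Adblock Plus filter syntax, constructed rules, and hosts under the reserved .example TLD; it also shows the caveat above, that a request to an ad host missing from the list goes through untouched.

```javascript
// Simplified request filter in the style of an ad-blocking extension (added
// example, not the post's or any extension's code). Supported rule subset:
//   ||host^          block requests to host or any subdomain of it
//   @@||host^        exception: never block requests to host (wins over blocks)
//   ...$third-party  apply the rule only when the request host is not the page's
//                    site, which is the usual shape of a malvertisement
function parseRule(text) {
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);
  const opt = text.indexOf("$");
  const thirdParty = opt !== -1 && text.slice(opt + 1).split(",").includes("third-party");
  if (opt !== -1) text = text.slice(0, opt);
  if (!text.startsWith("||") || !text.endsWith("^")) {
    throw new Error("unsupported rule syntax: " + text);
  }
  return { host: text.slice(2, -1).toLowerCase(), exception, thirdParty };
}
// Match on host boundaries only, so "||ads.example^" does not catch "newads.example".
function hostMatches(requestHost, ruleHost) {
  return requestHost === ruleHost || requestHost.endsWith("." + ruleHost);
}

// Same-site check simplified to "same host, or a subdomain in either direction".
function isThirdParty(pageHost, requestHost) {
  return !(hostMatches(requestHost, pageHost) || hostMatches(pageHost, requestHost));
}

function shouldBlock(rules, pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const reqHost = new URL(requestUrl).hostname.toLowerCase();
  const thirdParty = isThirdParty(pageHost, reqHost);
  let block = false;
  for (const r of rules) {
    if (!hostMatches(reqHost, r.host)) continue;
    if (r.thirdParty && !thirdParty) continue;
    if (r.exception) return false;   // an exception rule overrides any block
    block = true;
  }
  return block;
}

// Constructed rule list; every host uses the reserved .example TLD.
const RULES = ["||ads.example^", "||tracker.example^$third-party", "@@||cdn.example^"]
  .map(parseRule);

// Partition a page's outbound requests into those the filter stops and those it lets through.
function filterPage(pageUrl, requestUrls, rules = RULES) {
  const blocked = requestUrls.filter((u) => shouldBlock(rules, pageUrl, u));
  return { blocked, allowed: requestUrls.filter((u) => !blocked.includes(u)) };
}
```

Running filterPage over a constructed page that pulls from ads.example, eu.ads.example, tracker.example, cdn.example and newads.example blocks the first three and lets the last two through: cdn.example because of the exception rule, newads.example because nobody listed it yet.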
3) Plug-in Blocking
As mentioned earlier, malware exploits are well-known for targeting Web browser plug-ins/extensions such as Flash, Java, Quicktime, and others that auto-execute by default when called by a website. Theoretically, if extensions did not auto-execute, extensions could also not be auto-exploited. To make this theory a reality, in Chrome you can disable the auto-execution of plug-ins.
- Wrench > Preferences
- Under the Hood > Privacy
- Click the “Content Settings…” button
- Scroll down to “Plug-ins” and select “Block all.”
Now, for Flash, Java, Quicktime, etc. files to play, a user must specifically allow them with additional clicks.
Normally, extension-based exploits that lead to malware are embedded invisibly so their victim doesn’t see them, especially in malvertisements, which means there is little reason to click to allow them to play. This also means if there is a movie on the screen, or something else that you really want to see, it should be safe enough to allow — but not always. So, something malicious might still find a way to load and another layer of defense is necessary.
4) Software Security & Auto / Silent Patching
Google (maker of Chrome), and Adobe (maker of Flash) have invested extraordinary amounts of resources to improve the security quality of the software they ship. Despite their best efforts, software flaws will remain, often found by outsiders, and their products will need to be patched frequently. Patching frequency leads to patch fatigue and without help, every user falls behind eventually.
To help, Google and Adobe ship with an integrated auto and/or silent update feature for their software. Chrome and Flash regularly check on their own accord if they need to be patched so users don’t have to remember. Doing so has proved measurably effective in keeping users up-to-date on their patches and by extension, secure. However, it is possible for attackers to slip an exploit within the window of time before a would-be victim patches, or they may leverage a zero-day exploit for which no patch exists. This brings us to our last layer of defense-in-depth.
5) Sandbox
A sandbox is a software security wrapper that encompasses both Chrome and the Flash plug-in in a highly-restricted, low-privilege environment. Java and Quicktime do not have a sandbox, but they should. Firefox is working on theirs. Should an attacker leverage an unpatched exploit, or one for which no patch exists, they’ll need another exploit that allows them to breach the sandbox. This means the attacker will need two exploits instead of just one. This is another significant hurdle to overcome because, with present security offense knowledge, sandboxes are notoriously difficult to escape.
For an attacker to succeed in infecting a user’s PC with malware via the Chrome browser, they’ll have to somehow overcome five layers of Defense-in-Depth…
First, the attacker must keep their malware off black-listed sites or have the malware in a location attractive enough where the victim is convinced to manually ignore all the big red warning signs.
Second, upon landing on the infected Web page the malware must NOT come from a well-known advertising network, but if so, the victim must be enticed to specifically allow the ad to load.
Third, should the malware try to exploit an extension, the victim must manually allow the extension to load, and the visible content must be attractive enough to convince them to do so.
Fourth, the attacker’s exploit must be newer or faster than Chrome and Adobe’s patch management system, or they’ll need to use a zero-day vulnerability.
Lastly, the attacker will need to exploit another vulnerability to escape the sandbox. Then, and only then, after bypassing all five layers of Defense-in-Depth, will an attacker be able to infect a user’s PC with malware.
Collectively, when considering all these layers, Chrome users should be able to click on anything on a Web page that they want, which is the nature of the Web, and not become infected with malware. Of course there are several more speed bumps and layers to be added with other configuration settings and add-ons, but with these five, everyone can do it easily.
So, block all extensions and install ad blocking software. Happy clicking!