Will be available as plug-in for Firefox

Jul 8, 2010 09:03 GMT  ·  By

Security researchers from German security firm Recurity Labs have developed a new technology to defend against Flash-based attacks and plan to release it as a Firefox plug-in. Named Blitzableiter, it analyzes SWF files for malicious code in real time, before the browser is allowed to load them.

Blitzableiter, German for lightning rod, works much like the behavioral analysis layers found in some anti-malware products. Suspect files, in this case Flash files in the SWF format, are processed inside a sandbox where their code is analyzed for irregularities that could point to an attack.

"I have high hopes that it will automatically remove a large section of the attacks against Flash. This defense is unique in that there's no signatures involved. We based everything on principles and not attack signatures," Felix Lindner, senior security consultant at Recurity Labs, who plans to present the tool at the upcoming Black Hat USA 2010 security conference, told SearchSecurity.com.

The malicious SWF files Blitzableiter aims to detect fall into two categories: malformed files that trigger memory corruption in the player, and well-formed files that abuse the Flash Player API for malicious ends. The program's job does not end with blocking bad SWFs, however: it can also normalize the code and recreate a clean version of the file, which is then served to the browser.
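To make the two categories concrete, below is a small bounds-checking SWF container parser written for this article. It is an added example, not Blitzableiter's code, and it does not attempt the API-call patching described above. It walks the SWF header (signature, version, FileLength, the bit-packed frame-size RECT, frame rate and frame count) and then the tag stream, rejecting any file whose declared lengths disagree with the bytes actually present, which is the malformed class. Well-formed files are reported together with their script-bearing tags (DoAction, DoInitAction, DoABC), which is where an API-level analysis would have to continue. The three sample files are constructed inline for the demonstration, including one whose tag header claims a 2 GB payload.

```python
"""Added example: bounds-checking SWF container parser (not Blitzableiter's code)."""
import struct
import zlib

SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}  # tag codes from the SWF spec


class SwfError(ValueError):
    """The container violates the SWF format rules."""


class _BitReader:
    """MSB-first bit reader for the RECT record at the start of the body."""

    def __init__(self, data):
        self.data, self.pos, self.bit = data, 0, 0

    def ubits(self, n):
        value = 0
        for _ in range(n):
            if self.pos >= len(self.data):
                raise SwfError("frame-size RECT runs past end of file")
            value = (value << 1) | ((self.data[self.pos] >> (7 - self.bit)) & 1)
            self.bit += 1
            if self.bit == 8:
                self.bit, self.pos = 0, self.pos + 1
        return value

    def sbits(self, n):
        v = self.ubits(n)
        return v - (1 << n) if n and v >> (n - 1) else v

    def aligned_pos(self):
        return self.pos + (1 if self.bit else 0)


def parse_swf(data):
    """Parse the header and every tag header; raise SwfError on any inconsistency."""
    if len(data) < 8:
        raise SwfError("shorter than the 8-byte header")
    sig, version = data[:3], data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        if version < 6:
            raise SwfError("CWS compression needs version >= 6")
        try:
            body = zlib.decompress(data[8:])
        except zlib.error as exc:
            raise SwfError(f"corrupt zlib body: {exc}") from None
    else:
        raise SwfError(f"unknown signature {sig!r}")
    if file_length != 8 + len(body):  # FileLength covers header plus *uncompressed* body
        raise SwfError(f"FileLength {file_length} != actual {8 + len(body)}")
    br = _BitReader(body)
    nbits = br.ubits(5)
    rect = tuple(br.sbits(nbits) for _ in range(4))  # Xmin, Xmax, Ymin, Ymax in twips
    pos = br.aligned_pos()
    if pos + 4 > len(body):
        raise SwfError("truncated FrameRate/FrameCount")
    rate_raw, frame_count = struct.unpack_from("<HH", body, pos)
    pos += 4
    tags = []
    while True:
        if pos + 2 > len(body):
            raise SwfError("tag stream ends without an End tag")
        code_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:  # long form: a UI32 length follows the RECORDHEADER
            if pos + 4 > len(body):
                raise SwfError(f"tag {code}: truncated long length field")
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if length > len(body) - pos:  # the malformed / memory-corruption class
            raise SwfError(f"tag {code} at {pos} declares {length} bytes, {len(body) - pos} remain")
        tags.append((code, length))
        pos += length
        if code == 0:  # End tag
            break
    return {"version": version, "compressed": sig == b"CWS", "frame_size_twips": rect,
            "frame_rate": rate_raw / 256.0, "frame_count": frame_count, "tags": tags,
            "script_tags": [SCRIPT_TAGS[c] for c, _ in tags if c in SCRIPT_TAGS]}


def triage(data):
    """Sort a file into the two classes the article describes."""
    try:
        info = parse_swf(data)
    except SwfError as exc:
        return "malformed", str(exc)
    if info["script_tags"]:
        return "well-formed, contains script", ", ".join(info["script_tags"])
    return "well-formed, no script", ""


# --- constructed sample files for the demo (not real-world SWFs) -------------
def _rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = format(nbits, "05b") + "".join(
        format(v & ((1 << nbits) - 1), f"0{nbits}b") for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def tag(code, payload=b"", declared_len=None):
    """Encode one tag; declared_len lets a sample lie about its payload size."""
    n = len(payload) if declared_len is None else declared_len
    hdr = struct.pack("<H", (code << 6) | min(n, 0x3F))
    return hdr + (struct.pack("<I", n) if n >= 0x3F else b"") + payload


def build_swf(tags, compress=False, version=10):
    body = _rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 << 8, 1) + b"".join(tags)
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


VALID_SAMPLE = build_swf([tag(9, b"\xff\xff\xff"), tag(1), tag(0)])            # white 550x400 frame
SCRIPT_SAMPLE = build_swf([tag(12, b"\x00"), tag(1), tag(0)], compress=True)   # empty DoAction
MALFORMED_SAMPLE = build_swf([tag(9, b"\xff\xff\xff", declared_len=0x7FFFFFFF), tag(0)])

if __name__ == "__main__":
    for name, sample in [("valid", VALID_SAMPLE), ("script", SCRIPT_SAMPLE), ("bad", MALFORMED_SAMPLE)]:
        print(name, triage(sample))
```

The check that matters is the comparison of each tag's declared length against the bytes remaining: a player that trusts the 32-bit long-form length and allocates or copies accordingly is exactly the kind of consumer a malformed file targets. Note that the parser stops at the container level; deciding whether a well-formed DoAction or DoABC body abuses the player API requires disassembling the bytecode, which this example does not do.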

There are two costs to this approach to consider: performance and file size. On performance, on a state-of-the-art machine the Recurity researchers recorded an average of 0.44 seconds for SWF parsing and validation and 0.45 seconds for patching the API calls and emitting a clean version of the file. In total, processing a file that needs patching can take almost a second on a powerful computer.

Because every API call is patched in this process to conform to the specification, the resulting SWF file can be significantly larger than the original. In tests that involved patching 82,214 files, the researchers measured an average code size increase of 224% per file.

Given those numbers, Blitzableiter's drawbacks seem acceptable compared with the security benefits. The technology will be available both to Flash developers as a stand-alone tool and to users as a browser plug-in, which will apparently be packaged together with NoScript, a very popular security extension for Firefox.

You can follow the editor on Twitter @lconstantin