Reflexion web

    imageThis post focuses on security in general and web resources in particular. The main problem of protection against deliberate attacks is that it is impossible to defend against them. Each new security system creates new vulnerabilities. Every day, new holes open up in various software versions, and as a result, the security process is a process of continuous patching of holes. If the qualification and enthusiasm of a specialist who ensures the security of resources is a cut above potential hackers, then he runs faster in this marathon, and we can talk about a certain “security” of the resource. Otherwise, the administrator has to learn from his own mistakes.

    This whole situation has long caused a certain skepticism of uninitiated people in IT security issues regarding this IT security itself. Quite often, I hear the opinion that investing in new technologies and products to protect information is a waste, since any protection breaks and any new one is no exception.

    This situation made me think about fundamentally new approaches to ensuring security, fundamentally different from traditional ones in that they protect the system even from vulnerabilities unknown today. This idea may seem absurd, but only at first glance. It is enough to recall that behind any attacks on the Internet there is a person who is the same as you and me. An online attack is a combination of some targeted actions with feedback. It is based on a priori information of the attacker and information obtained during the investigation. But there is nothing complicated in making this information untrue. And this is not about simple misinformation, but about protecting systems from research .



    To understand what it is, you must try to imagine how a person receives information about the world around him. Any information essentially belongs to certain categories (classifications), which can correspond to reality only in terms of some parameters (stereotypical scheme). In order not to load the reader with high-tech vocabulary, I will give a simple example. There is, for example, a chair. There is a generally accepted stereotype of the chair - four legs, on them a certain surface and the back of the chair. Everyone will recognize him and they will say for sure that this is a "chair." But if you make it fundamentally different, without legs, surface and back (for example, the first soft shapeless chairs), then no one will call it a chair, although it will perform the same function. By modifying objects beyond recognition, you can hide their functional purpose. A, hiding their functional purpose, you can hide certain activities and even entire business processes. We have a person in Russia who claims to have been engaged in such “concealment” of events and even the activities of entire companies for a long time! However, I didn’t see this in reality, and I don’t know how to modify ordinary objects beyond recognition. But the IT industry provides us with such a suitable ground for such an activity, because you can write anything you like in software.

    And so the technology of protection against system research was born , which makes it possible to make a unique one from any standard process, introducing into it some parameters that are meaningless from the point of view of the objective function of the process. This makes a small additional burden on computing resources (those resources that go to create “uniqueness”), but on the other hand, it performs the main task in terms of security - any a priori information about the system’s operation simply becomes incorrect. In order to investigate the system, an attacker has to rely on some additional assumptions, which can also be made incorrect and thus lead the system into a state of complete chaos for an external observer. At the same time, the target function of the system remains unchanged, but a step to the left, a step to the right - and nothing is clear ...

    How does this happen in reality? Well, the attacker is trying to check the site for SQL injection vulnerabilities and for simplicity it enters a quotation mark or expression like ... id = 1 + 1 and looks at what is happening. And unbelievable! - the system adds up the numbers and displays the page by id = 2. The conclusion is that the SQL injection vulnerability is open. However, then when he tries to get information from the database, he discovers that the system somehow strange displays the wrong information and inadequately responds to the entered parameters. After a while, he finds a new dependence, but then again realizes that it is also not true and continues the meaningless research process.

    The modules developed by the Reflexion Web (Reflexive Web) project work on this principle.. The operation diagram of the PRIS Mirror module is shown in the figure.

    image

    Intercepting the values ​​of the $ _GET and $ _POST arrays, it filters out those that the “normal user” cannot enter and executes requests for them, taking into account the customizable concept of system uniqueness. The result is that we create vast spaces of vulnerabilities in which a potential attacker gets stuck, without even suspecting that they are already being watched in reality. In terms of surveillance, this technology is similar to the already known HoneyPot system, but it differs fundamentally from the latter in that monitoring is not the main task of the module. The main task is to make each system fundamentally different in functional processes from another, and thereby reduce residual risks where this cannot be done so far.

    At this stage, the project is open and we welcome any new ideas, suggestions and assistance in the development!

    Also popular now: