METHODS OF IDENTIFYING ACTIVEX CONTROL DISTRIBUTION SITE, DETECTING SECURITY VULNERABILITY IN ACTIVEX CONTROL AND IMMUNIZING THE SAME

US 20110219454A1
Filed: 11/11/2010
Published: 09/08/2011
Est. Priority Date: 03/05/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method of identifying an ActiveX control distribution site, comprising:

performing a search engine query input from a distribution site identification server to obtain URLs to be tested, and executing a web browser for each of the URLs to access the URLs;

determining whether or not each of the accessed URLs uses an ActiveX control;

collecting information on the ActiveX control and recording the information in a distribution status DB when each accessed URL uses an ActiveX control; and

identifying the ActiveX control distribution site based on the distribution status DB.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method of identifying an ActiveX control distribution site, detecting a security vulnerability in an ActiveX control and immunizing the same. A security vulnerability existing in an ActiveX control may be automatically detected, effects brought on by the corresponding security vulnerability may be measured, and abuse of the detected security vulnerability in a user PC to be protected may be immediately prevented. Therefore, since the user PC may be protected regardless of a security patch, it is anticipated that security problems in the Internet environment caused by imprudent use of the ActiveX control may be significantly enhanced.

34 Citations

View as Search Results

18 Claims

1. A method of identifying an ActiveX control distribution site, comprising:
- performing a search engine query input from a distribution site identification server to obtain URLs to be tested, and executing a web browser for each of the URLs to access the URLs;
  
  determining whether or not each of the accessed URLs uses an ActiveX control;
  
  collecting information on the ActiveX control and recording the information in a distribution status DB when each accessed URL uses an ActiveX control; and
  
  identifying the ActiveX control distribution site based on the distribution status DB.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein determining whether or not each of the accessed URLs uses an ActiveX control includes analyzing a structure of a document object model (DOM) loaded into a web browser at each of the accessed URLs, and determining whether an ActiveX control is used or not.
  - 3. The method of claim 1, wherein collecting information on the ActiveX control includes collecting a URL of a site where the ActiveX control is used, a URL of an installation file of the ActiveX control, a version, a creation date, a publisher, a hash value for the installation file, and a binary value of the installation file, and recording the collected information together with an identifier in the distribution status DB.
  - 4. The method of claim 1, wherein collecting information on the ActiveX control includes:
    - checking whether a test scheduling is terminated or not when the ActiveX control is not used in each of the accessing URLs to be tested; and
      
      accessing the URLs to be tested after a designated time lapses and determining whether the ActiveX control is used or not when the test scheduling is not terminated.

5. A method of detecting a security vulnerability in an ActiveX control, comprising:
- installing an ActiveX control to be tested from a security vulnerability detection server to a testing PC that operates in a virtual machine;
  
  generating combinations of test input values for testing the ActiveX control;
  
  generating a test web page using the generated combinations of test input values;
  
  executing a web browser to access the generated test web page, monitoring activities of the web browser, and recording a debugging log caused by abnormal termination of the web browser and a resource access log caused by a resource access in a security vulnerability DB; and
  
  detecting a security vulnerability in the ActiveX control based on the security vulnerability DB.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The method of claim 5, wherein generating combinations of test input values for testing the ActiveX control includes generating the combinations of test input values for each callable method, property, and initialization using a predefined basic input value DB.
  - 7. The method of claim 6, wherein generating combinations of test input values for testing the ActiveX control includes:
    - extracting a normal input value for each method and transfer factor from a normal web site using an ActiveX control to be tested and recording the extracted results in a control-specific input value DB; and
      
      generating the combinations of test input values for each callable method, property, and initialization using the basic input value DB and the control-specific input value DB.
  - 8. The method of claim 7, wherein an input value type of the ActiveX control, a test input value type for testing the ActiveX control, and a value representing the test input value in an XML format are recorded in the basic input value DB and the control-specific input value DB.
  - 9. The method of claim 8, wherein the test input value type is classified into Invalid Input having an extreme value not used under normal circumstances so that the presence of the security vulnerability is determined, and Code Coverage that is a value forming every condition enabling entry up to a code point where the security vulnerability occurs due to the Invalid Input value.
  - 10. The method of claim 5, wherein executing the web browser includes recording a debugging log including register and stack statuses for a process when the web browser is abnormally terminated while the activities of the web browser are monitored.
  - 11. The method of claim 5, wherein executing the web browser includes determining whether or not a character string including a magic string is used as a transfer factor of a corresponding API function when the web browser accesses a resource while the activities of the web browser are monitored, and recognizing resource access only when a character string including a magic string is used, and recording a resource access log.
  - 12. The method of claim 11, further comprising hooking a file, a registry, and network-related API functions to monitor resource access activities of the web browser.
  - 13. The method of claim 5, wherein executing the web browser includes recording a vulnerability type of the vulnerability in the ActiveX control, a call type, a method name, and an exploit pattern representing an abnormal use pattern of the ActiveX control together with a vulnerability identifier in the security vulnerability DB.
  - 14. The method of claim 13, wherein the vulnerability type is classified into a buffer overflow security vulnerability type and a resource access security vulnerability type,the vulnerability type is classified as the buffer overflow security vulnerability type when the length of a minimum input value at which a register EIP is changed into Invalid Input among the combinations of input values that cause Access Violation is calculated, andthe vulnerability type is classified as FileAccess security vulnerability of the resource access-type security vulnerability when a file including a magic string affected by an input value is generated, deleted, read, or executed, as RegAccess security vulnerability when a registry entry including a magic string is generated, deleted or read, and as NetAccess security vulnerability when a network access including a magic string occurs.

15. A method of immunizing a security vulnerability in an ActiveX control, comprising:
- updating an exploit pattern DB in which an exploit pattern that is an abnormal use pattern of an ActiveX control at a user PC is recorded, and hooking a function call path of an ActiveX control to be monitored;
  
  monitoring a call of a function of the ActiveX control to be monitored using the hooked code;
  
  measuring a degree of similarity between a transfer factor and the exploit pattern with respect to each function call when the function call of the ActiveX control to be monitored is made;
  
  determining use of the exploit pattern and interrupting the function call when the measured degree of similarity exceeds a predefined threshold, and determining non-use of the exploit pattern and allowing the function call when the measured degree of similarity does not exceed a predefined threshold; and
  
  collecting information on abuse of a vulnerability and transferring the collected information to a security vulnerability detection server when the use of the exploit pattern causes the function call to be blocked.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein updating the exploit pattern DB includes downloading a security vulnerability DB from the security vulnerability detection server and updating the exploit pattern DB using the exploit pattern included in the security vulnerability DB.
  - 17. The method of claim 15, wherein monitoring the call function of the ActiveX control to be monitored includes changing an ActiveX control file registered in a registry, changing a table for a corresponding interface, or sensing a newly installed ActiveX control to hook a function call path of the ActiveX control.
  - 18. The method of claim 16, further comprising recording a URL of a site abusing a vulnerability, a vulnerability ID, a degree of exploit pattern similarity, an ActiveX control call log representing an input value log used when a function call of the ActiveX control is made, and a web document log representing the content of a web document loaded into a web browser when the URL of the site is accessed in the vulnerability abuse site DB based on the information on abuse of a vulnerability transferred from the security vulnerability detection server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
LEE, Dong Hyun, OH, Hyung Geun, KIM, Soo Yong, LEE, Cheol Ho

Application Number

US12/944,050
Publication Number

US 20110219454A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

METHODS OF IDENTIFYING ACTIVEX CONTROL DISTRIBUTION SITE, DETECTING SECURITY VULNERABILITY IN ACTIVEX CONTROL AND IMMUNIZING THE SAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS OF IDENTIFYING ACTIVEX CONTROL DISTRIBUTION SITE, DETECTING SECURITY VULNERABILITY IN ACTIVEX CONTROL AND IMMUNIZING THE SAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links