aps-AV is a security solution based on innovative design principles paired with state-of-the-art protection and security of AV solutions in businesses. The aps-AV three-tier architecture ensures a safe, easy and flexible integration into existing infrastructures.
With the Application Protection System – Anti Virus, or aps-AV, n.runs AG offers the first member of the n.runs aps system platform, which was especially developed for the protection and security of AV solutions in businesses. The setup of the aps-AV solution (previously known under the code name “ParsingSafe”) follows the design paradigms of a BSL-4 virus laboratory, whose control, shielding and destruction mechanisms are recreated. This architecture ensures a safe, easy and flexible integration into existing infrastructures. Since the potentially harmful data is neither parsed nor inspected or interpreted in any other way before it reaches the firewalled analytic environment, even successful parsing-related attacks on adjacent systems and networks will have no impact on it.
Together with the AV vendors that are technology partners, n.runs guarantees the functions, availability and safety of AV solutions and prevents the takeover of the mail server and its clients by an attacker. To this end the solution supports mail systems such as standard SMTP mailers, Lotus Notes and Exchange. The aps-AV environment is also designed in accordance with the principle of “defense in depth”; in this case, however, the AV software itself is also considered a target.
In order to build up an environment similar to a “class 4” virus laboratory, the architecture is divided into three tiers: the front end, the distribution tier and the execution tier. These three protection zones are separated by firewalls, as shown in Figure 2. The different systems can only communicate across these security layers by means of a special multi-path protocol developed in accordance with the security requirements of the architecture.

Figure 2: aps-AV Three-Tier Architecture
The design of the system is not based on trust relationships. Data is transferred in such a way that only the data necessary to operate the solution is transferred; cryptographic features are used to enforce this principle. During design and implementation, inspecting the data transferred to the execution environment and the AV scanners was strictly avoided. Parsing of that data simply does not take place outside the execution environment.
aps-AV stands out for its secure architecture, which achieves a simple and flexible integration into existing infrastructures. Potentially harmful data is not processed, inspected or interpreted before it is shunted to a secure area for analysis. For this reason, even successful parsing-specific attacks will have no effect on neighboring systems and networks.
In this process aps-AV will neither examine the data for known virus signatures nor submit it to any parsing operations. Only after the data has entered the execution environment, which, besides running on a high-security operating system, does not provide any network interfaces, do the AV engines start their work and check the e-mail attachments for malicious code. If any abnormality is detected, the whole environment is completely deleted, including the operating system, and the incident is marked as an attack on the respective AV product.
Then, the distribution engine will either give the go-ahead or else induce the blocking of the e-mail. Moreover, the incident will be centrally logged and reported.
In order to protect aps-AV itself from attacks, it has been completely written in highly secure managed code (C#), thereby reducing its attack surface to an absolute minimum.
In addition, all processes within the three-tier architecture are mutually authenticated. The communication between the three core components is protected by signatures and a special multi-path protocol. During implementation no unsafe code was produced, nor have unsafe methods or libraries (P/Invoke) been used.

Figure 3: aps-AV Key Features
aps-AV protects your investments by reusing your current AV software. Additionally, AV infrastructures can be centralised thanks to the open interfaces offered by aps-AV; this follows the current trend towards centralisation and can lead to advantages in terms of operating costs.
Independent researchers and security experts from n.runs AG have demonstrated over the last year that anti-virus software allows precisely what it is supposed to protect against: the infiltration and execution of malicious code.
During research and tests, hundreds of vulnerabilities were discovered in anti-virus programs that companies rely on to protect their assets. These vulnerabilities permit Denial-of-Service (DoS) attacks and allow malicious code to be smuggled past perimeter security into the company network. Even arbitrary program code can be executed with the help of AV software. Every AV program available on the market is affected by a number of these vulnerabilities. As a consequence, even SANS rated anti-virus software as one of the biggest attack vectors for the year 2007 in their “Top-20 2007 Security Risks”. n.runs believes this will not change in the years to come.
Anti-virus systems have a very specific goal: the recognition of as much potentially damaging data as possible. In order to achieve this, AV programs have to be able to understand and process many different file formats. This is made all the more difficult by the fact that malware resorts to a variety of tricks in order to remain undetected. These tricks mean that the formats also have to be supported and understood above and beyond their specifications.
Upon inspection of the AV software, it became clear that the unusually high number of bugs is attributable to a necessary function of the AV programs: the parsing of data formats.
In order to make binary data interpretable and comprehensible, it is split into blocks and structures. This process is known as “parsing”. Through false assumptions made during parsing, conditions occur which allow program code to be infiltrated and executed.
Every single one of the anti-virus products has its own specific vulnerabilities. Therefore the use of multiple AV products also multiplies the number of potential targets and thus increases the risk of attack. This leads to a rather paradoxical situation: the more AV software is installed, the easier the attacker will find his way into the system.
Just one single bug in the parsing engine of any of the virus scanners may give an attacker the opportunity to gain control over the mail server through which e-mail is passing. This server might be situated at the very core of the company and allow the attacker to access all data on the mail server, the place where in many cases the entire electronic communication of a company is processed. Moreover, the attacker can use this access as a gateway to other sections of the network and to exploit trust relationships. In addition, the security software is often located on the same section of a company network as is the critical data. The security software itself generally runs with administrative access rights, which makes it a very attractive target for attackers.
If the attacker is able to find a bug in the parsing engine of the AV software, he can use it to access the mail server, for example by sending an e-mail with a prepared ZIP attachment.
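As an added example (not n.runs code), the following is a bounds-checked reader for the fixed part of a ZIP local file header, the kind of structure an AV engine must parse for the ZIP attachment just mentioned; each check replaces one declared-length assumption of the sort that, taken on trust, becomes the parsing bug described above. Field offsets follow the ZIP format; the sample entries are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ZIP_LFH_SIZE 30u          /* fixed part of a local file header */
#define ZIP_LFH_SIG  0x04034b50u  /* "PK\3\4" read as little-endian */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
/* Reads one local file header from buf[0..len): copies the entry name into
 * out (NUL-terminated) and reports the compressed payload size that follows.
 * Returns 0 on success, -1 if the record is truncated or inconsistent. */
int zip_local_header(const uint8_t *buf, size_t len,
                     char *out, size_t outlen, uint32_t *payload_len)
{
    /* Assumption replaced: "the fixed header is always present". */
    if (len < ZIP_LFH_SIZE || rd32(buf) != ZIP_LFH_SIG)
        return -1;
    uint32_t csize     = rd32(buf + 18);
    uint32_t name_len  = rd16(buf + 26);
    uint32_t extra_len = rd16(buf + 28);
    /* Assumption replaced: "the declared name fits my buffer". */
    if (name_len >= outlen)
        return -1;
    /* Assumption replaced: "declared lengths never exceed the input";
     * 64-bit arithmetic keeps the sum itself from wrapping around. */
    if ((uint64_t)ZIP_LFH_SIZE + name_len + extra_len + csize > len)
        return -1;
    memcpy(out, buf + ZIP_LFH_SIZE, name_len);
    out[name_len] = '\0';
    *payload_len = csize;
    return 0;
}
/* Constructed sample: entry "a.txt", stored (method 0), 3-byte payload. */
static const uint8_t good_entry[] = {
    0x50,0x4b,0x03,0x04, 0x0a,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0,0,0,0, 3,0,0,0, 3,0,0,0, 5,0, 0,0, 'a','.','t','x','t', 'a','b','c' };
/* Constructed sample: identical, but the name length field claims 65535. */
static const uint8_t bad_entry[] = {
    0x50,0x4b,0x03,0x04, 0x0a,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0,0,0,0, 3,0,0,0, 3,0,0,0, 0xff,0xff, 0,0, 'a','.','t','x','t', 'a','b','c' };
/* 1 when the well-formed entry yields "a.txt" and a 3-byte payload. */
int demo_accepts_good(void) {
    char name[64]; uint32_t n = 0;
    return zip_local_header(good_entry, sizeof good_entry, name, sizeof name, &n) == 0
        && strcmp(name, "a.txt") == 0 && n == 3;
}
/* 1 when the oversized name length is rejected rather than copied. */
int demo_rejects_bad(void) {
    char name[64]; uint32_t n = 0;
    return zip_local_header(bad_entry, sizeof bad_entry, name, sizeof name, &n) == -1;
}
```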
Security software is widely used and strategically placed in precisely those places in the company network where critical data is stored.
An attacker can manipulate internal systems that have AV software installed. This way the attacker can, for example, send an e-mail with a specially crafted attachment and achieve different goals, including but not limited to:
- Execution of the attacker's code of choice, often with the access rights of the AV solution. Thus the attacker can often access the entire e-mail correspondence and pivot into other segments of the network.
- The AV infrastructure can be brought to a complete halt through Denial-of-Service attacks. This can lead to a complete stop of the e-mail infrastructure.
- The protection provided by the AV infrastructure can be completely bypassed: viruses and other malware are delivered directly to the end user.

Figure 1: Attack on a Corporate AV Infrastructure
1. The attacker sends an e-mail with an attachment exploiting a vulnerability in AV B
2. AV A does not detect any malware and lets the e-mail pass
3. AV B parses the mail and the bug is triggered; the code of choice is executed
4. The payload specified by the attacker connects back to the attacker (as one possibility)
5. The attacker gets an interactive command shell on the mail server
An external attacker can carry out various manipulations on those internal systems on which the AV software runs. Since parsing as a detection mechanism is indispensable for detecting malware, n.runs sees only one possible solution: embed the existing anti-virus products with their high detection rates in a highly secure architecture. This prevents successful attacks against the existing e-mail and AV infrastructure.
This was the goal when n.runs developed aps-AV, known so far under the codename ‘ParsingSafe’. By including the established AV software vendors as technology partners, n.runs guarantees a high detection rate while reducing the attack surface and increasing the overall security. It also guarantees the protection of investments already made in AV software and infrastructure, since companies can continue to use their existing AV solutions.