Sunday, February 14, 2010

The only winning move is not to play

Did you ever see the movie WarGames?  This featured a computer called the WOPR.  I really liked this movie.  I thought there was a good balance between the human story and the computer.  I liked most of the movie Twister up until the end.  Both movies climaxed with flashing computer lights.  In Twister it was just numbers scrolling on a laptop, which was lame.  In WarGames the flashing lights showed simulated attacks demonstrating the computer learning, and worked well.

Two recent things reminded me of the movie WarGames.  One item was an article in the Washington Post about students hacking into the school computer and changing grades.  The other was the new release of Oracle WebCache that includes a learning rule capability for request filtering.  In the movie, they use Tic-Tac-Toe to help the computer learn.  To try out the new WebCache learning mode I chose Nikto.  This is a web security scanner that sends thousands of requests to test the security of a web server.  This tool is easy to set up and use, and it rhymes with Tic-Tac-Toe.  Let's try it against the Webcache Oracle Process for Request Filtering (WOPRF), and see how it does.

I fired up the new WebCache 11g and chose the new Request Filters menu option.  I looked to see what rules were provided out of the box.  There are fewer than 10 rules defined!  I checked Metalink for any additional information about the learned rules feature and did not find anything.  I read the documentation; however, it does not explain how this feature works.  I looked at the rules that were defined and they included one for the Trace method and another for checking for null bytes.  Those are keepers.  I tried adding a rule and then checked the configuration to see the rule format.  The new rule was added to the webcache.xml file.  It's too bad the rules were not split out into a separate XML file.  Most of the WebCache configuration does not change, but the rules are likely to be updated more regularly.  Managing these in an independent file would have been much better.  If you add rules to block bots and spiders, and other rules for cross-site scripting and SQL injection, then this will add a lot of entries to the file.

There are two categories for learned rules, method and URL.  I ran Nikto and it sent thousands of requests.  After the test was complete I reviewed the learned rules.  The Method category showed learned rules for all the HTTP methods (OPTIONS, PUT, etc.) with a suggested action of Allow.  The URL category showed 25 learned rules.  This included a number of useful Deny rules for prefixes like cgi-bin and scripts.  The following screen shot shows the URL category with some of the learned rules.


Overall WOPRF was more like Twister than WarGames.  If you use mod_security it's easy to find a large number of rules that can be plugged right in and used.  You would either have to create these rules in WebCache or convert the mod_security rules to WebCache format.  Another limitation is that filtering applies only to requests, so responses cannot be filtered.  Filtering responses to prevent information leaks with error messages is a basic feature that needs to be there.
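To make the two ideas above concrete (learned rules in the method and URL categories, and the response filtering that WebCache lacks), here is an added example of my own; it is not WebCache code, not the webcache.xml rule format, and not the post's own material.  It assumes a hypothetical rule model with the two categories the post names, a constructed scan log of "METHOD PATH STATUS" lines, and a heuristic I chose for proposing rules: a method the origin never served successfully is proposed as Deny, and a top-level prefix that only ever returned 404 is proposed as Deny.  The request filter also carries the two keeper rules (TRACE and null bytes), and the response filter suppresses error bodies that would leak internals.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    category: str  # "method" or "url" (the two learned-rule categories on the page)
    pattern: str   # an HTTP method name, or a URL path prefix
    action: str    # "Allow" or "Deny"


# Hand-written baseline: the TRACE rule the post calls a keeper.  The null-byte
# check is implemented in code below rather than as a prefix rule.
BASELINE_RULES = [Rule("method", "TRACE", "Deny")]

GENERIC_ERROR = "An error occurred. Please try again later."

# Response-body patterns that give away server internals (assumed, illustrative).
LEAK_PATTERNS = [
    re.compile(r"ORA-\d{5}"),                           # Oracle error codes
    re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),    # Java stack-trace frames
    re.compile(r"\b\w+(Exception|Error): "),            # "FooException: message"
]


def has_null_byte(path: str) -> bool:
    """True if the path contains a NUL, raw or percent-encoded (%00)."""
    return "\x00" in unquote(path)


def _prefix_match(path: str, prefix: str) -> bool:
    """Match on whole path segments so /cgi-bin does not match /cgi-binary."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def filter_request(method: str, path: str, rules):
    """Return (action, reason).  Deny rules win over Allow rules; if any
    method Allow rules exist they act as an allow list for methods."""
    method = method.upper()
    if has_null_byte(path):
        return "Deny", "null byte in URL"
    for rule in rules:
        if rule.action != "Deny":
            continue
        if rule.category == "method" and rule.pattern == method:
            return "Deny", f"method rule {rule.pattern}"
        if rule.category == "url" and _prefix_match(path, rule.pattern):
            return "Deny", f"url rule {rule.pattern}"
    allowed = {r.pattern for r in rules if r.category == "method" and r.action == "Allow"}
    if allowed and method not in allowed:
        return "Deny", "method not on allow list"
    return "Allow", "default"


def learn_rules(log_lines):
    """Propose rules from what the origin answered during a scan (my heuristic,
    not WebCache's).  Lines are constructed as "METHOD PATH STATUS"."""
    method_served = defaultdict(bool)   # did this method ever get a non-error reply?
    prefix_statuses = defaultdict(set)  # status codes seen under each top-level prefix
    for line in log_lines:
        method, path, status = line.split()
        code = int(status)
        method_served[method.upper()] |= code < 400
        prefix_statuses["/" + path.lstrip("/").split("/", 1)[0]].add(code)
    proposed = [Rule("method", m, "Allow" if ok else "Deny")
                for m, ok in sorted(method_served.items())]
    proposed += [Rule("url", p, "Deny")
                 for p, codes in sorted(prefix_statuses.items()) if codes == {404}]
    return proposed


def build_ruleset(log_lines):
    """Baseline rules first, so a learned Allow never masks a hand-written Deny."""
    return BASELINE_RULES + learn_rules(log_lines)


def filter_response(status: int, body: str) -> str:
    """Replace 5xx bodies, or any body that leaks internals, with a generic page."""
    if status >= 500 or any(p.search(body) for p in LEAK_PATTERNS):
        return GENERIC_ERROR
    return body


# Constructed scan log in the shape a Nikto run against a small site might leave.
SCAN_LOG = [
    "GET / 200",
    "GET /index.html 200",
    "HEAD /index.html 200",
    "OPTIONS / 200",
    "GET /cgi-bin/test.cgi 404",
    "GET /cgi-bin/printenv 404",
    "GET /scripts/test.asp 404",
    "PUT /upload.txt 405",
    "TRACE / 405",
]

if __name__ == "__main__":
    for rule in build_ruleset(SCAN_LOG):
        print(rule)
```

Run as a script, this prints the baseline TRACE rule followed by the proposed rules: Allow for GET, HEAD and OPTIONS, Deny for PUT and TRACE, and Deny for the /cgi-bin and /scripts prefixes.  The main design point is that a learned Allow is only ever used as an allow list and can never override a Deny, which is the property you would want before letting suggested rules anywhere near production.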

If you have a strong filtering mechanism in place to protect the web site, then you can achieve your goal of reaching a draw between people trying to attack the web site and your defenses.  This may convince them that the only winning move is not to play.
