Honeypots mailing list archives

Re: Client Honeyopt Patent


From: "Alexandre Dulaunoy" <adulau () gmail com>
Date: Mon, 24 Dec 2007 12:52:00 +0100

On Dec 21, 2007 8:07 PM, Lance Spitzner <lance () honeynet org> wrote:

CLAIM #1
========
"A system comprising: a browser that is capable of visiting network
locations as represented by uniform resource locators (URLs); and a
browser-based vulnerability exploit detector that directs the browser
to visit a given URL by making an information request to the given
URL; the browser-based vulnerability exploit detector adapted to
detect if the given URL accomplishes an exploit on the system after
the browser makes the information request to the given URL."


http://www.ics.forth.gr/dcs/Activities/papers/replay.pdf (published in 2005
and presented at Usenix Security '05).

"The Shadow Honeypot architecture is a systems approach to handling
network-based attacks, combining filtering, anomaly detection systems
and honeypots in a way that exploits the best features of these
mechanisms, while shielding their limitations. We focus on
transactional applications, i.e., those that handle a series of
discrete requests. Our architecture is not limited to server
applications, but can be used for client-side applications such as web
browsers, P2P clients, etc. As illustrated in Figure 2, the
architecture is composed of three main components: a filtering engine,
an array of anomaly detection sensors and the shadow honeypot, which
validates the predictions of the anomaly detectors. The processing
logic of the system is shown graphically in Figure 3."

and

"4.1.0.2 Mozilla Firefox

For the evaluation of the client case, we used the Mozilla Firefox
browser. For the initial validation tests, we back-ported the recently
reported libpng vulnerability [7] that enables arbitrary code
execution if Firefox (or any application using libpng) attempts to
display a specially crafted PNG image. Interestingly, this example
mirrors a recent vulnerability of Internet Explorer, and JPEG image
handling [6], which again enabled arbitrary code execution when
displaying specially crafted images.

In the tightly-coupled scenario, the protected version of the
application shares the address space with the unmodified version. This
is achieved by transforming the original source code with our DYBOC
tool. Suspicious requests are tagged by the ADS so that they are
processed by the protected version of the code as discussed in Section
3.2.

For the loosely-coupled case, when the AD component marks a request
for processing on the shadow honeypot, we launch the instrumented
version of Firefox to replay the request. The browser is configured to
use a null X server as provided by Xvfb. All requests are handled by a
transparent proxy that redirects these requests to an internal Web
server. The Web server then responds with the objects served by the
original server, as captured in the original session. The workload
that the shadow honeypot can process in the case of Firefox is
determined by how many responses per second a browser can process and
how many different browser versions can be checked."

They use a client honeypot to validate the input captured before.
There is the "vulnerability exploit detector" and a test of whether the
exploit is successful or not.

Maybe useful as prior art? What's the official "grace period" in the US
for filing a patent after a scientific publication?

Hope this helps,

adulau

-- 
--                   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
--                             http://www.foo.be/cgi-bin/wiki.pl/Diary
--         "Knowledge can create problems, it is not through ignorance
--                                that we can solve them" Isaac Asimov
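As an added illustration, not code from the paper, the DYBOC/Firefox setup or this mailing list, here is a toy Python model of the three-stage processing logic the excerpt describes, using the malformed-image case as the suspicious input: the sensor is a cheap IHDR sanity check, the "shadow client" is a stand-in decoder that reports a chunk length overrunning the object, and a confirmed hit is fed back into the filter. The URLs and PNG byte strings are constructed samples (CRC fields zeroed and not checked).

```python
from dataclasses import dataclass, field
PNG_SIG = b"\x89PNG\r\n\x1a\n"
@dataclass
class CapturedResponse:          # one object captured from the original session
    url: str
    content_type: str
    body: bytes

def ihdr_sensor(resp):
    """Cheap anomaly-detection sensor: a PNG must open with a 13-byte IHDR chunk."""
    if resp.content_type != "image/png":
        return False
    return not resp.body.startswith(PNG_SIG) or int.from_bytes(resp.body[8:12], "big") != 13

def shadow_decoder(resp):
    """Stand-in for the instrumented client: True when a chunk length would read past the object."""
    if not resp.body.startswith(PNG_SIG):
        return False
    pos = 8
    while pos + 8 <= len(resp.body):
        length = int.from_bytes(resp.body[pos:pos + 4], "big")
        if pos + 12 + length > len(resp.body):
            return True
        pos += 12 + length
    return False

@dataclass
class ShadowHoneypot:
    sensors: list                                # anomaly-detection sensors
    shadow_client: object                        # instrumented client, returns bool
    blocked: set = field(default_factory=set)    # filtering-engine state

    def process(self, resp):
        if resp.url in self.blocked:
            return "filtered"            # known-bad: reaches neither client
        if not any(s(resp) for s in self.sensors):
            return "passed"              # unremarkable: served by the unmodified client
        if self.shadow_client(resp):     # suspicious: replay on the shadow first
            self.blocked.add(resp.url)   # confirmed: feed the URL back into the filter
            return "dropped"
        return "passed"                  # sensor false positive: forward as normal

def run_demo():
    # constructed samples: a well-formed PNG, an overrunning IHDR length, a mislabelled GIF
    ok = PNG_SIG + (13).to_bytes(4, "big") + b"IHDR" + b"\0" * 17 + b"\0\0\0\0IEND\0\0\0\0"
    bad = PNG_SIG + (0xFFFF).to_bytes(4, "big") + b"IHDR" + b"\0" * 17
    hp = ShadowHoneypot([ihdr_sensor], shadow_decoder)
    return {"benign": hp.process(CapturedResponse("ok.png", "image/png", ok)),
            "overrun": hp.process(CapturedResponse("bad.png", "image/png", bad)),
            "repeat": hp.process(CapturedResponse("bad.png", "image/png", bad)),
            "mislabelled": hp.process(CapturedResponse("x.png", "image/png", b"GIF89a"))}
```

The second visit to the confirmed URL never reaches either client, while the mislabelled GIF shows a sensor false positive being cleared by the replay and forwarded as normal.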