Most client software’s threat models (e.g. Edge, Chrome) explicitly exclude threats where the local computer was compromised by malware. That’s because, without a trusted computing base, it’s basically impossible to be secure against attackers. This concept was immortalized decades ago in the Ten Immutable Laws of Security: In the intervening years, new technologies (like SecureContinue reading “Defensive Technology: Controlled Folder Access”
Tag Archives: Defender
Defensive Technology: Antimalware Scan Interface (AMSI)
Endpoint security software faces a tough challenge — it needs to be able to rapidly distinguish between desired and unwanted behavior with few false positives and false negatives, and attackers work hard to obfuscate (or cloak) their malicious code to prevent detection by security scanners. To maximize protection, security software wants visibility into attack chainsContinue reading “Defensive Technology: Antimalware Scan Interface (AMSI)”
pushState and URL Blocking
The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network request and loading a new page. The pushState API is handy because it means that a Web Application can change theContinue reading “pushState and URL Blocking”
Cloaking, Detonation, and Client-side Phishing Detection
Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many derivatives, it’s Google’s Safe Browsing. URL Reputation services do what you’d guess — they return a reputation based on the URL, and the browser will warn/block loadingContinue reading “Cloaking, Detonation, and Client-side Phishing Detection”
ServiceWorkers vs. Network Filtering
In a recent post, I explored how the design of network security features impact the tradeoffs of the system. In that post, I noted that integrating a URL check directly into the browser provides the security check with the best context, because it allows the client to see the full URL being checked and ifContinue reading “ServiceWorkers vs. Network Filtering”
text/plain 