web application security lab

The Matrix as a Security Model

One way to deal with web application security threats is to prevent them (IPS), one way is to detect them (IDS/HIDS) and then there’s another way that I came up with called the Matrix. It’s loosely based on the same concept of a honeynet where you show something as vulnerable but in reality you are watching what they are doing. The difference between a honeynet and the Matrix is that in a honeynet you are actually allowing them to hack a network device (which is being heavily monitored) and in the Matrix you are giving them erroneous information upon detection of a possible threat. Let me preface this post by saying this is not completely thought out and comments/flames are welcome.

So how would the Matrix work? Basically you would need the equivalent of Snort signatures that look for the specific known strings used by automated vulnerability scanners, along with all other known malicious strings. Once one of those is detected you could serve an alternate environment for the duration of that user’s session, one that gives back erroneous information, including erroneous vulnerabilities. Of course, Cross Site Scripting is easier to fake than most, since all you are doing is reflecting what the user typed. Remote shell inclusion is trickier, but could potentially work, as long as you hand back the information the attacker would expect to see. SQL injection is the hardest, because you have to let the user pull fake information out of a database; returning fake credit card numbers, passwords, etc. is one possibility. The possibilities are there, it would just take work to refine them.

The biggest advantage of this security model is that it assumes you are already vulnerable and that you have a vested interest in finding the bad guys. It also assumes that bad guys will go for the lowest common denominator in terms of vulnerabilities (i.e. go for the easiest vulnerabilities first). Making the hacker’s life seem easier by letting them find fake vulnerabilities quickly can help reduce the overall threat by buying you time to see what they are doing and where they are coming from. It does not actually reduce the threat unless you monitor the users caught in the Matrix closely and attempt to locate and patch what they either did find or would have found, before they can go public with the information or exploit it for their own ends, since they still have access to the same system and the real vulnerabilities are still there. The advantage over IPSs and firewalls is that the hackers aren’t aware that their activities have been stopped.

Ultimately, I think there is something to this security model, even if it is seriously flawed in the incarnation I have described. It could also be extremely cost prohibitive, and allowing a user to find vulnerabilities solely for the purpose of tracking adversary movements around the website in question may introduce new vulnerabilities. For instance, let’s say that once a vulnerability test has been detected, the website switches into Matrix mode and gives the user an alternate environment. That environment could still be used against the website: the hacker simply sends two requests to the server and gets the same result as if they had sent only one, because the Matrix, by faithfully reflecting the probe, would actually execute the vector in question. As I said, this is a seriously flawed implementation, but there may be something to it.
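The session switch described above, as an added example that is not part of the original post: signature matching flags a session, after which it only ever sees constructed decoy rows and every request is logged. The signatures, the decoy rows and the `handle_search` handler are all assumptions made here to illustrate the idea; the escaping and the Content-Security-Policy header are there so that the decoy page cannot itself become the real reflected vector the two-request flaw describes.

```python
import html
import logging
import re
from dataclasses import dataclass, field

log = logging.getLogger("matrix")

# Constructed signatures (not from the post) for strings that automated
# scanners commonly send; a real deployment would carry a much larger set.
PROBE_SIGNATURES = [
    re.compile(r"<script\b", re.I),                  # reflected-XSS probe
    re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),   # classic SQLi tautology
    re.compile(r"(\.\./){2,}"),                      # path traversal
]

# Constructed decoy rows: obviously fake, never real customer data.
DECOY_ROWS = [("Matrix Customer", "4242-4242-4242-4242", "decoy-password-1")]


@dataclass
class Session:
    sid: str
    in_matrix: bool = False          # once set, stays set for the session
    observed: list = field(default_factory=list)


def is_probe(value: str) -> bool:
    return any(sig.search(value) for sig in PROBE_SIGNATURES)


def render(query: str, rows) -> str:
    items = "".join(f"<li>{html.escape(' / '.join(r))}</li>" for r in rows)
    return f"<p>Results for: {html.escape(query)}</p><ul>{items}</ul>"


def handle_search(session: Session, query: str, real_rows) -> dict:
    """Serve a search page; switch the session into Matrix mode on a probe.

    Normal mode returns real rows. Matrix mode returns only decoy rows and
    logs every request so the operator can watch what the scanner tries.
    """
    if is_probe(query):
        session.in_matrix = True
    headers = {"Content-Type": "text/html"}
    if not session.in_matrix:
        return {"status": 200, "headers": headers, "body": render(query, real_rows)}
    session.observed.append(query)
    log.warning("matrix session=%s query=%r", session.sid, query)
    # The decoy must not become a real vulnerability (the two-request flaw in
    # the post): input is still escaped, and a strict CSP blocks any script
    # the decoy page might otherwise be made to carry.
    headers["Content-Security-Policy"] = "default-src 'none'"
    return {"status": 200, "headers": headers, "body": render(query, DECOY_ROWS)}
```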

4 Responses to “The Matrix as a Security Model”

  1. oguz Says:

    very good

  2. ha.ckers.org web application security lab - Archive » Honeytokens Says:

    […] A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. A honeytoken is no different. It is a small snippet of data that sets off alarms whenever it is used. Jeremiah Grossman brought this to my attention in regards to using it within the “Matrix security model” I discussed last week. Honestly, I’ve used this technique in the past, but it makes a lot of sense in the context of a Matrix security model where you can seed your database with information that when “used” it sets off alarms. […]

  3. Spyware Says:

    If I understand this correctly, this Matrix model provides an obscure barrier between the “real” website and the hacker. It’s an interesting idea, really. But why obscure/confuse hackers if you already spotted them? It seems like you need to deduce before this can have any effect. Somehow be forewarned about a hacker, as it were. You have to spot him before he attacks, how? You can only use the power of assumption for this, and that’s not a flawless power. It has been proven Regex fails to spot everything and everyone. And if you blacklist, just throw them off the website, why keep ‘em busy with a fun game? Not that I don’t fancy a fun game or two though.

  4. Roinin Says:

    Here is why misinformation can be useful.

    You detect a hacker using some security means, if you start throwing him erroneous information then he won’t know, or better, wrongly assume what it was that gave him away… so when he comes back, he will go through the same step that you found him with the first time, allowing you to find him again so you can once again confuse him before blocking him.

    Hackers are persistent; if they find a wall, they stop, take a step back, and make another approach. By concealing your hacker detection methods, misdirecting them, and then blocking them, they will continue to trip the triggers that allow you to find them without ever knowing the real cause of why they are being stopped.