
Content Security Measures

Protecting against unsafe content in the physical world and cyber space

1. Background

In the physical world we are, sadly, used to seeing a variety of measures used to protect us against unsafe or undesirable content. These aim to detect explosives or contraband so the threat can be removed. 

Content also carries a threat in the cyber world, but here the mysteries of how this world operates make it difficult to understand the nature of the threat and, consequently, how effective the countermeasures are.

In this article, various forms of cyber content defence are compared against their physical counterpart. The aim is to show the differences between the various kinds of defence in such a way their effectiveness, or lack of it, can be appreciated.

2. Scanning

Objects can be scanned to check them for unsafe content. This is standard practice at airports, where people and baggage are scanned by X-Ray machines to give a view of what they are carrying and what they contain. The operators look for patterns of known unsafe content, such as weapons and drugs.


If anything untoward is found, the person or bag is stopped and a more detailed search is conducted to find out exactly what the suspicious object is. If it turns out to be benign, then the person or bag is sent on its way, but otherwise they’re going to be “helping police with their enquiries”.

The cyber equivalent is Anti Virus Scanning. Here a file is scanned, matching the bytes inside it against a database of patterns that uniquely identify unsafe content – specifically malware. If there’s a match, the file is blocked or deleted, or perhaps put into quarantine so expert investigators can assess it. If the file is an attachment to an email, it might be removed from the message and the message allowed to continue. If the file is on disk it might be deleted. Where the file is embedded in another, a PDF embedded in a Word document for example, the embedded file might be removed from the parent. 

Scanning is limited to detecting unsafe content whose nature is known. New forms of weapons won’t be recognised by the security staff manning the scanners, as was the case when terrorists first adopted liquid explosives instead of plastic explosives. New ways of hiding drugs will also get past the scanners. Only once the techniques become known can the scanning tools and procedures be adapted to detect their use.

Similarly, malware that’s entirely new will not match any pattern in the database and so won’t be stopped. Eventually, such malware will become known, at which point it is referred to as a “zero day attack” because this is when the timer starts on the race to update the database of signatures to prevent further instances of the attack spreading. But, of course, this does nothing to stop use of the new technique prior to its discovery.

3. Safe Detonation

We all know that suspicious bags or vehicles might get destroyed by the security services. This might mean a robot is sent in to open it up and look inside, while everybody keeps well back. If the bag is some harmless lost luggage, then it might get torn up in the process, but otherwise no harm is done. Same with a vehicle that’s just badly parked – it might have its door blown open, but there’s no wider damage. However, if the bag or vehicle contains explosives these could detonate, but no serious harm is done as everyone is kept at a safe distance. 


In the physical world, once the object has been opened up it might well be difficult or expensive to mend it. So, the technique is used sparingly. But in cyber space it’s easy to clone files, so the equivalent process can be applied much more routinely, and here it’s referred to as Sandboxed Detonation.

A suspicious file is executed, or opened up using an appropriate application, and the resulting behaviour is monitored closely. If there are any unsafe or unusual actions, then the content is deemed unsafe and is blocked. If all looks good, the content is deemed safe and allowed to continue its journey. To prevent any actual damage occurring from the actions performed, the application is run inside a sandbox – this is an environment that contains damage but allows activity within it to be monitored. Also, it is a copy of the file that’s placed in the sandbox so if it’s safe, but destroyed in the process of establishing this, the original file can still be delivered.

Sandboxed detonation works well, compared to scanning, but if the attacker knows how it is going to be done, they can take steps to evade detection. In the physical case, they can hide explosives with delayed action triggers that are unaffected by the initial remote search. In the cyber case, the malware can simply not do anything odd while it is in the sandbox – for example, it can wait for certain user interactions to take place before invoking any suspicious actions.

Like the physical world case, sandboxed detonation in cyber space can only be used sparingly, not because of the damage it causes but because of the resources it consumes. It takes CPU cycles and time to open up the suspicious data, which is expensive and results in a poor user experience (nobody wants to wait for their content). For this reason, sandboxed detonation is not usually applied to content that comes from sources that are thought to be completely trustworthy, but in a “zero trust” world that leaves nobody. 

4. Sanitisation

The airport scanning process looks for unsafe content, but in most cases if something is found the passenger is not prevented from boarding. Typically, the offending object is removed and discarded with no further investigation. This is the case with the bottle of water that’s lying forgotten in hand luggage. It could be a liquid explosive, but that’s highly unlikely especially as terrorists know they will not be able to get it past the scanners so won’t try. That means there’s no point in doing a thorough check – it just gets discarded. 


The cyber space equivalent is called Content Disarm and Reconstruct (CDR). Here a file is dismantled into discrete data components and these are checked against a database of parts that are known to have the potential to be unsafe. Note, this is not a database of parts that are known to be unsafe. Just like the airport scanner decrees any bottle of liquid is potentially unsafe and must be discarded, CDR decrees any executable data to be potentially unsafe and so discards it. A bottle of liquid is known to be potentially unsafe and gets discarded in the physical world, and code is known to be potentially unsafe and gets discarded in the cyber world, even when the item is actually safe.

Once all potentially unsafe parts have been discarded, CDR re-assembles the remaining parts to form a new file that’s as close to the original as possible, given some bits are missing. Typically, this will mean some scripts in a document are removed, but the rest of the document is delivered.

The physical measure only works because we have learnt what should be discarded through bitter lessons. The same is true of CDR in cyber space. It is not always clear what data in a file could be unsafe, so only after an attack is discovered to have exploited some unusual form of unsafe data can CDR be updated to deal with it.

This makes CDR a detection technology. It can only stop attacks that rely on parts which are known to be potentially unsafe. Attacks that rely only on parts thought to be safe will get through.

5. Replacement

There’s another form of physical security that’s used only in very special circumstances, where the risk posed by something potentially hazardous is so great that it is simply not allowed in. One example of this is clothing. 


In a factory where things, for example space satellites, must be assembled in a clean room, the technicians are required to change from their normal clothes into special suits. This is because their clothes cannot be inspected or cleaned to the required standard reliably or within reasonable time and cost. Another example is where a patient is to undergo an MRI scan. The risk of them carrying any metal object is so great that a change of clothes into clean hospital robes is essential.

The measure here is about replacing something that has the potential to be unsafe with something that’s equivalent, but which is known to be safe. In cyber space the equivalent is called Content Threat Removal (CTR).

CTR takes a file and examines it to establish what it would look and feel like to the recipient. This is the information content of the data. For documents, this means noting the text content, its layout and styling, how images are arranged, any associated meta-data and so forth. Anything that does not have known and understood behaviour is ignored – for example, code and scripts in the file are not examined, because it is invariably impossible to determine what such things do under all circumstances. The result of the examination is a description of what makes the file unique – the information it conveys. Once this description has been created, the original file is discarded. In its place a new file is created, one that exactly meets the description of the original. This is known to be safe, because it is built from new known parts and does not contain any parts from the original file. 

In the physical world, the new clothes do not look identical to the original, but they do not need to. It would take a lot of effort to scan the person’s clothes and “3D Print” a new set that looked and felt the same, except for any unwanted dirt or metal. But in cyber space this is a practical proposition when it comes to files. A new PDF that looks and feels exactly like the original, apart from any scripts, can be built quickly and easily. That means the technique can be applied widely and routinely, rather than just in the limited special circumstances of its physical counterpart.

The fundamental characteristic of these measures is that they work without needing to detect what is unsafe. They work by knowing what is needed and replicating it in a safe way. This is what sets them apart from the measures discussed earlier.

Most file formats support a variety of means of representing a document. To be sure that what is constructed is safe, it is important to only use tried and tested mechanisms and components. These are the ones that are used routinely and so are known to be safely handled by the applications in use. Using unusual features of a file format, especially any used in the original file, must be avoided in case some application is unable to handle them safely.

The technicians working in the clean room transform the way they dress as they enter, and CTR transforms the way digital content is represented as data. But the kind of transformation applied by CTR – the process of information extraction and building new data employing the methods normally used – is special and unique, avoiding any need to rely on detection or special knowledge of future attacks in order to completely defeat the content threat.
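To make the difference between sections 4 and 5 concrete, here is an added illustration (not Deep Secure's code, and not any real CDR or CTR product) using a constructed toy document format of "TAG:payload" lines. CDR keeps the original parts and drops those on a risky list, so a part of a type it has never seen passes through; CTR extracts only the understood information content and rebuilds a fresh file from known constructors, so the same unknown part is never carried across.

```python
from typing import Dict, List, Tuple

Part = Tuple[str, str]

# CDR: part types *known* to be potentially unsafe (an assumed, illustrative list).
CDR_RISKY_TYPES = {"SCRIPT", "MACRO"}

# CTR: the only styling attributes whose meaning is known and understood.
CTR_KNOWN_STYLES = {"font", "size"}


def parse(doc: str) -> List[Part]:
    """Dismantle a toy 'TAG:payload' document into its parts."""
    parts = []
    for line in doc.splitlines():
        if line.strip():
            tag, _, payload = line.partition(":")
            parts.append((tag, payload))
    return parts


def serialise(parts: List[Part]) -> str:
    return "\n".join(f"{tag}:{payload}" for tag, payload in parts) + "\n"


def cdr(doc: str) -> str:
    """Content Disarm and Reconstruct: discard parts on the risky list and
    reassemble the remaining ORIGINAL parts unchanged (a detection approach)."""
    return serialise([p for p in parse(doc) if p[0] not in CDR_RISKY_TYPES])


def ctr(doc: str) -> str:
    """Content Threat Removal: describe what the reader would see (text and
    understood styling), discard the original, and build a new file from that
    description using only known constructors. No original part is copied."""
    description: Dict[str, list] = {"text": [], "style": []}
    for tag, payload in parse(doc):
        if tag == "TEXT":
            description["text"].append(payload)
        elif tag == "STYLE":
            name, _, value = payload.partition("=")
            if name in CTR_KNOWN_STYLES and value.isalnum():
                description["style"].append((name, value))
        # Anything else (known-bad or never seen before) is simply not described.
    new_parts: List[Part] = [("STYLE", f"{n}={v}") for n, v in description["style"]]
    new_parts += [("TEXT", t) for t in description["text"]]
    return serialise(new_parts)


# Constructed sample: text, a style, a script, and a part type on neither list.
SAMPLE = "TEXT:Quarterly report\nSTYLE:font=Arial\nSCRIPT:launch()\nNOVELPART:payload\nTEXT:Revenue up\n"
```

Running `cdr(SAMPLE)` removes only the `SCRIPT` line and passes `NOVELPART` through, while `ctr(SAMPLE)` yields just the style and text lines, rebuilt in a fixed order.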

6. Summary

In summary, physical defences and their cyber equivalents are mostly dependent on the ability to know what is unsafe and to detect it. Such defences can never be complete, as adversaries will always be able to find new ways of delivering an attack that evades detection. But in the physical world it is possible to provide a complete defence through Replacement, and the cyber equivalent of this is Content Threat Removal. 

Content Threat Removal is at the core of Deep Secure’s solutions. That’s why they are able to provide 100% defence (Verified by independent research) against the malware threat in content, while delivering a pixel perfect user experience that has 0% false positives. 

The table below summarises the relationship between the various physical and cyber defences.

Table Summarising Content Defences




This makes a lot of sense to a novice in the field of cybersecurity; thanks Simon.

