Sunday, November 2, 2008

::An analysis of Internet Explorer Vulnerability Report applying Systems Theories::

Bijairimi Abdul Awal, Romain Babel, Zoran Milinkovic: DSV KTH, 2005

Introduction

Nowadays there exists an undefined number of systems: a system can be living, such as a human or an animal; an organization, such as a company or a society; or a machine, such as a computer. But what is a system made of? And how can we describe it so that the definition is easier to understand? In this report we define what a system is and take a concrete example that explains the theory more precisely. For this, we focus our study on a web browser system weakness: a system vulnerability that permits numerous exploitations such as DDoS attacks, viruses, worms or other kinds of risks. Internet Explorer, for example, is particularly exposed to those kinds of attacks. How can Systems Theory be applied to it?

Definitions

Web Browser

A web browser is a software application that enables a user to display and interact with HTML documents hosted by web servers or held in a file system.

Systems

A system is a whole, which can be a set of different parts taken from the environment. We cannot control it part by part; the system has to be thought of as a whole. All the parts of the system have relationships with each other, which is why it is impossible to extract one of them and analyse it as a single part.

The function of any system is to convert or process energy, information, or materials into a product or outcome for use within the system, or outside of the system (the environment) or both.

An open system is a system that has relations with its environment. The environment has an influence on the inputs of an open system and, through those inputs, can change the state of the system and make it less secure.

Meanwhile, a closed system is a system that has no relations with its environment.

Security

Security is being free of danger (harm, threat). In our case it is impossible to be completely (100%) secure, because Internet Explorer is an open system.

Vulnerability

It refers to a weakness or other opening in a system. It is a flaw in a product that makes it infeasible

Systems Theory and Internet Explorer

According to SSK, “a system is defined as a set of objects together with relationships between the objects and between their attributes related to each other and to their environments as to form a whole”.

If we look at Internet Explorer as a system, we can see that the “Internet Explorer System” is no different from others. It has the same system characteristics (objectives, environment, resources, components and management) and the same key concepts (set, objects, relationships, attributes, environment and whole).

The goal of a web browser is to show a requested page from an internet connection or hard disk. The browser is the process part, which decodes data into human-readable pages. It acts as an interpreter of the transferred data.

The environment constitutes all that is “outside” the system’s control. This means that the environment contains and surrounds the system and has plenty of relationships with it. The system itself can have little or no influence on the environment. In our case, the system is the web browser and its environment would be:

  • Internet: this system from the environment has a strong relationship with our system (the browser). The data comes to our system from the Internet.
  • User: this living system decides which page he wants to show and therefore which data he wants to treat.
  • Computer: this system hosts the browser. You cannot separate those two systems.
  • Operating System: Internet Explorer is a subsystem of an operating system, and we can look at the operating system as the environment for Internet Explorer.
  • Technology: this system is every physical connection between the internet and our system.

The resources are what is concretely inside the system to make it work. In our case, the resources of the browser are its own parts: the developed program code and its engine.

The components are all those activities that contribute to the realization of the system’s objectives. In other words, those components are needed if we want the process to work. Here we need more than the simple browser program. The components would be:

  • OS
  • Internet connection
  • Data
  • Internet Explorer with all its components

The system must be controlled in order to proceed with its task. Managers must exercise some kind of control over what the process is doing. In an open system such as ours, changes are inevitable: changes could be intrusions or erroneous data, which may cause a lot of problems for the process or even for the environment. A manager is able to control this kind of problem by controlling outputs and feedback, as characterized in cybernetic systems.

A web browser is made of a set, which is the collection of elements inside the system (e.g. skins, engine, plug-ins, etc.).

Objects are the elements of a system and could be divided into three functional categories: inputs, processes and outputs.

  • Inputs can come from the internet, a user or the hard disk. On user input (a request for some page in the browser), the request is sent out to some medium and data is received as an input into the browser. Here we have feedback from the environment.
  • Process is the browser engine that prepares received data for output in human-readable format. There is also a process that reads user input, prepares the URL and sends it to the environment.
  • Outputs are the browser panel (where a page is displayed) and the internet connection (the request for a page).

Relationships are links between the objects. There are three categories of relationships: symbiotic, synergistic and redundant. Objects that are not linked can be regarded as a closed subsystem. They don’t have any inputs or outputs, and those objects are not of interest to us. In Internet Explorer, we have an example of a relationship between the address bar and the browser’s engine. The address bar is an object of the browser and is used as an input object where a user enters a URL. The address bar is in a relationship with the browser’s engine.

All objects or relationships have their attributes, defining and accompanying. Internet Explorer has attributes such as the version of the browser, the size and type of fonts, etc.

Internet Explorer and all its parts work as a whole. They work as an independent framework whose main goal is to take a page from some medium and show it to the user in human-readable format.

Internet Explorer Vulnerability Report [2]

It's already well known that Internet Explorer has a lot of weaknesses such as DDoS, system access, etc. Here we shall try to apply Systems Theory to the report.

This report presents statistics on most of the attacks of recent years.

Monthly report:

As we can see from the graph below, Internet Explorer has been vulnerable for a long time, ever since Secunia started to follow vulnerabilities for Internet Explorer. In the graph, during all these years Internet Explorer has been vulnerable all the time, and Secunia rated this product as Highly Critical.

In the next graphs, we look at Internet Explorer vulnerabilities from different views, and for some of them we give a view applying Systems Theory.

Solution Status Report:

The pie graph presents how many solved and how many unresolved issues Internet Explorer has.

From the Systems Theory view, we can define a diagram of how patches influence Internet Explorer. Here, the environment is the vendor who tries to fix all vulnerabilities that exist in the web browser.

When a system is attacked by any kind of intrusion, the system is more or less infected, and then the environment will be as well.

A failure happens when a flaw is discovered in the system and it is possible to change the process in the system, which could then change its objectives. For instance, worms are not known as viruses but use Internet Explorer as an entrance into the environment.

When a failure is discovered in the web browser system, patches are developed. This means that we modify the process in the system by some means in order to avoid the failure.

Criticality:

From the graph, according to the Secunia report, we can see that more than 40% of the criticalities are highly or extremely critical. With this high percentage of criticalities, how secure is Internet Explorer?

From where could Internet Explorer be attacked?:

In the graph below, Secunia shows where Internet Explorer is vulnerable. For this comparison, Secunia divided attacks into three groups: From Remote, From Local Network and Local System.

As the graph shows, 99% of attacks come from remote. By “from remote” we usually understand “from the internet”. If the network hasn’t been set up correctly, updated and secured, then according to an item on the Slashdot site the average time to “infection” of Internet Explorer is 12 minutes.

How can remote attacks be prevented? From Systems Theory, we can do little or nothing with the environment. In our case, we are able to manage the operating system and to set up a firewall correctly. By setting the firewall up correctly, we ensure that we shall not have attacks directly from the internet.

All other remote attacks are mostly human errors, such as responding to pop-ups, installing suspicious software from the internet, opening infected emails, etc.

Impact:

The pie graph shown below presents the different attacks dated from 2003 until 2005. We can see that the largest vulnerability threat is system access, which can be summarized as an intrusion into the system thanks to an Internet Explorer flaw.

As we can see on the pie graph, the largest number of attacks through Internet Explorer flaws are system access. Through Internet Explorer, an intruder is able to access the environment's files. Then, through the system’s process, the intrusion permits access to the framework, which is not under the control of our system.

Summary

As a part of Information Systems, it is crucial to view the web browser system, and any other part of an information system, as a whole. This system cannot be seen as an independent part; we have to think about the entire environment in order to make it secure. The browser system cannot be seen as a closed system that just relies on its vendor to update the security patches. We must see the browser as an open system that is interconnected with other objects. In other words, we have to see it in a holistic view.

As an open system, the browser cannot control everything outside its boundary, but it can do something within its own boundary, such as controlling its process and its outputs.

Thus, applying systems theory to the browser system could be a good way to make the system more optimized and secure. In this report, we only showed how to view the browser system holistically. We have not yet come up with a total solution or strategy for web browser system security. Hopefully we can do this later. The most important thing here is to become comfortable and familiar with the systems theory approach, which can be applied to all subjects of life and especially to the field of Information and Communication Security.

Reference

1. Schoderbek, Schoderbek, Kefalas: Management Systems, Custom Edition, McGraw-Hill, 1998 [SSK]

2. Secunia report: http://secunia.com/product/11/
