Shellcode detection in Noscript?
Posted: Wed Aug 08, 2012 11:12 am
This is probably too much to request for a browser plugin, but is it possible to have shellcode detection in Noscript?
The idea comes from the fact that the "Forbid scripts globally" option is not meant for all people: it breaks too many sites, and finding out which site to allow does the trick can be a little time-consuming, and somewhat impossible for non-technical users, which means a) they choose to uninstall it or b) they browse with "Scripts globally allowed" (I myself am in the latter category).
The problem now arises that there are malware domains that, on simply visiting, try to find out which plugins are installed and exploit them in the appropriate method (a list is available at http://www.malwaredomainslist.com/mdl.php). Antivirus cannot always prevent these attacks (in most cases the attacks are blocked, but I've had a few cases where such malicious pages are not blocked and some attacks do manage to get through).
Is it possible for Noscript to make rough analyses of scripts before they are prevented from running? It could be in the way some IDS/IPS run, by, for example, checking for suspicious patterns: URL/HTML escaping of large blocks of text, long series of string concatenation, Unicode/Base64 concatenation, loading of arbitrary data in situations that are out of context, and so on.
I don't have much idea regarding whether it could be done internally inside Firefox -- but it does not look like this can be done with Firefox alone. We can make binaries of tools such as GNU file (checking whether arbitrary data/executables are being loaded), sctest (for shellcode), etc., which could make the analyses, and depending upon the results, the scripts will be executed. The binaries have to be kept to a few, though, and instead of telling the user to download them, Noscript can just download the respective version depending upon the platform and keep them in its own directory.
As I have said before, it must be too much of a request to make, but it should be implemented if possible: that would make Noscript better than it is at present.
Thanks,
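As an added illustration of the heuristic approach the post sketches (not NoScript code, and not the poster's), the following toy scorer looks for the patterns listed above: escaped text blocks, long string-concatenation chains and Unicode/Base64 runs. The last check (a decoder feeding an eval-like sink) goes slightly beyond the post's list; the weights, thresholds and sample scripts are constructed assumptions for illustration.

```javascript
// Added example (not NoScript code): a toy heuristic scorer for the patterns the
// post lists. Thresholds, weights and sample scripts are constructed for illustration.
const CHECKS = [
  // Long runs of %XX URL escapes or &#NN; HTML entities (escaped text blocks).
  { name: "escaped-block", weight: 3,
    re: /(?:%[0-9a-fA-F]{2}){40,}|(?:&#x?[0-9a-fA-F]{2,5};){40,}/ },
  // Long runs of \uXXXX or \xXX escapes (Unicode-encoded payload text).
  { name: "unicode-escape-run", weight: 3,
    re: /(?:\\u[0-9a-fA-F]{4}){20,}|(?:\\x[0-9a-fA-F]{2}){20,}/ },
  // A single Base64-looking literal of 200+ characters.
  { name: "base64-blob", weight: 2, re: /["'][A-Za-z0-9+/]{200,}={0,2}["']/ },
  // Ten or more short string literals chained with '+'.
  { name: "concat-chain", weight: 2, re: /(?:["'][^"']{1,16}["']\s*\+\s*){10,}["']/ },
  // A decoder feeding an eval-like sink (goes slightly beyond the post's list).
  { name: "decode-to-eval", weight: 4,
    re: /\b(?:eval|Function|setTimeout|setInterval)\s*\(\s*(?:unescape|decodeURIComponent|atob|String\.fromCharCode)\b/ },
];

// Returns the matched check names, their summed weight, and a verdict at threshold 4.
function scoreScript(src) {
  const matched = CHECKS.filter(c => c.re.test(src));
  const score = matched.reduce((sum, c) => sum + c.weight, 0);
  return { score, hits: matched.map(c => c.name), suspicious: score >= 4 };
}

// Constructed benign sample: an ordinary page script.
const BENIGN = 'function greet(name) { return "Hello, " + name + "!"; }\n' +
  'document.getElementById("out").textContent = greet("world");\n';

// Constructed obfuscated sample: a 50-byte %XX block, a 12-piece '+' chain and a
// decode-to-eval sink. The escaped text is just "AAAA..."; nothing here is executed.
const OBFUSCATED = 'var s = "' + "%41".repeat(50) + '";\n' +
  'var t = ' + Array(12).fill('"ab"').join(" + ") + ';\n' +
  'eval(unescape(s));\n';

for (const [label, src] of [["benign", BENIGN], ["obfuscated", OBFUSCATED]]) {
  const r = scoreScript(src);
  console.log(label, r.score, r.suspicious, r.hits.join(","));
}
```

Regex heuristics like these are cheap but produce false positives on legitimately minified or packed libraries, so a real deployment would treat the score as one signal among several rather than as a block decision.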