The goal of Whitetrash is to provide a user-friendly and sysadmin-friendly proxy that makes it significantly harder for malware to use HTTP and SSL for:
The operation of Whitetrash is best demonstrated by the Flash demo and screenshots.
Whitetrash features:
Whitetrash implements a whitelisted web proxy as a Squid plugin.
Whitelisting is generally defined as a default-deny policy: only specific objects/packets/requests/strings/accounts that are known to be 'good' are allowed, and everything else is refused. Blacklisting is the opposite: all objects/packets/requests/strings/accounts are allowed by default, and only the specific 'bad' entities on the blacklist are denied.
Whitetrash whitelists web traffic at the domain level. Domain whitelisting is a powerful technique for eliminating (or at least making difficult) the network communications of a great deal of malware.
Whitelisting is a technique that makes it difficult for malware to use HTTP and SSL.
Consider the following common scenario: malware is delivered to the user as a word processor document attached to an email. The user opens the document and the malware executes. The malware's next actions are usually to use HTTP (or SSL) to download further tools, beacon back to the attacker, or exfiltrate data. With a whitelist in place, all of these actions are blocked for as long as the attacker's domain is not in the whitelist.
The whitelist also provides good protection against browser exploits, which commonly inject an iframe or script reference (or use cross-site scripting) into a legitimate-looking web page so that the browser silently fetches content from the attacker's site. The "Ghost in the Browser" paper (Provos et al., 2007) reported that the malware is almost always downloaded from a different domain to the one the user visited. With a whitelist in place, the download from the attacker's domain is blocked even though the page the user requested was allowed.
A sophisticated attacker will often use different domains for exploitation, command and control, and data exfiltration. None of these additional domains will be in the whitelist, so each of them is blocked in turn.
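To make the default-deny behaviour described above concrete, here is an added example (written for this page, not Whitetrash's own code) of a domain-level whitelist check packaged as a Squid external ACL helper. The squid.conf lines quoted in the docstring, the helper path and the three whitelist entries are assumptions for the illustration; the external_acl_type / acl / http_access directives and the OK/ERR reply protocol are Squid's real ones. The check works on the normalised hostname rather than the full URL, so a CONNECT for an SSL site (host:port) is decided the same way as a plain HTTP request, and a bare IP address or a lone top-level domain never matches.

```python
"""Minimal domain-level whitelist helper speaking Squid's external ACL protocol.

Added illustration only; not Whitetrash's implementation. Assumed (hypothetical
paths and names) squid.conf wiring:

    external_acl_type whitelist %DST /usr/local/bin/whitelist_helper.py
    acl whitelisted external whitelist
    http_access deny !whitelisted

Squid feeds the helper one line per request containing the destination host
(%DST) and expects "OK" (allow) or "ERR" (deny) back on stdout.
"""
import sys

# Constructed sample whitelist for the example. Entries are stored normalised:
# lower case, no trailing dot. In a real deployment this would be a database.
WHITELIST = frozenset(d.lower().rstrip(".") for d in (
    "example.com",
    "mail.example.net",
    "pypi.org",
))


def normalise_host(raw):
    """Reduce what Squid sends to a bare, lower-case hostname.

    Strips a port (CONNECT requests arrive as host:port), square brackets
    around an IPv6 literal, surrounding whitespace and a trailing dot.
    """
    host = raw.strip().lower()
    if host.startswith("["):            # [2001:db8::1]:443 -> 2001:db8::1
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port, but not a raw IPv6 address
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def is_whitelisted(raw_host, whitelist=WHITELIST):
    """Default deny: allow only if the host, or one of its parent domains,
    is an exact entry in the whitelist.

    Raw IPv4/IPv6 addresses are always denied: they have no parent domain to
    look up, and malware beaconing straight to an IP is exactly the traffic
    a default-deny policy exists to stop. Single-label hosts are denied too,
    so a whitelist entry can never be the bare TLD ("com").
    """
    host = normalise_host(raw_host)
    if not host or ":" in host or host.replace(".", "").isdigit():
        return False
    labels = host.split(".")
    # Walk up the tree: a.b.example.com -> b.example.com -> example.com.
    # The range stops before the last label so "com" alone never matches.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in whitelist:
            return True
    return False


def decide(line):
    """Map one helper request line to the Squid reply token."""
    return "OK" if is_whitelisted(line) else "ERR"


def main():
    # Squid keeps the helper running and blocks on each reply, so every
    # answer must be flushed immediately rather than left in a buffer.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Note that matching parent domains means whitelisting `example.com` also admits every host under it; whether that trade-off is acceptable depends on who can create subdomains of the whitelisted name.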
Performance testing has been conducted using the FunkLoad web testing framework. The test scripts and configurations are included in the code repository so that the results can be reproduced. The tests described below were run with Whitetrash inside a VMware virtual machine on a dual 3 GHz Pentium desktop with 2 GB of RAM, with around 23 000 entries in the whitelist.
The first test exercised Whitetrash's ability to serve a page for a domain already in the whitelist. Below are the results from four separate machines making a combined 2000 simultaneous requests for a whitelisted domain. Whitetrash handled this load easily; where page delivery was slow on occasion, the cause was the upstream proxy, which these test sessions actually crashed.
The second test exercised Whitetrash's ability to add a large number of new websites to the whitelist. In this test, 400 and then 600 new websites were added simultaneously, each addition consisting of a request for the new page (GET) followed by submission of the completed form (POST). Whitetrash handled this stress, which is representative of a reasonably large organisation, since additions to the whitelist should be far less frequent than lookups of existing entries (selects). See the results here
Further testing results will be made available here as they are completed.