A Cloud-Based Service That Protects End-User Devices from Malware in Email Attachments and Web Links

We have seen a significant increase in cyberattacks that leverage malware-bearing email attachments and malware-infected web sites. A recent Symantec report [1] found that 1 in every 359 emails sent in July 2017 included malware, a 20% increase over previous months. Even more alarming is the fact that such malware is inexpensive and readily available for purchase [2].

The root of this problem is the lack of a mechanism that allows users to open email attachments and visit web sites safely. Today, when a user clicks on an attachment in an email, the user's mail client opens the attachment with a program such as Adobe Reader or in a browser tab, and the user's device can become infected if that program has a vulnerability that an attacker can exploit with a carefully crafted attachment. Similarly, when a user clicks on a link to a web site, the user's device can become infected if the web site serves malware that exploits a vulnerability in the browser or one of its plug-ins. Unfortunately, existing solutions such as anti-virus software are not foolproof: they depend on recognizing content that is already known to be malicious, so they are vulnerable to previously unknown (zero-day) attacks.

We propose a "lightweight" Cloud-based Service that can protect a user's "device" (which can be a laptop computer, or a mobile device such as an iPhone, iPad or Android device) from malware in email attachments and web sites without adversely affecting the user experience. By protecting the user device, the Service also prevents the malware from establishing a "beachhead" on a device that could be used to infect other systems in a business or other enterprise. The Cloud-based Service leverages 1) a Secure CPU technology that protects the confidentiality and integrity of a "Secure Object" from the other software on a system, 2) virtualization technology that is used in conjunction with the Secure CPU technology to provide "Secure Virtual Machines", and 3) a graphical desktop sharing tool that allows a user to interact safely with an attachment or a web site that is opened inside a secure virtual machine rather than on the device itself.

The Cloud-based Service leverages an extension to a web browser (Google Chrome in our proof-of-concept implementation) and provides several protections: 1) it protects the integrity of client devices and enterprises from the unintentional downloading of malware when a user opens an attachment or clicks on a web link; 2) it protects the confidentiality of user information, both by protecting the integrity of client devices and by keeping client information within secure virtual machines; 3) it protects the integrity of any public keys or digital certificates that a secure virtual machine may use to authenticate the identity of web sites (e.g. so that a user can have a high level of confidence that they are connected to their bank's web site, say, and not a fraudulent web site that has been set up to collect credentials and other information).

Importantly, the Cloud-based Service can protect against these attacks, including previously unknown (zero-day) attacks, without having to determine whether an email attachment or web site is malicious: untrusted content is always opened inside a secure virtual machine, never by software on the device. The Cloud-based Service doesn't know and doesn't care.
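As an added illustration (not code from the report or from its proof-of-concept Chrome extension), the following JavaScript shows the routing rule that the "doesn't know and doesn't care" design implies for a browser extension: it never asks whether a link or attachment is malicious, only whether its origin is one the enterprise has chosen to render locally, and everything else is redirected to a disposable secure VM session. The isolation-service URL, the policy shape, the MIME list and the function names are assumptions; the Chrome `webRequest` wiring at the end is a Manifest V2 sketch that only runs inside an extension.

```javascript
// Added example, not from the report: origin-based routing for a browser
// extension in the style the abstract describes. Untrusted links and
// attachments are redirected to a disposable secure VM instead of being
// opened by local software; nothing here judges whether content is malicious.
// ISOLATION_SERVICE, the policy shape, MIME list and function names are assumed.

const ISOLATION_SERVICE = "https://isolate.example.invalid/session"; // assumed endpoint
const ISOLATION_ORIGIN = new URL(ISOLATION_SERVICE).origin;

// Schemes that an untrusted click must never hand to the local device.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:", "file:", "blob:"]);

// Constructed sample policy (not from the report).
const policy = {
  // Exact origins the enterprise renders locally; anything else goes remote.
  trustedOrigins: new Set([
    "https://intranet.example.invalid",
    "https://mail.example.invalid",
  ]),
  // Document types opened in the secure VM even from a trusted origin, because
  // the local viewer (PDF reader, office suite, archiver) is the attack surface.
  isolatedContentTypes: new Set([
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/zip",
  ]),
};

// Build the URL that opens `target` inside a fresh secure VM session.
function isolationUrlFor(target) {
  const u = new URL(ISOLATION_SERVICE);
  u.searchParams.set("target", target); // percent-encoded by URLSearchParams
  return u.toString();
}

// Decide what to do with a top-level navigation.
// Returns { action: "local" | "isolate" | "block", reason, redirectUrl? }.
function routeNavigation(rawUrl, policy) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  if (BLOCKED_SCHEMES.has(url.protocol)) {
    return { action: "block", reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    // mailto:, tel:, ... are dispatched to other applications, not to a viewer.
    return { action: "local", reason: "non-web scheme, out of scope" };
  }
  // The redirect target is itself a navigation the extension will see again;
  // recognising it prevents an infinite redirect loop.
  if (url.origin === ISOLATION_ORIGIN) {
    return { action: "local", reason: "already in the isolation service" };
  }
  // Exact-origin match: a lookalike such as intranet.example.invalid.evil.tld
  // has a different origin and is isolated like any other untrusted site.
  if (policy.trustedOrigins.has(url.origin)) {
    return { action: "local", reason: "trusted origin" };
  }
  return { action: "isolate", reason: "untrusted origin", redirectUrl: isolationUrlFor(url.href) };
}

// Decide what to do with a download once the server's Content-Type is known
// (e.g. a mail attachment served by a trusted webmail origin).
function routeDownload(rawUrl, contentType, policy) {
  const nav = routeNavigation(rawUrl, policy);
  if (nav.action !== "local") return nav;
  const mime = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (policy.isolatedContentTypes.has(mime)) {
    return {
      action: "isolate",
      reason: `document type ${mime} is opened remotely`,
      redirectUrl: isolationUrlFor(new URL(rawUrl).href),
    };
  }
  return nav;
}

// Wiring sketch for a Manifest V2 blocking webRequest listener (assumed; it
// only runs inside the extension, so the module also loads under plain Node.js).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const r = routeNavigation(details.url, policy);
      if (r.action === "isolate") return { redirectUrl: r.redirectUrl };
      if (r.action === "block") return { cancel: true };
      return {};
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"]
  );
}
```

Two details matter in practice: the trust check is an exact-origin comparison, so a registrable-domain lookalike is treated as untrusted rather than matched by substring, and the isolation service's own origin is recognised before the policy lookup so that the redirect does not loop through the listener a second time.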

By: Anrin Chakraborti, Rick Boivie, Zhongshu Gu, Mehmet Kayaalp, Ankita Lamba, Dimitrios Pendarakis

Published in: RC25662 in 2017

RC25662.pdf

Questions about this service can be mailed to reports@us.ibm.com .