DBSHIELD: SECURING DROPBOX AGAINST MALWARE DIST RIBUTION ANAND BHATIA (ANANDR ) & TEJASWI SUDHA (T SUDHA) CONTENTS Abstract........................................................................................................................................................ 3 Introduction ................................................................................................................................................ 3 Dropbox - the growth story .................................................................................................................. 3 Dropbox – INSECURE BY DESIGN? .................................................................................................. 4 Motivations for an enhanced client ......................................................................................................... 5 DBShield - Conceptual overview ............................................................................................................. 6 Features ................................................................................................................................................... 6 Evaluation of available anti-malware engines ................................................................................... 6 DBShield- usage scenario ...................................................................................................................... 7 DBShield implementation ..................................................................................................................... 8 Client api review .................................................................................................................................... 8 Leveraging the dropbox rest api .......................................................................................................... 8 Implementation ...................................................................................................................................... 9 Performance evaluation .......................................................................................................................... 12 Results .................................................................................................................................................... 13 Lessons learnt ........................................................................................................................................... 13 Planned optimizations & future work .................................................................................................. 14 Conclusions ............................................................................................................................................... 14 Acknowledgements ................................................................................................................................. 14 References ................................................................................................................................................. 15 ABSTRACT Cloud based file storage services becoming increasingly popular off-late as they offer convenience & seamless folder based sharing. Among the host of options, Dropbox has proved to be the leader due its ease-of-use, cross platform client availability and low cost of entry. It has proved especially popular in academic circles too as it offers up to 18 GB of free storage space, easily meeting the needs of students. These services have also caught the attention of a more nefarious group of people namely malware and spam distributors. These groups have exploited the multiple security vulnerabilities in the new cloud based offerings towards their end. Using the sharing features of such services it offers them an easy avenue of spreading malware. To prevent epidemics, it is unwise to rely on the end-users to deploy the protections necessary to contain malware to the infected host. In this report, we present the design, implementation and evaluation of DBShield– a security enhanced Dropbox command line client which offers malware protection “out-of-the-box” thereby removing the burden of anti-malware protection from the end users. It utilizes ClamAV – an Open Source antimalware engine to offer cross-platform protection for both upstream and downstream file syncing. As DBShield is written in Perl, we are able to offer a security without compromising on cross platform compatibility of the standard Dropbox Client. We also discuss the various attack vectors used against Dropbox in the past and ones which could be potentially used in the future. We have implemented a proof-of-concept prototype for both Linux & Windows platforms, tested it against real-world malware and performed performance measurements to optimize the client performance. INTRODUCTION Up until recently, the most common way to share files on a personal or small team-based projects was to send them via email. With the advent cloud computing and broadband internet penetration, a new paradigm to file sharing has gained rapid prominence. Centralized cloud based file sharing and syncing had made it much simpler to view, edit and access common files from any terminal at any location. Of the host of cloud based storage service providers, Dropbox reigns supreme having the largest market share and user base with over 100 million users [1]. DROPBOX - THE GROWTH STORY Dropbox, which started out in September 2008 uses a freemium model of business. It offers both free and paid accounts. There are several factors which contributed to Dropbox’s rapid growth. Some of them are: It offers support for variety of devices across multiple Operating systems ranging from Mac OSX to Android devices. It offers free accounts starting at 2GB of storage expandable right up to 18GB. It is very easy to use requiring little to no setup to getting the sync working. It is making rapid inroads into the smartphone space with HTC & Sony Ericsson making deals to offer bundled crowd storage to augment on board storage on the device. Fig. 1: Shows the rapid growth that Dropbox has witnessed over past few years. DROPBOX – INSECURE BY DESIGN? However, all these advantages seem to be just the silver lining which hides a darker cloud. Many security experts have lambasted Dropbox for its insecure design [2][3][4]. The initial version of Dropbox client suffered from the following security loopholes: 1. No encryption at client end. This allows easy spoofing of data packets and the corresponding hashes. 2. Trust based assumptions for client-sent hashes. This is among the more well- known exploits where using a client to spoof hashes allows end users to gain access to arbitrary files not necessarily owned by the user. 3. Weak data possession protocols[2].Dropbox doesn’t not employ any provable possession algorithms to ensure data possession by clients leaving user data essential public. 4. Direct Download attacks. This employs knowledge of host-id which is a unique identifier linking a device to a particular user’s account to download chunks of the users data without owning the data itself. These loopholes were expectedly exploited and Dropbox has suffered no less than 3 security breaches [4]. There were two major attack vectors targeting these loopholes: 1. Data and Information leak using loopholes 1 through 4. 2. Online “slack-space” [3] All of the above issues have more or less been fixed or are slated to be fixed in future Dropbox versions. The new security features introduced by Dropbox include TWO-FACTOR AUTHENTICATION and DROPPING DE-DUPLICATION partially to ensure data privacy for owners. These “enhancement” though still buggy, address the aforementioned attack vectors. MOTIVATIONS FOR AN ENHANCED CLIENT While Dropbox developers have begun to deal with existing attack vectors, there is a worrisome up an coming mode of attack: malware and spam distribution. Initial instances of these ideas in implementations have already been spotted in the wild from as early as early 2012 [5] [6]. The very genesis of these attacks is engrained within the Dropbox Terms of service “You, not Dropbox, will be fully responsible and liable for what you copy, share, upload, download or otherwise use while using the Services. You must not upload spyware or any other malicious software…You, and not Dropbox, are responsible for maintaining and protecting all of your stuff. Dropbox will not be liable for any loss or corruption of your stuff…” This asserts that Dropbox is just a file storage and syncing service. It does not and will not for the near future provide any malware filter or protection of user data. Malware attacks manifest in three different ways: 1. Trojan distribution. Malware cartels have been using Dropbox’s public folders to host and later download spyware on to infected machines. Thus, Dropbox serves as an easy always available means to infect even partially compromised machines. 2. Spammer abuse. Dropbox’s public folder also serves as the perfect way to host public URLS to which are in essence spammy links to advertisers. Spammers leverage the credence of Dropbox URLS to trick people to generate click-throughs. 3. Accidental spread across owner devices. This attack occurs when a user shares a file benign on one machine, but harmful on the other via dropbox’s automatic syncing thereby leading to a malware epidemic. There have been several requests by users of the popular client to integrate some basic anti- virus protection in at an added cost but that feature request