Lessons learned while PROTECTING GMAIL

Elie Bursztein, Nicolas Lidzborski, & Vijay Eranti

THE GMAIL SECURITY AND ANTI-ABUSE TEAM

2004 2016

LESSONS WE’VE LEARNED WHILE protecting Gmail users for over a decade

Malware

5 MAIN THREATSTO GMAIL

Malware

AccountHijacking

5 MAIN THREATSTO GMAIL

Malware

AccountHijacking

Phishing

5 MAIN THREATSTO GMAIL

XSS

Malware

AccountHijacking

PhishingWeb Attacks

5 MAIN THREATSTO GMAIL

XSS

Spam

Malware

AccountHijacking

PhishingWeb Attacks

5 MAIN THREATSTO GMAIL

900 MILLION+ USERShundreds of billions of messages per week

We launched login challenges In 2011

http://goo.gl/xMctOL

NEVER STOP IMPROVING YOUR DEFENSES

Phishers updated their kits to ask for the challenge answers

THERE IS NO SILVER BULLET

99.9% accuracy detecting spammy email

91.7% Large linear ML classifier

+4.7%rule based system

+3.5%deep learning

?Next gen

http://goo.gl/0jgK96 *incremental coverage measurement

TUNE YOUR CLASSIFIER to match your product need

Spam classified as good

Good classified as Spam

https://goo.gl/0jgK96

False Negative

less than 0.1%

less than 0.05%False

Positive

IMPLEMENT CATCH-UP MECHANISMS

EMPOWER USERSto take action through meaningful UI

https://goo.gl/gqk6Bn & https://goo.gl/sL5VWC

USE OVERWHELMING FORCEDeploy many countermeasures at once

EMAIL ATTACHMENT

ATTACKS COME IN BURSTSplan for it

DON’T PROCESS TWICE

Whitelisting and blacklisting allows

up to 50% reduction in computation

Caching

Gmail does not allow executable attachments

EXE

BE SECURE BY DESIGN

Caching

Policy

USE ENSEMBLE LEARNINGmultiple anti-viruses are combined

0.62 4

NUMBER OF ANTI-VIRUS ENGINE

F1 S

CO

RE

6 8 10 12 14

0.8

0.7

0.9

1 .0

Union

Majority Voting

Threshold = 3

Threshold = 5

Logit_wo_family

RF_wo_family

Bayes_wo_family

Logit_with_family

RF_with_family

Bayes_with_family

Caching

Policy

Multiple Engines

Caching

Policy

Multiple Engines

Dynamic Execution

USE DYNAMIC EXECUTION

to catch undetected malwares (very rare)

IMPLEMENT EMERGENCY BLOCKING SYSTEMS

Unpredictable attacks and bugs happen. Get as ready as possible for it

Caching

Policy

Multiple Engines

Dynamic Execution

Fast Rules

ENCRYPT EVERYTHINGin transit and at rest

OUTBOUND

82%Messages from Gmail

to other providersare encrypted

INBOUND

62%Messages from other

providers to Gmailare encrypted

https://goo.gl/iv2tIa * Gmail always tries to encrypt email communication. Encryption failures are due to other providers not supporting encryption

https://goo.gl/1tLf3w

Closure Templates Strict Autoescaping

VS

Manual and Unsafe Escaping

BE METRICS DRIVEN

Number of XSS affecting Gmail webmail fixed per quarter

2008 2009 2010

0

1

2

3

4

5

2011 2012 2013 2014 2015

Q1

Q2

Q3

Q4

NU

MB

ER O

F EX

PLO

ITA

BLE

XS

S

PREVENT BUGS THROUGH GOOD SOFTWARE DESIGN

script-src frame-src

CSP blocks a lot of bad stuff CSP helped us identify potential XSS

CSP violations for Google Inboxjust before launch

Smart labels potential XSS

<! <img src="><img src=x onerror=alert(1)// ">45.7% 54.3%

IMPLEMENT DEFENSE IN DEPTH

CSP

Linear Classifiers

Deep Learning

Security audits

Encryption

Static Analyzers

DDOS prevention

Antivirus

Dynamic Execution

Fuzzing

Auto-escaping

PAY FOR BUGSit’s worth it

0

10

20

30

40

50

$0

$5000

$10000

$15000

$20000

$25000

amount awarded

number of bugs

2010 2011 2012 2013 2014 2015

Dynamic renderingCSS, Javascript. E.g Media Queries

Hacked siteGood sites used in phishing attacks

Email security standardsYet to be fully adopted

Advanced phishing attacks e.g spear phishing

KEY CHALLENGES IN 2016

Combine detection technologies in each layerThere is no silver bullet so diversification is key to lasting security.

Defense in depthAdd multiple layers of security because sooner or later an attacker will break one.

Have a strong team that keeps runningIt takes all your efforts to keep the product clean. No rest for the brave.

KEY TAKEAWAYS

Thank you!