Presentation is loading. Please wait.

Presentation is loading. Please wait.

JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

Similar presentations


Presentation on theme: "JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)"— Presentation transcript:

1 JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

2 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 2 Outline The Web 2.0 Security Picture1 Position: Boundary Challenges2 Example: Drive-by Pharming3 Other Examples and Parting Thoughts4

3 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 3 The Web 2.0 Picture WEB SERVER CLIENT MACHINE WEB SERVER 3 Intranet web devices 4 Plug-ins / Extensions 5 Multiple Browsers 6 Local online apps 2 Content aggregation 1 User-driven content

4 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 4 What Makes it Hard Unprecedented amount of content (not always trustworthy) Aggregation of content on local client and also by intermediaries (same-origin policy workarounds) Intranet devices often have web servers (internet/intranet boundary issues) Web browsers augmented with plug-ins (not always trustworthy & complicate interactions) Machines may have many local web browsers that communicate over HTTP, render HTML, and emulate JavaScript (increased attack surface). Some local client applications can interact with web browser and provide combined online / offline capabilities (compromises can lead to machine ownership). 4

5 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 5 Main Position Points and Examples There are many pieces in the puzzle. The policies governing boundaries between these pieces needs to be better understood and better enforced. If we get this wrong, *-script code running in one context, can affect another. Example: Drive-by Pharming. 5

6 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 6 Drive-by Pharming Overview Attack concept developed by Sid Stamm, Markus Jakobsson, and me that strongly leverages prior work on JavaScript host scanning presented by Grossman at BlackHat. Local broadband routers (both wired and wireless) offer a web management interface for device configuration –Consequently, these devices contain a web server that runs a web app The web app is often susceptible to cross-site request forgeries (made easier since there is usually a default password that users often fail to change) Broadband routers govern DNS settings… Can change these settings from a remote location; victim only has to view web page containing malicious JavaScript to become infected 6

7 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 7 Drive-by Pharming Flow Home broadband / wireless router Web Browser Good DNS Server Rogue DNS Server Your Bank Not Your Bank Web site with JavaScript Malware Click Me!!!

8 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 8 Drive-by Pharming Current Status Working proof of concept code for various Linksys, Netgear,and DLINK routers No known instances In the Wild yet Similar concept can be used to upgrade router firmware Solutions –Simple bandaid: change password on home router –More fundamental: protect the web app on the router from Cross-Site Request Forgeries –Way to implement second soln: web app requires and validates unpredictable value hidden somewhere on web page containing config. management interface 8

9 Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 9 Other Examples and Parting Thoughts Other Examples: –Overtaking Google Desktop (Amit, Allan & Sharabani) –Universal XSS (Di Paola & Fedon) Not understanding boundaries associated with the plethora of component and failing to understand and enforce policies governing boundaries can have devastating consequences Things are getting more complex! New technologies like Silverlight, etc., are looming. 9 © 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.


Download ppt "JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)"

Similar presentations


Ads by Google