Maddin, Thursday, 29 November 2007, 17:05 DeepSec 2007 Roundup Last Friday I had the honour of giving a talk at DeepSec 2007 in Vienna. Due to other obligations I unfortunately could only attend the final day of the conference.
The day started with a keynote presentation by Jeff Moss, the founder of Black Hat. He gave a really entertaining talk on responsible disclosure using the Mike Lynn/ISS/Cisco debacle of 2005 as an example. Jeff was followed by Halvar Flake, who talked about (semi-)automatic malware classification using his tool BinDiff. BinDiff looks fantastic. I am always intrigued by tools that combine clever algorithms with a good-looking and usable GUI. While I don't necessarily completely agree with Halvar's assessment of why his technique is significantly better than the competing approaches, I learned a lot from his presentation. Then I had to do some last-minute refinements on my slides and meet some people, so I skipped most of the following presentations.
The next talk I attended was my own, which went fine. Once again (and probably for the last time) I presented on CSRF. This time I skipped most parts concerning our protection mechanisms and concentrated more on the various exploitation aspects, using real-life examples and demoing Justus's CSRF-exploit-o-mat, which allows the automatic creation of a working exploit in less than 5 seconds. I got some good questions and had a couple of nice conversations in the hallway.
The conference ended for me with Melanie Rieback's presentation on RFIDGuardian. The RFIDGuardian is a small wearable appliance which is able to intercept, alter, or block communication between RFID readers and RFID tags (e.g., your passport, tags in your clothing, or tags you didn't even know you had). The appropriate action which the guardian should execute can be selected on a per-tag basis, thus allowing rather fine-grained control. The feature I liked most is that the tool provides auditing/logging capabilities which enable the user to establish exactly when and where somebody tried to access RFID tags during the day. Right now only prototypes exist, but Melanie's research group is trying to get some funding for mass production, which would result in a possible end-consumer price of around 200 €. As all the basic information (software, hardware design) is open and free (GPL, CC), it is also possible to build your own device at home, provided you have a soldering iron and know what you are doing (a note to my students: if anybody wants to do this as part of his master's thesis, drop me a line).
In the evening fukami, Stefan Esser, and I attended Monochrome's fantastically entertaining Taugshow. The show's talk guests on stage were (among others) Cory Doctorow, Tim Pritlove and Jeff Moss. The secret highlight of the show was a friendly American who almost choked when he was trying to eat a dollar bill (which he did to support the US economy).
In summary, DeepSec was a very pleasant and inspiring experience. My only regret is that my time was too limited, so that I missed the first day and had neither the time to check out the Meta-Lab nor to visit the Roböexotica event.
Maddin, Wednesday, 19 September 2007, 15:31 Why I do not like taint tracking While I was giving a talk yesterday on our dynamic and language-based approaches to avoiding code injection vulnerabilities at the Laboratory for Dependable Distributed Systems at the University of Mannheim, I came up with a nice description of why I dislike dynamic taint tracking:
Preventing code injection exploits using dynamic taint tracking is like letting a thief into your house and checking his bag for stolen goods at the very moment he tries to leave. It might work, but only if you never lose track of the gangster and if you really know your house. However, I would prefer a solution that does not let thieves into my house in the first place.
(Nonetheless, I think taint tracking obviously has a valid place in the defender's arsenal.)
DNS rebinding at CCS'07
Besides discussing DNS rebinding for firewall circumvention, Protecting Browsers from DNS Rebinding Attacks by Jackson et al. also covers DNS-rebinding-based IP hijacking, which can be used to commit click fraud (a malicious application of the attack I had not thought of before). Furthermore, the authors propose a couple of defensive strategies, two of which have especially caught my attention:
To protect a given intranet, they propose a firewall solution. This special firewall specifically filters DNS traffic and denies DNS resolution of external hostnames to internal IP addresses. A nice idea that is easy to deploy within a company network.
Furthermore, they suggest altering the web browser's pinning strategy from strict IP pinning to class C pinning. This means DNS rebinding within the same /24 range is permitted. Such a policy would allow using DNS rebinding for load balancing and failure recovery while preventing the discussed attacks. This is a better policy than the one we enforce in LocalRodeo: it prevents the intranet-targeted attacks as well as we do but also counters IP hijacking. For allowing dynamic DNS, restricting the IP changes to a class C range is probably too strict though.
Dynamic Pharming Attacks and the Locked Same-Origin Policies for Web Browser by Karlof et al. shows how pharming attacks can employ DNS rebinding to subvert strong authentication mechanisms like client-side SSL (another malicious application I had not thought of before). To counter this threat they propose a "locked same-origin policy" that not only takes domain, port, and protocol into consideration but also requires that the private keys of the web page's respective SSL certificates match (an approach that obviously only works for web pages served via https).
I think this solution is a pointer in the right direction. Making the security properties of a web application dependent on something that is not directly controlled by the application itself (DNS) was a bad idea in the first place. In the future we should work on replacing this policy with something more appropriate and fine-grained.
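To make the difference between the two browser pinning policies concrete, here is an added example (my own illustration, not code from either paper or from LocalRodeo) that pins the first DNS answer per hostname and then decides whether a later answer is accepted under strict IP pinning or under the /24 (class C) policy. All hostnames and addresses are constructed for the demonstration.

```javascript
// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Strict IP pinning: every later answer must be exactly the pinned address.
function strictPinAllows(pinnedIp, newIp) {
  return ipToInt(pinnedIp) === ipToInt(newIp);
}

// Class C pinning (Jackson et al.): a later answer is accepted as long as it
// stays within the same /24 as the pinned address.
function classCPinAllows(pinnedIp, newIp) {
  const mask = 0xffffff00;
  return ((ipToInt(pinnedIp) & mask) >>> 0) === ((ipToInt(newIp) & mask) >>> 0);
}

// Browser-side pin table: the first answer for a hostname is pinned, every
// further answer is checked against the chosen policy. Returns true when the
// connection may proceed and false when the rebinding is refused.
function makePinTable(policy) {
  const pins = new Map();
  return function check(hostname, answerIp) {
    if (!pins.has(hostname)) {
      pins.set(hostname, answerIp);
      return true;
    }
    return policy(pins.get(hostname), answerIp);
  };
}

// Constructed scenario: attacker.example first resolves to a public address and
// then rebinds to an intranet host; shop.example fails over within its own /24.
function demo() {
  const strict = makePinTable(strictPinAllows);
  const classC = makePinTable(classCPinAllows);
  const results = {};
  strict("attacker.example", "203.0.113.10");
  classC("attacker.example", "203.0.113.10");
  results.strictRebindToIntranet = strict("attacker.example", "10.0.0.5");
  results.classCRebindToIntranet = classC("attacker.example", "10.0.0.5");
  strict("shop.example", "198.51.100.20");
  classC("shop.example", "198.51.100.20");
  // Load balancing / failover inside the same /24: only class C pinning permits it.
  results.strictFailover = strict("shop.example", "198.51.100.21");
  results.classCFailover = classC("shop.example", "198.51.100.21");
  return results;
}
```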
Maddin, Friday, 15 June 2007, 21:36 CfP: NordSec 2007 - The 12th Nordic Workshop on Secure IT Systems The 2nd Call for Papers for the 12th Nordic Workshop on Secure IT Systems (NordSec 2007) was published a while ago. I am very proud to be one of the members of the program committee and would love to see many submissions to the workshop.
Important dates:
Paper submissions due: 23 July
Notification to authors: 10 September
Final papers due: 24 September
The workshop will be held on October 11-12, 2007 in Reykjavik, Iceland.
About NordSec
NordSec 2007 is organized by Reykjavik University, in Iceland, with a special focus on Language-based Techniques in Security. Since 1996, the NordSec workshops have brought together computer security researchers and practitioners from the Nordic countries, Northern Europe, and elsewhere. The workshop has an emphasis on applied computer security and is intended to encourage interaction between academic and industrial research.
Confirmed invited speakers are:
Cedric Fournet, Microsoft Research, Cambridge, UK
Greg Morrisett, Harvard University, Cambridge, USA
The workshop is linked to a special issue of the Journal of Logic and Algebraic Programming. Authors of selected technical papers may be invited to submit revised versions for consideration in this special issue.
For a list of applicable topics please refer to the CfP webpage.
A special focus of the 2007 NordSec workshop are Language-based Techniques in computer security and their applications; papers and extended abstracts on this topic are especially welcome. Students, researchers, and industry professionals working in this area are encouraged to submit to the workshop.
Maddin, Tuesday, 12 June 2007, 10:25 2nd Rule: You do blog about Bar Camp I attended the first BarCamp in Hamburg, which took place last weekend. The lack of technical content was somewhat disappointing to me. However, the content of a BarCamp is a reflection of the interests of the attendees, so I am not complaining. The Hamburg crowd seems to be hungry for business, as most sessions revolved around starting companies, getting users or making money.
I gave a short session on web security with a focus on issues that may arise due to the specific characteristics of Web 2.0. While I had comparatively few participants, we still had a nice and rewarding discussion.
Maddin, Wednesday, 18 April 2007, 17:21 New LocalRodeo Version We just released a new version of LocalRodeo, our little anti-JavaScript-malware Firefox extension.
Debug mode: if the debug checkbox is activated, Firefox prints verbose debug messages to the command-line console that was used to start the browser.
So, if you are interested, please take LocalRodeo for a test drive and let us know if anything breaks.
Maddin, Thursday, 5 April 2007, 17:04 The state of hacking SessionSafe It has been a month or so since I wrote about SessionSafe. To my delight, a couple of people have taken an interest in the matter. Here is a short summary of the various discussions:
Deferred Loading
There was not a lot of controversy about this topic. Only Wladimir Palant made some suggestions on how to streamline the implementation. Anyway, as Firefox is about to implement http-only cookies, the need for Deferred Loading slowly vanishes (Deferred Loading mainly being an http-only implementation for browsers that do not support it natively).
Subdomain Switching
In the original blog entry and in the ph-neutral presentation I hinted that I considered the combination of Deferred Loading and Subdomain Switching to be sufficiently secure. Kuzza55 brought to my attention that by using anti-DNS-pinning and subsequently spoofing the Host header with either XHR or the low-level socket functions, some of the protection provided by Subdomain Switching can be bypassed (as the authentication cookie for secure.domain.tld can then be sent by the attacker). Therefore, as long as not all browsers support http-only cookies and anti-pinning is still an option, we need one-time URLs.
Besides this, I still consider Subdomain Switching a powerful tool to mitigate the effects of malicious XSS.
One-Time URLs
As I expected, most feedback revolved around the JavaScript trickery that is necessary to hide the random nonces from malicious XSS. At some point during the discussion I posted my old PoC, which spurred even more hacking attempts. It started out with a watch/unwatch problem that Kuzza55 found, closely followed by possible caching issues. Then Kishor found a silly coding mistake of mine in the PoC. This was succeeded by an IE- and Opera-specific technique, found by kazuho, that required overwriting the document object; kazuho also found two additional problems.
Fortunately, all of these issues are avoidable and resolved in the PoC. As long as references to all vital resources are kept by the Randomizer in a tamper-proof local copy and all values passed to the go() function are examined carefully, the one-time-URL concept itself is still feasible. However, due to the highly dynamic nature of JavaScript, nobody can foresee whether there are more sneaky ways to trick the Randomizer. I think kazuho summed it up best:
Although I agree that it might theoretically be possible to hide a link from XSS, I wonder if it's practically possible.
Various bits
During the ongoing work of fixing the PoC, I learned some new aspects of JavaScript:
Right now, all browsers' JS implementations are single-threaded. This means a running script is never interrupted by a second script (e.g., because of the triggering of an event). This comes in handy, as race-condition-based issues are not possible. This also explains the glaring absence of locks/semaphores and related language tools in JS. I do not know if this is standardized or if the JS interpreters behave that way just because the browser developers could not be bothered to write threading code. If anyone knows something more precise, I would like to learn about it.
Internet Explorer acts strangely when it comes to redefining certain global objects. If in a single <script> block the document object is overwritten, it is set to "undefined" even before the redefining instruction is executed. Try this in IE:
alert(document);
var document = "foo bar";
alert(document);
Usually alert(document); results in "[object]", but in this case the first alert results in "undefined". This leaves me kind of puzzled.
Maddin, Thursday, 8 March 2007, 13:59 Heading towards ACM SAC'07 Tomorrow I'll leave Germany to attend the ACM SAC 2007 conference, which takes place in Seoul, Korea this year. I will present our work on transparently countering code injection attacks by approximating data/code separation in string values.
In the unlikely event that one of the readers of this blog happens to be in Seoul next week or even at the conference: drop me a line and I will buy you a beer.
Maddin, Monday, 5 March 2007, 16:46 Paper: SessionSafe - Implementing XSS Immune Session Handling My SessionSafe paper has been online for quite a while now, but I never found the time to write about it. The paper describes three methods that, if used in combination, protect web applications against session hijacking even in situations where an XSS attack has already successfully injected malicious JavaScript code into the application.
XSS problems are not always caused by flaws in the web application itself. Instead, they may arise due to external factors, like the Expect header problem, vulnerable browser extensions (e.g., the Adobe PDF UXSS), or unwise usage of eval() in Greasemonkey scripts. For this reason such a second line of defence is useful even if a web application is well audited and believed to be secure. The paper was presented at ESORICS 2006 and published in the conference's proceedings.
Abstract (fat free version):
[...] In this paper we classify currently known attack methods to enable the development of countermeasures against [session hijacking]. By close examination of the resulting attack classes, we identify the web application’s characteristics which are responsible for enabling the single attack methods: The availability of session tokens via JavaScript, the pre-knowledge of the application’s URLs and the implicit trust relationship between webpages of same origin. Building on this work we introduce three novel server side techniques to prevent session hijacking attacks. Each proposed countermeasure removes one of the identified prerequisites of the attack classes. SessionSafe, a combination of the proposed methods, protects the web application by removing the fundamental requirements of session hijacking attacks, thus disabling the attacks reliably.
In hindsight, I tend to consider the JavaScript-based Randomizer object to be the weakest part of the paper, as I am not fully convinced that no JavaScript implementation provides a non-standard mechanism to either obtain the encapsulated list of nonces or hijack the document.location property. E.g., one of the paper's reviewers warned about an attacker who tries to overwrite the setter function of the document.location property. While Kuzza55 showed how to counter such an attempt, the whole business still leaves an uneasy feeling. However, even the combination of Deferred Loading and Subdomain Switching still provides decent enough protection, as I have discussed in my ph-neutral 0x7d6 presentation. Also, implementing the Randomizer object either in Flash or as a Java applet should get rid of my JavaScript worries.
Misc. remarks and updates:
I have to thank Andre Luerssen. Without him I would not have considered the background XSS propagation attack vector.
Christian Weitendorf implemented the paper's techniques for J2EE as part of his Master's thesis. The thesis is still in review. We are thinking about releasing the code afterwards. Stay tuned.
Furthermore, after reading the paper, Collin Jackson pointed me to a small but significant error in the paper's example code. Instead of
nonce = validNonces[path];
in Listing 1.1 it should rather be
var nonce = validNonces[path];
Otherwise the nonce would be stored as a property of the global window object, where injected script can read it.
A closing remark: the research that led to this paper was probably the most fun I have yet had in academia.
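The two points made about the Randomizer in this post and in "The state of hacking SessionSafe" above (keep the nonces in a local, tamper-proof copy; examine every value passed to go(); declare the nonce with var so it never lands on the global object) can be put together in a small model. The following is an added example of mine, not the paper's Listing 1.1 and not the PoC; the paths and nonces are constructed, and the navigate callback stands in for assigning document.location.

```javascript
let issued = 0;
// Stand-in for the server handing out a fresh nonce with each response.
function freshNonce() {
  issued += 1;
  return "nonce" + issued.toString(16).padStart(8, "0");
}

function makeRandomizer(navigate, allowedPaths) {
  // Tamper-proof local copies, taken once at construction time, so that a
  // later injected script cannot swap the references the Randomizer relies on.
  const nav = navigate;
  const allowed = new Set(allowedPaths);
  const validNonces = Object.create(null);     // path -> unused nonce
  for (const p of allowed) validNonces[p] = freshNonce();

  function go(path) {
    // Only a string naming a known path is accepted; anything else is refused
    // before it can reach the nonce table or the navigation sink.
    if (typeof path !== "string" || !allowed.has(path)) {
      throw new Error("refused path");
    }
    var nonce = validNonces[path];   // "var": the nonce must not become window.nonce
    if (nonce === undefined) throw new Error("no unused nonce for " + path);
    delete validNonces[path];        // one-time URL: the nonce is consumed here
    const url = path + "?nonce=" + nonce;
    nav(url);
    return url;
  }

  // Called with the nonces the server sends along with the next page.
  function issue(path, nonce) {
    if (!allowed.has(path) || typeof nonce !== "string") throw new Error("refused");
    validNonces[path] = nonce;
  }

  // Only go() and issue() are exposed; the nonce table itself stays unreachable.
  return Object.freeze({ go, issue });
}

// Constructed usage: a page with two protected links and a recording sink.
function demo() {
  const visited = [];
  const r = makeRandomizer(u => visited.push(u), ["/account", "/logout"]);
  const first = r.go("/account");
  let reused = null;
  try { r.go("/account"); } catch (e) { reused = e.message; }
  let injected = null;
  try { r.go("/account?x=<script>"); } catch (e) { injected = e.message; }
  r.issue("/account", "server-supplied-nonce");
  const second = r.go("/account");
  return { first, reused, injected, second, visited, exposed: Object.keys(r) };
}
```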
Maddin, Monday, 19 February 2007, 12:28 LocalRodeo - Client-side protection against JavaScript Malware After contributing to showing how to break things, it is about time to start fixing things: Justus Winter and I are happy to present the first (beta) version of LocalRodeo, a Firefox extension that aims to protect against attacks which lately have been summarized under the term JavaScript Malware.
LocalRodeo specifically counters two attack vectors:
Intranet exploration (i.e., JavaScript port scanning and fingerprinting): the extension classifies all network locations as either local or external, with local locations being part of the intranet. All HTTP requests that have an external origin (i.e., were generated within the execution context of an external web page) and a local target (i.e., an intranet resource) are canceled by LocalRodeo.
Anti-DNS-pinning: LocalRodeo detects this attack method by monitoring DNS answers. The switch of a given domain from external to local (or vice versa) is a clear indication of an anti-pinning attack. If such a switch is detected, all further requests from or to the malicious domain are prohibited.
If you feel like it, please take the extension for a test drive and let us know if anything goes wrong. Enjoy.
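The two checks above, modelled as an added example (my own simplified illustration, not LocalRodeo's extension code): locations are classified as local (RFC 1918 ranges plus loopback) or external, an external-origin request to a local target is cancelled, and a domain whose DNS answers flip between the two classes is blocked from then on. All hostnames and addresses are constructed.

```javascript
// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// "Local" means intranet: the RFC 1918 ranges plus loopback; everything else is external.
const LOCAL_RANGES = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]];

function isLocal(ip) {
  const n = ipToInt(ip);
  return LOCAL_RANGES.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
  });
}

function makeRodeo() {
  const seen = new Map();    // hostname -> "local" | "external" (first classification)
  const blocked = new Set(); // hostnames caught switching between the two classes

  // Anti-DNS-pinning check: every DNS answer is classified; a hostname that was
  // external and now resolves to a local address (or vice versa) gets blocked.
  function onDnsAnswer(hostname, ip) {
    const cls = isLocal(ip) ? "local" : "external";
    if (seen.has(hostname) && seen.get(hostname) !== cls) {
      blocked.add(hostname);
      return "blocked";
    }
    seen.set(hostname, cls);
    return cls;
  }

  // Intranet-exploration check: a request is cancelled when it comes from an
  // external origin and targets a local address, or when either side is blocked.
  // The IPs are the resolved addresses of the requesting page and of the target.
  function shouldCancel(originHost, originIp, targetHost, targetIp) {
    if (blocked.has(originHost) || blocked.has(targetHost)) return true;
    return !isLocal(originIp) && isLocal(targetIp);
  }

  return { onDnsAnswer, shouldCancel };
}
```

After a detected switch the rebound domain resolves to a local address on both sides of the request, which is exactly why the block list, not the local/external classification alone, has to decide.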
Due to problems at my provider, the LocalRodeo web page can't be reached at the moment. I hope that problem will be solved in the next hours. Here is a replacement site. (problem solved)