Wednesday, August 15, 2007

Browser bugs vs. attacks on same origin policy

A bar-room conversation with a colleague at Black Hat led me to think about this question, and here are my thoughts, for what they're worth.

Today's browsers are full of Oday, particularly in the processing of images and other media, and in plug-ins like ActiveX controls. At the same time, a thriving area of current research is focused on attacks against the browser same origin policy, involving JSON hijacking, DNS rebinding, other workarounds and logic flaws. Which of these areas is more worthy of our attention?

Here are two polarised (and somewhat caricatured) opinions:

  • If I want to compromise a web user, I can just find a browser Oday and completely own them. Attacks against same origin policy are lame and unnecessary.
  • I agree we can't ignore browser bugs if we’re trying to protect web apps. We need to find defences in the application that can stand up to a compromised browser.
Of these two positions, the second is the easiest to shoot down. Aside from a narrow subset of browser bugs, no defences in the application can protect against a compromised browser. If an attacker can execute arbitrary machine-level code within a user's browser, then they completely own that user's interaction with any web application.
Does that mean we must accept the first position? There are several reasons why not:
  • Many would-be attackers are not capable of discovering and exploiting a browser Oday, but can understand and deliver attacks against the same origin policy. Defences that frustrate only some attackers are still worthwhile.
  • Attacks against the same origin policy make interesting research. Most security researchers are interested in class breaks and new genres of attacks, rather than individual bugs. The types of vulnerabilities that exist within browsers, and the ways they can be discovered, are more interesting than the latest bug in an image parser. Similarly, generic ways of circumventing the same origin policy are more interesting than the latest means of inducing network timeouts, to port scan other domains.
  • This area of web security is a weakest link problem, in that an attacker needs to find either a browser bug or a same origin policy bypass to compromise a user. Conventional defence-in-depth does not apply - a robust same origin policy can still be defeated through a bug in the browser, and vice versa. This means that protecting users entails resolving both problem areas. Browser vendors are taking security seriously, and bugs are going to get progressively harder to find and exploit. Meanwhile, research into attacking and defending same origin restrictions needs to continue, so that this is not left as the weak link when browsers become more resilient.

Thursday, August 9, 2007

Black Hat retrospective

My mind and body are now partly recovered from the madness that is Vegas, and I've pieced together as many recollections as I'm able to.

First off, the webappsec training went really well, with some great feedback from the ~70 participants, and the customary job offer made to the CTF winner. It's pretty hard work standing up and talking for four days, but I met some great people and got lots of good ideas to make the course even better next time.

Once the training and jet lag were out of the way, the partying ratcheted up a few notches, and we saw plenty of the nocturnal delights that Vegas has to offer. As well as Caesars, we spent a fair bit of time at Luxor, Venetian and other hotels.

shadow bar

The WASC/OWASP party in the Shadow Bar was great, with much of the webappsec world in attendance, and an opportunity to meet people face to face whom I'd previously only corresponded with.

The Microsoft party took over the top floor of Pure, and drew a wider crowd, with seemingly half of the con getting an invitation, or maybe I was just seeing double by that point.

I also staggered into the iDefense party, and even blagged a VIP wristband, as did several others to the bemusement of some senior iDefense folks who wanted to talk about our contributions to the vulnerability programme. The Hard Rock cafe is a cool venue, although I don't think the crew of assembled geeks did it full justice.

Unsurprisingly, with all of the opportunities for imbibation, our attendance at the actual conference was patchy during the mornings. I was sorry to miss a few good talks, but I have the slides and was able to catch up with many interesting people during the evenings.

RSnake and PortSwigger

I made it to Billy Hoffman's Ajax talk, which was entertaining as usual but didn't contain anything new for me.

I also caught Joanna's update on virtualisation-based rootkits, and her attempts to avoid detection. Like most of areas security, this is an asymmetric problem - while she is sticking her fingers in as many dykes as she can, people only need to find one hole that can't be plugged. In terms of detection of some kind of unexpected virtualisation at least, it appears that timing attacks in particular aren't going to go away any time soon.

Defcon provided some early excitement with this year's badge. J-Lo and I spent the first few minutes struggling through our hangovers figuring out how to reprogram them to make rude words appear.

defcon badge

The Defcon talks were a bit more offbeat, and I caught ones on malicious toasters, video games and various rants. In general, I thought the more mainstream technical talks were a bit disappointing - fairly introductory with little in terms of new ideas. There is definitely room for some easy talks for people who are unfamiliar with a particular area, but it would be good to know in advance what is "for dummies" and what is more innovative.

All in all, it was a fantastic week, but it's good to be home. Vegas messes you up, physically and mentally. I'm nearly back to normal now. It will be great to go back next year.