Stanford CS 155 - Running code in browser poses security risks

Running code in browser poses security risks
● Compromise host
  – Write to file system
  – Interfere with other processes in browser environment
● Steal information
  – Read file system
  – Read information associated with other browser processes (e.g., other windows)
  – Fool the user
  – Reveal information through traffic analysis

Browser sandbox
● Idea
  – Code executed in browser has only restricted access to OS, network, and browser data structures
● Isolation
  – Similar to address spaces or SFI, conceptually
  – Browser is a “weak” OS
  – Same-origin principle
● Browser “process” consists of related pages and the site they come from

Java
● General programming language
● Web pages may contain Java code
  – Java executed by Java Virtual Machine
  – Special security measures associated with Java code from remote URLs
● Javascript, other security models are based on Java security model

Java Applet (diagram)
● Local window
● Download
  – Seat map
  – Airline data
● Local data
  – User profile
  – Credit card
● Transmission
  – Select seat
  – Encrypted msg

Mobile code security mechanisms
● Examine code before executing
  – Java bytecode verifier performs critical tests
● Interpret code and trap risky operations
  – Java bytecode interpreter does run-time tests
  – Security manager applies local access policy
● Security manager policy based on
  – Site that supplied the code
  – Code signing – who signed it?

Java Virtual Machine Architecture (diagram)
  Compile source code: A.java → Java Compiler → A.class
  Java Virtual Machine: A.class, B.class (local or via Network) → Loader → Verifier → Linker → Bytecode Interpreter

Class loader
● Runtime system loads classes as needed
  – When class is referenced, loader searches for file of compiled bytecode instructions
● Default loading mechanism can be replaced
  – Define alternate ClassLoader object
● Extend the abstract ClassLoader class and implementation
  – Can obtain bytecode from network
● VM restricts applet communication to site that supplied applet

Verifier
● Bytecode may not come from standard compiler
  – Evil hacker may write dangerous bytecode
● Verifier checks correctness of bytecode
  – Every instruction must have a valid operation code
  – Every branch instruction must branch to the start of some other instruction, not middle of instruction
  – Every method must have a structurally correct signature
  – Every instruction obeys the Java type discipline
Last condition is fairly complicated.

Type Safety of JVM
● Load-time type checking
● Run-time type checking
  – All casts are checked to make sure type safe
  – All array references are checked to be within bounds
  – References are tested to be not null before dereference
● Additional features
  – Automatic garbage collection
  – NO pointer arithmetic
If program accesses memory, the memory is allocated to the program and declared with correct type

How do we know verifier is correct?
● Many early attacks based on verifier errors
● Formal studies prove correctness
  – Abadi and Stata
  – Freund and Mitchell
● Found error in initialize-before-use analysis

JVM uses stack machine
● Java
  class A extends Object { int i; void f(int val) { i = val + 1; } }
● Bytecode
  Method void f(int)
    aload_0                    ; object ref this
    iload_1                    ; int val
    iconst_1
    iadd                       ; add val + 1
    putfield #4 <Field int i>
    return

JVM Activation Record (diagram): data area, local variables, operand stack; return addr, exception info, const pool res.; refers to const pool

Java Object Initialization
● No easy pattern to match.
● Multiple refs to same uninitialized object.
Bug in Sun’s JDK 1.1.4
● Example: variables 1 and 2 contain references to two different objects, verifier thinks they are aliases

Security Manager
● Java library functions call security manager
● Security manager object answers at run time
  – Decide if calling code is allowed to do operation
  – Examine protection domain of calling class
● Signer: organization that signed code before loading
● Location: URL where the Java classes came from
  – Uses the system policy to decide access permission

Stack Inspection
● Permission depends on
  – Permission of calling method
  – Permission of all methods above it on stack
● Up to method that is trusted and asserts this trust
Many details omitted
(diagram: call stack with java.io.FileInputStream, method f, method g, method h)

Stories: Netscape font / passwd bug; Shockwave plug-in

ActiveX
● ActiveX controls reside on client's machine, activated by HTML object tag on the page
  – ActiveX controls are not interpreted by browser
  – Compiled binaries executed by client OS
  – Controls can be downloaded and installed
● Security model relies on three components
  – Digital signatures to verify source of binary
  – IE policy can reject controls from network zones
  – Controls marked by author as safe for initialization, safe for scripting, which affects the way the control is used
Once accepted, installed and started, no control over execution

Installing Controls
If you install and run, no further control over the code. In principle, browser/OS could apply sandboxing, other techniques for containing risks in native code. But don’t count on it.

Risks associated with controls
● MSDN Warning
  – An ActiveX control can be an extremely insecure way to provide a feature
● Why?
  – A COM object, control can do any user action
    ● read and write Windows registry
    ● access the local file system
  – Other web pages can attack a control
    ● Once installed, control can be accessed by any page
    ● Page only needs to know class identifier (CLSID)
● Recommendation: use other means if possible
http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp

IE Browser Helper Objects (Extensions)
● COM components loaded when IE starts up
● Run in same memory context as the browser
● Perform any action on IE windows and modules
  – Detect browser events
    ● GoBack, GoForward, and DocumentComplete
  – Access browser menu, toolbar and make changes
  – Create windows to display additional information
  – Install hooks to monitor messages and actions
● Summary: No protection from extensions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

Dynamic content
● Servers often generate client-specific content
  – E.g., your shopping cart, your portal home page, ...
● Simplest method: CGI programs
  – Client connects to server
  – Server spawns CGI program in a new process
  – Script generates contents of web page
● Problem: slow
  – Interpreters (perl, python, php) slow to start up
  – Even creating processes is somewhat slow

Solution: Embedded interpreter
● Embed script interpreter into web server
  – Eliminates
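The Verifier slide above lists four static checks (valid opcode, branch targets on instruction boundaries, structurally sound method, Java type discipline) and notes that the last one is the hard part. The following is an added example, not course material and not the JVM's real verifier: a toy verifier for a tiny JVM-flavoured stack machine that runs the same four checks over the slide's method `f` and over three hand-crafted bytecode sequences a hostile class file could contain. The opcode numbers, one-byte operands and absolute branch offsets are assumptions made for this example.

```python
# Added example (not course code): a toy verifier for a tiny JVM-flavoured
# stack machine.  It performs the four checks the Verifier slide lists:
# valid opcodes, branch targets on instruction boundaries, a structurally
# sound method body, and type discipline on the operand stack and locals.
# The opcode numbers, one-byte operands and absolute branch offsets are
# assumptions for this example; the real JVM encoding and verifier differ.

OPCODES = {0x10: "iconst", 0x15: "iload", 0x19: "aload", 0x60: "iadd",
           0xB5: "putfield", 0xA7: "goto", 0x99: "ifeq", 0xB1: "return"}
# name -> (operand bytes, types popped (top of stack last), types pushed)
SPEC = {
    "iconst":   (1, [], ["int"]),
    "iload":    (1, [], ["int"]),
    "aload":    (1, [], ["ref"]),
    "iadd":     (0, ["int", "int"], ["int"]),
    "putfield": (1, ["ref", "int"], []),   # assumed: field #n holds an int
    "goto":     (1, [], []),
    "ifeq":     (1, ["int"], []),
    "return":   (0, [], []),
}
BRANCHES = {"goto", "ifeq"}


class VerifyError(Exception):
    """Raised when bytecode fails a static check; the class must not be linked."""


def decode(code):
    """Check 1: every opcode is valid and no instruction is truncated.
    Returns {offset: (name, operand)} so later checks know where instructions start."""
    insns, pc = {}, 0
    while pc < len(code):
        name = OPCODES.get(code[pc])
        if name is None:
            raise VerifyError(f"invalid opcode 0x{code[pc]:02x} at offset {pc}")
        nops = SPEC[name][0]
        if pc + 1 + nops > len(code):
            raise VerifyError(f"truncated {name} at offset {pc}")
        insns[pc] = (name, code[pc + 1] if nops else None)
        pc += 1 + nops
    return insns


def verify(code, local_types):
    """Static verification of one method body.  local_types gives the declared
    type ('int' or 'ref') of each local slot, e.g. ['ref', 'int'] for f(int)."""
    insns = decode(code)
    # Check 2: a branch must land on the start of some instruction, never inside one.
    for pc, (name, target) in insns.items():
        if name in BRANCHES and target not in insns:
            raise VerifyError(f"{name} at {pc} jumps to {target}, not an instruction start")
    # Checks 3 and 4: abstract interpretation of operand-stack types over all paths.
    # Each offset must be reached with the same stack typing from every predecessor.
    seen, work = {}, [(0, ())]
    while work:
        pc, stack = work.pop()
        if pc in seen:
            if seen[pc] != stack:
                raise VerifyError(f"inconsistent stack types at {pc}: {seen[pc]} vs {stack}")
            continue
        seen[pc] = stack
        name, operand = insns[pc]
        nops, pops, pushes = SPEC[name]
        if name in ("iload", "aload"):
            want = "int" if name == "iload" else "ref"
            if operand >= len(local_types) or local_types[operand] != want:
                raise VerifyError(f"{name} {operand} at {pc}: local is not {want}")
        if list(stack[len(stack) - len(pops):]) != pops:
            raise VerifyError(f"{name} at {pc} needs {pops} on the stack, found {list(stack)}")
        stack = stack[:len(stack) - len(pops)] + tuple(pushes)
        if name == "return":
            continue                      # method exit: nothing further on this path
        if name in BRANCHES:
            work.append((operand, stack))
        if name == "goto":
            continue                      # unconditional: no fall-through
        nxt = pc + 1 + nops
        if nxt not in insns:
            raise VerifyError(f"control falls off the end of the method after {pc}")
        work.append((nxt, stack))
    return True


def verifies(code, local_types):
    """True if the method verifies, False (never an exception) otherwise."""
    try:
        return verify(code, local_types)
    except VerifyError:
        return False


# Constructed sample: the slide's  void f(int val) { i = val + 1; }  encoded as
#   aload 0 / iload 1 / iconst 1 / iadd / putfield #4 / return
F_GOOD = bytes([0x19, 0, 0x15, 1, 0x10, 1, 0x60, 0xB5, 4, 0xB1])
F_LOCALS = ["ref", "int"]                   # slot 0 = this, slot 1 = val
# Constructed hostile variants a hand-written class file could contain:
F_BAD_BRANCH = bytes([0xA7, 1, 0xB1])       # goto into the middle of itself
F_BAD_TYPE = bytes([0x19, 0, 0x10, 1, 0x60, 0xB1])   # iadd on an object reference
F_BAD_OPCODE = bytes([0xFF])

if __name__ == "__main__":
    for label, code in [("good", F_GOOD), ("bad branch", F_BAD_BRANCH),
                        ("bad type", F_BAD_TYPE), ("bad opcode", F_BAD_OPCODE)]:
        print(f"{label:10s} -> {verifies(code, F_LOCALS)}")
```

The type check is a dataflow analysis rather than a single pass: every offset records the stack typing it was first reached with, and a second path arriving with a different typing is rejected. That is the structure behind the slide's remark that the last condition is complicated, and it is the part where the JDK 1.1.4 aliasing bug on the Java Object Initialization slide lived.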
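The Security Manager and Stack Inspection slides above say that a permission check depends on the protection domain (signer and location) of the calling method and of every method above it on the stack, up to a trusted method that asserts its trust. The following is an added simulation of that rule, written for this page rather than taken from the course or from Java's own API: it models the slide's call stack as applet method `f` calling library methods `g` and `h`, which open `java.io.FileInputStream`. The domain names, permission strings and that call order are constructed assumptions.

```python
# Added example (not course code): a simulation of stack inspection as the
# Stack Inspection slide describes it.  Permission for a sensitive operation
# depends on the protection domain of every frame on the call stack, walked
# from the most recent frame down, until a trusted frame that has asserted
# its own trust (Java's doPrivileged) is reached.  Domain names, permission
# strings and the call chain f -> g -> h -> FileInputStream are constructed
# assumptions for this example, not Java's real API.

from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    """Protection domain: decided at load time from signer and code location."""
    name: str
    signer: str
    location: str
    permissions: frozenset      # e.g. "file.read:/etc/passwd"

    def grants(self, perm):
        return "*" in self.permissions or perm in self.permissions


@dataclass(frozen=True)
class Frame:
    method: str
    domain: Domain
    privileged: bool = False    # frame asserted trust (doPrivileged) before calling down


def check_permission(stack, perm):
    """Return (allowed, deciding_frame).  stack[-1] is the frame that invoked the
    check (the library code), stack[0] the outermost caller."""
    for frame in reversed(stack):
        if not frame.domain.grants(perm):
            return False, frame.method          # an untrusted caller is on the stack
        if frame.privileged:
            return True, frame.method           # trusted code vouched; stop walking
    return True, None                           # every frame, down to main, is allowed


# Constructed domains: the system library versus an unsigned applet from a remote URL.
SYSTEM = Domain("system", signer="Sun", location="file:/jdk/lib/rt.jar",
                permissions=frozenset({"*"}))
APPLET = Domain("applet", signer="", location="http://example.invalid/applet/",
                permissions=frozenset({"file.read:/applet/data",
                                       "net.connect:example.invalid"}))


def applet_reads(path, library_asserts_trust=False):
    """Applet method f calls library g, which calls h, which opens FileInputStream.
    Returns the verdict of the security manager's stack inspection."""
    stack = [
        Frame("f", APPLET),
        Frame("g", SYSTEM, privileged=library_asserts_trust),
        Frame("h", SYSTEM),
        Frame("java.io.FileInputStream", SYSTEM),
    ]
    return check_permission(stack, f"file.read:{path}")


if __name__ == "__main__":
    print(applet_reads("/etc/passwd"))               # (False, 'f')
    print(applet_reads("/applet/data"))              # (True, None)
    print(applet_reads("/etc/passwd", True))         # (True, 'g')
```

The walk starts at the library frame and stops at the first frame that either lacks the permission or has asserted its trust, so trusted library code reached from an applet cannot be used as a confused deputy unless it explicitly asserts privilege. That assertion is where the "many details omitted" live: the library frame that asserts trust takes responsibility for what it does next.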