Stanford CS 155 - Lecture 6 - Browser Security

This preview shows page 1-2-3 out of 10 pages.


Browser Security
John Mitchell

Question from last time: Purify
◆ Goal
  • Instrument a program to detect run-time memory errors (out-of-bounds, use-before-init) and memory leaks
◆ Technique
  • Works on relocatable object code
    – Link to modified malloc that provides tracking tables
  • Memory access errors: insert instruction sequence before each load and store instruction
  • Memory leaks: GC algorithm

Browser security
◆ Browser uses network and local disk
  • Potential for outside access to local data
◆ Browser interprets code from network
  • HTML, JavaScript, ActiveX, Java
◆ Browser installs, executes plug-ins
  • Acrobat, Shockwave, …
◆ Malicious code can pose risks
  • Consume resources
  • Steal information
  • Compromise system
A browser is an operating system

Microsoft Issues New IE Browser Security Patch
By Richard Karpinski
Tuesday, February 12, 2002
  • Microsoft has released a security patch that closes some major holes in its Internet Explorer browser
  • The so-called "cumulative patch" fixes six different IE problems ...
  • Affected browsers include Internet Explorer 5.01, 5.5 and 6.0.
  • Microsoft rated the potential security breaches as "critical."

Latest patch addresses:
  • A buffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system.
  • A scripting vulnerability that would let an attacker read files on a user's systems.
  • A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file.
  • A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site.
  • … more …

Tour of security issues
◆ Cookies
◆ JavaScript
◆ ActiveX
◆ Java
  • Most of lecture devoted to Java
    – Representative case, more developed security model
◆ Using a network proxy to increase security
◆ Plug-ins?

Cookies
◆ HTTP is a stateless protocol; cookies add state
  • Other method: modify URL
[Diagram: Browser and Server. Labels: Enters form data; Stores cookie; Requests cookie; Returns data]

Cookie issues
◆ Policy
  • Cookie from site S can be returned to site S only
◆ Problems
  • Cookies maintain record of your browsing habits
  • Sites can share this information (e.g., doubleclick)
  • Attacks could invade your “privacy”
08 Nov 2001: Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today.

JavaScript
◆ Language executed by browser
◆ Used in many attacks
  • Cookie attack from last slide: With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk ...

ActiveX
◆ ActiveX controls reside on client's machine, activated by HTML object tag on the page
  • ActiveX controls are not interpreted by browser
  • Compiled binaries executed by client OS
  • Can be downloaded and installed
◆ Security model relies on three components
  • Digital signatures to verify source of binary
  • IE policy can reject controls from network zones
  • Controls marked by author as safe for initialization, safe for scripting which affects the way control used
Once accepted, installed and started, no control over execution

Java Applet
◆ Local window
◆ Download
  • Seat map
  • Airline data
◆ Local data
  • User profile
  • Credit card
◆ Transmission
  • Select seat
  • Encrypted msg

Security Risks
◆ Annoyance or inconvenience
  • Display large window that ignores mouse input
  • Play irritating sound and do not stop
  • Consume CPU cycles, memory, network bandwidth …
◆ Export confidential information
  • Communication is generally possible
  • Prevent access to password file, credit card number, …
  • Subtle attack: trick dialog boxes ...
◆ Modify or compromise system
  • Delete files, call system functions

Mobile code security mechanisms
◆ Examine code before executing
  • Java bytecode verifier performs critical tests
◆ Interpret code and trap risky operations
  • Java bytecode interpreter does run-time tests
  • Security manager applies local access policy
◆ Beyond the Browser: code modification
  • Replace standard calls by calls to “safe” versions
  • Check parameters to standard methods to make sure they are in appropriate ranges

Java Background
◆ Compiler and Virtual Machine
  • Compiler produces bytecode
  • Virtual machine loads classes on demand, verifies bytecode properties, interprets bytecode
◆ Why this design?
  • Portability
    – Transmit bytecode across network
  • Minimize machine-dependent part of implementation
    – Do optimization on bytecode when possible
    – Keep bytecode interpreter simple

Java Virtual Machine Architecture
[Diagram labels: A.java, Java Compiler (compile source code), A.class, B.class, Network; Java Virtual Machine: Loader, Verifier, Linker, Bytecode Interpreter]

Class loader
◆ Runtime system loads classes as needed
  • When class is referenced, loader searches for file of compiled bytecode instructions
◆ Default loading mechanism can be replaced
  • Define alternate ClassLoader object
    – Extend the abstract ClassLoader class and implementation
  • Can obtain bytecodes from network
    – VM restricts applet communication to site that supplied applet

Verifier
◆ Bytecode may not come from standard compiler
  • Evil hacker may write dangerous bytecode
◆ Verifier checks correctness of bytecode
  • Every instruction must have a valid operation code
  • Every branch instruction must branch to the start of some other instruction, not middle of instruction
  • Every method must have a structurally correct signature
  • Every instruction obeys the Java type discipline
Last condition is fairly complicated.

Bytecode interpreter
◆ Standard virtual machine interprets instructions
  • Perform run-time checks such as array bounds
  • Possible to compile bytecode class file to native code
◆ Java programs can call native methods
  • Typically functions written in C

Type Safety of JVM
◆ Load-time type checking
◆ Run-time type checking
  • All casts are checked to make sure type safe
  • All array references are checked to be within bounds
  • References are tested to be not null before dereference
◆ Additional features
  • Automatic garbage collection
  • NO pointer arithmetic
If program accesses memory, the memory is allocated to the program and declared with correct type

Why is typing a security feature?
◆ Java sandbox mechanisms rely on type safety
◆ Example
  • Unchecked cast lets applet make any
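
The first two conditions on the Verifier slide (valid operation code, branches land on instruction starts) can be sketched as follows. This is an added example, not code from the lecture or from any JVM; it covers a small subset of real JVM opcodes, skips the signature and type-discipline checks, and the sample byte strings are constructed.

```python
import struct

# Subset of real JVM opcodes -> number of operand bytes (subset chosen for this example).
OPERAND_BYTES = {
    0x00: 0,  # nop
    0x03: 0,  # iconst_0
    0x04: 0,  # iconst_1
    0x10: 1,  # bipush <byte>
    0x15: 1,  # iload <index>
    0x36: 1,  # istore <index>
    0x60: 0,  # iadd
    0x99: 2,  # ifeq <signed 16-bit offset>
    0xA7: 2,  # goto <signed 16-bit offset>
    0xAC: 0,  # ireturn
    0xB1: 0,  # return
}
BRANCHES = {0x99, 0xA7}

def structural_check(code: bytes) -> list[str]:
    """Return the violations found; an empty list means both checks pass."""
    errors, starts, branches = [], set(), []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPERAND_BYTES:
            # Without a known length the next instruction boundary is unknown: stop.
            return errors + [f"pc {pc}: invalid opcode 0x{op:02x}"]
        size = 1 + OPERAND_BYTES[op]
        if pc + size > len(code):
            return errors + [f"pc {pc}: operands run past end of code"]
        starts.add(pc)
        if op in BRANCHES:
            # Branch offsets are signed, big-endian, relative to the branch's own pc.
            (offset,) = struct.unpack(">h", code[pc + 1:pc + 3])
            branches.append((pc, pc + offset))
        pc += size
    for pc, target in branches:
        if target not in starts:
            errors.append(f"pc {pc}: branch target {target} is not an instruction start")
    return errors

# Constructed samples.
# iload 0; ifeq +5 (-> pc 7); iconst_1; ireturn; iconst_0; ireturn
GOOD = bytes([0x15, 0x00, 0x99, 0x00, 0x05, 0x04, 0xAC, 0x03, 0xAC])
# Same start, but ifeq -1 lands on pc 1, the operand byte of iload.
BAD_MIDDLE = bytes([0x15, 0x00, 0x99, 0xFF, 0xFF, 0x04, 0xAC])
# 0xCB is not an assigned opcode.
BAD_OPCODE = bytes([0x03, 0xCB, 0xAC])

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_MIDDLE", BAD_MIDDLE), ("BAD_OPCODE", BAD_OPCODE)]:
        print(name, structural_check(sample) or "ok")
```

The mid-instruction case matters because the operand byte would be decoded as an opcode in its own right, giving an instruction stream that the later type checks never examined.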

