making the case for sandbox v1.1 (sd conference 2007)

Secure Design for the .NET Framework: Sandboxing Dinis Cruz, SD Best Practices 2007, September 21, Boston

Upload: dinis-cruz

Post on 17-Jul-2015


Secure Design for the .NET Framework:

Sandboxing

Dinis Cruz, SD Best Practices 2007, September 21, Boston

2

Secure Design for the .NET Framework: Sandboxing

Two Sections:

– Section 1: Making the case for Sandboxed environments (and why Microsoft and Sun are Asleep at the wheel)

– Section 2: Sandboxing: Where we need to go! (and how Code Access Security can be used to mitigate against the OWASP Top 10)

3

Who am I?

Director of Advanced Technologies, Ounce Labs

Chief OWASP Evangelist

Independent Consultant, various

Skills:
– Researcher on .NET Security
– Reverse Engineering
– Source Code Security Reviews
– Development of Secure Architectures
– Developer (from ASM to C#, from Amiga to x86)

– Irreverent

4

Section #1

Sandboxing: Where are we today?

(and why Microsoft and Sun are sleeping at the wheel)

5

Overview

Sandboxing: Where are we today? (and why Microsoft and Sun are sleeping at the wheel)

Sandboxing (aka executing code in a low privileged environment) is a very effective security defense against external malicious code or internal benign code executed with malicious intent. In this presentation Dinis Cruz will present a technical review of the current Sandboxing technologies and show practical examples of where they are used today.

The technologies covered will include:
– Code Access Security (Microsoft), Java Security Manager (Sun), Flash Security Sandbox (Adobe), Web Browser's Security (Firefox and Internet Explorer), Transparency (used in Microsoft's Silverlight), AIR Security Sandbox (Adobe), Java Web Start and Java FX (Sun), Office Macros (Microsoft and OpenOffice), MOICE (Microsoft Office Isolated Conversion Environment), Widgets (Apple, Yahoo) and Gadgets (Vista, Google Desktop).

6

Inconvenient Truth

Software security is a mess!!!!!

Not because the software industry creates exploitable vulnerabilities, but because it doesn’t understand what those vulnerabilities look like and doesn’t learn from past mistakes!

The buyers/users have no visibility on the ‘real’ security status of our software world

Software is everywhere (from cars, to websites, to medical appliances, to banking systems, to toys, to elevators, to weapons, to communication devices, to energy transportation systems, etc…)

– Our society is currently very dependent on software and will become even more in the future

And nobody has a complete picture of how big this mess is, since its complexity has outgrown the human capacity to analyze it!

7

There are no metrics!

How can customers purchase secure solutions if they can’t measure security?

I know more about an Orange Juice I buy from the local store than I know about the software I buy (winzip for example)

My only decision is to accept (or not) the EULA

Image from OWASP’s metrics project & Jeff Williams’ Presentation (http://www.owasp.org/index.php/Types_of_application_security_metrics)

8

We need containment


Where we are going in the right direction:

9

Sandbox anybody? (or ‘Can I 0wn you please?’)

And where we are NOT going in the right direction:


10

Widgets going mobile

Who owns an iPhone? (can I 0wn you too?)


11

What is a Sandboxed environment

“A Sandbox is a code execution environment where access to assets is provided based on a pre-defined or dynamic security policy”

Also called ‘multi-layered security architecture’

Examples of Common Sandboxes
– Kernel / User-land Isolation (Windows, Mac OS X, Linux)
– “User A” Process vs “User B” Process
– Windows ACLs
• on every type of Windows objects
– Browser’s “Same Origin Policy” (to prevent XSS)
– Internet Explorer Security Zones
– Vista UAC (User Access Control)
• This is actually a “Sand Dune”
– Flash Sandbox
– Java Security Manager
– Microsoft Code Access Security (CAS)

12

Sandboxing

Sandboxing has two main benefits

– Contain malicious code
– Contain benign code executed with malicious content

And several positive side effects:
– Give end users visibility on the application’s security risk profile
– Define ‘Attack Surface’ (for example all input points)
– Detect attacks (since they need to break out of the Sandbox)
– Allow ‘certification’ services
– VERY IMPORTANT: Allow the reward of companies that develop ‘secure’ software (i.e. finally it would make business sense to write ‘secure’ applications)

13

You can use SandBoxing to mitigate:

OWASP Top 10 2007
– A1: Cross Site Scripting (XSS)
– A2: Injection Flaws
– A3: Malicious File Execution
– A4: Insecure Direct Object Reference
– A5: Cross Site Request Forgery (CSRF)
– A6: Information Leakage and Improper Error Handling
– A7: Broken Authentication and Session Management
– A8: Insecure Cryptographic Storage
– A9: Insecure Communications
– A10: Failure to Restrict URL Access

7 Kingdoms
– 1: Input Validation & Representation
– 2: API Abuse
– 3: Security Features
– 4: Time and State
– 5: Error Handling
– 6: Code Quality
– 7: Encapsulation (+ *Environment)

14

Sandbox everything!

The key is to:
– Separate Code from Data
• Most Injection flaws are ‘Type Safety’ issues:
– SQL Injection
– XSS
– Html Header Injection
– Etc…

Creating database queries and manipulating HTML are very privileged actions and should not be allowed by normal code

– Protect Application Assets with Sandboxes• Will solve most authorization issues

– Have VISIBILITY on the security implications of actions

– Run code in ‘least privilege’ environment

15

Proposed Business model

Instead of today’s model where 100% of the code can do everything

I want a world where 99% of the code runs in a very tight Sandbox and 1% of the code runs with the extra privileges
– This 1% will need to be certified by a trusted entity (internal or external)
– The 99% can be updated directly (using auto-update systems)
– But the 1% can only be updated once certified

– With this model Code Scanning Tools would make a MASSIVE difference (both in the 1% and in the 99% code)

I want to buy this service! Where are the providers?

16

No malicious code please

Today we live in a world where the security of our systems depends on our ability to prevent malicious code from executing inside those systems

– But malicious code will find its way into our systems, either placed by malicious users with authorized access, or via the exploitation of a vulnerability in the underlying OS or Support Applications (web server, .NET framework, etc...).

The question is: "How can you limit the damage caused by malicious code?"
– And that is mainly dependent on how robust and secure the run-time environment used to execute the malicious code is.

– And with Full Trust ASP.NET (or .NET console/windows applications) there is no protection for everything that the impersonated user has access to, and very little protection for the OS.

CAS (Code Access Security) is one of the best ideas to come out of Microsoft and one that (if fully implemented and supported) could solve this problem.

It seems that we are still in the ‘Infrastructure Security Paradigm’ instead of being on the 'Application Security

In other words: We are still trying to stop the barbarians at the gates, but (in 2007) the barbarians are already inside and will be much more in the future.

17

10 Immutable Laws of Security*

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea

*See http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

18

Looking closer at Law #1

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

– “…It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it.

– Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.

• It could monitor your keystrokes and send them to a website.
• It could open every document on the computer, and change the word "will" to "won't" in all of them.
• It could send rude emails to all your friends.
• It could install a virus.
• It could create a "back door" that lets someone remotely control your computer.
• It could dial up an ISP in Katmandu.
• Or it could just reformat your hard drive. (Dinis note: this one needs administrator privileges)

– That's why it's important to never run, or even download, a program from an untrusted source—and by "source," I mean the person who wrote it, not the person who gave it to you. …”

19

Looking closer at Law #4

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

– “….This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen above, unpleasant things can happen if a bad guy's program can run on your computer.

– If you run a website, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your website is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which he could control all of the sites on it—including yours. If you're on a shared server, it's important to find out what the server administrator's policies are. (By the way, before opening your site to the public, make sure you've followed the security checklists for IIS 4.0 and IIS 5.0)….”

20

Other laws

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

– So why do all programs require administrative privileges to install, which will give them those exact privileges?

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

– Doesn’t it make you feel a bit uncomfortable that your company’s cleaning department has that level of access?

• And you know how well they pay their staff..

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

– What about: ‘Most virus scanners have very limited capabilities!’. One could also say: ‘Having an updated virus scanner is only marginally better than having no virus scanner at all’

Law #9: Absolute anonymity isn't practical, in real life or on the Web

– OK, but what about some Privacy!

21

Changing the odds

With these ‘laws’ the following is true:
– You have to defend everything, since the attacker can attack everything
– You have to keep your defenses up all the time
– You are as weak as your weakest link
– The attackers have all the time in the world
– If you make one mistake you could be doomed
– Once the attacker has broken in (for example access to the internal network, software installed on targeted computer, compromised browser) it will be almost impossible to stop him

I much prefer the world where I (as a defender) only need to:
– Wait for the attacker to make one mistake and I know what he is doing and what he has done in the past

22

Proposed Law: ‘Companies have to disclose what they know’

Software companies to be forced to describe what they know about their product (reduce asymmetry of information)
– They don’t need to tell us the exact vulnerability details but we should know how many Critical, High and Medium issues they are aware of

– Of course this would require a standard definition of what is a Critical, High and Medium issue

Good SDL to be measured and quantified (even in Microsoft, did SharePoint Server receive the same level of security audits as Vista’s Network stack?)

23

The ‘catch me if you can’ game

Year 0: Vendor releases Product XYZ

Year 1: Security looks good as nobody really understands the new paradigms and technologies

Year 2-4: Attackers and security researchers start to understand what is going on and start exploiting Product XYZ

Year 5: Exploitation and vulnerabilities start to reach critical mass

Year 6: Vendor releases next version: ‘Product ABC’ with completely new paradigms and technologies

(go back to top & start loop again)

24

From Bruce: add liability

“…Today, the costs of insecure software aren't borne by the vendors that produce the software. In economics, this is known as an externality, the cost of a decision that's borne by people other than those making the decision.

There are no real consequences to the vendors for having bad security or low-quality software. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.

If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.

Liability law is a way to make it in those organizations' best interests. Raising the risk of liability raises the costs of doing it wrong and therefore increases the amount of money a CEO is willing to spend to do it right. Security is risk management; liability fiddles with the risk equation.…”

25

There are also the cases of ‘Legal’ Spyware

Texas Sues Sony for Violating Spyware Law
– “…The suit stems from Sony's use of a copy-protection software "rootkit" that installs hidden files on a user's computer, which can cripple it and leave it vulnerable to outside attacks.

– In a press conference announcing the suit, Texas Attorney General Greg Abbott accused Sony of "acting illegally" in hiding secret files on computers, and engaging in a "high-tech cloak and dagger" enterprise.

– It is unacceptable that any products containing invasive software are sold, especially when its presence is not properly disclosed and notified to the users. Furthermore, it is unacceptable that, after committing such serious offenses, anyone can believe that 'releasing a patch' can be enough to relieve the offender's responsibility.”

– Schneier criticized computer security companies such as McAfee and Symantec for not responding quickly enough to provide tools for detecting and removing the rootkit.

– What happens when the creators of malware collude with the very companies we hire to protect us from that malware?" he said. "We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything…."

26

Microsoft’s Code Access Security

Part of the .NET Framework, allows the restriction of what code executed can do:
– Based on policies (which define which permissions are allowed)
– Allows the protection of assets from malicious action
– Typical uses are to restrict operating system resources (files, registry, sockets) but can be used for much more


27

Code Access Security in Action

Restrict File IO

Request File I/O permissions

Request Registry permissions
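
An added example, not code from the original deck: a C# host that runs a hypothetical `Plugin` class in a CAS-restricted AppDomain, granting it only execution and read access to one directory, so file writes, reads elsewhere and environment variable reads are refused. It assumes .NET Framework 2.0 to 4.x (sandboxed AppDomains are not available on .NET Core or .NET 5+); the `Plugin` and `Host` names and the `cas-demo` paths are constructed for the demo.

```csharp
// Added example: CAS sandbox via a restricted AppDomain (.NET Framework only).
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical untrusted component. It is instantiated inside the sandboxed
// AppDomain, so every call it makes is checked against that domain's grant set.
public class Plugin : MarshalByRefObject
{
    private delegate void Step();

    public string[] Probe(string allowedFile, string outsideFile)
    {
        return new string[]
        {
            Attempt("read file inside granted dir ", delegate { File.ReadAllText(allowedFile); }),
            Attempt("write file inside granted dir", delegate { File.WriteAllText(allowedFile + ".new", "x"); }),
            Attempt("read file outside granted dir", delegate { File.ReadAllText(outsideFile); }),
            Attempt("read environment variable    ", delegate { Environment.GetEnvironmentVariable("PATH"); })
        };
    }

    // Runs one action and reports whether the CAS demand behind it succeeded.
    private static string Attempt(string label, Step step)
    {
        try
        {
            step();
            return label + " : allowed";
        }
        catch (SecurityException)
        {
            return label + " : denied (SecurityException)";
        }
    }
}

public static class Host
{
    public static void Main()
    {
        // Constructed sample data: one file the plugin may read, one it may not.
        string grantedDir = Path.Combine(Path.GetTempPath(), "cas-demo");
        Directory.CreateDirectory(grantedDir);
        string allowedFile = Path.Combine(grantedDir, "data.txt");
        File.WriteAllText(allowedFile, "constructed sample data");
        string outsideFile = Path.Combine(Path.GetTempPath(), "cas-demo-outside.txt");
        File.WriteAllText(outsideFile, "constructed secret");

        // The policy: start from nothing, then add exactly what the plugin needs.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery,
            grantedDir));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // No full-trust assemblies are listed, so everything loaded into this
        // domain (including this assembly) runs with the grant set above.
        AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant);
        try
        {
            Plugin plugin = (Plugin)sandbox.CreateInstanceAndUnwrap(
                typeof(Plugin).Assembly.FullName,
                typeof(Plugin).FullName);

            foreach (string line in plugin.Probe(allowedFile, outsideFile))
            {
                Console.WriteLine(line);
            }
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Only the first probe is permitted by the grant set; the other three fail their permission demands before any file or environment access takes place.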


28

Code Access Security in Action

Limit access to Web Services & environment variable

Constraining Socket Access (our browsers NEED this!)


29

Code Access security in action

Making authorization decisions (business Logic issues)

Request what you need

Restrict which code can call other code


30

Java WebStart

http://java.sun.com/products/javawebstart/
– Using Java Web Start technology, standalone Java software applications can be deployed with a single click over the network. Java Web Start ensures the most current version of the application will be deployed, as well as the correct version of the Java Runtime Environment (JRE).

http://java.sun.com/javafx/
– JavaFX, a new family of Sun Microsystems products based on Java technology and targeted at the high impact, rich content market. JavaFX comprises a comprehensive set of runtime environments, widgets, development tools, and scripting environments.

– JavaFX Script is a highly productive scripting language that enables content developers to create rich media and content for deployment on Java environments. Since JavaFX Script is statically typed, it has the same code structuring, reuse, and encapsulation features that make it possible to create and maintain very large programs using Java technology.

31

Java WebStart

Security is guaranteed because Java applications execute in a so-called sandbox mode that shields the Java software from all other system resources.

– Sun takes on Ajax, Apollo and Silverlight , http://www.vnunet.com/articles/print/2189315

JavaFX Script takes advantage of the Java security model so consumers can securely access assets (e.g., pictures, music files, word documents) on their desktop.

Applications written with JavaFX Script take advantage of Java technology's established traits, such as write-once-run-anywhere portability, application security, ubiquitous distribution, and enterprise connectivity.

– The latest Java Innovation - JavaFX, http://www.sun.com/featured-articles/2007-0508/javafx/index.jsp

32

Unofficial Java WebStart Security FAQ

On http://lopica.sourceforge.net/faq.html#nosandbox ‘Security, Signing, Sandbox’ section:

– Q: Can I use a secure socket (SSL) connection back to the host when my app runs in the sandbox?

• No, you need to request all-permissions for your app.

– Q: How can I turn off the sandbox?
• If your app is signed, you can call System.setSecurityManager(null) to turn off the sandbox. If you get rid of the security manager, your app should speed up as it no longer goes through security layers. Don't expect miracles, though.

– Q: Can I make Web Start use my own policy file?
• Web Start doesn't allow you to use your own policy file. A workaround that only works for Intranets is to patch Web Start. Change Web Start's default policy file to suit your needs or ditch it and create your very own.

– Q: Which trusted root certificates ship with Web Start?
• Web Start stores its trusted root certificates in the cacerts keystore. Use keytool -list -keystore cacerts to list all root certificates. Here's the condensed output from my machine:
– thawtepersonalfreemailca, thawtepersonalbasicca, verisignclass3ca, thawtepersonalpremiumca, thawteserverca, verisignclass4ca, cybertrust, verisignserverca, verisignclass1ca, thawtepremiumserverca, verisignclass2ca

– Q: Where can I get a free, zero-dollar Web Start key certificate?
• You can sign up for a free, zero-Euro key certificate underwritten by Thawte Free Mail at http://www.thawte.com/getinfo/products/personal/join.html. Web Start includes the Thawte Free Mail certificate in its built-in certificate key ring.

33

Java WebStart: Another example

From http://www.dallaway.com/acad/webstart/
– “…The only tricky part to all of this was the security. By default, Web Start has a very strict security policy. This is a good thing, because you know a Web Start application won't go and trash your hard drive, start looking through your email, or send messages over the net to some ad company.

– The nature of Sloppy is such that it needs to be able to talk to other web sites. That's what it does: it takes your requests, sends it to a web site, and then slows down the response. For this to work under Web Start, I needed to give Sloppy some extra security permissions. In fact, the current version of Web Start means that I have to give Sloppy unrestricted access to your computer. This is a bit over-the-top, but it's all or nothing right now. In the future the JNLP specification might allow more fine-grained permissions.

– To get this unrestricted permission I have to “sign” the application. This proves that it's me that sent the code, and that no-one has tampered with it. If you trust me, you can run the code, safe in the knowledge that I'm not interested in the contents of your hard drive or your email….”

34

Java WebStart: Another example (cont)

When running a signed JWS application not signed by a ‘recognized’ CA

– “…Notice the worrying phrases such as “it is highly recommended not to install and run the code”? The point of this exercises was to make Sloppy more available, not to scare everyone off.

– I took a good look at the list of certificate authorities known to Web Start and one stuck out: Thawte Freemail. In particular, the word “free”. I chased this down and it is indeed a free (no money) way to get a certificate for code signing.

– When I ran the Web Start with my newly signed application I get a much more respectable prompt…”

35

Java Web Start

36

Java FX - Another example

Applet with JavaFX Script UI and Server-Side Business Logic ( http://jukka.us/javafxapplet/article/index.html)

– “…After seeing the awesome demo of JavaFX Script at JavaOne 2007, I didn't care that it can't handle streaming media. What matters to me is that there is a way to create rich internet applications without having to deal with Javascript and XMLHttpRequest frameworks. I tried to find articles how people have deployed JavaFX Script applications on applets, and as of writing this, I haven't found any. Also many business applications need to utilize server-side business logic in addition to the rich user interface. This demonstration application shows how an Applet can start a JavaFX frame, and utilize server-side business logic to populate values in the user interface.

– JavaFX applets will require more permissions than what standard applet sandbox can provide. Without signing the jar-files, I experienced security Exceptions such as the one shown below:

– java.security.AccessControlException: access denied (java.util.PropertyPermission f3.embed read)

– I created a very simple user interface with one text field and one button. At this point I didn't add any logic to handle events….”

37

Java FX - Security (cont)

“…I created a very simple server-side service that I plan to use later on. The service prints the date stamp without any HTML or XML tags.

Modify the Script to Call the Web Service
– First I created a new inner class within the script called MyObject with a single text attribute. Then I created an instance of that class called myObject that I can use as reference within the script. I used the myObject.text as a reference in the TextField.value attribute. Lastly I implemented a new operation that contains Java code to create a URL connection and read the first line of contents from that URL to the myObject.text attribute. As a result, the JavaFX frame will update the current server-side timestamp to the text field whenever the button is pressed.

Deployment:
– I created a default web.xml deployment descriptor and deployed the application to a Tomcat 6.0 server.

Conclusion
– I finally got an applet that can run JavaFX Script files from an applet and call server-side business logic. You can test the applet by clicking here. This applet will have a security policy capable of accessing system resources, but I assure that the applet code does not do anything more than what is shown in this article…”

38

Free certificates!

Instructions on how to get a free certificate: http://www.dallaway.com/acad/webstart/renew.html


39

Microsoft ClickOnce

It's secure, and the sandbox is large enough that you can still do interesting things. - Mike Stall's .NET Debugging Blog ‘Click Once rocks.’

ClickOnce, part of version 2.0 of the Microsoft® .NET Framework, allows you to deploy Windows-based rich client apps to a desktop by placing the application files on a Web or file server accessible to the client and providing the user with a link. (Deploy and Update Your Smart Client Projects Using a Central Server MSDN)

40

ClickOnce

“…ClickOnce is a new application deployment technology that makes deploying a Windows Forms based application as easy as deploying a web application. With ClickOnce running a Windows Forms application is as simple as clicking a link in a web page. For administrators, deploying or updating an application is simply a matter of updating files on a server; no need to individually touch every client.

ClickOnce applications run in a secure sandbox provided by the CLR Code Access Security model. Visual Studio helps the developer author for the sandbox with features like F5 debug in security zone and a code analysis tool that determines an application’s needed permissions. For applications that need a higher level of trust, ClickOnce supports both a user prompting model and an enhanced security policy pre-deployment mechanism for administrators…”

from: Aa497348.aspx.htm, ClickOnce, MSDN

41

Security Considerations for ClickOnce Deployments

(Dominick Baier, DevelopMentor, Keith Brown, Pluralsight) aa719097(vs.71).aspx

– “…Microsoft .NET 2.0 introduces a new deployment technology called ClickOnce. Among other things, ClickOnce will make it much easier to deploy WinForms applications from central network locations. Part of the concept of ClickOnce is that users can decide if they want to trust and run code that doesn't originate from their local machine. While this solves a lot of the problems that caused people not to use .NET 1.1 href-EXEs, this may not be desirable for every scenario.

– ClickOnce is the new deployment technology in .NET 2.0 that is slated to solve all these problems. The major design goals of ClickOnce are:

• Make installations from network shares, URLs, and CDs seamless.
• Enable shell integration. For example, after the initial installation, applications can be launched from the Start menu (even while being offline).
• Automated updates and patching.
• Better user experience by providing a standardized UI.

– But the most important new feature when it comes to security is, if an application needs more permissions than it has been granted by policy, the end user can elevate permissions without the help of an administrator…”

42

Click Once: Elevate to Full Trust

The problem here is that it is possible to elevate to Full Trust!

From .NET Security Blog
– “…With v2.0 of the CLR, we’ve made things a lot easier via ClickOnce applications. You can use ClickOnce to request any permissions that your application needs to run effectively - if these permissions would elevate the application above what it would normally get, then the user is prompted to make a trust decision.

– This way your app can elevate to whatever permission level it needs, and you don’t have to worry about pushing out confusing CAS policy changes to everyone who wants to run it…”

43

Click Once could allow good decisions

“…Trusted Application Deployment, part of the ClickOnce deployment technology, makes it easier for organizations of any size to grant additional permissions to a managed application in a safer, more secure manner without user prompting.

With Trusted Application Deployment, an organization can just configure a client computer to have a list of trusted publishers, who are identified using Authenticode certificates. Thereafter, any ClickOnce application signed by one of these trusted publishers receives a higher level of trust….”

If only there was focus on it :(

44

Silverlight

Microsoft’s version of AIR and Java FX

Sandboxed at the moment:

– All applications written for Silverlight are security transparent. This means that they cannot
• Contain unverifiable code
• Call native code directly

It is CAS (Code Access Security) without the name and without some major parts (like Demands, Policies, etc…)

Big question is how will MS implement the extra features (like File Access for example)?

45

Adobe’s AIR (previously called Apollo)

http://downloads.zdnet.co.uk/0,1000000375,39316712s,00.htm?r=1

“…Adobe AIR is a cross-operating system runtime being developed by Adobe that allows developers to leverage their existing web development skills (Flash, Flex, HTML, JavaScript, Ajax) to build and deploy rich Internet applications (RIAs) to the desktop.

AIR enables developers to create applications that combine the benefits of Web applications--network and user connectivity, rich media content, ease of development, and broad reach--with the strengths of desktop applications--application interactions, local resource access, personal settings, powerful functionality, and rich interactive experiences…”

46

Air Security model

From http://labs.adobe.com/wiki/index.php/AIR:Developer_FAQ

“…What security model does the Adobe AIR runtime provide?

– Our goal is to provide the functionality that developers need and want, while also allowing them to create secure applications.

– While we are still finalizing the security policy, at the root of any policy is the fact that Adobe AIR applications are downloaded to, installed, and run from the user's desktop. They thus run in a different security context than applications that run in the browser, and will have a security model closer to that of a desktop application…”

47

SQL Injection on AIR

Adobe Integrated Runtime (AIR) includes the capability of creating and working with local SQL databases. The runtime includes a SQL database engine with support for many standard SQL features.

“local SQL databases” Flex developer guide

From http://www.itwriting.com/blog/?p=253

– AIR makes no attempt to isolate databases based on the origin of the application.

– In AIR, a SQLite database may be anywhere in the file system, and it’s equally available to any AIR application - a big hole in the AIR sandbox. (check if still true)

Adobe’s answer:

– ”…On the other hand, an AIR application doesn’t require or use a browser. In order for a user to access an AIR application, he or she must first choose to install the application, including going through a security dialog that will describe whether the application was signed with a security certificate. In this way, an AIR application is comparable to any other desktop application, such as one written in C++. Since any C++ application could theoretically include the SQLite library, installing an AIR application is no different from installing any C++ application in the sense that, by doing so, a user opens himself up to possible abuses and security risks. (http://probertson.com/articles/2007/06/21/securing-air-sql-database/).

– On the other hand, all this openness actually has benefits. Since my app can read files written by another app, I can write two different apps that can understand each others’ data. If I make a certain kind of app, and later you make another app that does the same thing but does it better, you can read my file format and import my data into your app — meaning you can help users migrate from my crummy app to your awesome one…”

48

Same hope for AIR

From http://livedocs.adobe.com/labs/air/1/devappshtml/help.html?content=Detecting_Apollo_capabilities_1.html

– “…All resources that are not installed with the AIR application are put in security sandboxes based on their domains of origin. For example, content served from www.example.com is put in a security sandbox for that domain.

– Although content outside of the AIR application security sandbox may access AIR runtime APIs, but some functionality (such as attempting to read files from the filesystem) will result in a runtime security exception…”

From http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=72&catid=641&threadid=1288496&enterthread=y

– ”…In the Adobe® Integrated Runtime, content in the application security sandbox (such as content installed with the AIR application) can use any request headers, without error. However, for content running in the Adobe Integrated Runtime that is in a different security sandbox, or for content running in Flash® Player, using following request headers cause a runtime error to be thrown, and the restricted terms are not case-sensitive (for example, Get, get, and GET are each not allowed)…”

49

Or maybe not

From: AIR:Articles:Adobe AIR Local File System Access ( http://labs.adobe.com/wiki/index.php/AIR:Articles:Adobe_AIR_Local_File_System_Access )

– “…With the File API, AIR applications can take advantage of an unprecedented level of access to the user's local file system. AIR applications run in their own security sandbox and aren't confined by the limitations web developers have grown accustomed to inside of the browser. In traditional web applications, the only file system action available is selecting a file to be uploaded to a server. AIR expands on this ability by enabling developers to perform operations such as:

• Create Files and Directories

• Open and Read Files

• Write Files

• List the contents of a Directory

• Find the user's home or documents directory

• Inspect File and Directory Properties …“

50

Section #2

Sandboxing: Where we need to go!

(and how Code Access Security can be used to mitigate against the OWASP Top 10)

51

Overview

Sandboxing: Where we need to go! (and how Code Access Security can be used to mitigate against the OWASP Top 10)

Following on from his 'Sandboxing: Where are we today?' talk, Dinis Cruz will present practical examples (with code samples) of dynamic Sandboxes implemented using Microsoft's Code Access Security (CAS) which allow the mitigation of vulnerabilities such as the ones documented in the OWASP Top 10.

Against the common belief that Sandboxing can only be used to protect host resources (network sockets, file system, process creation, etc...) this talk will show how Sandboxes can be strategically implemented to protect an application's resources and vulnerabilities in exposed capabilities (usually called 'business logic vulnerabilities').

A roadmap for the future will also be presented with practical examples on how to move to a world where Sandboxed environments are deployed to protect our servers, desktops and browsers against the new generation of malicious business models.

52

You can use SandBoxing to mitigate:

OWASP Top 10 2007

– A1: Cross Site Scripting (XSS)
– A2: Injection Flaws
– A3: Malicious File Execution
– A4: Insecure Direct Object Reference
– A5: Cross Site Request Forgery (CSRF)
– A6: Information Leakage and Improper Error Handling
– A7: Broken Authentication and Session Management
– A8: Insecure Cryptographic Storage
– A9: Insecure Communications
– A10: Failure to Restrict URL Access

7 Kingdoms

– 1: Input Validation & Representation
– 2: API Abuse
– 3: Security Features
– 4: Time and State
– 5: Error Handling
– 6: Code Quality
– 7: Encapsulation (+ *Environment)

53

DEMOS

Secure HackMeBank

– Protections against SQL Injection

• using PostSharp

• using managed SQL query

– Protections against XSS

• using forced Encoding

• using managed Html builder

Protecting Business Logic

– Microsoft Enterprise Library: Policy Injection Application Block

54

Why is there a Lack of focus on Partial Trust Managed Code?

There are numerous reasons that explain the current lack of focus (and faith) by Microsoft (and others) on Partial Trust Managed Code (PTMC), the main ones being:

– The lack of attacks on Full Trust environments (think of all those ISPs selling Full Trust ASP.NET accounts which are trivial to exploit and 0wn)

– The failure by Microsoft’s .NET team to implement certain types of applications and OS components in Partial Trust Managed Code (you can just hear the C++ crowd saying “man those guys can’t even do it in Full Trust!!!”)

– The non-existence of public attacks that exploit the fact that our “main security defense method is the reliance on the non-execution of malicious code in our environments” (this would have changed if WinZip, Flash or Adobe (for example) had been infected with malicious code that was successfully exploited in a spectacular and public way)

– (from Microsoft’s point of view) the fact that its main competitors are also in denial and not going in that direction

55

For Microsoft the solution has 6 areas

– Technological
– Political
– Strategic
– Economical
– Social
– Educational

56

Technological

Dynamically calculate required CAS permissions

Refactor code that requires higher permissions into separate assemblies (so that only 1% of the code will need to run outside the Sandbox)

Converters of unmanaged code to managed code (i.e. C++ to C#, VB6 to VB.Net, etc…)

Much better source code audit tools that identify vulnerabilities or areas that might have vulnerabilities

“.Net Time-machine (ala Flight Recorder)” - Much better Smart fuzzers (to find run-time vulnerabilities)

‘Security rating calculators’ which will give a product (or dll) a rating based on the ‘threat profile of that application’ (for example the more unmanaged code, the worse rating). This will be a very important part of the ‘Partial Trust Brand’

Development environments that allow the development of complex and feature rich Partial Trust applications like IE in managed code

New execution environments (aka mini CLRs) that allow the execution of Managed/Verifiable code in: Services, Drivers, plug-ins etc…

New Virtual PC Execution environments that allow the safe execution of ‘potential malicious applications’ whose interface with the user’s assets is controlled by a managed/verifiable application (and CAS policies)

‘What is going on’ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the ‘execution monitoring system’ I want to know that it did.

57

Technological (cont)

Tools that allow the easy development and use of CAS and RBS (Role Based Security) and frameworks for securing an application’s Business-Logic (for example using CAS to prevent a user’s account from being changed, or a bank account from being accessed)

Code Coverage Tools - To know how much of an application has been tested, fuzzed or executed

‘Real time Hot Patching of Jitted methods (without using the .NET profiler)’ - For advanced defence solutions we will need the capability to make changes to jitted code (i.e . writing patches in C#)

For ASP.NET we need:

– WAF (Web Application Firewalls) with pluggable modules for: Data Validation, Authentication, Authorization, Anti-CSRF, DoS, Business-Logic vulnerabilities, etc…

– A framework similar to Struts (which forces the developers to do the right thing, i.e. explicitly define all inputs into their application)

– IDS (Intrusion Detection Systems) with the capability to change the application’s behaviour when under attack

– Native Http Pipeline for IIS 5 and 6 to protect ASP Classic pages

– CAS demands for dangerous methods (for example methods and classes that allow SQL Injections, XSS, etc…)

• The current CAS permission’s model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its code

• CAS demands for methods or code that ’should’ exist (for example data validation checks, authorization, etc….)
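The business-logic protection described on this slide (stopping an account's owner from being changed, or a bank account from being accessed), as an added example that is not from the original slides or the HackMeBank demo. It assumes the .NET Framework (3.5 or later) and uses `PrincipalPermission` (Role Based Security) demands; `AccountService`, the account data and the role names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical bank account record (illustrative names, not HackMeBank code).
public sealed class Account { public string Owner; public decimal Balance; }

public static class AccountService
{
    // Constructed sample data.
    static readonly Dictionary<string, Account> Accounts = new Dictionary<string, Account>
    {
        { "1001", new Account { Owner = "alice", Balance = 500m } },
        { "1002", new Account { Owner = "bob", Balance = 75m } },
    };

    // Per-object check (Insecure Direct Object Reference): the caller must be
    // this account's owner in the Customer role, or any user in the Teller role.
    // The demand is evaluated against Thread.CurrentPrincipal.
    public static decimal GetBalance(string accountId)
    {
        Account acct = Accounts[accountId];
        IPermission ownerOrTeller = new PrincipalPermission(acct.Owner, "Customer")
            .Union(new PrincipalPermission(null, "Teller"));
        ownerOrTeller.Demand(); // throws SecurityException if neither matches
        return acct.Balance;
    }

    // Declarative check: only tellers may change who owns an account.
    [PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
    public static void ChangeOwner(string accountId, string newOwner)
    {
        Accounts[accountId].Owner = newOwner;
    }
}

public static class Demo
{
    static void RunAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
    }

    // Runs an operation and reports "denied" when a demand fails.
    static string Try(Func<string> action)
    {
        try { return action(); }
        catch (SecurityException) { return "denied"; }
    }

    public static void Main()
    {
        RunAs("alice", "Customer");
        Console.WriteLine(Try(() => AccountService.GetBalance("1001").ToString()));
        Console.WriteLine(Try(() => AccountService.GetBalance("1002").ToString()));
        Console.WriteLine(Try(() => { AccountService.ChangeOwner("1002", "alice"); return "changed"; }));
        RunAs("carol", "Teller");
        Console.WriteLine(Try(() => AccountService.GetBalance("1002").ToString()));
    }
}
```

Because the demand sits inside the business method, a page that passes another customer's account id is refused even if the page itself forgets to check: alice can read account 1001 but is denied on 1002 and on `ChangeOwner`, while the teller can read 1002.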

58

Political

Microsoft (and Sun) needs to come out loud and clear and say ‘Managed Verifiable code is the way to go, and we all (MS and its community) need to go that way’

The fact that Sun, Apple, Google and the Linux crowd are not doing this should not be seen as an excuse but it should be seen as an opportunity.

We need a ‘Towards a Managed and Verifiable world’ memo

59

Strategic

Microsoft needs to change its core business model from selling massive highly-coupled applications (best examples are OSes, the .NET Framework and the online web services: MSN, Live, etc…) and go to a model where each application and component is developed, executed and sold separately (note that online services need even MORE security than normal software packaged applications).

For this to work, Microsoft would need to ‘really’ embrace open standards and multi-layer application models where each layer (or component) is 100% independent and the only communication channels between layers are simple, open and well documented.

Ultimately Microsoft must find a way to make money selling ‘Secure’ Environments and Applications

60

Economical

It must make commercial sense to write managed/verifiable code (in both Windows and ASP.NET worlds). Which means that the paying clients that are purchasing software/applications/services MUST demand such code (and MUST reward the companies that write them)

It also must make commercial sense (and be realistic) for companies to provide ‘Application security verification services’ . And this is a big opportunity for security vendors: “give me a service that checks and certifies applications and I will pay for it (as a monthly subscription).”

61

Social

We have to stop blaming the users for using our products the way they were supposed to be used. The current security model where the user is expected to make a major security decision on every prompt doesn’t work (and will not hold much longer).

It is not the User’s responsibility to restrict malicious code execution, it is the OS’s (and application audit security teams’) responsibility.

Also remember that the browser is becoming the target, and for example:

– the users will not care if their OS (or kernel) is not compromised if they just lost their assets

– the attackers will not care if their exploit doesn’t survive a reboot if they are able to steal/exploit the user’s assets

62

Educational

There will need to be a big push on how to program for Partial Trust environments, and there must be a special focus in teaching the Network and Infrastructure teams since they should be the ones that define the CAS policies (not the developers)

63

Security Awareness Mode

While analyzing the different responses and attitudes that companies and product teams have in relationship with security, I came up with the following 4 Awareness Modes which I am now calling the ‘Security Awareness Modes’

– ‘Awareness Mode 1) Blissful ignorance’ - When companies have no idea of their vulnerabilities. This changes when they are attacked or pay for a competent and thorough security penetration test

– ‘Awareness Mode 2) The Patching Dance’ - When companies know where the problems are, and issue regular patches to solve them (this mode usually contains a healthy security full-disclosure market)

– ‘Awareness Mode 3) The SDL Dream’ - After a while in mode 2, companies start to fall for the dream that ‘we can detect, solve or greatly reduce these issues using a strong, security focused SDL’

– ‘Awareness Mode 4) The Alignment’ - Once the limitations of Mode 3 are apparent (and correctly diagnosed) the companies realize that the only ‘real’ solution is to change their business model

64

Day Microsoft changes

Microsoft is currently in Mode 3 with its 2007 releases (Vista, Office, Sharepoint, etc…) and on Mode 2 with its other OSes (and products) and Mode 1 with its online services.

The day the following happens, will be the day that Microsoft is aligning its business model to its security requirements:

– Making Partial Trust the default for local deployed applications (and the GAC)

– De-coupling of the OS and its current bundled applications (i.e. stop selling Megalomaniac Operating Systems, and start selling each major component separately: Kernel, windows GUI, User Applications, IE, IIS, etc…)

– De-coupling of the .NET framework and its core components

– Focus on Managed/Verifiable code (creating the ‘Brand’ that will make clients recognize such products)

– Really embracing Open Standards and stopping ‘lock-in predatorial

– Running online services under partial trust (making their clients aware of it, and tying its SLA to it)

– Giving buyers visibility into the real security status of their products

65

It is even worse in Web 2.0 world!

Note that moving software in-house to provide it as a service (as Google will soon find out) is not something that has fewer security requirements than normal ‘desktop/server packaged applications’; it has MORE security requirements, since its security exploitation will affect ALL customers (i.e. in a ’software by service’ mode, Awareness Mode 4 is even more important)

66

Big Vision - Code Execution Road Map

Code Execution Road Map

So the logic here is that by 2011 there has been a clear and hard move to execute non-kernel code in Partial Trust Managed Code environments (note that I group Full Trust with unmanaged code) together with the use of VPCs (or VMware) to execute certain types of applications which don’t need direct access to the user’s assets (for example games)

And that by 2015/2020, the conversion is made and most of the code executed is Partial Trust Managed Code. The issue will then be the security of that 1% of unmanaged & Full Trust code, and the CAS policies that control the rest of the code (and that will be a job for the security companies).

Code Execution Location | Today | 2011 | 2015/2020
Kernel (Unmanaged & Managed Full Trust) | 10% | 9.5% | 1%
Kernel (Partial Trust Managed Code) | 0% | 0.5% | 9%
Admin/System code (Unmanaged & Managed Full Trust) | 30% | 25% | 1%
Admin/System code (Partial Trust Managed Code) | 0% | 5% | 19%
User-land code (Unmanaged & Managed Full Trust) | 59% | 20% | 1%
User-land code (Partial Trust Managed Code) | 1% | 20% | 29%
Virtual PC environments | 0% | 20% | 40%

67

Road Map

The good news is that although we will probably still need some types of AV, IDS, HPS (or whatever they will call themselves at the time), in this managed and verifiable world these tools will actually have a chance to detect and contain malicious behaviour / activities.

The reason I am moving a lot of code into the Virtual PC world is because I was looking at some of the use-cases of the software that is used every day, and there are large types of applications which only need “hardware + OS resources” to run (games are the best example), and don’t need any (or need only very limited) access to the user’s assets. So in those cases it makes sense to run those apps in virtual pc environments, and here think ‘Citrix Application Virtualization’ ( http://www.citrix.com/English/ps2/products/product.asp?contentID=186) and not ‘VMWare’ (note that those applications don’t need an entire OS, they should only need the hardware, the kernel, the win32 APIs and a couple of supporting services).

Ideally that ‘bridge’ between the Virtual PC environment and the user assets would be implemented via a PTMC (Partial Trust Managed Code) application which would then enforce CAS rules on accesses to the user’s assets

Even I, with my focus on PTMC applications, know that PTMC games will NOT happen anytime soon, and since most games NEED almost full access to the user’s hardware (and admin/system access) there is NO way they will be written in user-land PTMC (on that note, we might want to make some changes in our hardware access so that code running under admin / system inside one of those VMs can NOT rootkit my network card by patching its flash memory).

So I think that with time we will find that large parts of the apps we run every day are executed inside these ’sandboxed’ OS environments.

68

That’s it

Questions?

Thanks