Security Now 285
Topic: Browser Fuzzing
Recorded: 26 Jan 2011
Published: 26 Jan 2011
2:33 - 4:18
- Google awards its first "Elite" Chromium Security Award of $3133.7 to Sergey Glazunov for finding and reporting a CRITICAL problem with a stale pointer in speech handling.
- Sergey also made a bunch more money with multiple $1,000 rewards.
- Overall: 1 - Critical, 13 - High, 2 - Medium
4:19 - 7:52
- Facebook offers 100% SSL & HTTPS option beginning today
- "Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page."
7:53 - 11:26
- Attorney-Client Privilege does not apply with employer-based eMail
- California Appeals court (Sacramento 3rd Appellate District) found that a secretary's eMail communication to her attorney over an employment dispute was not privileged.
- “… [T]he e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard,” the court wrote.
11:27 - 12:25
- Verizon is challenging the FCC's recent Net Neutrality position, banning providers from selectively throttling broadband traffic over their networks.
12:26 - 15:29
- A US Congressional panel is holding a hearing this week to consider reviving the impossible-to-implement ISP Data Retention Bill.
- Would require ISPs to retain their customers' Internet data for two years.
15:30 - 16:06
- Cisco's annual 2010 Security Report indicates that cybercrime appears to be migrating from desktops which are increasingly well secured to mobile devices, which are inherently much more vulnerable.
16:07 - 28:35
- Browser vendors stir over behavioral advertising tracking & profiling
- Mozilla introduces a different Do Not Track header:
- Tracking-Preference: do-not-track
- Georgio replied:
- Why invent yet another header ("X-Tracking-Choice") rather than reuse the "X-Do-Not-Track" proposal, which is already implemented in NoScript and Adblock Plus, and also endorsed by yourself?
- Google's Chrome
- IE9 - XML-based TPL (Tracking Protection Lists)
- http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx
- IE8 was going to have it, but advertisers pressured MSFT to remove it.
- 1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
- 2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.
28:36 - 30:24
- Bruce Schneier blogs that:
- A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.
- Massively parallel bacterial data storage system
- Error tolerant data encoding/decoding system
- Recombination module for data encryption
- Ready for the exciting future of Biocomputer!
30:25 - 33:40
33:41 - 35:50 Peter Elkins (Unknown)
SpinRite fixed a broken hard drive
38:13 - 1:09:21
- Michal Zalewski (A Google engineer) releases cross_fuzz for browsers
- "I am happy to announce the availability of cross_fuzz - an amazingly effective, but notoriously annoying, cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more."
- Fuzzing is a software testing technique which sends malformed junk (invalid, unexpected or pseudo-random data) to the inputs of an interpreter or parser of some sort to see whether it can be destabilized by input it was not designed to handle.
- The term Fuzz originated in the fall of 1988 from a class project topic in Prof. Barton Miller's graduate University of Wisconsin Advanced Operating System class. The assignment was titled "Operating System Utility Program Reliability - The Fuzz Generator."
- Formal Test Suite development parallels Code Generation
- AKA Regression Testing
- A common functional Specification drives:
- A team of product coders, and a parallel team of test suite coders
- Initial results:
- The largest number of bugs were identified in Firefox, ten by Michal and another 50 after cross_fuzz was integrated into Mozilla's existing testing platform.
- The Firefox issues have since largely been addressed, but some more obscure and hard to analyze crashes still occur.
- All WebKit-based browsers: Approximately 24 crashes identified.
- Developers notified in July of 2010.
- Relevant patches have been released. Some very subtle problems persist.
- Opera was also notified in July 2010 and all of the frequent crashes were fixed in Opera 11.
- What is DOM?
- Contemporary web browser layout engines parse incoming HTML into a DOM for the page.
- Document Object Model:
- A means for client-side scripting to access, examine and manipulate web pages described by documents in HTML, XHTML and XML.
- E.g. document.formName.inputName
- Items can be created, deleted, read, written (populated) on the fly.
- Client-side form validation and dynamic tricks like "rollovers"
- The DOM is organized like a tree with the document ROOT
- Paragraph content, image references, form fields, tables, etc.
- Each element of the document is a named descendant off the root and sub-elements are descendants of those... and so on.
- Michal's cross_fuzz Algorithm:
- Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default - although any other, possibly plugin-supported formats could be targeted instead.
- Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
- Repeat DOM crawl, randomly tweaking encountered object properties by setting them to one of the previously recorded references (or, with some probability, to one of a handful of hardcoded "interesting" values).
- Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and "interesting" values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
- Randomly destroy first document using one of the several possible methods, toggle garbage collection.
- Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
- Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.
- In short, a web browser DOM fuzzer: a maximally aggressive script that thrashes around inside the browser trying to cause trouble.
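The crawl-and-tweak core of the algorithm above, as an added illustration that is not cross_fuzz's own code: it runs under Node over a constructed object tree standing in for a DOM (makeDocument, crawl and tweak are this example's own names), and shows the injected visited-tag that stops infinite recursion, the blacklist that keeps the crawl out of the master window, and the shuffle/fanout control that spreads coverage.

```javascript
const TAG = '__cf_visited__';  // injected, non-enumerable property marking visited objects
const BLACKLIST = new Set(['top', 'parent', 'opener', 'location']);  // never descend or navigate
const INTERESTING = [0, -1, 2147483647, '', 'A'.repeat(1024), null, undefined];
function makeRng(seed) {  // seeded LCG so a run is reproducible (cross_fuzz uses Math.random())
  let s = seed >>> 0;
  return () => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s / 4294967296; };
}
function shuffle(arr, rng) {  // Fisher-Yates; random order is what gives the crawl its coverage
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}
// Constructed stand-in for a DOM (not a real document): a small tree with parentNode
// back-links, which form cycles, and a `top` property standing in for the master window.
function makeDocument() {
  const doc = { nodeName: '#document', title: 'constructed', childNodes: [] };
  const body = { nodeName: 'BODY', parentNode: doc, childNodes: [] };
  const form = { nodeName: 'FORM', parentNode: body, childNodes: [], action: '/x' };
  const input = { nodeName: 'INPUT', parentNode: form, childNodes: [], value: 'a', maxLength: 10 };
  doc.childNodes.push(body); body.childNodes.push(form); form.childNodes.push(input);
  doc.top = { nodeName: 'MASTER' };
  return doc;
}
// Phase 1: crawl and collect references. TAG stops infinite recursion on the parentNode
// cycles, BLACKLIST keeps the crawl out of `top`, and fanout/maxDepth bound each pass.
function crawl(root, rng, { fanout = 3, maxDepth = 6 } = {}) {
  const refs = [];
  (function visit(obj, depth) {
    if (obj === null || typeof obj !== 'object' || obj[TAG] || depth > maxDepth) return;
    Object.defineProperty(obj, TAG, { value: true, enumerable: false });
    refs.push(obj);
    const keys = shuffle(Object.keys(obj).filter(k => !BLACKLIST.has(k)), rng);
    for (const k of keys.slice(0, fanout)) visit(obj[k], depth + 1);
  })(root, 0);
  return refs;
}
// Phase 2: overwrite roughly half of each collected object's properties with a collected
// reference or, with probability 0.2, an "interesting" value. Returns the keys written.
function tweak(refs, rng) {
  const writes = [];
  for (const obj of refs) {
    for (const k of Object.keys(obj)) {
      if (BLACKLIST.has(k) || rng() < 0.5) continue;
      const pool = rng() < 0.2 ? INTERESTING : refs;
      try { obj[k] = pool[Math.floor(rng() * pool.length)]; writes.push(k); } catch (e) { /* read-only */ }
    }
  }
  return writes;
}
```

Run it as `const rng = makeRng(285); const refs = crawl(makeDocument(), rng); tweak(refs, rng);` and note that a second crawl of the same tree collects nothing, because every object is already tagged; that is why cross_fuzz carries references over between cycles rather than re-crawling.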
- Classic Fuzzing Problems
- Making something mysteriously break is VERY different from finding a bug (You're demonstrating an unknown bug)
- To wit: The fuzzer is STILL ABLE to break EVERY web browser. Many problems were easy to find and fix; others are still not understood.
- Remember: Microsoft's dilemma of not being able to make IE break last summer.
- ad times: :51 - 1:10 and 36:05 - 38:11
- Edited by: Jeff