LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Google's Native Client

By Jake Edge
June 3, 2009

Allowing browsers to run native code downloaded from a web site has some attractions, at least at first blush. But, once some thought is put into it—or the serious security problems with Microsoft's ActiveX are recalled—the security flaws of the scheme become readily apparent. Google is resurrecting the idea in their Native Client (NaCl) research project, but rather than rely on trust, as ActiveX does, NaCl takes steps to verify the code before running it. As a weblog posting by Matasano Security describes, there are rather substantial technical barriers to overcome, but, even then, there are still some fairly serious repercussions to running native code from an untrusted site.

The reasons that native code is so attractive are that it allows for much better performance along with access to graphics and a user interface that isn't HTTP-based. One of the NaCl demos is a port of Quake so that it can run in the browser. Certainly games are one place where NaCl is attractive, but, also, for any existing program—at least those that aren't written in Java, Flash, or Silverlight—porting it to a new language is not required. For those who think that essentially all applications will eventually be delivered by the web, NaCl (or something like it) seems required.

But, as malware developers know, the x86 architecture has lots of ways to obscure the operation of a program in order to try to elude any kind of automatic vetting. The instructions are of variable length and malicious programs can jump anywhere in the stream, not just at the instruction boundaries found by a disassembler. In addition, x86 programs can execute from data, so that malicious programs can write some code to memory and jump there. These kinds of things cannot be determined by just examining the program binary, so Google leveraged some earlier work [PDF] to restrict the kinds of programs NaCl will execute.

Basically, NaCl requires that the code be structured such that it can be verified automatically. That means that disassembling the code must produce a stream of recognizable instructions and that jumps must land at the beginning of one of those instructions. In addition, self-modifying code is disallowed. With those restrictions in place, NaCl can verify that the code doesn't do anything that is disallowed.

NaCl then enforces some additional rules, disallowing memory management hacks that could fool the verifier and requiring that all system calls go through a "gate" in the first 64K of the code. Only certain calls are allowed through the gate, which is how NaCl protects against arbitrary code being executed. Google has created a patched version of GCC that will create an ELF-format file which follows the rules.

All of that may sound enticing, but Matasano puts a definite damper on enthusiasm for the technique. In some ways, it is similar to what Java applet sandboxes do, but Java has been around for quite some time, so many of the problems with its implementation have been found and fixed. Google sponsored a contest to try to shake out some of the problems with NaCl. Matasano participated and the blog post is essentially a report of what they and others found.

The basic problem is that bugs in the verifier, loader, or trusted system call gate can generally be immediately turned into exploits to run arbitrary code. The posting outlines a number of problems that they or other contest teams found. Until the NaCl components reach a level of maturity similar to—or even beyond—that of the Java applet sandbox, running native code in the browser is going to be a dicey proposition. A particular area of concern is that the system call gate must do its job based on what call is being made and the contents of the memory being passed, which is a much harder job than the equivalent for the Java sandbox (which is expressed in terms of Java classes and data structures).

But, even if all of the bugs with NaCl itself were found and fixed—an impossible task—there is still an architectural hole that was specifically removed from consideration in the contest: side-channel attacks. There are a number of attacks against keys and other sensitive information that can be made using timing analysis. By timing repeated executions of the code of interest, cache effects as well as branch prediction information can be extracted, which can then be used to recover keys or other information.

While the side-channel attacks are probabilistic in nature, they get better with repetition. If an attacker were able to add that kind of analysis as part of a popular game, for example, it would have ample opportunity to run. Since the kind of abilities required by the side-channel program are not very different than other, legitimate programs that NaCl would want to run, there is little that can be done to stop this kind of abuse. Whether it is a practical attack is hard to judge, but undoubtedly some attackers are already looking at it.

It seems likely that any security-conscious user is not going to be too interested in running code in NaCl anytime soon—if ever. Unfortunately, the same folks who are willing to run ActiveX programs from random internet sites might be quite willing to do the same with NaCl. That could lead to an ugly security breach of some kind, but one could argue that it is not really any worse than things are today. Running untrusted code is dangerous and there aren't many ways around that.

Comments (24 posted)

New vulnerabilities

cups: denial of service

Package(s):cups, cupsys CVE #(s):CVE-2009-0949
Created:June 3, 2009 Updated:December 8, 2009
Description: The CUPS IPP code contains a null-pointer dereferencing bug. An attacker can exploit this flaw to crash the server, leading to a denial of service.
Alerts:
Mandriva MDVSA-2009:282-1 2009-12-07
Mandriva MDVSA-2009:282 2009-10-19
Mandriva MDVSA-2009:283 2009-10-19
Mandriva MDVSA-2009:281 2009-10-19
SuSE SUSE-SR:2009:012 2009-07-03
CentOS CESA-2009:1082 2009-06-10
CentOS CESA-2009:1083 2009-06-03
Red Hat RHSA-2009:1082-01 2009-06-03
Red Hat RHSA-2009:1083-01 2009-06-03
Ubuntu USN-780-1 2009-06-03

Comments (none posted)

drupal6: cross-site scripting

Package(s):drupal6 CVE #(s):
Created:June 1, 2009 Updated:June 3, 2009
Description:

From the Debian advisory:

Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability.

Alerts:
Debian DSA-1808-1 2009-06-01

Comments (none posted)

eggdrop: remote denial of service

Package(s):eggdrop CVE #(s):CVE-2009-1789
Created:June 2, 2009 Updated:December 8, 2009
Description: From the Mandriva advisory: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy.
Alerts:
Mandriva MDVSA-2009:126-1 2009-12-08
Debian DSA-1826-1 2009-07-04
Mandriva MDVSA-2009:126 2009-06-01

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):linux-2.6 CVE #(s):CVE-2009-1630 CVE-2009-1633 CVE-2009-1758
Created:June 2, 2009 Updated:February 15, 2010
Description: From the Debian advisory:

Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. CVE-2009-1630

Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. CVE-2009-1633

Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). CVE-2009-1758

Alerts:
SuSE SUSE-SA:2010:012 2010-02-15
SuSE SUSE-SA:2009:045 2009-08-20
Debian DSA-1865-1 2009-08-16
Red Hat RHSA-2009:1211-01 2009-08-13
Debian DSA-1844-1 2009-07-28
SuSE SUSE-SA:2009:056 2009-11-16
SuSE SUSE-SA:2009:054 2009-11-11
rPath rPSA-2009-0111-1 2009-07-24
SuSE SUSE-SA:2009:038 2009-07-23
Red Hat RHSA-2009:1157-01 2009-07-14
Mandriva MDVSA-2009:148 2009-07-07
Ubuntu USN-793-1 2009-07-02
Red Hat RHSA-2009:1132-01 2009-06-30
CentOS CESA-2009:1106 2009-06-19
Mandriva MDVSA-2009:135 2009-06-17
Red Hat RHSA-2009:1106-01 2009-06-16
SuSE SUSE-SA:2009:031 2009-06-09
Debian DSA-1809-1 2009-06-01

Comments (none posted)

libsndfile: arbitrary code execution

Package(s):libsndfile CVE #(s):CVE-2009-1788 CVE-2009-1791
Created:May 28, 2009 Updated:December 4, 2009
Description: libsndfile has a pair of arbitrary code execution vulnerabilities. From the Gentoo alert:

Tobias Klein reported that the header_read() function in src/common.c uses user input for calculating a buffer size, possibly leading to a heap-based buffer overflow (CVE-2009-1788).

The vendor reported a boundary error in the aiff_read_header() function in src/aiff.c, possibly leading to a heap-based buffer overflow (CVE-2009-1791).

Alerts:
Mandriva MDVSA-2009:132-1 2009-12-03
Fedora FEDORA-2009-11618 2009-11-16
Fedora FEDORA-2009-11499 2009-11-16
SuSE SUSE-SR:2009:013 2009-08-11
Ubuntu USN-849-1 2009-10-15
Debian DSA-1814-1 2009-06-13
Mandriva MDVSA-2009:132 2009-06-07
Gentoo 200905-09 2009-05-27

Comments (none posted)

ocsinventory: SQL injection

Package(s):ocsinventory CVE #(s):CVE-2009-1769
Created:June 2, 2009 Updated:June 3, 2009
Description: From the Fedora advisory: OCS Inventory NG: Authentication result varies for existent and non-existent users - SQL injection and Unauthenticated Arbitrary File Read.
Alerts:
Fedora FEDORA-2009-5769 2009-06-02
Fedora FEDORA-2009-5773 2009-06-02
Fedora FEDORA-2009-5764 2009-06-02

Comments (none posted)

opensc: information disclosure

Package(s):opensc CVE #(s):CVE-2009-1603
Created:May 28, 2009 Updated:August 3, 2009
Description: opensc has an information disclosure vulnerability. From the Mandriva alert: src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted (CVE-2009-1603).
Alerts:
Gentoo 200908-01 2009-08-01
Fedora FEDORA-2009-4967 2009-05-14
Fedora FEDORA-2009-4928 2009-05-14
Mandriva MDVSA-2009:123 2009-05-27

Comments (none posted)

opensc: insecure key generation

Package(s):opensc CVE #(s):CVE-2009-0368 CVE-2008-2235
Created:June 1, 2009 Updated:August 3, 2009
Description:

From a message on the OpenSC mailing list:

The security problem in short: you need a combination of

1.) a tool that starts a key generation with public exponent set to 1 (an invalid value that causes an insecure rsa key)

2.) a PKCS#11 module that accepts that this public exponent and forwards it to the card

3.) a card that accepts the public exponent and generates the rsa key.

OpenSC is insecure because due to a code bug in pkcs11-tool it had the wrong public exponent. But OpenSC PKCS#11 module is secure, it ignores the public exponent. So only if you generate your keys with pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if you used it with some other vendors PKCS#11 module, and only if the card accepted the bogus value too, then your rsa key is insecure.

Alerts:
Gentoo 200908-01 2009-08-01
Fedora FEDORA-2009-4892 2009-05-12
Fedora FEDORA-2009-4919 2009-05-12
Fedora FEDORA-2009-4883 2009-05-12

Comments (none posted)

php-smarty: arbitrary command execution

Package(s):php-Smarty CVE #(s):CVE-2009-1669
Created:May 28, 2009 Updated:August 18, 2010
Description: php-smarty has an arbitrary command execution vulnerability. From the Red Hat bug entry: The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.
Alerts:
Debian DSA-1919-2 2010-08-17
Gentoo 201006-13 2010-06-02
Debian DSA-1919-1 2009-10-25
Ubuntu USN-791-3 2009-06-24
Ubuntu USN-791-1 2009-06-24
Fedora FEDORA-2009-5520 2009-05-27
Fedora FEDORA-2009-5525 2009-05-27

Comments (none posted)

tshark: denial of service

Package(s):tshark CVE #(s):
Created:May 28, 2009 Updated:June 3, 2009
Description: tshark has a denial of service vulnerability. From the rPath alert: Previous versions of wireshark contain a Denial of Service vulnerability in the PCNFSD dissector. This vulnerability has been corrected.
Alerts:
rPath rPSA-2009-0095-1 2009-05-27

Comments (none posted)

wireshark: unspecified denial of service

Package(s):wireshark CVE #(s):CVE-2009-1829
Created:June 1, 2009 Updated:June 30, 2009
Description:

From the Mandriva advisory:

Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets (CVE-2009-1829)

Alerts:
Gentoo 200906-05 2009-06-30
CentOS CESA-2009:1100 2009-06-16
Red Hat RHSA-2009:1100-01 2009-06-15
Mandriva MDVSA-2009:125 2009-05-31

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds