Security
Google's Native Client
Allowing browsers to run native code downloaded from a web site has some attractions, at least at first blush. But, once some thought is put into it—or the serious security problems with Microsoft's ActiveX are recalled—the security flaws of the scheme become readily apparent. Google is resurrecting the idea in their Native Client (NaCl) research project, but rather than rely on trust, as ActiveX does, NaCl takes steps to verify the code before running it. As a weblog posting by Matasano Security describes, there are rather substantial technical barriers to overcome, but, even then, there are still some fairly serious repercussions to running native code from an untrusted site.
The reasons that native code is so attractive are that it allows for much better performance along with access to graphics and a user interface that isn't HTTP-based. One of the NaCl demos is a port of Quake so that it can run in the browser. Certainly games are one place where NaCl is attractive, but, also, for any existing program—at least those that aren't written in Java, Flash, or Silverlight—porting it to a new language is not required. For those who think that essentially all applications will eventually be delivered by the web, NaCl (or something like it) seems required.
But, as malware developers know, the x86 architecture has lots of ways to obscure the operation of a program in order to try to elude any kind of automatic vetting. The instructions are of variable length and malicious programs can jump anywhere in the stream, not just at the instruction boundaries found by a disassembler. In addition, x86 programs can execute from data, so that malicious programs can write some code to memory and jump there. These kinds of things cannot be determined by just examining the program binary, so Google leveraged some earlier work [PDF] to restrict the kinds of programs NaCl will execute.
Basically, NaCl requires that the code be structured such that it can be verified automatically. That means that disassembling the code must produce a stream of recognizable instructions and that jumps must land at the beginning of one of those instructions. In addition, self-modifying code is disallowed. With those restrictions in place, NaCl can verify that the code doesn't do anything that is disallowed.
NaCl then enforces some additional rules, disallowing memory management hacks that could fool the verifier and requiring that all system calls go through a "gate" in the first 64K of the code. Only certain calls are allowed through the gate, which is how NaCl protects against arbitrary code being executed. Google has created a patched version of GCC that will create an ELF-format file which follows the rules.
All of that may sound enticing, but Matasano puts a definite damper on enthusiasm for the technique. In some ways, it is similar to what Java applet sandboxes do, but Java has been around for quite some time, so many of the problems with its implementation have been found and fixed. Google sponsored a contest to try to shake out some of the problems with NaCl. Matasano participated and the blog post is essentially a report of what they and others found.
The basic problem is that bugs in the verifier, loader, or trusted system call gate can generally be immediately turned into exploits to run arbitrary code. The posting outlines a number of problems that they or other contest teams found. Until the NaCl components reach a level of maturity similar to—or even beyond—that of the Java applet sandbox, running native code in the browser is going to be a dicey proposition. A particular area of concern is that the system call gate must do its job based on what call is being made and the contents of the memory being passed, which is a much harder job than the equivalent for the Java sandbox (which is expressed in terms of Java classes and data structures).
But, even if all of the bugs with NaCl itself were found and fixed—an impossible task—there is still an architectural hole that was specifically removed from consideration in the contest: side-channel attacks. There are a number of attacks against keys and other sensitive information that can be made using timing analysis. By timing repeated executions of the code of interest, cache effects as well as branch prediction information can be extracted, which can then be used to recover keys or other information.
While the side-channel attacks are probabilistic in nature, they get better with repetition. If an attacker were able to add that kind of analysis as part of a popular game, for example, it would have ample opportunity to run. Since the kind of abilities required by the side-channel program are not very different than other, legitimate programs that NaCl would want to run, there is little that can be done to stop this kind of abuse. Whether it is a practical attack is hard to judge, but undoubtedly some attackers are already looking at it.
It seems likely that any security-conscious user is not going to be too interested in running code in NaCl anytime soon—if ever. Unfortunately, the same folks who are willing to run ActiveX programs from random internet sites might be quite willing to do the same with NaCl. That could lead to an ugly security breach of some kind, but one could argue that it is not really any worse than things are today. Running untrusted code is dangerous and there aren't many ways around that.
New vulnerabilities
cups: denial of service
| Package(s): | cups, cupsys | CVE #(s): | CVE-2009-0949 | ||||||||||||||||||||||||||||||||||||||||
| Created: | June 3, 2009 | Updated: | December 8, 2009 | ||||||||||||||||||||||||||||||||||||||||
| Description: | The CUPS IPP code contains a null-pointer dereferencing bug. An attacker can exploit this flaw to crash the server, leading to a denial of service. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
drupal6: cross-site scripting
| Package(s): | drupal6 | CVE #(s): | |||||
| Created: | June 1, 2009 | Updated: | June 3, 2009 | ||||
| Description: | From the Debian advisory: Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability. | ||||||
| Alerts: |
| ||||||
eggdrop: remote denial of service
| Package(s): | eggdrop | CVE #(s): | CVE-2009-1789 | ||||||||||||
| Created: | June 2, 2009 | Updated: | December 8, 2009 | ||||||||||||
| Description: | From the Mandriva advisory: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | linux-2.6 | CVE #(s): | CVE-2009-1630 CVE-2009-1633 CVE-2009-1758 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 2, 2009 | Updated: | February 15, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. CVE-2009-1630 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. CVE-2009-1633 Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). CVE-2009-1758 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libsndfile: arbitrary code execution
| Package(s): | libsndfile | CVE #(s): | CVE-2009-1788 CVE-2009-1791 | ||||||||||||||||||||||||||||||||
| Created: | May 28, 2009 | Updated: | December 4, 2009 | ||||||||||||||||||||||||||||||||
| Description: | libsndfile has a pair of arbitrary code execution vulnerabilities.
From the Gentoo alert:
Tobias Klein reported that the header_read() function in src/common.c uses user input for calculating a buffer size, possibly leading to a heap-based buffer overflow (CVE-2009-1788). The vendor reported a boundary error in the aiff_read_header() function in src/aiff.c, possibly leading to a heap-based buffer overflow (CVE-2009-1791). | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
ocsinventory: SQL injection
| Package(s): | ocsinventory | CVE #(s): | CVE-2009-1769 | ||||||||||||
| Created: | June 2, 2009 | Updated: | June 3, 2009 | ||||||||||||
| Description: | From the Fedora advisory: OCS Inventory NG: Authentication result varies for existent and non-existent users - SQL injection and Unauthenticated Arbitrary File Read. | ||||||||||||||
| Alerts: |
| ||||||||||||||
opensc: information disclosure
| Package(s): | opensc | CVE #(s): | CVE-2009-1603 | ||||||||||||||||
| Created: | May 28, 2009 | Updated: | August 3, 2009 | ||||||||||||||||
| Description: | opensc has an information disclosure vulnerability. From the Mandriva alert: src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted (CVE-2009-1603). | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
opensc: insecure key generation
| Package(s): | opensc | CVE #(s): | CVE-2009-0368 CVE-2008-2235 | ||||||||||||||||
| Created: | June 1, 2009 | Updated: | August 3, 2009 | ||||||||||||||||
| Description: | From a message on the OpenSC mailing list: The security problem in short: you need a combination of 1.) a tool that starts a key generation with public exponent set to 1 (an invalid value that causes an insecure rsa key) 2.) a PKCS#11 module that accepts that this public exponent and forwards it to the card 3.) a card that accepts the public exponent and generates the rsa key. OpenSC is insecure because due to a code bug in pkcs11-tool it had the wrong public exponent. But OpenSC PKCS#11 module is secure, it ignores the public exponent. So only if you generate your keys with pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if you used it with some other vendors PKCS#11 module, and only if the card accepted the bogus value too, then your rsa key is insecure. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
php-smarty: arbitrary command execution
| Package(s): | php-Smarty | CVE #(s): | CVE-2009-1669 | ||||||||||||||||||||||||||||
| Created: | May 28, 2009 | Updated: | August 18, 2010 | ||||||||||||||||||||||||||||
| Description: | php-smarty has an arbitrary command execution vulnerability. From the Red Hat bug entry: The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
tshark: denial of service
| Package(s): | tshark | CVE #(s): | |||||
| Created: | May 28, 2009 | Updated: | June 3, 2009 | ||||
| Description: | tshark has a denial of service vulnerability. From the rPath alert: Previous versions of wireshark contain a Denial of Service vulnerability in the PCNFSD dissector. This vulnerability has been corrected. | ||||||
| Alerts: |
| ||||||
wireshark: unspecified denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2009-1829 | ||||||||||||||||
| Created: | June 1, 2009 | Updated: | June 30, 2009 | ||||||||||||||||
| Description: | From the Mandriva advisory: Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets (CVE-2009-1829) | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>