Thursday, October 29, 2009

Exploiting Rich Internet Applications (RIA)

Due to fast adoption of internet technologies like Web 2.0 and their integration with advanced web applications has raised unexpected security challenges. In this article we will review some of these issues related to Adobe Flash product. Flash supports wide range of multimedia features including, rich web application development, video streaming, games and many more. Flash can be deployed within browser or as a system application to run SWF(flash-supported) files. The SWF file consists of 64 tag types, each of which contains its own type, length and value. These can be reviewed in the following picture.
As many of the features are exposed through tags title and tags data. One of such tags is ActionScript. It provides extensible functionality for rich applications. It is mainly based on ECMAScript and when compiled is converted to ActionRecord sub-tags. These sub-tags are then stored into DoAction meta data. A single stream of ActionRecords is terminated by ActionEnd tag. Now, based on the published statistics and product popularity, it is easy to compile the information about how many Flash deployments are openly available throughout the internet under various operating systems and mobile devices (Target Scanning).

-Flash is available for all major OS(s).
-It is installed with default settings.
-ActionScript v2 is supported.

There are several security issues discovered in ActionScript v2 (AS2) in past, which can cause a serious damage to all computers loaded with Flash and connected over the internet. These vulnerabilities can easily be exploited due to improper implementation of flash-based web applications and poses major risk to all internet users. Thus, we introduce two assessment methodologies to test the security of flash applications.


Manual Testing

To understand the testing procedures and dissect the simple flash file in depth, we used Adobe Flash CS3. Inside this tool we got various facilities to audit the flash movie. ActionScript Editor is the one we can use to test several conditions, such as editing the source with first frame set as, getURL("http://www.example.com"); On the other hand, one can also use SweetScape 010 Editor to do the similar testing.


Automated Testing

Fault Injection for Reverse Engineers (FIRE) Framework
-Gathering Input
Get the target flash movie to perform mutation.

-Survey Input
Survey logic will skip textual data regions in the file like XML, HTML, ASCII and mark the binary data such as ActionScripfor fault injection tests.

-Process Instrumentation
FIRE invokes the Browser COM object on start-up and monitor continuously through the debugger. By monitoring the execution of "CreateWindow" and other error conditions it is easy to measure the faults.

-Mutate Input
Fault injection can be performed on batch of file(s) and is mutated with integer overflows 8bit, 16bit, 32bit. Once the fault has been injected, the final event is sent to target application to trigger the tested SWF file.

-Process Monitoring
Whenever one code point is executed, a breakpoint will be hitted and the relevant event will be generated by FIRE to deliver it to the target listener. Some of these events are ModuleLoad Event, FaultDelivered Event, ApplicationFailure Event, ApplicationCriticalFailure Event.

-Bug Analysis
If the FIRE debugger encounter the ApplicationFailure Event or ApplicationCriticalFailure Event, it will record the case by collecting the input stream, thread context and stack trace information that will help us further to investigate the possible bug inside target input file.

Tuesday, October 20, 2009

Unicode: A Look Inside the Core of System Security

Unicode is a industry standard that is used to assign a unique number for every character independent of the platform or application. There can be different set of encoding systems used to represent a single language. For instance, English uses several encodings to cover all letters, symbols and punctuation.

One of the major problems is:
These encoding systems also conflict with one another. That is, two encodings can use the same number for two different characters, or use different numbers for the same character. Any given computer (especially servers) needs to support many different encodings; yet whenever data is passed between different encodings or platforms, that data always runs the risk of corruption. (http://unicode.org/standard/WhatIsUnicode.html)

This shows that the use of Unicode system may reveal a serious threat to end users, applications, operating systems and programming languages. Unicode v5 is a complex and large standard, such that, it provides code points, normalization, case mapping, categorization, escapings, conversion tables, binary properties, etc. Additionally, it includes several code pages and charsets like Shift_jis, Gb2312, Windows-1252, ISO-8859-1, EBCDIC-037. Furthermore, the ASCII range is reserved from U+0000 to U+007F. Unicode v5.1 holds a 21-bit scalar value with space for over 1,100,000 code points (U+0000 - U+10FFFF). For instance, the english character 'A' represents U+0041 value.

Encodings with different number of bits can be presented as:

UTF-8 (variable width 1-4 bytes)
UTF-16 (Endianess, variable width 2 or 4 bytes)
UTF-32 (Endianess, Fixed width 4 bytes, Fixed mapping)

After anticipating the above mentioned properties of Unicode system, it is quite obvious to find the root causes of data encoding and transformation problems. Some of them are listed below:

-Visual Spoofing
-Best-fit mappings
-Normalization
-Overlong UTF-8
-Character Substitution
-Character Deletion
-Casing
-Buffer Overflows
-Controlling Syntax
-Charset Transformation
-Charset Mismatch

Putting in consideration only one problem domain 'Visual Spoofing' which governs that in over 1,100,000 assigned characters look alike within the same or across multiple language scripts. The example is given below:

Such problems are the real threats. In the real-world attack scenario on International Domain Names (IDN), these can be used to spoof the actual website. For example:

gobiz.com "is not" gobiz.com

The first letter of the 1st Domain contains "Latin U+0069 char" and the first letter of the 2nd domain represents "Latin U+0261 char". Does it make any visual difference? Thus, some of the main attack vectors that leverages visual spoofing are:

-Non-unicode attacks
-Problematic font-rendering
-Confusable charaters
-Manipulating combining marks
-Syntax spoofing

Tools that can help interpret such problems within web applications are:

Watcher
http://websecuritytool.codeplex.com/
-Passive web application auditing

Unibomber
http://www.casabasecurity.com/content/unibomber-tool-specialized-xss-testing
-XSS autopwn testing tool

Friday, October 2, 2009

Evolution of SmartGrid: A new Game for Owning the Continent

The life of human has dramatically changed from the manual work to automation during the past few years. This change has brought excellent benefits to the humanity and significant change to our environment making the life easier and trustworthy. However, the lack of 'security' into automation has raised challenging questions to provide a resource with confidentiality, integrity, availability and accountability. And because of distributed nature of the internet, it has also become harder to control and regulate the illegal activities cross the border which requires additional law/petitions among countries.

SmartGrid is a digital technology for providing electricity. It allows the suppliers to remotely control the consumption of consumers electric energy and amend any possible variation in rates. In similar way, it does help users to monitor their energy usage in real-time. The major objectives of SmartGrid technology is to increase reliability, efficiency, perfectness and safety of the country's electrical infrastructure. Integration of security in such digital technology is vital and must be implemented with a broad vision. Currently, The Energy Independence and Security Act of 2007 has provided Energy Department with necessary guidelines to develop SmartGrid program. On the other side, US-NIST has been assigned with core responsibility of developing a framework of security for the SmartGrid and the project named by NIST called "Smart Grid Interoperability Project".

Current Security Initiatives (SmartGrid)

-Energy Independence and Security Act of 2007 (bill signed on 18-DEC-2007)
-NIST Smart Grid Interoperability Project (initial standards published on 8-MAY-2009)
-Advanced Metering Infrastructure (AMI) System Security Requirements v1.01 (Released on 17-DEC-2008)
-Critical Electric Infrastructure Protection Act (CEIPA) - (HR 2195) (Introduced on 30-APRIL-2009)

Challenges

In response to the current state of design and implemetation of Smart Grid technology, it is an unfortunate condition for those such as, Salt River Project and Austin Energy, who had already started this revolution years back because of no proper security integration from the initial step of production. Thus, the security will be add-on feature for some SmartGrid producers after implementation. From the anticipation of electronic industry like banks and financial institutions, health care, manufacturers and other similar market segments facing critical threats at different levels today, it is quite obvious to judge the future of SmartGrid security. Some of which are given below:

1. Penetration testing for Smart Meters have shown negative signs, allowing attacker to take full control over the meters.
2. Wide scale denial of service (DoS) attacks are possible.
3. Application threats (exploiting OSI layer-7 to control the full usage of electricity over multiple homes/businesses).
4. Physical Security threat (if malicious adversary successfully access the SmartGrid controller room).
5. Controlling SmartGrid network, thus owning the whole continent?

A very serious initiatives will be forwarded by FERC in 2010 to fine the utility companies up to "$1million dollars per day" if any found non-compliance with security standards. Hence, there is more to come in near future.