[conspire] [svlug] AnC side-channel attack: In which ASLR doesn't protect you from dumbness

Rick Moen rick at linuxmafia.com
Wed Feb 15 14:17:53 PST 2017


Further worthwhile links:
https://www.vusec.net/projects/anc/
https://news.ycombinator.com/item?id=13650611

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 15 Feb 2017 13:33:45 -0800
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: Re: [skeptic] It isn't Windows vs Apple anymore - all modern CPUs can be compromised
Organization: If you lived here, you'd be $HOME already.

Quoting Beth W (badastrum at gmail.com):

> New ASLR-busting JavaScript is about to make drive-by exploits much nastier
> A property found in virtually all modern CPUs neuters decade-old
> security protection.
[...]
> Full article at
> https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

I also recommend the actual research article discussed,
http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf

I'm not the least bit surprised, because Javascript has always been a
disaster (but also see below; it's not _really_ Javascript but rather
what it's called upon to do).  It's always been absurdly overfeatured,
and so everyone with elementary common sense has been severely
curtailing what it's permitted to do, either using a _well-tuned_
NoScript (i.e., not just load the extension and drool) or its latter-day
competitor uBlock Origin or uMatrix (same qualification).  

Users almost never are willing to do that, because users overwhelmingly
behave like morons, never even looking to tweak the defaults of their
software let alone questioning the necessity and wisdom of excessive
functionality, and correcting that.  At the end of my lecture 'The Wild,
Wild Web: Web Browser Security, Performance, and Privacy' in Feb. 2011,
I asked for an honest show of hands about how many in the audience were
seriously considering following my recommendations.  I think there were
three hands.  I thanked everyone for their honesty.  And that was a
_technical_ audience, but they were nonetheless lazy and borderline
inert.  This is the reality.

I'll mention in passing that Javascript is overfeatured but that
any other language pressed into its role would pose the same problem,
and that is that a remote Web server asks your browser 'Will you be
willing to run unknown program code I'm about to hand you that will run
in a full-blown Turing-complete environment and do basically damned near
anything it wants, with your user to be told the results later?', and
your browser says 'Sure, I'll start that for you.'

And why is this the case?  Why does even Firefox ship without the means
to curtail and control this stuff, with that task being consigned to 
extensions and aftermarket configuration?  Because advertising, and
because user-tracking[1].  Because Sutton's Law.

As one of the reader comments on ArsTechnica says, ASLR is and always
was security through obscurity.  The real problem is accustoming users
to blandly running complex, unknown, third-party code that they have
absolutely no reason to trust and want to run -- just because someone
makes a buck from that.  If your security depended on ASLR, you already
lost.

To translate to man-in-the-street, ASLR is this:  'Problem:  People run
exploit code.  That code, once running, finds running code and its data
structures in the user's computer memory and messes with it, in order to
do harm.  Solution:  Let's shuffle around the virtual memory addresses of
running code and its data structures to make them unpredictably
located.'  The research paper documents a pretty easy side-channel
method for exploit code to _find_ that running code and data structures.

Darn, what a pity users keep running highly untrustworthy, complex,
unknown code from nobody-in-particular!  If only they had... what's that
phrase?...  a sense of self-preservation.

But of course computer users have none.  It's been shown repeatedly that
most will give away their corporate-network passwords for candy, for example.


You want a comprehensive layered response that still keeps Javascript in
the picture, look no farther than Qubes OS, which sandboxes everything
in individual hypervisor VMs.  Me, I'll continue to just corral and
whittle down Javascript through other means.  As I said during my
lecture, Javascript is really the keystone security problem.

And if Javascript hadn't been the advertising/tracking-driven keystone
security problem, something equally ugly would have taken its rotten
niche.


[1] This industry goes under a wealth of euphemisms, including metrics, 
'Web bugs', behavioural marketing, a lot more.




----- End forwarded message -----