RE: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread Jeff Williams 

Dinis Cruz wrote:
 If you do accept that it is possible to build such sandboxes, then we
 need to move to the next interesting discussion, which is the 'HOW'
 
 Namely, HOW can an environment be created where the development and
 deployment of such Sandboxes makes business sense.

It's the business sense part of this that's really difficult.  It wouldn't
be *that* hard to put sandbox enforcement into all libraries.  If you want
to protect against XSS, put a validation and encoding sandbox into
HttpServletRequest.  If you want to stop SQL injection, get rid of
non-PreparedStatement and build in some control for direct references.  As
long as there are no unmanaged calls (and assuming type-safety, etc...) then
all calls can be mediated by a sandbox.

But the complexity of configuring the sandbox is the hard part.  You're
trying to move the security enforcement out of the code and into something
else. So you need a language that allows the developer to specify all those
rules.  And if the sandbox is powerful enough to only allow exactly what the
developer specifically wants to allow (positive security model), the
language will have to be just as complex as the code it's sandboxing. 

The Java sandbox is already too complex for most developers to use. I've
tangled with it several times and come away only partially accomplishing
what I wanted.  (And uncovering a massive flaw in one vendor's custom
sandbox implementation). 

This complexity is a general sandbox problem, not specific to Java or .NET
or anything else.  The most hopeless I've worked with is the Compartmented
Mode Workstation (CMW) label encodings and permissions scheme.  The web
application firewall products also have this problem.  Even .htaccess files
are generally a mess.  It's just a TON of work to move security rules out of
the code and into something else.  And developers don't want to learn some
new language to do it.

So while it might be possible to create sandboxes that are far more
powerful, the complexity goes through the roof.  And we can't even get
developers to use the relatively simple policy file for the Java sandbox.
If anything, I think we should focus on the big easy wins, like Microsoft
did by adding (some) XSS protection for .NET apps.  But the configuration
has to be really easy -- like ON/OFF.

--Jeff



___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread George Capehart 
Dinis Cruz wrote:

snip

 After my explanations in this email do you still think that this is
 correct? Or can you accept now that it is possible to build a Sandboxed
 environment that is able to protect against the majority of the serious
 security issues that affect web apps today?
 
 If you do accept that it is possible to build such sandboxes, then we
 need to move to the next interesting discussion, which is the 'HOW'
 
 Namely, HOW can an environment be created where the development and
 deployment of such Sandboxes makes business sense.
 

Hola Dinis,

The snipped part of your message was one of the best, most concise
discussions of sandboxes and their potential I have ever seen.  It has
stimulated a lot of thinking on my part . . . sandboxes and their role
in systems architecture just haven't been on my radar screen.  It is
obvious that you have spent serious time and thought on the subject.
I'm thinking that I could count on my two hands the number of people who
have given sandboxing the amount of thought and effort you have.  If,
along the way, you have made any notes or captured your thoughts in any
way, it would be of great benefit to the community if you were to share
them with us.  I say this because I'm not a dumb guy, and, after
spending a /*lot*/ of time thinking about what you're saying, I can
begin to appreciate your approach.  There are many people (especially
pointy-haired managers) who are not going to sit up until midnight with
a glass of wine reading and rereading your comments until they kinda,
sorta, get an idea of your vision.  I think that it is important that
the community understand your framework and think about it when they're
coding.  If you were to write a Sandboxes for Dummies, I would make it
required reading for all Java and .Net (and for that matter, all other)
programmers.

You're /*way*/ ahead of the crowd here.

My $0.02.

Best regards,

George Capehart
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-24 Thread Andrew van der Stock 

Dinis,

Sandboxing prevents a machine from having bad system() and buffer  
overflows causing system compromise. Sure that's bad enough. However,  
sandboxing does not prevent:


* all types of cross-site scripting
* SQL injection
* Command injection via SQL injection (xp_cmdshell and similar Oracle  
library calls)
* Command injection as the limited capabilities allowed by the  
sandbox ... until the attacker can work out how to get out of the  
sandbox, say via a friendly unpatched service or tunnelling terminal  
services outbound, or similar

* LDAP injection
* XML injection
* authentication attacks, such as brute forcing etc
* failure of authorization code to protect controlled resources,  
operations or transactions
* file operations on the files the app is authorized to touch, often  
quite sensitive in themselves

* second order injections (ie batch integrity issues)
* middleware attacks
* web service attacks
* SMTP attacks - ie formmail.pl - if it's badly written, there's no  
way a sandbox will help


* or the usual sorts of transactions which can lose a business money,  
like ship X widgets to Y (phishing).


Sandboxing reduces but does not eliminate the risk that the app  
server process can go ahead and destroy the rest of the box, which is  
important in a shared environment. But if the attacker can run  
arbitrary code on your host, it's just a matter of time before they  
work out how to go from loading netcat to 0wning you. That's why  
PHP's safe mode is not really all that safe and in fact, is more  
than occasionally easier to 0wn than the normal way.


For example, look at the code that Microsoft suggests for users of  
the SQL Server Reporting Services add-on:


http://support.microsoft.com/?kbid=842419

They recommend giving any SQL-calling code  
PermissionState.Unrestricted access to the SQL server. Guess what?  
The permission flood gates are now opened, and SQL injections are all  
back if there's dynamically constructed queries in the code.


Plus, those instructions are so long winded, if that's what is  
required for every assembly which asserts CAS permissions, there is  
the reason it's not done. Developers are under the pump, and unless  
it's easy, trivial and automatic, it will not be done.


Sandboxing and partial trust is a defense in depth mechanism that  
solves a small subset of issues and has the potential to reduce  
damage from other types of attack as long as keys to the kingdom are  
not granted by the asserted permissions.


It would be nice if it was on by default and programmers used it, but  
I'm not losing sleep over it. If I come across code which needs help  
with cross-site scripting or injections or worse, a process which is  
easy to conduct fraud with, I will fix that before telling them to  
turn the verifier on or insert code to demand permissions from the  
underlying CLR or VM.


thanks,
Andrew


On 24/05/2006, at 8:34 AM, Dinis Cruz wrote:

(sorry for the long time that it took for this response, see  
comments inline)


Stephen de Vries wrote:

Hi Dinis,

I think you're overestimating the effectiveness of a sandbox in  
preventing common web app vulnerabilities, and you're instead  
focussing on the tiny fraction of specific attacks that can be  
stopped with sandboxes.
Well Stephen, I would argue that you are underestimating that  
effectiveness :)


I also don't think that I am focusing on a tiny fraction of  
specific attacks. Sandboxes have the capability to resolve most of  
the current types of attacks we have today. And the ones that it is  
not able solve, it will make them easy to detect.


In fact, I would argue that Sandboxing could actually make the  
'Sandboxed Application' more simple, effective, cheaper to develop  
and easier to audit.
The fundamental point of departure between our points of view is  
that I would argue that, the crown jewels are already inside the  
sandbox!
I think that you are thinking of a unidimensional Sandbox model  
similar to the one created by the Operating system between user- 
land process and kernel, or the one implemented by .Net / Java for  
mobile code executed on a web browser.


In the solution that I am envisioning, you will have multiple  
Sandboxes, one inside the other, separated by very clearly defined  
layers (the input choke points / attack surface) where each sandbox  
is allocated privileges accordingly to what it needs to get the job  
done (principle of least privilege),  the amount of trust that we  
have in that code (Code Access Security) and the identity used to  
executed it (Role Based Security).


Unfortunately the Partial Trust Sandboxes that currently exist on  
the .Net Framework (namely Medium Trust) are not good examples of  
Sandboxes since they still allow the creation of easy exploitable  
Asp.Net code (i.e. the security vulnerabilities that you mention  
below would still occur on a web application executed under Medium  
Trust).
So spending time and effort to