Computers march to the beat of more than one type of code. The CPU
defines
the machine language. But today most computers also run interpreters
that execute
different sorts of script or byte-codes. In addition to Java and C#
byte
codes, end-user machines may well also support Javascript, Perl, PHP,
Python, Ruby and many others. Even Postscript and some image formats
are interpreted. All of these become executable code
if the right interpreter is available. And all can be dangerous. For
example,
Javascript recently has been shown to open cross-site scripting vulnerabilities.
Javascript
is
vital to SOA or Web 2.0 implementations using the
increasingly popular AJAX techniques. Flash, and CSS, in the
right circumstances, facilitate Clickjacking,
where
a
hacker can place an invisible link/button that stays under your
mouse pointer as you browse a regular page. You may think you are
clicking on a visible button or link that is part of the legitimate
page, but the
hack morphs your input into a click on something else entirely.
These vulnerabilities are often not limited to one operating system. Critical
vulnerabilities
in Adobe's Flash interpreter can be triggered
from within Adobe's Acrobat pdf reader. The first such vulnerability
affected Windows, Macintosh and Linux systems in mid 2009. Patches for
the most
recent
Flash vulnerabilities as of this writing were published in
June, 2012.
If we are to take seriously a taboo against transferring code, a course that security in the multicellular web world demands, we will need to be better at identifying such code. We must also take more care about allowing new interpreters to be installed. If we can do so, we can perhaps have a strict taboo only against transferring executable machine code while allowing access to interpreted code.
Interpreters are dangerous in large part because they may allow unfettered access to the OS’s API set, ActiveX controls, disk storage, the TCP/IP stack, the keyboard, the screen or even the PC's microphone or video camera. All of these can provide exposure to misuse by malware. Access to disk storage would seem too mundane to notice with all the other issues in front of us. But browser cookies and Flash ActionScript Supercookies store data about your browsing on your hard drive. That data, when retrieved later, allows websites to track and often to identify you on the Web (and are not neutered by "Private Browsing"). Trickier uses of the Flash supercookie capability (known as Local Shared Objects, or LSOs) were shown at the 2010 Black Hat conference to potentially allow the complete takeover of your machine.
Access to the TCP/IP stack enables the machine to replicate worms and be hijacked to implement zombie DDoS and other denial of service attacks. Access to the keyboard enables spyware to sniff passwords and credit card numbers as they are typed. Ability to write to the screen can enable phishing or spoofing. Access to the microphone can enable a browser application to capture sounds in the room. For example, Google has experimented with determining what TV shows the user is watching from snippets of the sound captured by the microphone. Access to the video camera opens the possibility of identifying the user's keystrokes by visually tracking finger movements and conceivably may even allow the attacker to read data on the screen in reflections from the users glasses or some other nearby reflective surface.
In the single-cell computing world, the machine's hardware and software facilities were assumed to be under the control of the local user of the machine. In a multicellular world, they can too easily become extensions of a remote multicellular system without our knowledge or consent. We must therefore improve our ability to control (or neuter) interpreters so their behavior cannot compromise the computer. One approach might be to provide better low-level access protection or permission facilities. The familiar Unix “permission” structure, in which applications and users have predefined permission to read, write or execute files, was designed to protect a single-cell world where the disk was the central, key resource. From a multicellular computing perspective, communication traffic between computers and between the computer and its user, not management of its file system, will usually be the most important task the computer does. Hence communication between machines (e.g., TCP/IP) and with the user (keyboard, mouse, screen, microphone and video) should be controlled with a revamped permission structure appropriate to modern attacks on networked computers.
Contact: sburbeck at mindspring.com
Last revised 6/12/2012