Security
http://scarybeastsecurity.blogspot.com/feeds/comments/default

Updated: 2018-03-28T12:01:26.000-07:00
2018-02-14T10:12:31.622-08:00

You had me until you said "an URL".



2017-11-15T11:44:45.285-08:00

Yes, awesome game. I remember looking at the Amiga in-game messages: "you have killed triax", "she wants you badly", "here is a secret passage", "it has given you special powers". I guess these were designed to get you thinking, or were they to be implemented? Great game!



2017-09-27T10:05:45.678-07:00

Chris - my name is Abhishek and I am CEO of RedMarlin. My company has developed an AI-based technology that provides fully automated end-to-end brand protection, from detection of fake pages to the take down.

I figured this might be of interest to you, as Dropbox is the most phished brand among the phishing sites we detect: https://checkphish.ai/stats

I'd love to get your feedback even if you're not in the market for this right now. Do you have 20 minutes this week? It looks like I am open on Thursday at 11am or 12pm PT if either works.

We are based in Mountain View and I am happy to drive up to SF.

Abhishek Dubey
https://redmarlina.ai
https://www.linkedin.com/in/adubey/




2017-09-20T04:37:57.158-07:00

The reason why I moved out from the Dropbox Pro customers some time ago...



2017-09-19T11:28:39.436-07:00

Chris, you might be in a position to reevaluate the issue I reported, #235584 "Unannounced file share", at HackerOne. An unauthenticated file share with a limited 80 bits of entropy is hardly secure. Not to mention that desktop users are likely sharing their files without knowing about it. I'm posting it here because Dropbox has been advised against these practices and they decided to "accept" the risk, even though the risk is not theirs to accept. I almost left an important private file exposed due to these practices. Cheers.



2017-09-03T21:49:35.933-07:00

Hey Chris, it's been a while since I've read your posts, let alone been on Blogger. But I just enjoyed this post. Not being much, if anything, of a programmer but only a dabbler in the computer world since the IBM clone and DOS days, I try to follow and keep up with what's happening under the hood. Now let me make a comment on what you ended your post with.
I support your suggestion, but I would think that anyone who might be the slightest bit interested in funding several Project Zeros probably comes to a quick conclusion that it would be a bottomless pit to throw money in. But I do hold out hope that there have to be at least one or two people who are smart enough, and with deep enough pockets, who might want to take up the charge. My next thought is: why aren't you writing letters to some people you can think of who might take an interest? What have you got to lose but some more time, right?



2017-07-11T14:49:43.636-07:00

First, shouldn't "A good balance is to require the alleged CSS to at least start with well-formed CSS, iff it is a cross-domain load and the MIME type is broken." use only "if" instead of "iff" (if and only if)? As written, it is interpreted to mean that you may only use well-formed CSS if it's cross-domain and the MIME type is broken. Presuming that "iff" takes precedence over "and", this implies that you may not use well-formed CSS if it's a same-domain request; else, if "and" takes precedence, it implies that you may not use well-formed CSS on a request which is on the same domain and has a valid MIME type. Anyway, that's not too important, just being a bit pedantic; perhaps I'm wrong.

Now my question. I know this is an old post and things may have been different back then, but hasn't CSS only ever been parsed inside of a designated area such as a style tag or the style attribute? If so, why would user input ever end up in there in the Yahoo email subject? The example doesn't explicitly state you added an element; also, from your comments it'd seem that there was no HTML injection, so I don't see how that could have even been parsed as CSS instead of just plain text, or rather HTML.

In addition, I had to re-read the article and comments to presume you mean that the link to "http://cevans-app.appspot.com/static/yahoocss.html" will be requested and included into the document as a CSS document; I fail to see how. First, it's included part way through a background-image: url(); argument; the actual domain being requested should be google.com and everything following should be part of the requested URI and not a new request, which isn't much of a problem, as you control the initial URL anyway, so you could change that to your malicious domain. Okay, so the request is made as if to an image, which could contain its own style tags which would get parsed, but this doesn't explain why the aforementioned URI is relevant. I assume you were saying that the background-img would be parsed and the XSRF tokens contained in the URI could be used to forge a GET request by the requested background-image URI?

So, to reiterate: why would the CSS parser parse the entire document? Isn't the entire point of the style tag/attribute to indicate where CSS exists and should be parsed from?
And what relevance has the second link in the background-img URI?



2017-06-21T06:01:25.917-07:00

I think that it can be bypassed in some cases.

I modified shrink_free_hole_alloc_overlap_consolidate_backward.c (https://pastebin.com/HzuKTKU9) so that it can bypass the mitigation.

Maybe we need to do more checks when the chunk is merged?



2017-05-25T07:59:48.584-07:00

Afraid this mitigation can be bypassed easily.



2017-05-25T00:07:41.233-07:00

The split stack stuff is what some CFI solutions (e.g. CPI) do, and basically also what Intel CET does (shadow stack for return addresses), but it only covers the case where you actually want to mount a ROP attack. There are a number of data-only attacks that rely on memory corruption and do not need to corrupt the saved return address.

You also ask why there are two pointers: that's mostly to ease debugging when chaining together frames. The use of the base pointer is not required by the architecture, x86 can do just as fine using EBP/RBP as a general purpose register: e.g. see -fomit-frame-pointer GCC option.



2017-05-24T11:09:42.331-07:00

This idea isn't exactly new, but why don't we simply split the stack? Like having one for data and one for return addresses. So even if the data stack overflows, we wouldn't need such things as control flow integrity, because return addresses cannot be overwritten with a simple memcpy stack overflow. And to protect against data corruption we still have stack cookies.
That should even be possible with x86 CPUs.
Base pointer for return addresses and stack pointer for data. I mean, why are there even 2 pointers? ARM can do perfectly fine addressing local variables with the stack pointer only.



2017-05-24T03:29:01.783-07:00

Good article!! But it could have been more precise; a better demonstration of the exploitation could have helped more!!



2017-05-23T03:52:01.418-07:00

Bugs like this are to be expected from a decoder library, it is no coincidence that most critical Android and iOS/iTunes bugs are about media codecs as well.

As you describe, the whole design without an isolated converter process for each image is the problem here. In addition, the "convert" process could be further restricted with some AppArmor rules to prevent any serious damage from a potential remote-code execution.



2017-05-19T15:11:59.582-07:00

Links to the exploits should now be fixed!



2017-05-19T12:59:27.801-07:00

Links to the exploits don't work =(



2017-05-19T12:15:05.656-07:00

When it comes to the upstream vendor / consumer responsibility then I think there should be a standardized protocol between the two. Maybe something like a standardized security RSS feed that upstream vendors provide for their products and consumers subscribe to.

On the consumer side the security reports from the feed should be automatically processed and the interested parties be notified with automatic escalation in case a security report isn't reacted to within a certain time.

This security report information could be handed even further down in case of Linux distributions as they could automatically include this information in their packages and then for an instance trigger security notices or reboot notifications with added security context.



2017-05-16T03:49:13.431-07:00

Rust is very interesting, as it eliminates memory corruption, use-after-free and data race bugs with no overhead compared to C/C++. It relies on static analysis at compilation to guarantee that.

https://www.rust-lang.org/



2017-05-16T00:49:29.245-07:00

In SPARC, we've added to the architecture Application Data Integrity (part of Silicon Secured Memory), which allows us to check at runtime for linear memory corruption, with fairly low impact (to the point that we can enable it at large). The idea behind ADI stems from one of the things you point out above: the VA space is larger than the physical space, so we get extra bits of information that we can use to 'tag' memory. This has been theorized for a long time, but has always hit a wall when the backing memory left the caching hierarchy. On SPARC, we've solved this by storing the metadata all the way down to the physical DIMM.

ADI allows us to write hardened malloc() implementations by simply extending existing ones under two constraints: 64-byte alignment and 64-byte minimum size of tagging. I've covered the theory here:

https://lazytyped.blogspot.it/2016/12/hardening-allocators-with-adi.html

You cite MPX, so, perhaps, this comparison is of some help:

https://lazytyped.blogspot.it/2016/12/hardware-buffer-overflow-defenses.html

and I'm looking forward to the next release of Solaris to showcase how we've leveraged it system wide for different bug classes ;) (the amount of incorrect handling that just popped up across the board by throwing test suites to run under our new defenses has been pretty fascinating)



2017-05-08T22:55:07.050-07:00

I know some of those words...



2017-05-07T13:33:27.646-07:00

Wow, it would be nice to read more posts like this one.
Well done!



2017-04-22T11:43:28.867-07:00

Hi William,

I have to ask out of curiosity for the economics of that era: how many copies did Pipeline sell?


Cheers
Chris



2017-04-22T03:08:17.407-07:00

Wow - can't believe what's involved to enable me to play that 2-years-of-my-life game in a web browser, almost 30 years later.... with hindsight if we'd prioritised gameplay rather than smooth (fast, 2x than better-playing games) scrolling I suspect the game would have sold much better!
Chris - love your post and totally share your admiration for Exile. Thanks a lot.
Ian - I still think what we achieved and when is one of those achievements I'm proudest of.



2017-04-21T16:00:10.888-07:00

Hi Ian,

Pipeline!!! I remember it well. From memory, the scrolling was unusually smooth for a BBC game which had me impressed from the technical perspective. I sucked at the game though.


Cheers
Chris



2017-04-21T15:44:41.827-07:00

Thank you for this post. It is always cool to see how true devotees have subsequently developed in their careers. I knew the authors of Exile from when I made a game in 1988 along with William Reeve (who later coded the Amiga version of Exile and then became a serial entrepreneur). It's great to see your awesome security work here. Exile had some pretty neat copy protection if I remember rightly...

Thanks to this page I also found the JavaScript BBC emulator linked in the previous comment and got to play my own game in a browser: https://bbc.godbolt.org/?disc=%7CSuperior%2FPipeline.zip&autoboot&keyLayout=physical#

All the best,
Ian Holmes https://twitter.com/ianholmes



2016-12-28T03:17:21.828-08:00

This is an interesting emulator.